二、安装 JDK
三、安装 Elasticsearch
四、安装 Logstash
五、安装 Kibana
六、Kibana 简单使用
系统环境:CentOS Linux release 7.4.1708 (Core)
- 开发人员不能登录线上服务器查看详细日志。
- 各个系统都有日志,日志数据分散难以查找。
- 日志数据量大,查询速度慢,或者数据不够实时。
ELK 由 Elasticsearch、Logstash 和 Kibana 三部分组件组成;
Elasticsearch 是个开源分布式搜索引擎,它的特点有:分布式,零配置,自动发现,索引自动分片,索引副本机制,restful 风格接口,多数据源,自动搜索负载等。
Logstash 是一个完全开源的工具,它可以对你的日志进行收集、分析,并将其存储供以后使用
kibana 是一个开源和免费的工具,它可以为 Logstash 和 ElasticSearch 提供的日志分析友好的 Web 界面,可以帮助您汇总、分析和搜索重要数据日志。

Logstash: logstash server 端用来搜集日志;
Elasticsearch: 存储各类日志;
Kibana: web 化接口用作查寻和可视化日志;
Logstash Forwarder: logstash client 端用来通过 lumberjack 网络协议发送日志到 logstash server;
在需要收集日志的所有服务上部署 logstash,作为 logstash agent(logstash shipper)用于监控并过滤收集日志,将过滤后的内容发送到 Redis,然后 logstash indexer 将日志收集在一起交给全文搜索服务 ElasticSearch,可以用 ElasticSearch 进行自定义搜索通过 Kibana 来结合自定义搜索进行页面展示。

配置阿里源:wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
yum clean all
yum makecache
Logstash 的运行依赖于 Java 运行环境,Elasticsearch 要求至少 Java 7。
[root@controller ~]# yum install java-1.8.0-openjdk -y
[root@controller ~]# java -version
openjdk version “1.8.0_151”
OpenJDK Runtime Environment (build 1.8.0_151-b12)
OpenJDK 64-Bit Server VM (build 25.151-b12, mixed mode)
systemctl stop firewalld.service #停止 firewall
systemctl disable firewalld.service #禁止 firewall 开机启动
2、关闭 selinux
sed -i ‘s/SELINUX=enforcing/SELINUX=disabled/g’ /etc/selinux/config
setenforce 0
基础环境安装(elk-node1 和 elk-node2 同时操作)
1)下载并安装 GPG Key
[root@elk-node1 ~]# rpm –import https://packages.elastic.co/GPG-KEY-elasticsearch
2)添加 yum 仓库
[root@elk-node1 ~]# vim /etc/yum.repos.d/elasticsearch.repo
name=Elasticsearch repository for 2.x packages
3)安装 elasticsearch
[root@elk-node1 ~]# yum install -y elasticsearch
chkconfig –add elasticsearch
systemctl daemon-reload
systemctl enable elasticsearch.service
[root@elk-node1 ~]# cd /etc/elasticsearch/
[root@elk-node1 elasticsearch]# ls
elasticsearch.yml logging.yml scripts
[root@elk-node1 elasticsearch]# cp elasticsearch.yml{,.bak}
[root@elk-node1 elasticsearch]# mkdir -p /data/es-data
[root@elk-node1 elasticsearch]# vim elasticsearch.yml
[root@elk-node1 elasticsearch]# grep ‘^[a-z]’ elasticsearch.yml
cluster.name: hejianlai // 集群名称
node.name: elk-node1 // 节点名称
path.data: /data/es-data // 数据存放目录
path.logs: /var/log/elasticsearch/ // 日志存放目录
bootstrap.memory_lock: true // 打开内存
network.host: // 监听网络
http.port: 9200 // 端口
discovery.zen.ping.multicast.enabled: false // 改为单播
discovery.zen.ping.unicast.hosts: [“”, “”]
[root@elk-node1 elasticsearch]# systemctl start elasticsearch
You have new mail in /var/spool/mail/root
[root@elk-node1 elasticsearch]# systemctl status elasticsearch
● elasticsearch.service – Elasticsearch
Loaded: loaded (/usr/lib/systemd/system/elasticsearch.service; disabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Thu 2018-07-12 22:00:47 CST; 9s ago
Docs: http://www.elastic.co
Process: 22333 ExecStart=/usr/share/elasticsearch/bin/elasticsearch -Des.pidfile=${PID_DIR}/elasticsearch.pid -Des.default.path.home=${ES_HOME} -Des.default.path.logs=${LOG_DIR} -Des.default.path.data=${DATA_DIR} -Des.default.path.conf=${CONF_DIR} (code=exited, status=1/FAILURE)
Process: 22331 ExecStartPre=/usr/share/elasticsearch/bin/elasticsearch-systemd-pre-exec (code=exited, status=0/SUCCESS)
Main PID: 22333 (code=exited, status=1/FAILURE)
Jul 12 22:00:47 elk-node1 elasticsearch[22333]: at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:102)
Jul 12 22:00:47 elk-node1 elasticsearch[22333]: at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:107)
Jul 12 22:00:47 elk-node1 elasticsearch[22333]: at sun.nio.fs.UnixFileSystemProvider.createDirectory(UnixFileSystemProvider.java:384)
Jul 12 22:00:47 elk-node1 elasticsearch[22333]: at java.nio.file.Files.createDirectory(Files.java:674)
Jul 12 22:00:47 elk-node1 elasticsearch[22333]: at java.nio.file.Files.createAndCheckIsDirectory(Files.java:781)
Jul 12 22:00:47 elk-node1 elasticsearch[22333]: at java.nio.file.Files.createDirectories(Files.java:767)
Jul 12 22:00:47 elk-node1 elasticsearch[22333]: at org.elasticsearch.bootstrap.Security.ensureDirectoryExists(Security.java:337)
Jul 12 22:00:47 elk-node1 systemd[1]: elasticsearch.service: main process exited, code=exited, status=1/FAILURE
Jul 12 22:00:47 elk-node1 systemd[1]: Unit elasticsearch.service entered failed state.
Jul 12 22:00:47 elk-node1 systemd[1]: elasticsearch.service failed.
[root@elk-node1 elasticsearch]# cd /var/log/elasticsearch/
[root@elk-node1 elasticsearch]# ll
total 4
-rw-r–r– 1 elasticsearch elasticsearch 0 Jul 12 22:00 hejianlai_deprecation.log
-rw-r–r– 1 elasticsearch elasticsearch 0 Jul 12 22:00 hejianlai_index_indexing_slowlog.log
-rw-r–r– 1 elasticsearch elasticsearch 0 Jul 12 22:00 hejianlai_index_search_slowlog.log
-rw-r–r– 1 elasticsearch elasticsearch 2232 Jul 12 22:00 hejianlai.log
[root@elk-node1 elasticsearch]# tail hejianlai.log
at sun.nio.fs.UnixException.translateToIOException(UnixException.java:84)
at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:102)
at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:107)
at sun.nio.fs.UnixFileSystemProvider.createDirectory(UnixFileSystemProvider.java:384)
at java.nio.file.Files.createDirectory(Files.java:674)
at java.nio.file.Files.createAndCheckIsDirectory(Files.java:781)
at java.nio.file.Files.createDirectories(Files.java:767)
at org.elasticsearch.bootstrap.Security.ensureDirectoryExists(Security.java:337)
at org.elasticsearch.bootstrap.Security.addPath(Security.java:314)
… 7 more
[root@elk-node1 elasticsearch]# less hejianlai.log
You have new mail in /var/spool/mail/root
[root@elk-node1 elasticsearch]# grep elas /etc/passwd
elasticsearch:x:991:988:elasticsearch user:/home/elasticsearch:/sbin/nologin
# 报错 /data/es-data 没权限,赋权限即可
[root@elk-node1 elasticsearch]# chown -R elasticsearch:elasticsearch /data/es-data/
[root@elk-node1 elasticsearch]# systemctl start elasticsearch
[root@elk-node1 elasticsearch]# systemctl status elasticsearch
● elasticsearch.service – Elasticsearch
Loaded: loaded (/usr/lib/systemd/system/elasticsearch.service; disabled; vendor preset: disabled)
Active: active (running) since Thu 2018-07-12 22:03:28 CST; 4s ago
Docs: http://www.elastic.co
Process: 22398 ExecStartPre=/usr/share/elasticsearch/bin/elasticsearch-systemd-pre-exec (code=exited, status=0/SUCCESS)
Main PID: 22400 (java)
CGroup: /system.slice/elasticsearch.service
└─22400 /bin/java -Xms256m -Xmx1g -Djava.awt.headless=true -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -XX:+HeapDumpOnOutOfMe…
Jul 12 22:03:29 elk-node1 elasticsearch[22400]: [2018-07-12 22:03:29,739][WARN][bootstrap] If you are logged in interactively, you will have to re-login for the new limits to take effect.
Jul 12 22:03:29 elk-node1 elasticsearch[22400]: [2018-07-12 22:03:29,899][INFO][node] [elk-node1] version[2.4.6], pid[22400], build[5376dca/2017-07-18T12:17:44Z]
Jul 12 22:03:29 elk-node1 elasticsearch[22400]: [2018-07-12 22:03:29,899][INFO][node] [elk-node1] initializing …
Jul 12 22:03:30 elk-node1 elasticsearch[22400]: [2018-07-12 22:03:30,644][INFO][plugins] [elk-node1] modules [reindex, lang-expression, lang-groovy], plugins [], sites []
Jul 12 22:03:30 elk-node1 elasticsearch[22400]: [2018-07-12 22:03:30,845][INFO][env] [elk-node1] using [1] data paths, mounts [[/ (rootfs)]], net usable_space [1.7gb], n…types [rootfs]
Jul 12 22:03:30 elk-node1 elasticsearch[22400]: [2018-07-12 22:03:30,845][INFO][env] [elk-node1] heap size [1007.3mb], compressed ordinary object pointers [true]
Jul 12 22:03:33 elk-node1 elasticsearch[22400]: [2018-07-12 22:03:33,149][INFO][node] [elk-node1] initialized
Jul 12 22:03:33 elk-node1 elasticsearch[22400]: [2018-07-12 22:03:33,149][INFO][node] [elk-node1] starting …
Jul 12 22:03:33 elk-node1 elasticsearch[22400]: [2018-07-12 22:03:33,333][INFO][transport] [elk-node1] publish_address {}, bound_addresses {[::]:9300}
Jul 12 22:03:33 elk-node1 elasticsearch[22400]: [2018-07-12 22:03:33,345][INFO][discovery] [elk-node1] hejianlai/iUUTEKhyTxyL78aGtrrBOw
Hint: Some lines were ellipsized, use -l to show in full.

# 统计索引数
[root@elk-node1 ~]# curl -i -XGET ‘’ -d ‘
> “query”: {
> “match_all”:{}
> }’
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
Content-Length: 95
“count” : 0,
“_shards” : {
“total” : 0,
“successful” : 0,
“failed” : 0
#es 插件,收费的不建议使用(这个不安装)
[root@elk-node1 bin]# /usr/share/elasticsearch/bin/plugin install marvel-agent
# 安装开源的 elasticsearch-head 插件
[root@elk-node1 bin]# /usr/share/elasticsearch/bin/plugin install mobz/elasticsearch-head
-> Installing mobz/elasticsearch-head…
Trying https://github.com/mobz/elasticsearch-head/archive/master.zip …
Downloading ………………………………………………………………………………………………………………………….DONE
Verifying https://github.com/mobz/elasticsearch-head/archive/master.zip checksums if available …
NOTE: Unable to verify checksum for downloaded plugin (unable to find .sha1 or .md5 file to verify)

使用 POST 方法创建查询

使用 GET 方法查询数据


[root@elk-node2 elasticsearch]# grep ‘^[a-z]’ /etc/elasticsearch/elasticsearch.yml
cluster.name: hejianlai
node.name: elk-node2
path.data: /data/es-data
path.logs: /var/log/elasticsearch/
bootstrap.memory_lock: true
http.port: 9200
discovery.zen.ping.multicast.enabled: false
discovery.zen.ping.unicast.hosts: [“”, “”]
在构建 Elasticsearch(ES)多节点集群的时候,通常情况下只需要将 elasticsearch.yml 中的 cluster.name 设置成相同即可,ES 会自动匹配并构成集群。但是很多时候可能由于不同的节点在不同的网段下,导致无法自动获取集群。此时可以将启用单播,显式指定节点的发现。具体做法是在 elasticsearch.yml 文件中设置如下两个参数:
discovery.zen.ping.multicast.enabled: false
discovery.zen.ping.unicast.hosts: [“”, “”]
重启 elk-node1,并开启 elk-node2,访问:

[root@elk-node1 ~]# /usr/share/elasticsearch/bin/plugin install lmenezes/elasticsearch-kopf
-> Installing lmenezes/elasticsearch-kopf…
Trying https://github.com/lmenezes/elasticsearch-kopf/archive/master.zip …
Downloading ………………………………………………………………………………………………………….DONE
Verifying https://github.com/lmenezes/elasticsearch-kopf/archive/master.zip checksums if available …
NOTE: Unable to verify checksum for downloaded plugin (unable to find .sha1 or .md5 file to verify)
Installed kopf into /usr/share/elasticsearch/plugins/kopf

1)下载并安装 GPG Key
[root@elk-node1 ~]# rpm –import https://packages.elastic.co/GPG-KEY-elasticsearch
2)添加 yum 仓库
[root@elk-node1 ~]# vim /etc/yum.repos.d/logstash.repo
name=Logstash repository for 2.1.x packages
3)安装 logstash
[root@elk-node1 ~]# yum install -y logstash
# 简单的输入输出
[root@elk-node1 ~]# /opt/logstash/bin/logstash -e ‘input {stdin{} } output {stdout{} }’
Settings: Default filter workers: 1
Logstash startup completed
hello world
2018-07-13T00:54:34.497Z elk-node1 hello world
hi hejianlai
2018-07-13T00:54:44.453Z elk-node1 hi hejianlai
2018-07-13T00:55:35.278Z elk-node1 来宾张家辉
^CSIGINT received. Shutting down the pipeline. {:level=>:warn}
Logstash shutdown completed
# 可以使用 rubydebug 详细输出
[root@elk-node1 ~]# /opt/logstash/bin/logstash -e ‘input {stdin{} } output {stdout{ codec => rubydebug} }’
Settings: Default filter workers: 1
Logstash startup completed
“message” => “mimi”,
“@version” => “1”,
“@timestamp” => “2018-07-13T00:58:59.980Z”,
“host” => “elk-node1”
# 内容写进 elasticsearch 中
[root@elk-node1 ~]# /opt/logstash/bin/logstash -e ‘input {stdin{} } output {elasticsearch{hosts=>[“”]} }’
Settings: Default filter workers: 1
Logstash startup completed
I love you
^CSIGINT received. Shutting down the pipeline. {:level=>:warn}
Logstash shutdown completed
[root@elk-node1 ~]# /opt/logstash/bin/logstash -e ‘input {stdin{} } output {elasticsearch { hosts => [“”]} stdout{codec => rubydebug}}’
Settings: Default filter workers: 1
Logstash startup completed
“message” => “ 广州 ”,
“@version” => “1”,
“@timestamp” => “2018-07-13T02:17:40.800Z”,
“host” => “elk-node1”
“message” => “hehehehehehehe”,
“@version” => “1”,
“@timestamp” => “2018-07-13T02:17:49.400Z”,
“host” => “elk-node1”

# 交换式输入信息
[root@elk-node1 ~]# cat /etc/logstash/conf.d/logstash-01.conf
input {stdin {} }
output {
elasticsearch {hosts => [“”]}
stdout {codec => rubydebug}
[root@elk-node1 ~]# /opt/logstash/bin/logstash -f /etc/logstash/conf.d/logstash-01.conf
Settings: Default filter workers: 1
Logstash startup completed
l o v e
“message” => “l o v e”,
“@version” => “1”,
“@timestamp” => “2018-07-13T02:37:42.670Z”,
“host” => “elk-node1”
“message” => “ 地久梁朝伟 ”,
“@version” => “1”,
“@timestamp” => “2018-07-13T02:38:20.049Z”,
“host” => “elk-node1”
# 收集系统日志
[root@elk-node1 conf.d]# cat /etc/logstash/conf.d/systemlog.conf
file {
path => “/var/log/messages”
type => “sysstem”
start_position => “beginning”
hosts => [“”]
index => “systemlog-%{+YYYY.MM.dd}”
# 放在后台执行
[root@elk-node1 conf.d]# /opt/logstash/bin/logstash -f /etc/logstash/conf.d/systemlog.conf &

[root@elk-node1 ~]# cat /etc/logstash/conf.d/elk_log.conf
input {
file {
path => “/var/log/messages”
type => “system”
start_position => “beginning”
input {
file {
path => “/var/log/elasticsearch/hejianlai.log”
type => “es-error”
start_position => “beginning”
codec => multiline {
pattern => “^\[” // 正则匹配[开头的为一个事件
negate => true
what => “previous”
output {
if [type] == “system”{
elasticsearch {
hosts => [“”]
index => “systemlog-%{+YYYY.MM.dd}”
if [type] == “es-error”{
elasticsearch {
hosts => [“”]
index => “es-error-%{+YYYY.MM.dd}”
# 放入后台运行
[root@elk-node1 ~]# /opt/logstash/bin/logstash -f /etc/logstash/conf.d/elk_log.conf &
[1] 28574
You have new mail in /var/spool/mail/root
[root@elk-node1 ~]# Settings: Default filter workers: 1
Logstash startup completed

官方最新的版本出来了 6.3.1 太新了,下载后出现很多坑后来就下了 4.3.1 的·先用着吧~~~
1)kibana 的安装:
[root@elk-node1 local]# cd /usr/local/
[root@elk-node1 local]# wget https://artifacts.elastic.co/downloads/kibana/kibana-4.3.1-linux-x64.tar.gz
[root@elk-node1 local]# tar -xf kibana-4.3.1-linux-x64.tar.gz
[root@elk-node1 local]# ln -s /usr/local/kibana-4.3.1-linux-x64 /usr/local/kibana
[root@elk-node1 local]# cd kibana
[root@elk-node1 kibana]# ls
bin config installedPlugins LICENSE.txt node node_modules optimize package.json README.txt src webpackShims
[root@elk-node1 kibana]# cd config/
[root@elk-node1 config]# pwd
[root@elk-node1 config]# vim kibana.yml
You have new mail in /var/spool/mail/root
[root@elk-node1 config]# grep -Ev “^#|^$” kibana.yml
server.port: 5601
server.host: “”
elasticsearch.url: “”
kibana.index: “.kibana”
3)screen 是一个全屏窗口管理器,它在几个进程(通常是交互式 shell)之间复用物理终端。每个虚拟终端提供 DEC VT100 的功能。
[root@elk-node1 local]# yum install -y screen
4)启动 screen 命令后运行 kibana 最后按 ctrl+a+ d 组合键让其在单独的窗口里运行。
[root@elk-node1 config]# screen
[root@elk-node1 config]# /usr/local/kibana/bin/kibana
log [02:23:34.148] [info][status][plugin:kibana@6.3.1] Status changed from uninitialized to green – Ready
log [02:23:34.213] [info][status][plugin:elasticsearch@6.3.1] Status changed from uninitialized to yellow – Waiting for Elasticsearch
log [02:23:34.216] [info][status][plugin:xpack_main@6.3.1] Status changed from uninitialized to yellow – Waiting for Elasticsearch
log [02:23:34.221] [info][status][plugin:searchprofiler@6.3.1] Status changed from uninitialized to yellow – Waiting for Elasticsearch
log [02:23:34.224] [info][status][plugin:ml@6.3.1] Status changed from uninitialized to yellow – Waiting for Elasticsearch
[root@elk-node1 config]# screen -ls
There are screens on:
29696.pts-0.elk-node1 (Detached)
[root@elk-node1 kibana]# /usr/local/kibana/bin/kibana
log [11:25:37.557] [info][status][plugin:kibana] Status changed from uninitialized to green – Ready
log [11:25:37.585] [info][status][plugin:elasticsearch] Status changed from uninitialized to yellow – Waiting for Elasticsearch
log [11:25:37.600] [info][status][plugin:kbn_vislib_vis_types] Status changed from uninitialized to green – Ready
log [11:25:37.602] [info][status][plugin:markdown_vis] Status changed from uninitialized to green – Ready
log [11:25:37.604] [info][status][plugin:metric_vis] Status changed from uninitialized to green – Ready
log [11:25:37.606] [info][status][plugin:spyModes] Status changed from uninitialized to green – Ready
log [11:25:37.608] [info][status][plugin:statusPage] Status changed from uninitialized to green – Ready
log [11:25:37.612] [info][status][plugin:table_vis] Status changed from uninitialized to green – Ready
log [11:25:37.647] [info][listening] Server running at
访问 kibana 地址:
第一次登录我们创建一个 elk 的 es-error 索引

添加 message 和 path 字段

运用搜索栏功能,我们搜 soft 关键字

我们在添加之前写的 systemlog 索引

* 为正则匹配

好啦~~ 到此为止 ELK 日志平台搭建基本搞掂,,,,累得一笔,,后续可以根据需求编写好需要监控的应用文件添加到 kibana 上即可。