1、回顾昨天(索引优化）

1. 按照我们想要的效果生成索引
- 自定索引名称
- 按月生成
- 按域名和访问类型创建索引
- 能够索引日志里的 每个字内容

2. filebeat设置
- nginx格式修改为json
- filebeate添加模板相关选项
       setup.template.name: "nginx"
       setup.template.pattern: "nginx_*"
       setup.template.enabled: false
       setup.template.overwrite: true
- filebeat添加参数直接解析成json格式
      json.keys_under_root: true
      json.overwrite_keys: true
- filebeat的input添加tags标签
      tags["www"]
- filwbeat的output里判断tags
    - index: "nginx_www_access-%{[beat.version]}-%{+yyyy.MM}"
      when.contains:
        tags: "www"


3. 收集tomcat日志
- 安装tomcat并访问，产生数据
- 修改tomcat日志为json格式，139行替换
- 验证tomcat日志是否为json格式
- filebeat配置
-- 使用*来匹配tomcat每天生成的日志
    - type: log


4. 收集java多行日志
- filebeat配置java日志路径
- 添加3行多行匹配的参数
  - type: log
    enabled: true 
    paths:
      - /var/log/elasticsearch/linux58.log
    tags: ["java"]
    multiline.pattern: '^\['
    multiline.negate: true
    multiline.match: after


5.kibana画图展示
- 柱状图，饼图，仪表图，折线图，Data Table,markdown
- Dashboard大屏实时展示
- 查询时间要注意，查询条件对面板也是生效的
- 画完记得保存
- 别把es里的.kibana给删了

2、ELk filebeat modules

filebeat是go语言编写
- 快，不依赖于java环境

配置步骤：
1.配置相关modules参数
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: true
  reload.period: 10s

2.查看模块
filebeat modules list

3.激活模块
[root@db01 ~]# filebeat modules enable nginx
Enabled nginx

4.修改nginx为普通日志格式

5.修改filebeat配置文件


不足的地方：
1.错误日志和正确日志都混在一起了
2.不能按域名生成索引

2.1、filebeat modules 自定义索引和视图

1.为了不影响实验，建议删除所有其他的索引
systemctl stop elasticsearch
systemctl stop kibana
rm -rf /data/elasticsearch/*
rm -rf /var/lib/kibana/*
systemctl start elasticsearch
systemctl start kibana

2.修改nginx配置文件
sed -i 's#json#main#g' /etc/nginx/conf.d/bbs.conf

3.清空nginx日志
> /var/log/nginx/bbs_access.log

4.重启nginx
systemctl restart nginx

5.修改filebeat配置文件:
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: true
setup.kibana:
  host: "10.0.0.51:5601"
output.elasticsearch:
  hosts: ["10.0.0.51:9200"]
  indices:
    - index: "nginx_bbs_access-%{[beat.version]}-%{+yyyy.MM}"
      when.contains:
        source: "/var/log/nginx/bbs_access.log"
    - index: "nginx_error-%{[beat.version]}-%{+yyyy.MM}"
      when.contains:
        fileset.name: "error"
setup.template.name: "nginx"
setup.template.pattern: "nginx_*"
setup.template.enabled: false
setup.template.overwrite: true

6.激活nginx模块报错
filebeat modules enable nginx

7.安装nginx modules插件
/usr/share/elasticsearch/bin/elasticsearch-plugin install file:///root/ingest-geoip-6.6.0.zip /usr/share/elasticsearch/bin/elasticsearch-plugin install file:///root/ingest-user-agent-6.6.0.zip 

8.重启es
systemctl restart elasticsearch

9.修改模块配置
[root@db01 ~]# egrep -v "#|^$" /etc/filebeat/modules.d/nginx.yml 
- module: nginx
  access:
    enabled: true
    var.paths: ["/var/log/nginx/bbs_access.log"]
  error:
    enabled: true
    var.paths: ["/var/log/nginx/error.log"]


10.备份删除不必要的视图文件并导入到kibana
cp -a /usr/share/filebeat/kibana /root
cd /usr/share/filebeat/kibana/6/dashboard
find . -type f ! -name "*nginx*"|xargs rm -rf
rm -rf  ml-nginx-*
sed -i 's#filebeat\-\*#nginx\_\*#g' Filebeat-nginx-logs.json 
sed -i 's#filebeat\-\*#nginx\_\*#g' Filebeat-nginx-overview.json
cd index-pattern/
sed -i 's#filebeat\-\*#nginx\_\*#g' filebeat.json
filebeat setup --dashboards -E setup.dashboards.directory=/root/kibana/
rm -rf /var/lib/kibana/*
systemctl restart kibana

3、安装docker步骤

安装docker步骤
rm -fr /etc/yum.repos.d/local.repo
curl -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
wget -O /etc/yum.repos.d/docker-ce.repo https://mirrors.ustc.edu.cn/docker-ce/linux/centos/docker-ce.repo
sed -i 's#download.docker.com#mirrors.tuna.tsinghua.edu.cn/docker-ce#g' /etc/yum.repos.d/docker-ce.repo
yum install docker-ce -y
systemctl start docker
cat > /etc/docker/daemon.json <<EOF
{
  "registry-mirrors": ["https://registry.docker-cn.com"]
}
EOF 
systemctl restart docker

下载镜像
docker pull nginx
docker run --name nginx -p 80:80 -d nginx
docker ps
docker logs -f nginx



镜像：模板
容器：以什么模板启动的微型linux


docker pull 镜像名:版本：拉去镜像
docker rmi  镜像名或id：删除镜像
docker images：获取本地已有镜像
docker run  镜像名或id：使用默认端口启动镜像
docker run -p port:port1 -d 镜像名或id：指定port端口映射到port1，并后台启动镜像


进入容器内部 docker exec -it nginx容器ID /bin/bash
docker ps：查看正在运行的docker容器
docker ps -a：查看所有执行过run命令的容器服务（包括已经停止的容器）
docker stop 容器id：停止某个容器
docker restart 容器id：重启某个容器
docker rm 容器Id：删除某个容器

docker exec -it nginx /bin/bash

3.1、收集docker容器日志

1.生成多个容器
systemctl stop nginx 
docker stop $(docker ps -q)
docker rm $(docker ps -aq)
docker commit nginx nginx:v2
docker run --name nginx -p 80:80 -d nginx
docker run --name mysql -p 8080:80 -d nginx:v2
docker images
docker ps 
docker logs -f nginx
docker logs -f mysql


2.修改filebeat配置文件
filebeat.inputs:
- type: docker
  containers.ids: 
    - '*'
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false 
setup.kibana:
  host: "10.0.0.51:5601"
output.elasticsearch:
  hosts: ["10.0.0.51:9200"]
  index: "docker-nginx-%{[beat.version]}-%{+yyyy.MM}"
setup.template.name: "docker"
setup.template.pattern: "docker-*"
setup.template.enabled: false
setup.template.overwrite: true

3.重启filebeat
systemctl restart filebeat

3.2、按服务类型拆分docker容器日志

1.安装docker-compose
yum install -y python2-pip
2.这里使用pip安装，默认源为国外，可以使用国内加速，相关网站
https://mirrors.tuna.tsinghua.edu.cn/help/pypi/
pip加速操作命令
pip install -i https://pypi.tuna.tsinghua.edu.cn/simple pip -U
pip config set global.index-url https://pypi.tuna.tsinghua.edu.cn/simple
3.继续安装docker-compose
pip install docker-compose
4.检查版本
docker-compose version

5.创建docker-compose配置文件
[root@db03 ~]# cat docker-compose.yml 
version: '3'
services:
  nginx:
    image: nginx:latest
    #设置labels
    labels:
      service: nginx
    #logging设置增加labels.service
    logging:
      options:
        labels: "service"
    ports:
      - "80:80"
  mysql:
    image: nginx:v2
    #设置labels
    labels:
      service: mysql
    #logging设置增加labels.service
    logging:
      options:
        labels: "service"
    ports:
      - "8080:80"


6.使用docker-compose启动docker
docker stop $(docker ps -q)
docker rm $(docker ps -aq)
docker-compose up -d
docker ps 

7.修改filebeat配置文件
filebeat.inputs:
- type: log 
  enabled: true 
  paths:
    - /var/lib/docker/containers/*/*-json.log
  json.keys_under_root: true
  json.overwrite_keys: true

setup.kibana:
  host: "10.0.0.51:5601"

output.elasticsearch:
  hosts: ["10.0.0.51:9200"]
  indices:
    - index: "docker-nginx-access-%{[beat.version]}-%{+yyyy.MM}"
      when.contains:
        attrs.service: "nginx"
        stream: "stdout"
    - index: "docker-nginx-error-%{[beat.version]}-%{+yyyy.MM}"
      when.contains:
        attrs.service: "nginx"
        stream: "stderr"
    - index: "docker-mysql-access-%{[beat.version]}-%{+yyyy.MM}"
      when.contains:
        attrs.service: "mysql"
        stream: "stdout"
    - index: "docker-mysql-error-%{[beat.version]}-%{+yyyy.MM}"
      when.contains:
        attrs.service: "mysql"
        stream: "stderr"

setup.template.name: "docker"
setup.template.pattern: "docker-*"
setup.template.enabled: false
setup.template.overwrite: true    

4、filebeat和logstash配置

filebeat存入redis，logstash从redis读取数据

#filebeat配置
filebeat.inputs:
- type: log
  enabled: true 
  paths:
    - /var/log/nginx/bbs_access.log
  json.keys_under_root: true
  json.overwrite_keys: true
  tags: ["bbs"]

- type: log
  enabled: true 
  paths:
    - /var/log/nginx/www_access.log
  json.keys_under_root: true
  json.overwrite_keys: true
  tags: ["www"]

setup.kibana:
  host: "10.0.0.51:5601"

output.redis:
  hosts: ["localhost"]
  keys:
    - key: "bbs"
      when.contains:
        tags: "bbs"
    - key: "www"
      when.contains:
        tags: "www"
  db: 0
  timeout: 5

setup.template.name: "nginx"
setup.template.pattern: "nginx-*"
setup.template.enabled: false
setup.template.overwrite: true

#redis查看命令
redis-cli 
keys *
llen bbs
llen www


#logstash配置
[root@db01 /data/soft]# cat /etc/logstash/conf.d/redis.conf 
input {
  redis {
    host => "127.0.0.1"
    port => "6379"
    db => "0"
    key => "bbs"
    data_type => "list"
  }

  redis {
    host => "127.0.0.1"
    port => "6379"
    db => "0"
    key => "www"
    data_type => "list"
  }
}



#filter {
#  mutate {
#    convert => ["upstream_time", "float"]
#    convert => ["request_time", "float"]
#  }
#}

output {
    if "bbs" in [tags] {
      stdout {} 
      elasticsearch {
        hosts => "http://10.0.0.51:9200"
        manage_template => false
        index => "nginx-bbs-%{+yyyy.MM}"
      }
    }
   
    if "www" in [tags] {
      stdout {} 
      elasticsearch {
        hosts => "http://10.0.0.51:9200"
        manage_template => false
        index => "nginx-www-%{+yyyy.MM}"
      }
    }
}

#logstash启动命令
/usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/redis.conf

4.1、redis和logstash配置优化

#####filebeat#######
filebeat.inputs:
- type: log
  enabled: true 
  paths:
    - /var/log/nginx/bbs_access.log
  json.keys_under_root: true
  json.overwrite_keys: true
  tags: ["bbs"]

- type: log
  enabled: true 
  paths:
    - /var/log/nginx/www_access.log
  json.keys_under_root: true
  json.overwrite_keys: true
  tags: ["www"]

setup.kibana:
  host: "10.0.0.51:5601"

output.redis:
  hosts: ["localhost"]
  key: "all_keys"
  db: 0
  timeout: 5

setup.template.name: "nginx"
setup.template.pattern: "nginx-*"
setup.template.enabled: false
setup.template.overwrite: true

#######logstash########
input {
  redis {
    host => "127.0.0.1"
    port => "6379"
    db => "0"
    key => "all_keys"
    data_type => "list"
  }

#filter {
#  mutate {
#    convert => ["upstream_time", "float"]
#    convert => ["request_time", "float"]
#  }
#}

output {
    if "bbs" in [tags] {
      stdout {} 
      elasticsearch {
        hosts => "http://10.0.0.51:9200"
        manage_template => false
        index => "nginx-bbs-%{+yyyy.MM}"
      }
    }
   
    if "www" in [tags] {
      stdout {} 
      elasticsearch {
        hosts => "http://10.0.0.51:9200"
        manage_template => false
        index => "nginx-www-%{+yyyy.MM}"
      }
    }
}