[svc] Using the ELK 5.x X-Pack plugin (Elasticsearch 5)

Time: 2022-09-12 23:57:16

Two features wanted:

1. Email log reports

2. Log alerting

Spent half a day testing this and nearly coughed up blood.


1. Installation process -- problems encountered

Install ES first
Then install Kibana
Then install x-pack in the ES directory ()
Install x-pack inside Kibana
Set xpack.security.enabled: false in elasticsearch.yml
Restart ES
Restart Kibana
Visiting IP:9200 works; it tells me to go search.
Visiting IP:5601 the page does not render; the browser says there are too many redirects.
Following the official site I also set xpack.security.enabled: false in kibana.yml,
but Kibana shows no data.


ELK installation (http://bbotte.blog.51cto.com/6205307/1613571)


2. View indices
curl 'http://192.168.14.134:9200/_search?pretty'


3. Install X-Pack
./elasticsearch/bin/elasticsearch-plugin install file:///usr/local/x-pack-5.2.0.zip
./kibana/bin/kibana-plugin install file:///usr/local/x-pack-5.2.0.zip
./logstash/bin/logstash-plugin install file:///usr/local/x-pack-5.2.0.zip


X-Pack installation (https://www.elastic.co/guide/en/x-pack/current/installing-xpack.html)
X-Pack (cracked, version 5.2 only) (http://blog.csdn.net/mvpboss1004/article/details/65445023)

Note: the crack for the latest 5.4 does not work well.

You have to apply for a licence yourself and then modify it.

{"license":{"uid":"7c05f405-6c40-4acb-b2e3-f60e3bd589b4","type":"basic","issue_date_in_millis":1496620800000,"expiry_date_in_millis":1528243199999,"max_nodes":100,"issued_to":"lanny ma (tt100)","issuer":"Web Form","signature":"...","start_date_in_millis":1496620800000}}
{"license":{"uid":"helloworld","type":"platinum","issue_date_in_millis":1486598400000,"expiry_date_in_millis":2524579200999,"max_nodes":1000,"issued_to":"helloworld","issuer":"Web Form","signature":"helloworld","start_date_in_millis":1486598400000}}


Install the licence:

Put license.json at /tmp/license.json, then:
curl -XPUT -u elastic 'http://SID-HZ-ES1:9200/_xpack/license?acknowledge=true' -d @/tmp/license.json

Reference:

https://blog.yourtion.com/install-x-pack-for-elasticsearch-and-kibana.html


4. Test
Feeding data into ES
[root@linux-node1 application]# cat nginx_access.conf
input {
  file {
    path  => ["/var/log/nginx/access.log"]
    codec => "json"
  }
}

output {
  elasticsearch {
    # X-Pack credentials, needed once xpack.security is enabled:
    # user     => "elastic"
    # password => "changeme"
    hosts => ["127.0.0.1:9200"]
    index => "nginx-www-access-%{+YYYY.MM.dd}"
  }
}

# Install nginx and configure its logging
yum install nginx -y

Modify the log format:
log_format json '{"@timestamp": "$time_iso8601",'
                '"@version": "1",'
                '"client": "$remote_addr",'
                '"url": "$uri", '
                '"status": "$status", '
                '"domain": "$host", '
                '"host": "$server_addr",'
                '"size":"$body_bytes_sent", '
                '"response_time": "$request_time", '
                '"referer": "$http_referer", '
                '"http_x_forwarded_for": "$http_x_forwarded_for", '
                '"ua": "$http_user_agent" } ';
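One thing to check before trusting the nginx-www-access index: the log_format above has no escape= parameter, so nginx applies its default escaping, in which a double quote or backslash inside a client-controlled value such as $http_user_agent is written as \x22 or \x5C. That is not a valid JSON escape, so Logstash's json codec cannot decode the line and emits a _jsonparsefailure event instead; the request never lands in the index and never counts toward a Watcher query. nginx's escape=json parameter (log_format, available since 1.11.8) writes JSON-valid escapes instead. The Python below is an added example by the editor, not code from the original post: the helper names are assumptions, the sample request values are constructed, and the two escape functions model the two nginx modes as documented.

```python
import json
from typing import Callable, Dict

# Constructed sample request standing in for the nginx variables the post's
# log_format uses ($remote_addr, $uri, $status, $http_user_agent, ...).
SAMPLE_FIELDS: Dict[str, str] = {
    "@timestamp": "2022-09-12T23:57:16+08:00",
    "@version": "1",
    "client": "192.0.2.10",
    "url": "/login",
    "status": "503",
    "domain": "www.example.test",
    "host": "198.51.100.5",
    "size": "152",
    "response_time": "0.004",
    "referer": "-",
    "http_x_forwarded_for": "-",
    "ua": 'curl/7.61 "probe"',  # a double quote inside a client-supplied header
}


def nginx_escape_default(value: str) -> str:
    """Model nginx's default log_format escaping (no escape= parameter):
    '"', '\\' and bytes below 32 or above 126 are written as \\xXX."""
    out = []
    for byte in value.encode("utf-8"):
        if byte in (0x22, 0x5C) or byte < 32 or byte > 126:
            out.append("\\x%02X" % byte)
        else:
            out.append(chr(byte))
    return "".join(out)


def nginx_escape_json(value: str) -> str:
    """Model nginx's escape=json mode: JSON-valid escapes for quotes,
    backslashes and control characters."""
    simple = {'"': '\\"', '\\': '\\\\', '\n': '\\n', '\r': '\\r',
              '\t': '\\t', '\b': '\\b', '\f': '\\f'}
    out = []
    for ch in value:
        if ch in simple:
            out.append(simple[ch])
        elif ord(ch) < 32:
            out.append("\\u%04x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def render_access_line(fields: Dict[str, str], escape: Callable[[str], str]) -> str:
    """Lay out one access-log line with the same keys as the post's log_format json."""
    body = ", ".join('"%s": "%s"' % (key, escape(value)) for key, value in fields.items())
    return "{" + body + " }"


def parse_like_json_codec(line: str) -> Dict:
    """Mimic what Logstash's json codec does with a line: the decoded event,
    or the raw line kept in `message` and tagged _jsonparsefailure."""
    try:
        return json.loads(line)
    except json.JSONDecodeError:
        return {"message": line, "tags": ["_jsonparsefailure"]}


def event_for(escape: Callable[[str], str]) -> Dict:
    """Render SAMPLE_FIELDS with the given escaping and parse the line back."""
    return parse_like_json_codec(render_access_line(SAMPLE_FIELDS, escape))


if __name__ == "__main__":
    for name, escape in (("default escaping", nginx_escape_default),
                         ("escape=json", nginx_escape_json)):
        event = event_for(escape)
        print(name, "->", "parse failure" if "tags" in event else "ua=%r" % event["ua"])
```

With the default mode the sample line parses to a _jsonparsefailure event; with escape=json the same request comes back with its status and user agent intact. In Kibana, a quick check for the same gap is to search the index for tags:_jsonparsefailure.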

Reference: https://blog.yourtion.com/install-x-pack-for-elasticsearch-and-kibana.html



Alerts

Alerting

The alerting feature in Elasticsearch is not especially smart yet, so here we only take a brief look at how it works; the specifics can be configured from the documentation when you need them.

Simply put, we define the trigger condition ourselves and specify the action to run once it fires. A practical example: if some endpoint has been returning 503 errors for the last ten minutes, send an email notification. Broken down, one possible logic is:

  1. Trigger: run every ten minutes
  2. Input: search an index for log entries whose status is error
  3. Condition: if the number of errors exceeds 5, the condition is considered met
  4. Transform: after triggering, run the search again; its result is available to the subsequent actions
  5. Actions: perform the concrete operation, such as notifying a third-party system or sending an email

Mapped onto the watch definition, the pattern above becomes:

PUT _xpack/watcher/watch/log_errors
{
  "metadata" : {
    "color" : "red"
  },
  "trigger" : {
    "schedule" : {
      "interval" : "5m"
    }
  },
  "input" : {
    "search" : {
      "request" : {
        "indices" : "log-events",
        "body" : {
          "size" : 0,
          "query" : { "match" : { "status" : "error" } }
        }
      }
    }
  },
  "condition" : {
    "compare" : { "ctx.payload.hits.total" : { "gt" : 5 }}
  },
  "transform" : {
    "search" : {
      "request" : {
        "indices" : "log-events",
        "body" : {
          "query" : { "match" : { "status" : "error" } }
        }
      }
    }
  },
  "actions" : {
    "my_webhook" : {
      "webhook" : {
        "method" : "POST",
        "host" : "mylisteninghost",
        "port" : 9200,
        "path" : "/{{watch_id}}",
        "body" : "Encountered {{ctx.payload.hits.total}} errors"
      }
    },
    "email_administrator" : {
      "email" : {
        "to" : "sys.admino@host.domain",
        "subject" : "Encountered {{ctx.payload.hits.total}} errors",
        "body" : "Too many error in the system, see attached data",
        "attachments" : {
          "attached_data" : {
            "data" : {
              "format" : "json"
            }
          }
        },
        "priority" : "high"
      }
    }
  }
}

You can also paste the above into the Dev Tools console in Kibana and run it to try it out.
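Before pointing the watch at a real mailbox, it helps to see how the condition and the action templates behave on a known search response. The Python below is an added example written by the editor, not code from the post or from X-Pack: it builds a watch with the same shape as log_errors (the recipient address is a placeholder), evaluates the compare condition against a constructed Elasticsearch 5.x search response in which hits.total is a number, and renders the {{ctx.payload.hits.total}} mustache placeholder the way the email subject would be rendered. The helper names are assumptions; the operator set is the one Watcher's compare condition accepts (eq, not_eq, gt, gte, lt, lte).

```python
import re
from typing import Any, Dict, Optional, Tuple


def build_error_watch(index: str = "log-events", threshold: int = 5,
                      interval: str = "5m", status: str = "error") -> Dict[str, Any]:
    """Build a watch with the same structure as log_errors: search input,
    compare condition, search transform and an email action."""
    query = {"match": {"status": status}}
    return {
        "trigger": {"schedule": {"interval": interval}},
        "input": {"search": {"request": {
            "indices": index, "body": {"size": 0, "query": query}}}},
        "condition": {"compare": {"ctx.payload.hits.total": {"gt": threshold}}},
        "transform": {"search": {"request": {
            "indices": index, "body": {"query": query}}}},
        "actions": {"email_administrator": {"email": {
            "to": "sys.admin@example.test",  # placeholder recipient
            "subject": "Encountered {{ctx.payload.hits.total}} errors",
            "body": "Too many errors in the system, see attached data",
            "attachments": {"attached_data": {"data": {"format": "json"}}},
            "priority": "high"}}},
    }


# Operators accepted by Watcher's compare condition.
COMPARISONS = {
    "eq": lambda a, b: a == b, "not_eq": lambda a, b: a != b,
    "gt": lambda a, b: a > b, "gte": lambda a, b: a >= b,
    "lt": lambda a, b: a < b, "lte": lambda a, b: a <= b,
}


def lookup(ctx: Dict[str, Any], dotted_path: str) -> Any:
    """Resolve a dotted path such as ctx.payload.hits.total inside the context."""
    node: Any = ctx
    for key in dotted_path.split("."):
        node = node[key]
    return node


def condition_met(watch: Dict[str, Any], payload: Dict[str, Any]) -> bool:
    """Evaluate the watch's compare condition against a search response payload."""
    ctx = {"ctx": {"payload": payload}}
    (path, spec), = watch["condition"]["compare"].items()
    (op, expected), = spec.items()
    return COMPARISONS[op](lookup(ctx, path), expected)


def render_template(template: str, ctx: Dict[str, Any]) -> str:
    """Substitute {{ctx...}} placeholders the way the action templates do."""
    return re.sub(r"\{\{\s*([\w.]+)\s*\}\}",
                  lambda m: str(lookup(ctx, m.group(1))), template)


def dry_run(watch: Dict[str, Any], payload: Dict[str, Any]) -> Tuple[bool, Optional[str]]:
    """Local approximation of executing the watch on a given input: returns
    whether the condition fired and, if so, the rendered email subject."""
    if not condition_met(watch, payload):
        return False, None
    ctx = {"ctx": {"payload": payload, "watch_id": "log_errors"}}
    subject = watch["actions"]["email_administrator"]["email"]["subject"]
    return True, render_template(subject, ctx)


if __name__ == "__main__":
    watch = build_error_watch()
    # Constructed search responses in the Elasticsearch 5.x shape.
    for total in (2, 7):
        print(total, "->", dry_run(watch, {"hits": {"total": total, "hits": []}}))
```

Note that the condition is gt 5, so exactly five errors does not fire. For a dry run against the real cluster, the Watcher execute API (POST _xpack/watcher/watch/log_errors/_execute) accepts alternative_input to feed a payload like the one above and action_modes to simulate actions so that no email or webhook is actually sent.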

Reference (a well-written write-up): http://wdxtub.com/2016/11/19/babel-log-analysis-platform-3/