Elastic Stack 8

Elastic Stack 8 EP 4: Logstash & Kafka – Collection and Buffering

What Is Logstash?

Logstash is a key component of the data-processing pipeline: with a simple configuration it writes source data into Elasticsearch. Logstash is not limited to Elasticsearch, though; in principle it can serve as an ETL tool, moving data between different sources and destinations and transforming or computing over the data in transit, which is a very typical data-pipeline pattern.

[Figure: Logstash]
Image source: https://tomme.me/hello-world-series-logstash/

In practice, within the ELK framework Logstash more often plays a buffering role. Consider an environment with 100 to 200 servers: if several hundred MB per second hit Elasticsearch directly, it may not fail, but it will be under noticeable load. If the servers' logs are sent to Logstash first, pre-processed, and then written into Elasticsearch in order, the data may arrive with some delay, but Elasticsearch is not a transactional system, and a reasonable delay is acceptable.

Kafka's Key Role

In a large-scale deployment, besides collecting data from hundreds, thousands or even tens of thousands of servers, there are real-time log streams from applications and network devices, which can run to millions of events per second. Scaling the Logstash cluster horizontally is one option, but what if a single solution could meet the need? That is Kafka, which excels at handling huge volumes of data with very high performance.

Using Kafka first as the ingestion pipe for the bulk of the data, and then letting Logstash consume it bit by bit, achieves high volume, high throughput and low cost. The overall architecture is shown in the figure below: logs can be sent to Kafka or directly to Logstash, and the collection method can be chosen per source according to requirements and practical constraints.

[Figure: log collection architecture with Kafka and Logstash]

Installing and Configuring Kafka

Install Kafka by following the earlier article:

Create a topic; this article uses a topic named "jovepater_log". In a real environment you can create several topics for different data sources or data types, which makes management easier.

Installing and Configuring Logstash

Step 1: download and install Logstash.

$ cd /tmp/
$ wget https://artifacts.elastic.co/downloads/logstash/logstash-8.2.0-x86_64.rpm
$ yum install logstash-8.2.0-x86_64.rpm -y

Step 2: with an RPM install, the files are placed in the directories below (see the official site for the directory layout of other installation methods):

Type      Description                                  Default directory             Setting
home      Logstash installation directory              /usr/share/logstash           -
bin       Logstash executables                         /usr/share/logstash/bin       -
settings  Settings files                               /etc/logstash                 path.settings
conf      Pipeline configuration files                 /etc/logstash/conf.d/*.conf   see /etc/logstash/pipelines.yml
logs      Log files                                    /var/log/logstash             path.logs
plugins   Plugin files                                 /usr/share/logstash/plugins   path.plugins
data      Data produced by Logstash or its plugins     /var/lib/logstash             path.data

Step 3: copy the sample configuration logstash-sample.conf into the conf.d/ directory and name it "logstash-from-kafka.conf".

$ cp logstash-sample.conf conf.d/logstash-from-kafka.conf

Step 4: edit the pipeline configuration file.

$ vi logstash-from-kafka.conf

input {
  kafka {
    bootstrap_servers => "lab-kafka.example.com:9092"
    topics => ["jovepater_log"]
    group_id => "logstash_kafka"
  }
}

output {
  elasticsearch {
    hosts => ["https://lab-elk-1.example.com:9200", "https://lab-elk-2.example.com:9200", "https://lab-elk-3.example.com:9200"]
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    user => "${es_user}"
    password => "${es_pwd}"
    cacert => "/etc/logstash/http_ca.crt"
  }
}

Step 5: reset the password of the Elasticsearch "logstash_system" user, which Logstash will use to authenticate.

$ /usr/share/elasticsearch/bin/elasticsearch-reset-password -u logstash_system

This tool will reset the password of the [logstash_system] user to an autogenerated value.
The password will be printed in the console.
Please confirm that you would like to continue [y/N]y


Password for the [logstash_system] user successfully reset.
New value: UvIdmpbRTpK6nf*Z52_W

Step 6: set up the keystore: create it, then add the ES_USER and ES_PWD entries that the ${es_user} and ${es_pwd} references in the pipeline configuration resolve to.

$ /usr/share/logstash/bin/logstash-keystore --path.settings /etc/logstash create

Using bundled JDK: /usr/share/logstash/jdk
OpenJDK 64-Bit Server VM warning: Option UseConcMarkSweepGC was deprecated in version 9.0 and will likely be removed in a future release.
Sending Logstash logs to /var/log/logstash which is now configured via log4j2.properties

WARNING: The keystore password is not set. Please set the environment variable `LOGSTASH_KEYSTORE_PASS`. Failure to do so will result in reduced security. Continue without password protection on the keystore? [y/N] y
[2022-05-30T01:32:29,845][INFO ][org.logstash.secret.store.backend.JavaKeyStore] Created Logstash keystore at /etc/logstash/logstash.keystore
Created Logstash keystore at /etc/logstash/logstash.keystore

$ /usr/share/logstash/bin/logstash-keystore --path.settings /etc/logstash add es_user
Using bundled JDK: /usr/share/logstash/jdk
OpenJDK 64-Bit Server VM warning: Option UseConcMarkSweepGC was deprecated in version 9.0 and will likely be removed in a future release.
Sending Logstash logs to /var/log/logstash which is now configured via log4j2.properties

Enter value for ES_USER: *******************
Added 'es_user' to the Logstash keystore.

$ /usr/share/logstash/bin/logstash-keystore --path.settings /etc/logstash add es_pwd
Using bundled JDK: /usr/share/logstash/jdk
OpenJDK 64-Bit Server VM warning: Option UseConcMarkSweepGC was deprecated in version 9.0 and will likely be removed in a future release.
Sending Logstash logs to /var/log/logstash which is now configured via log4j2.properties

Enter value for ES_PWD: *******************
Added 'es_pwd' to the Logstash keystore.
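A pre-flight check for steps 4 and 6, added here as an example (it is not part of the original post): it lists every ${VAR} reference in a pipeline file, compares that list against the key names printed by `logstash-keystore --path.settings /etc/logstash list`, and flags any password that is written as a literal instead of a keystore reference. The comparison ignores case because the keystore tool above echoed es_user as ES_USER. The keystore.list file name is an assumption, and the optional `--config.test_and_exit` run needs Logstash installed on the host.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed layout: pipeline files under
# /etc/logstash/conf.d, settings under /etc/logstash, and a keystore.list file
# produced with:
#   /usr/share/logstash/bin/logstash-keystore --path.settings /etc/logstash list > keystore.list

# Print every ${NAME} referenced in the given pipeline files, one per line,
# lower-cased and de-duplicated (the keystore tool shows names in upper case,
# so the comparison is done case-insensitively).
pipeline_vars() {
    grep -ho '\${[A-Za-z0-9_]*}' "$@" 2>/dev/null \
        | sed 's/^\${//; s/}$//' \
        | tr '[:upper:]' '[:lower:]' \
        | sort -u
}

# Print referenced variables that are absent from the keystore listing.
# $1 = pipeline file, $2 = file holding the output of `logstash-keystore list`.
missing_vars() {
    keys=$(tr '[:upper:]' '[:lower:]' < "$2" | sort -u)
    for v in $(pipeline_vars "$1"); do
        echo "$keys" | grep -qx "$v" || echo "$v"
    done
}

# Print password-type settings whose value is a literal rather than a ${VAR}
# reference, i.e. secrets that belong in the keystore, prefixed with the line number.
literal_secrets() {
    grep -nE '^[[:space:]]*(password|ssl_keystore_password|ssl_truststore_password)[[:space:]]*=>' "$@" \
        | grep -v '\${' || true
}

# Full check: report problems and return 1 if any were found.
# Set RUN_CONFIG_TEST=1 to also run Logstash's own syntax check.
preflight() {
    conf="$1"; keylist="$2"; rc=0
    m=$(missing_vars "$conf" "$keylist")
    if [ -n "$m" ]; then
        echo "missing from keystore: $m"; rc=1
    fi
    s=$(literal_secrets "$conf")
    if [ -n "$s" ]; then
        echo "literal secret in pipeline: $s"; rc=1
    fi
    if [ "${RUN_CONFIG_TEST:-0}" = 1 ]; then
        /usr/share/logstash/bin/logstash --path.settings /etc/logstash \
            --config.test_and_exit -f "$conf" || rc=1
    fi
    return "$rc"
}

# Usage on the pipeline from step 4:
#   preflight /etc/logstash/conf.d/logstash-from-kafka.conf keystore.list
```

Run it before `systemctl start logstash`: a non-zero exit means either a ${VAR} has no keystore entry (Logstash would then start with an empty credential and fail authentication) or a credential is sitting in clear text in conf.d.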

Step 7: start Logstash.

$ systemctl start logstash
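Once Logstash is running, the buffering role described earlier can be measured as consumer lag: how far the logstash_kafka consumer group (the group_id in the pipeline above) is behind the jovepater_log topic. The script below is an added example, not from the original post. It parses the output of Kafka's kafka-consumer-groups.sh --describe (assumed to be on PATH, with the standard GROUP / TOPIC / PARTITION / CURRENT-OFFSET / LOG-END-OFFSET / LAG / CONSUMER-ID / HOST / CLIENT-ID columns) and reports total lag and partitions that have no consumer assigned; the lag threshold is a placeholder to tune per environment.

```shell
#!/bin/sh
# Added example, not from the original post. Reads `kafka-consumer-groups.sh
# --describe` output on stdin; the Kafka CLI location and column layout are
# assumptions, see the lead-in.

# Sum the LAG column (6th) over all partitions of the given topic, skipping the
# header and any partition that has no numeric lag yet.
total_lag() {  # $1 = topic, stdin = describe output
    awk -v topic="$1" \
        '$1 !~ /^GROUP/ && $2 == topic && $6 ~ /^[0-9]+$/ { s += $6 } END { print s + 0 }'
}

# Print partition numbers of the topic that currently have no consumer assigned
# (CONSUMER-ID shown as "-"); these are partitions Logstash is not draining at all.
unassigned_partitions() {  # $1 = topic, stdin = describe output
    awk -v topic="$1" '$1 !~ /^GROUP/ && $2 == topic && $7 == "-" { print $3 }'
}

# Exit non-zero when lag exceeds a threshold, so this can feed a monitoring job.
check_lag() {  # $1 = topic, $2 = max acceptable lag, stdin = describe output
    lag=$(total_lag "$1")
    if [ "$lag" -gt "$2" ]; then
        echo "WARN: $1 lag=$lag exceeds $2 (Logstash is falling behind)"
        return 1
    fi
    echo "OK: $1 lag=$lag"
}

# Live use (assumed paths; 10000 is a placeholder threshold):
#   kafka-consumer-groups.sh --bootstrap-server lab-kafka.example.com:9092 \
#       --describe --group logstash_kafka > /tmp/group.txt
#   check_lag jovepater_log 10000 < /tmp/group.txt
#   unassigned_partitions jovepater_log < /tmp/group.txt
```

Steadily growing lag means the Elasticsearch output cannot keep up and the Kafka buffer is filling; a partition with no consumer after startup usually means Logstash is not actually consuming, which is where the two reminders below become relevant.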

Special Reminders

Reminder 1:

When Logstash is started with systemctl, some error messages are not shown properly. If problems persist, run the command below instead; it prints all messages to the terminal, which is handy for collecting debugging information.

$ /usr/share/logstash/bin/logstash --path.settings=/etc/logstash/


Reminder 2:

[2022-06-04T18:04:25,986][ERROR][logstash.outputs.elasticsearch][main] Failed to install template {:message=>"Got response code '403' contacting Elasticsearch at URL 'https://lab-elk.example.com:9200/_index_template/ecs-logstash'", :exception=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::BadResponseCodeError, :backtrace=> ...

The "logstash_system" account has limited privileges, and in certain versions or situations this prevents Logstash from fetching the template, producing the 403 error above. It is suggested to use "elastic" for the first start until the default setup is complete, then switch back to "logstash_system"; alternatively, temporarily grant "logstash_system" higher privileges in Kibana.

~ END ~
