Hi everyone, long time no see.
Homebrew and JAVA JDK are required to install ELK. If you do not have it installed, please put it in first. Homebrew Under my working path
$ mkdir homebrew && curl -L https://github.com/Homebrew/brew/tarball/master | tar xz --strip 1 -C homebrew
Java SDK Please refer to Oracle's ** Java SE Downloads **. I chose JDK 8 just in case.
ELK
ELK stack is a general term for Elasticsearch's three products: Elasticsearch (analysis) + Logstash (collection) + Kibana (visualization). (When it actually moves, it moves according to the LEK flow) Elasticsearch Elasticsearch is an open source full-text search engine developed by Elastic. You can quickly extract documents containing the desired word from a large number of documents.
You can't use SQL statements because Elasticsearch is not a relational database. Operate using the RESTful interface instead.
This time, Elasticsearch 6.2.4 will be used.
$ brew install elasticsearch
First, you will find ʻelasticsearch.yml`.
$ brew info elasticssearch
I think that such information will come out.
...(Blah Blah Blah)...
Data: /usr/local/var/lib/elasticsearch/elasticsearch_JP23417/
Logs: /usr/local/var/log/elasticsearch/elasticsearch_JP23417.log
Plugins: /usr/local/var/elasticsearch/plugins/
Config: /usr/local/etc/elasticsearch/
...(Blah Blah Blah)...
ʻElasticsearch.yml is under the path in
Config. Open it and change
network.host` to your actual IP address. This time I will build it in the local environment, so I uncommented it and set it like this.
network.host: localhost
Start Elasticsearch with brew services elasticsearch start
.
Elasticsearch runs on port 9200 by default, so if you go to http: // localhost: 9200, you'll see this information.
{
"name" : "ry1EXQC",
"cluster_name" : "elasticsearch",
"cluster_uuid" : "ZMYVLV-eR-G5hBrQ6QmSGA",
"version" : {
"number" : "6.2.4",
"build_hash" : "ccec39f",
"build_date" : "2018-04-12T20:37:28.497551Z",
"build_snapshot" : false,
"lucene_version" : "7.2.1",
"minimum_wire_compatibility_version" : "5.6.0",
"minimum_index_compatibility_version" : "5.0.0"
},
"tagline" : "You Know, for Search"
}
Logstash Logstash is an open source server-side data processing pipeline. It captures data from a huge number of sources at the same time, transforms it, and sends it to your favorite hangar (stash). The recommended stash is, of course, Elasticsearch.
This time, Logstash 6.2.4 will be used.
$ brew install logstash
$ brew services start logstash
Logstash actually works in conjunction with the config. You need to place a different config for each scene. You should be able to run Kibana with this for the time being, so I will explain in detail later.
Kibana Kibana is an easy visualization tool for Elasticsearch data.
This time I will use Kibana 6.2.4.
$ brew install kibana
First, you'll find kibana.yml
.
$ brew info kibana
I think that such information will come out.
...(Blah Blah Blah)...
Config: /usr/local/etc/kibana/
...(Blah Blah Blah)...
kibana.yml
is under the path in Config
.
Open it and change server.port
and ʻelasticsearch.url` to the ones you actually use. This time, I set it like this with the default settings.
...(Blah Blah Blah)...
server.port: 5601
...(Blah Blah Blah)...
elasticsearch.url: "http://localhost:9200”
...(Blah Blah Blah)...
If you can do this, you should be able to see it from http: // localhost: 5601 / status. A screen like this will appear.
This time, we will create a tool to send logs to Elasticsearch by TCP.
I think that some IDE will automatically generate a Maven project, but please use it. There is no problem if it is generated in this way. For your reference. The package name this time is log4j2.local (actually anything is fine).
In other words, it's the contents of pom.xml
.
Add the following to the dependencies
tag.
pom.xml
<dependencies>
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-api</artifactId>
<version>2.8.2</version>
</dependency>
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-core</artifactId>
<version>2.8.2</version>
</dependency>
</dependencies>
In other words, it is the contents of log4j2.xml
. Log4j2 decides where to send the log accordingly.
This time, of course, it will be sent to Elasticsearch via Logstash, but considering the ease of debugging, I made it output to Console for the time being.
log4j2.xml
<configuration status="OFF">
<appenders>
<Socket name="Logstash" host="localhost" port="9601" protocol="TCP">
<PatternLayout pattern="%d|%t|%p|%c|%L|%m%n" />
</Socket>
<Console name="Console" target="SYSTEM_OUT">
<PatternLayout pattern="%d|%t|%p|%c|%L|%m%n" />
</Console>
</appenders>
<loggers>
<root level="all">
<AppenderRef ref="Logstash"/>
<appender-ref ref="Console"/>
</root>
</loggers>
</configuration>
If you want to personalize, please refer to ** This page **.
This is the behavior to output the log.
Main.java
package log4j2.local;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.ThreadContext;
public class Main {
private static Logger logger = LogManager.getLogger("test");
public static void main(String[] args) {
logger.error("Error message");
}
}
When you do this, you'll see a log like this in the Console. (Of course, it is not saved in Elasticsearch because it is not connected to Logstash yet.)
2018-09-12 12:55:13,962|main|ERROR|test|13|Error message
You can use any path you like and create logstash-tcp.conf. (Since it is tcp communication, I just gave it this name.)
By default, Logstash can use all ports 9600-9700
, so this time we will use port 9601. (Be sure to use the same port ** as the <Socket>
tag of log4j2.xml
.)
logstash-tcp.conf
input {
tcp {
host => "localhost"
port => "9601"
mode => "server"
type => "eslocallogger"
}
}
filter {
mutate{
split => ["message","|"]
add_field => {
"Datetime" => "%{[message][0]}"
}
add_field => {
"Classname" => "%{[message][1]}"
}
add_field => {
"Level" => "%{[message][2]}"
}
add_field => {
"Logger" => "%{[message][3]}"
}
add_field => {
"Message" => "%{[message][5]}"
}
}
}
output {
stdout {
codec => rubydebug
}
elasticsearch {
hosts => "localhost:9200"
}
}
I used Filter to separate the Schemas here, but the default columns are automatically parsed even if I don't use them.
(Here, the error messages that come into Logstash are separated by |
.)
$ brew services stop logstash
$ logstash -f ./logstash-tcp.conf --experimental-java-execution
With the --experimental-java-execution
flag, it will run on the JAVA engine.
For more information, please see ** Meet the New Logstash Java Execution Engine **. Certainly, that will greatly increase the throughput.
Console
2018-09-12 18:05:39,737|main|ERROR|test|13|Error message
Logstash Console
[2018-09-12T18:05:40,464][DEBUG][logstash.pipeline ] Pushing flush onto pipeline {:pipeline_id=>"main", :thread=>"#<Thread:0x5caa3237 sleep>"}
{
"Level" => "ERROR",
"@timestamp" => 2018-09-12T09:05:39.847Z,
"Logger" => "test",
"port" => 60614,
"message" => [
[0] "2018-09-12 18:05:39,737",
[1] "main",
[2] "ERROR",
[3] "test",
[4] "13",
[5] "Error message"
],
"type" => "eslocallogger",
"Message" => "Error message",
"Datetime" => "2018-09-12 18:05:39,737",
"host" => "localhost",
"@version" => "1",
"Classname" => "main"
}
Kibana
If you go to Kibana's ** Management ** screen and reload, you should see a screen like this.
Go to Next step
, set filter
to @timestamp
and click Create index pattern
to start index visualization.
When you enter the Discover
screen, you can see the data on the time axis.
For details, please refer to ** How to use Kibana **.
Installing the ELK Stack on Mac OS X ElasticSearch + Logstash + Kibana + log4j2 Official 6.1.1 Edition Anguist Arrangement Use like LogStash Filter Elastic Stack
Recommended Posts