Elastic stack and Metricbeat
Page content
Install Elastic Stack(ELK stack) with docker
mbpr15:elk-wireshark cychong$ git clonehttps://github.com/deviantony/docker-elk.git
git: 'clonehttps://github.com/deviantony/docker-elk.git' is not a git command. See 'git --help'.
mbpr15:elk-wireshark cychong$ git clone https://github.com/deviantony/docker-elk.git
Cloning into 'docker-elk'...
remote: Counting objects: 1235, done.
remote: Total 1235 (delta 0), reused 0 (delta 0), pack-reused 1235
Receiving objects: 100% (1235/1235), 259.29 KiB | 77.00 KiB/s, done.
Resolving deltas: 100% (470/470), done.
mbpr15:elk-wireshark cychong$ cd elk
mbpr15:elk-wireshark cychong$ cd docker-elk/
mbpr15:docker-elk cychong$ ls
LICENSE elasticsearch logstash
README.md extensions
docker-compose.yml kibana
Install ELK with docker-compose
mbpr15:docker-elk cychong$ docker-compose up -d
Creating network "docker-elk_elk" with driver "bridge"
Building elasticsearch
Step 1/1 : FROM docker.elastic.co/elasticsearch/elasticsearch-oss:6.2.4
6.2.4: Pulling from elasticsearch/elasticsearch-oss
469cfcc7a4b3: Pull complete
8e27facfa9e0: Pull complete
cdd15392adc7: Pull complete
19ff08a29664: Pull complete
ddc4fd93fdcc: Pull complete
b723bede0878: Pull complete
Digest: sha256:2d9c774c536bd1f64abc4993ebc96a2344404d780cbeb81a8b3b4c3807550e57
Status: Downloaded newer image for docker.elastic.co/elasticsearch/elasticsearch-oss:6.2.4
---> 3822ba554fe9
Successfully built 3822ba554fe9
Successfully tagged docker-elk_elasticsearch:latest
WARNING: Image for service elasticsearch was built because it did not already exist. To rebuild this image you must use `docker-compose build` or `docker-compose up --build`.
Building logstash
Step 1/1 : FROM docker.elastic.co/logstash/logstash-oss:6.2.4
6.2.4: Pulling from logstash/logstash-oss
469cfcc7a4b3: Already exists
b4cfa2eb1616: Pull complete
ec994fa6fa7f: Pull complete
ccf455902ac6: Pull complete
6d54f3767ae5: Pull complete
af0dd1a720da: Pull complete
457dbabd3f63: Pull complete
f2c481bd6da1: Pull complete
d04342e2b9a1: Pull complete
e8bca7e9b0d9: Pull complete
d0096563f301: Pull complete
Digest: sha256:28668a65f6b6a4f1e2abef7aa3fd3b9c8476a16aa5bebc1a9acf0f7de5b80eef
Status: Downloaded newer image for docker.elastic.co/logstash/logstash-oss:6.2.4
---> 0bade66b6bee
Successfully built 0bade66b6bee
Successfully tagged docker-elk_logstash:latest
WARNING: Image for service logstash was built because it did not already exist. To rebuild this image you must use `docker-compose build` or `docker-compose up --build`.
Building kibana
Step 1/1 : FROM docker.elastic.co/kibana/kibana-oss:6.2.4
6.2.4: Pulling from kibana/kibana-oss
469cfcc7a4b3: Already exists
78e4c5fdc069: Pull complete
d9ecdaefa1b8: Pull complete
c8e48c8f74d7: Pull complete
1606c56cdbff: Pull complete
4e23ce1503d4: Pull complete
d36b703b3f90: Pull complete
da5da7625f92: Pull complete
Digest: sha256:1d1f9bac326bf276010df82a2b4593619f48a5207619e8817c8b20d5a1bb3547
Status: Downloaded newer image for docker.elastic.co/kibana/kibana-oss:6.2.4
---> 32510971af4e
Successfully built 32510971af4e
Successfully tagged docker-elk_kibana:latest
WARNING: Image for service kibana was built because it did not already exist. To rebuild this image you must use `docker-compose build` or `docker-compose up --build`.
Creating docker-elk_elasticsearch_1 ... done
Creating docker-elk_kibana_1 ... done
Creating docker-elk_logstash_1 ... done
mbpr15:docker-elk cychong$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
4fc052e81fae docker-elk_logstash “/usr/local/bin/dock…” 9 minutes ago Up 9 minutes 5044/tcp, 0.0.0.0:5000->5000/tcp, 9600/tcp docker-elk_logstash_1
46f049297c7b docker-elk_kibana “/bin/bash /usr/loca…” 9 minutes ago Up 9 minutes 0.0.0.0:5601->5601/tcp docker-elk_kibana_1
8ff911ebab03 docker-elk_elasticsearch “/usr/local/bin/dock…” 9 minutes ago Up 9 minutes 0.0.0.0:9200->9200/tcp, 0.0.0.0:9300->9300/tcp docker-elk_elasticsearch_1
mbpr15:docker-elk cychong$ curl http://localhost:9200
{
“name” : “npNAiWg”,
“cluster_name” : “docker-cluster”,
“cluster_uuid” : “7nY4KVvNS4epY4Z80NCUZw”,
“version” : {
“number” : “6.2.4”,
“build_hash” : “ccec39f”,
“build_date” : “2018-04-12T20:37:28.497551Z”,
“build_snapshot” : false,
“lucene_version” : “7.2.1”,
“minimum_wire_compatibility_version” : “5.6.0”,
“minimum_index_compatibility_version” : “5.0.0”
},
“tagline” : “You Know, for Search”
}
Open http://localhost:5601 with browser
install metricbeats with docker - check the latest version from elastic.co
docker pull docker.elastic.co/beats/metricbeat:6.2.4
metricbeat 는 시스템 통계 정보를 수집해서 elasticsearch로 보내는 역할을 함.
다양한 모듈들이 modules.d 디렉토리 아래 위치하고, metricbeats.yml은 수집한 정보를 보낼 위치를 변경하는 정도면 기본적인 동작을 확인할 수 있음.
mbpr15:metricbeat-6.2.4-darwin-x86_64 cychong$ tree -f modules.d/
modules.d
├── modules.d/aerospike.yml.disabled
├── modules.d/apache.yml.disabled
├── modules.d/ceph.yml.disabled
├── modules.d/couchbase.yml.disabled
├── modules.d/docker.yml.disabled
├── modules.d/dropwizard.yml.disabled
├── modules.d/elasticsearch.yml.disabled
├── modules.d/etcd.yml.disabled
├── modules.d/golang.yml.disabled
├── modules.d/graphite.yml.disabled
├── modules.d/haproxy.yml.disabled
├── modules.d/http.yml.disabled
├── modules.d/jolokia.yml.disabled
├── modules.d/kafka.yml.disabled
├── modules.d/kibana.yml.disabled
├── modules.d/kubernetes.yml.disabled
├── modules.d/logstash.yml.disabled
├── modules.d/memcached.yml.disabled
├── modules.d/mongodb.yml.disabled
├── modules.d/mysql.yml.disabled
├── modules.d/nginx.yml.disabled
├── modules.d/php_fpm.yml.disabled
├── modules.d/postgresql.yml.disabled
├── modules.d/prometheus.yml.disabled
├── modules.d/rabbitmq.yml.disabled
├── modules.d/redis.yml.disabled
├── modules.d/system.yml
├── modules.d/uwsgi.yml.disabled
├── modules.d/vsphere.yml.disabled
├── modules.d/windows.yml.disabled
└── modules.d/zookeeper.yml.disabled
0 directories, 31 files
아래에서 hosts의 기본값은 localhost이므로, 필요한 경우 elasticisearch가 동작하고 있는 특정 서버의 IP로 변경한다.
#-------------------------- Elasticsearch output ------------------------------
output.elasticsearch:
# Array of hosts to connect to.
hosts: ["192.168.1.70:9200"]
MBPr15와 mini2 에서 각각 metricbeat를 실행해서 metric 정보를 elasticsearch로 보내도록 함.
아래는 기본 yml인 metricbeat.yml에서 위 output부분만 수정하여 memphis.yml로 저장후 사용
mbpr15:metricbeat-6.2.4-darwin-x86_64 cychong$ sudo ./metricbeat -e -c memphis.yml
mini2:metricbeat-6.2.4-darwin-x86_64 cychong$ ./metricbeat -e -c mini2.yaml
이렇게 하면 화면에 주기적으로 elasticsearch로 보내는 정보를 출력한다.(전체 정보는 아닐 듯….) 이렇게 옵션을 주면 화면에 별도의 로그 출력이 없다.
sudo metricbeat -e > /dev/null 2>&1 &
이걸 하긴 했는데 굳이 따로 할 필요는 없는 듯. Kibana에 default dashboard를 생성하는 거라고 하는데(다시 확인해 보자)
sudo ./metricbeat setup -c memphis.yml
mbpr15:~ cychong$ curl -XGET 'localhost:9200/_cat/indices?v&pretty'
health status index uuid pri rep docs.count docs.deleted store.size pri.store.size
yellow open metricbeat-6.2.4-2018.06.01 2WRn5ddLRAm5E7J56pwRXA 5 1 127340 0 35.8mb 35.8mb
yellow open metricbeat-6.2.4-2018.05.31 8dsKJT4ASEadN9CD9-uQ-A 5 1 136 0 317.2kb 317.2kb
green open .kibana tCI5Fu5BTda1gpDNm1cCeQ 1 0 126 14 316.8kb 316.8kb
system 정보를 얻어오는 거라 root 권한이 필요할 듯 한데 지금은 MBPr15에서는 루트 권한으로 그리고 mini2에서는 그냥 개인 계정으로 실행 중
Kibana dashboard
System overview
Host overview - MBPr15
Host overview - mini2
xcode command line update하느라 힘든 mini2. 위 그림보다 CPU utilization이 올라갔다.
On ubuntu
Linux의 경우 deb이나 rpm 패키지를 이용해서 설치할 수 있다. 이 경우 패키지가 설치되면 아래 위치에서 beat 관련 파일을 확인할 수 있다.
$ ls -al /usr/share/metricbeat/
total 228
drwxr-xr-x 4 root root 4096 6월 1 08:48 ./
drwxr-xr-x 404 root root 16384 6월 1 09:32 ../
drwxr-xr-x 2 root root 4096 6월 1 08:48 bin/
-rw-r--r-- 1 root root 41 4월 13 05:25 .build_hash.txt
drwxrwxr-x 4 root root 4096 6월 1 08:48 kibana/
-rw-r--r-- 1 root root 583 4월 13 05:25 LICENSE.txt
-rw-r--r-- 1 root root 190678 4월 13 05:25 NOTICE.txt
-rw-r--r-- 1 root root 806 4월 13 05:25 README.md