
Notes on upgrading Elastic Stack from 5.2.2 to 6.0.0


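I recently upgraded the Elastic Stack from version 5.2.2 to 6.0.0, and performance has indeed improved. This document records some of the issues to watch for during the upgrade.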


Figure: architecture diagram

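I. Filebeat

In 6.0 the document_type option of the Filebeat prospectors is disabled, so the old way of getting the document type, topic: '%{[type]}', no longer works. 6.0 introduces fields instead, which the mapping template later on also uses.
1. document_type: yewuname. The index used to be named filebeat-yewuname-2018.01.19, split by day. After the upgrade document_type is not supported and has to be changed to a field carrying the type, as follows:
fields:
  document_type: yewuname

2. The Kafka output also needs its topic changed: topic: '%{[fields.document_type]}'
3. The index generated by Logstash also has to change from index => "filebeat-%{type}-%{+YYYY.MM.dd}" to index => "filebeat-%{[fields][document_type]}-%{+YYYY.MM.dd}", so the final index name is filebeat-yewuname-*
4. Finally, after talking to Elastic support staff I learned that the client-side Filebeat does not have to be upgraded; leaving it does not affect usage.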

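II. Logstash

1. The main change is to the custom mapping template, which changed quite a lot. You can first use the default template to get the format, then modify it to arrive at your own. We use geoip for location, so the related types have to be changed. The final template is as follows: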

cat /etc/logstash/templates/nginx_template
{
  "template" : "filebeat-*",
  "settings" : {
    "index.refresh_interval" : "5s",
    "index.number_of_shards": "8",
    "index.number_of_replicas": "1"
  },
    "mappings": {
      "_default_": {
        "properties": {
          "@timestamp": {
            "type": "date"
          },
          "@version": {
            "type": "text",
            "fields": {
              "keyword": {
                "type": "keyword",
                "ignore_above": 256
              }
            }
          },
          "agent": {
            "type": "text",
            "fields": {
              "keyword": {
                "type": "keyword",
                "ignore_above": 256
              }
            }
          },
          "beat": {
            "type": "object"
          },
          "clientRealIp": {
            "type": "text",
            "fields": {
              "keyword": {
                "type": "keyword",
                "ignore_above": 256
              }
            }
          },
          "geoip": {
            "properties": {
              "city_name": {
                "type": "text",
                "fields": {
                  "keyword": {
                    "type": "keyword",
                    "ignore_above": 256
                  }
                }
              },
              "continent_code": {
                "type": "text",
                "fields": {
                  "keyword": {
                    "type": "keyword",
                    "ignore_above": 256
                  }
                }
              },
              "country_code2": {
                "type": "text",
                "fields": {
                  "keyword": {
                    "type": "keyword",
                    "ignore_above": 256
                  }
                }
              },
              "country_code3": {
                "type": "text",
                "fields": {
                  "keyword": {
                    "type": "keyword",
                    "ignore_above": 256
                  }
                }
              },
              "country_name": {
                "type": "text",
                "fields": {
                  "keyword": {
                    "type": "keyword",
                    "ignore_above": 256
                  }
                }
              },
              "dma_code": {
                "type": "long"
              },
              "ip": {
                "type": "text",
                "fields": {
                  "keyword": {
                    "type": "keyword",
                    "ignore_above": 256
                  }
                }
              },
              "latitude": {
                "type": "float"
              },
              "location": {
                "type": "geo_point"
              },
              "longitude": {
                "type": "float"
              },
              "postal_code": {
                "type": "text",
                "fields": {
                  "keyword": {
                    "type": "keyword",
                    "ignore_above": 256
                  }
                }
              },
              "region_code": {
                "type": "text",
                "fields": {
                  "keyword": {
                    "type": "keyword",
                    "ignore_above": 256
                  }
                }
              },
              "region_name": {
                "type": "text",
                "fields": {
                  "keyword": {
                    "type": "keyword",
                    "ignore_above": 256
                  }
                }
              },
              "timezone": {
                "type": "text",
                "fields": {
                  "keyword": {
                    "type": "keyword",
                    "ignore_above": 256
                  }
                }
              }
            }
          },
          "http_host": {
            "type": "text",
            "fields": {
              "keyword": {
                "type": "keyword",
                "ignore_above": 256
              }
            }
          },
          "method": {
            "type": "text",
            "fields": {
              "keyword": {
                "type": "keyword",
                "ignore_above": 256
              }
            }
          },
          "referrer": {
            "type": "text",
            "fields": {
              "keyword": {
                "type": "keyword",
                "ignore_above": 256
              }
            }
          },
          "request_uri": {
            "type": "text",
            "fields": {
              "keyword": {
                "type": "keyword",
                "ignore_above": 256
              }
            }
          },
          "responsetime": {
            "type": "float"
          },
          "size": {
            "type": "long"
          },
          "status": {
            "type": "text",
            "fields": {
              "keyword": {
                "type": "keyword",
                "ignore_above": 256
              }
            }
          },
          "type": {
            "type": "text",
            "fields": {
              "keyword": {
                "type": "keyword",
                "ignore_above": 256
              }
            }
          },
          "upstreamhost": {
            "type": "text",
            "fields": {
              "keyword": {
                "type": "keyword",
                "ignore_above": 256
              }
            }
          },
          "url": {
            "type": "text",
            "fields": {
              "keyword": {
                "type": "keyword",
                "ignore_above": 256
              }
            }
          }
        }
      }
    }
}

2. Some parameters of the elasticsearch output are no longer supported. flush_size has to be commented out, otherwise Logstash reports the error: The setting flush_size in plugin elasticsearch is obsolete and is no longer available. This setting is no longer available as we now try to restrict bulk requests to sane sizes. See the 'Batch Sizes' section of the docs.

output {    
  elasticsearch {
    hosts => ["192.168.88.240:9200","192.168.88.241:9200","192.168.88.242:9200","192.168.88.243:9200","192.168.88.244:9200"]
    index => "filebeat-%{[fields][document_type]}-%{+YYYY.MM.dd}"
    manage_template => true
    template_overwrite => true
    template_name => "nginx_template"
    template => "/etc/logstash/templates/nginx_template"
    #flush_size => 20000
    #idle_flush_time => 5
  }
} 
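
A pre-upgrade check for the Filebeat and Logstash changes listed above, as an added example that is not part of the original post. The function names lint_5x and demo_lint and the sample fragment are constructed, and the patterns cover only the constructs this page mentions.

```shell
#!/bin/sh
# Added example, not from the original post.
# lint_5x FILE...: print "file:line: finding" for each 5.x-only construct
# this page names; returns 1 if any was found, 0 otherwise.
lint_5x() {
  awk '
    function report(msg) { printf "%s:%d: %s\n", FILENAME, FNR, msg; bad = 1 }
    FNR == 1 { in_fields = 0 }                   # new file: reset YAML state
    /^[ \t]*#/ || /^[ \t]*$/ { next }            # skip comments and blanks
    { match($0, /^ */); ind = RLENGTH }          # indentation of this line
    in_fields && ind <= fields_ind { in_fields = 0 }
    /^ *fields:[ \t]*$/ { in_fields = 1; fields_ind = ind; next }
    /^ *(- *)?document_type:/ && !in_fields {
      report("document_type outside fields: is disabled in Filebeat 6.0") }
    index($0, "%{[type]}") {
      report("%{[type]} no longer works, use %{[fields.document_type]}") }
    index($0, "%{type}") {
      report("%{type} must become %{[fields][document_type]}") }
    /^[ \t]*flush_size[ \t]*=>/ {
      report("flush_size is obsolete in the elasticsearch output") }
    END { exit bad + 0 }
  ' "$@"
}

# Constructed sample: a 5.x-style Filebeat fragment with two findings.
demo_lint() {
  tmp=$(mktemp) || return 1
  cat > "$tmp" <<'EOF'
filebeat.prospectors:
- input_type: log
  document_type: yewuname
output.kafka:
  topic: '%{[type]}'
EOF
  rc=0; lint_5x "$tmp" || rc=$?
  rm -f "$tmp"
  return "$rc"
}

demo_lint || echo "fix the findings above before switching to 6.0"
```

Commented-out settings such as #flush_size are ignored, so the corrected output block above passes cleanly.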

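III. Elasticsearch

The main change is that in this version an index supports only one type.
Elastic provides a rolling upgrade procedure. I tried following its steps without success, and in the end deleted the data and did a hard upgrade. If you want to try it, the steps are below.
Rolling upgrade:
https://www.elastic.co/guide/en/elasticsearch/reference/5.6/rolling-upgrades.html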

1. Disable shard allocation
Example:

curl -XPUT '192.168.88:9200/_cluster/settings?pretty' -H 'Content-Type: application/json' -d'
{
  "transient": {
    "cluster.routing.allocation.enable": "none"
  }
}
'

Example:

curl -XPUT '192.168.88:9200/_cluster/settings?pretty' -H 'Content-Type: application/json' -d'
> {
>   "transient": {
>     "cluster.routing.allocation.enable": "none"
>   }
> }
> '
{
  "acknowledged" : true,
  "persistent" : { },
  "transient" : {
    "cluster" : {
      "routing" : {
        "allocation" : {
          "enable" : "none"
        }
      }
    }
  }
}

2. Stop non-essential indexing and perform a synced flush (Optional)
curl -XPOST '192.168.88:9200/_flush/synced?pretty'
Optional; skipped.

3. Stop and upgrade a single node
/etc/init.d/elasticsearch stop
rpm -e elasticsearch-5.2.2-1.noarch
rpm -ivh elasticsearch-6.0.0.rpm
chkconfig --add elasticsearch
chkconfig elasticsearch on
cp elasticsearch.yml.rpmsave elasticsearch.yml
Mind the permissions: after removing and reinstalling the rpm package, the uid and gid of elasticsearch change.
chown elasticsearch:elasticsearch /data/eslog/ -R
chown elasticsearch:elasticsearch /data/esngx1/ -R
chown elasticsearch:elasticsearch /data/esngx2/ -R

4. Upgrade any plugins
No third-party plugins; skipped.

5. Start the upgraded node
curl -XGET '192.168.88:9200/_cat/nodes?pretty'

6. Reenable shard allocation

curl -XPUT '192.168.88:9200/_cluster/settings?pretty' -H 'Content-Type: application/json' -d'
{
  "transient": {
    "cluster.routing.allocation.enable": "all"
  }
}
'

7. Wait for the node to recover
curl -XGET '192.168.88:9200/_cat/health?pretty'
curl -XGET '192.168.88:9200/_cat/recovery?pretty'

8. Repeat
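
The per-node steps above, written as shell functions that refuse to continue until the cluster confirms each step (an added example, not part of the original post or of Elastic's guide). ES_HOST and all function names are assumptions, and the retry counts are arbitrary.

```shell
#!/bin/sh
# Added example, not from the original post. ES_HOST is a placeholder
# (assumption): point it at one HTTP endpoint of the cluster.
ES_HOST="${ES_HOST:-localhost:9200}"

# es METHOD PATH [JSON_BODY]: one request against the cluster.
es() {
  if [ "$#" -ge 3 ]; then
    curl -sS -X "$1" "http://$ES_HOST$2" \
      -H 'Content-Type: application/json' -d "$3"
  else
    curl -sS -X "$1" "http://$ES_HOST$2"
  fi
}

# Steps 1 and 6: succeed only when the cluster acknowledges the change.
set_allocation() {
  case "$1" in none|all) ;; *) echo "refusing value: $1" >&2; return 2 ;; esac
  es PUT /_cluster/settings \
    "{\"transient\":{\"cluster.routing.allocation.enable\":\"$1\"}}" |
    grep -q '"acknowledged" *: *true'
}

# wait_until TRIES DELAY CMD...: retry CMD until it succeeds or tries run out.
wait_until() {
  tries=$1; delay=$2; shift 2
  while [ "$tries" -gt 0 ]; do
    if "$@"; then return 0; fi
    tries=$((tries - 1)); sleep "$delay"
  done
  return 1
}

# Step 5: the upgraded node is listed again. Step 7: health is green.
node_joined() { es GET '/_cat/nodes?h=name' | sed 's/ *$//' | grep -qxF -- "$1"; }
cluster_green() { [ "$(es GET '/_cat/health?h=status' | tr -d ' \n')" = green ]; }

# Step 3 note: list paths the reinstalled account does not own.
wrong_owner() { owner=$1; shift; find "$@" ! -user "$owner" -print; }

# Steps 5 to 7 for one node, stopping at the first gate that fails.
after_node_upgrade() {
  wait_until 60 5 node_joined "$1" || { echo "node $1 not in cluster" >&2; return 1; }
  set_allocation all || { echo "allocation not re-enabled" >&2; return 1; }
  wait_until 360 10 cluster_green || { echo "cluster not green" >&2; return 1; }
}
```

Running wrong_owner elasticsearch /data/eslog before the recursive chown shows exactly which paths the uid/gid change affected, instead of rewriting ownership blindly.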

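IV. Kibana

1. The index name is the type field plus a wildcard.
2. After exporting the old visualize templates, change .raw to .keyword in all of the visualizations. When importing, each dashboard must correspond one-to-one with its index.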

V. Grafana

Likewise, change the data source's index name and, in the query syntax, the .raw keyword to .keyword.
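
For the .raw to .keyword change described in the Kibana and Grafana sections, a rewrite limited to field references, with everything else reported for manual review (an added example, not part of the original post). The function names are hypothetical and the sample follows the shape assumed here for a Kibana 5.x saved-objects export.

```shell
#!/bin/sh
# Added example, not from the original post.

# raw_to_keyword: stdin = exported saved objects or dashboard JSON,
# stdout = copy with .raw -> .keyword on values of a "field" key only.
# First rule: JSON nested in a string (\"field\":\"x.raw\"), as in
# visState; second rule: plain JSON ("field": "x.raw").
raw_to_keyword() {
  sed -E \
    -e 's/(\\"field\\": *\\"[^"\\]*)\.raw\\"/\1.keyword\\"/g' \
    -e 's/("field": *"[^"\\]*)\.raw"/\1.keyword"/g'
}

# remaining_raw: numbered lines that still mention .raw (query strings,
# titles), left for manual review instead of blind replacement.
remaining_raw() { grep -n '\.raw' || true; }

# Constructed sample in the shape assumed for a Kibana 5.x export.
sample_export() {
  cat <<'EOF'
[
  {
    "_id": "nginx-status",
    "_type": "visualization",
    "_source": {
      "title": "status.raw top 10",
      "visState": "{\"aggs\":[{\"type\":\"terms\",\"params\":{\"field\":\"status.raw\"}}]}",
      "kibanaSavedObjectMeta": {
        "searchSourceJSON": "{\"query\":{\"query_string\":{\"query\":\"method.raw:GET\"}}}"
      }
    }
  }
]
EOF
}

sample_export | raw_to_keyword | remaining_raw
```

On the sample, the aggregation field is rewritten while the title and the query string are listed by remaining_raw, since a global replace would also change text that is not a field name.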

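VI. Elastalert

When I deployed it, the latest version at https://github.com/Yelp/elastalert/releases was v0.1.25, which did not yet support Elasticsearch 6.0. Following https://github.com/Yelp/elastalert/pull/1426, I modified four files under /root/elastalert-0.1.25/elastalert (elastalert.py, create_index.py, ruletypes.py and test_rule.py) and then installed it. (Note: afterwards the directory can be copied to other servers and installed directly, without modifying the source again.)
The v0.1.26 release now supports Elasticsearch 6.0, so simply updating to the new version is enough.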

VII. The other components (Kafka, nginx, etc.) need no adjustment.
