20170603 ELK安装 (rpm包安装)

ELK安装

环境安装：

(a)、关闭firewall：

systemctl stop firewalld.service #停止firewall

systemctl disable firewalld.service #禁止firewall开机启动

firewall-cmd --state #查看默认防火墙状态（关闭后显示notrunning，开启后显示running）

(b)、iptables防火墙（这里iptables已经安装，下面进行配置）

vi/etc/sysconfig/iptables #编辑防火墙配置文件

1,elasticsearch

1），安装JDK

yum install java-1.8.0-openjdk -y

java -version            ##查看版本

2），

wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-5.4.0.rpm

wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-5.4.1.rpm

3），yum localinstall elasticsearch-5.4.0.rpm

4），

sudo systemctl daemon-reload      ##没有权限可以使用sudo刷新配置

sudo systemctl enable elasticsearch.service

sudo systemctl status elasticsearch.service

查看状态发现失败错误：服务会起不来，是node环境的问题，把之前的文件全部删掉，全新安装

[[email protected] local]# find / -name "elasticsearch" -exec  rm -rf {} \;

rpm -qa |grep elasticsearch

rpm -e --nodeps elasticsearch-5.4.0-1

5），重新安装后再查看状态已经出来了：

6），查看端口

查看端口

[[email protected] tmp]# lsof -i:9200

COMMAND  PID          USER   FD   TYPE DEVICE SIZE/OFF NODE NAME

java    3994 elasticsearch  112u  IPv6  54287      0t0  TCP localhost:wap-wsp (LISTEN)

java    3994 elasticsearch  113u  IPv6  54288      0t0  TCP localhost:wap-wsp (LISTEN)

端口没监听在ipv4上。

看来下官方文档， elasticsearch默认监听在localhost上，修改配置文件，把127.0.0.1改为本机ip

[[email protected] elasticsearch]# vim elasticsearch.yml

network.host: 10.0.2.15

使用curl访问下

[[email protected] elasticsearch]# curl 10.0.2.15:9200

{

"name" : "Bulldozer",

"cluster_name" : "elasticsearch",

"version" : {

"number" : "2.2.1",

"build_hash" : "d045fc29d1932bce18b2e65ab8b297fbf6cd41a1",

"build_timestamp" : "2016-03-09T09:38:54Z",

"build_snapshot" : false,

"lucene_version" : "5.4.1"

},

"tagline" : "You Know, for Search"

}

使用浏览器访问

http://10.0.2.15:9200/

{

"name" : "Bulldozer",

"cluster_name" : "elasticsearch",

"version" : {

"number" : "2.2.1",

"build_hash" : "d045fc29d1932bce18b2e65ab8b297fbf6cd41a1",

"build_timestamp" : "2016-03-09T09:38:54Z",

"build_snapshot" : false,

"lucene_version" : "5.4.1"

},

"tagline" : "You Know, for Search"

}

7），修改IP和端口后浏览器查看能登入

Es常遇到的问题，

http://www.mamicode.com/info-detail-1663378.html

http://www.bubuko.com/infodetail-1898143.html

http://blog.csdn.net/weini1111/article/details/60468068

[[email protected] ~]# vim /etc/security/limits.conf

* soft nofile 65536

* hard nofile 131072

* soft nproc 2048

* hard nproc 4096

soft nproc: 可打开的文件描述符的最大数(软限制)            *号代表可执行

hard nproc： 可打开的文件描述符的最大数(硬限制)

soft nofile：单个用户可用的最大进程数量(软限制)

hard nofile：单个用户可用的最大进程数量(硬限制)

[[email protected] ~]# vim /etc/elasticsearch/jvm.options      ##根据实际系统 内存来配置

[[email protected] ~]# vim /etc/sysctl.conf

2, elasticesarch-head

1),安装node.js

CentOS7配置Nodejs环境安装记录

http://www.cnblogs.com/charles-dxb/p/5170209.html

linux下安装NPM管理工具

http://www.cnblogs.com/lovelylife/p/3503980.html

[[email protected] local]# curl --silent --location https://rpm.nodesource.com/setup_4.x | bash -

[[email protected] local]# yum install -y nodejs

2）安装phantomjs

[[email protected] src]# wget https://bbuseruploads.s3.amazonaws.com/fd96ed93-2b32-46a7-9d2b-ecbc0988516a/downloads/396e7977-71fd-4592-8723-495ca4cfa7cc/phantomjs-2.1.1-linux-x86_64.tar.bz2?Signature=35G3OMsJ6wyIIBjYhDIa5zG%2FGxE%3D&Expires=1496287129&AWSAccessKeyId=AKIAIWZLQBE7J6CD7UJA&versionId=null&response-content-disposition=attachment%3B%20filename%3D%22phantomjs-2.1.1-linux-x86_64.tar.bz2%22

[[email protected] src]# tar -jxvf phantomjs-2.1.1-linux-x86_64.tar.bz2 -C /usr/local/

tar (child): bzip2：无法 exec: 没有那个文件或目录

tar (child): Error is not recoverable: exiting now

tar: Child returned status 2

tar: Error is not recoverable: exiting now

缺少bzip2包

yum install -y bzip2

[[email protected] src]# vim /etc/profile

export PATH=/usr/local/phantomjs-2.1.1-linux-x86_64/bin:$PATH     ##配置文件后添加

[[email protected] src]# source /etc/profile

3），下载安装elasticsearch-head

[[email protected] src]# yum install -y git

[[email protected] src]# git clone git://github.com/mobz/elasticsearch-head.git

[[email protected] elasticsearch-head]# npm install

npm WARN package.json [email protected] license should be a valid SPDX license expression

[[email protected] elasticsearch-head]# npm run start

> [email protected] start /usr/local/src/elasticsearch-head

> grunt server

Running "connect:server" (connect) task

Waiting forever...

Started connect web server on http://localhost:9100

^C

[[email protected] elasticsearch-head]# npm run start

> [email protected] start /usr/local/src/elasticsearch-head

> grunt server

Running "connect:server" (connect) task

Waiting forever...

Started connect web server on http://localhost:9100

3，logStash部署与配置

1），[[email protected] local]# wget https://artifacts.elastic.co/downloads/logstash/logstash-5.4.0.rpm

https://artifacts.elastic.co/downloads/logstash/logstash-5.4.1.rpm

[[email protected] local]# yum localinstall logstash-5.4.0.rpm

生成SSL证书

由于我们将使用Filebeat将日志从我们的客户端服务器发送到我们的ELK服务器，我们需要创建一个SSL证书和密钥对。 Filebeat使用该证书来验证ELK Server的身份。使用以下命令创建将存储证书和私钥的目录：

使用以下命令（在ELK服务器的FQDN中替换）在适当的位置（/etc/pki/tls/ …）中生成SSL证书和私钥：

2），[[email protected] local]# cd /etc/pki/tls/

[[email protected] tls]# openssl req -subj ‘/CN=ELK_server_fqdn/‘ -x509 -days 3650 -batch -nodes -newkey rsa:2048 -keyout private/logstash-forwarder.key -out certs/logstash-forwarder.crt

3），之后创建logstash 的配置文件。如下：

[[email protected] tls]# vim /etc/logstash/conf.d/01-logstash-initial.conf

input {

beats {

port => 5000

type => "logs"

ssl => true

ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"

ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"

}

}

filter {

if [type] == "syslog-beat" {

grok {

match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }

add_field => [ "received_at", "%{@timestamp}" ]

add_field => [ "received_from", "%{host}" ]

}

geoip {

source => "clientip"

}

syslog_pri {}

date {

match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]

}

}

}

output {

elasticsearch { }

stdout { codec => rubydebug }

}

4），启动logstash，并检查端口，配置文件里，我们写的是5000端口

[[email protected] logstash]# systemctl enable logstash

[[email protected] logstash]# systemctl start logstash

[[email protected] logstash]# systemctl status logstash

相关的配置可以查看配置文件的具体配置

5）， 修改elasticsearch 配置文件

查看目录，创建文件夹es-01（名字不是必须的）,logging.yml是自带的，elasticsearch.yml是创建的文件，内如见下：

[[email protected] logstash]# cd /etc/elasticsearch/

[[email protected] elasticsearch]# tree

.

├── elasticsearch.yml

├── jvm.options

├── log4j2.properties

└── scripts

1 directory, 3 files

[[email protected] elasticsearch]# ll

总用量 16

-rw-rw----. 1 root elasticsearch 2923 6月   1 19:12 elasticsearch.yml

-rw-rw----. 1 root elasticsearch 3117 4月  29 01:45 jvm.options

-rw-rw----. 1 root elasticsearch 4456 4月  29 01:45 log4j2.properties

drwxr-x---. 2 root elasticsearch    6 4月  29 01:45 scripts

[[email protected] elasticsearch]# mkdir es-01      ##创建一个文件夹

[[email protected] elasticsearch]# cd es-01/

[[email protected] es-01]# vim elasticsearch.yml

http:

port: 9200

network:

host: elk.test.com

node:

name: elk.test.com

path:

data: /etc/elasticsearch/data/es-01

5），重启elasticsearch、logstash服务。

[[email protected] ~]# systemctl （stop）start elasticsearch

[[email protected] es-01]# systemctl stop logstash

[[email protected] es-01]# systemctl start logstash

4，安装kibana

1）

[[email protected] local]# wget https://artifacts.elastic.co/downloads/kibana/kibana-5.4.0-x86_64.rpm

2），[[email protected] local]# yum localinstall kibana-5.4.0-x86_64.rpm -y

3），[[email protected] local]# systemctl enable kibana

Created symlink from /etc/systemd/system/multi-user.target.wants/kibana.service to /etc/systemd/system/kibana.service.

4），[[email protected] local]# systemctl start kibana

[[email protected] local]# systemctl status kibana

检查kibana服务运行（Kibana默认 进程名：node ，端口5601）

5），[[email protected] local]# netstat -lnpt

修改防火墙，对外开放tcp/5601

[[email protected] local]# firewall-cmd --permanent --add-port=5601/tcp

FirewallD is not running       ##防火墙没有开可以不设置

[[email protected] elk]# firewall-cmd --reload

success

[[email protected] elk]# firewall-cmd --list-all

[[email protected] local]# vim /etc/kibana/kibana.yml   ##修改配置文件

浏览器访问http://192.168.3.194:5601

5, 客户端部署filebeat

filebeat客户端是一个轻量级的，从服务器上的文件收集日志资源的工具，这些日志转发到处理到Logstash服务器上。该Filebeat客户端使用安全的Beats协议与Logstash实例通信。lumberjack协议被设计为可靠性和低延迟。Filebeat使用托管源数据的计算机的计算资源，并且Beats输入插件尽量减少对Logstash的资源需求。

1),[[email protected] local]# wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-5.4.0-x86_64.rpm

[[email protected] local]# yum localinstall filebeat-5.4.0-x86_64.rpm

[[email protected] certs]# scp [email protected]:/etc/pki/tls/certs/logstash-forwarder.crt /etc/pki/tls/certs/                      ##拷贝ELK节点上的证书logstash-forwarder.crt 到客户端

[[email protected] filebeat]# cd /etc/filebeat/

[[email protected] filebeat]# tree

.

├── filebeat.full.yml

├── filebeat.template-es2x.json

├── filebeat.template-es6x.json

├── filebeat.template.json

└── filebeat.yml

0 directories, 5 files

2),修改的文件有3个，filebeat.yml，是定义连接logstash 服务器的配置。conf.d目录下的2个配置文件是自定义监控日志的，下面看下各自的内容：

filebeat.yml

[[email protected] filebeat]# mkdir conf.d

[[email protected] filebeat]# vim conf.d/authlogs.yml

filebeat:

prospectors:

- paths:

- /var/log/secure

encoding: plain

fields_under_root: false

input_type: log

ignore_older: 24h

document_type: syslog-beat

scan_frequency: 10s

harvester_buffer_size: 16384

tail_files: false

force_close_files: false

backoff: 1s

max_backoff: 1s

backoff_factor: 2

partial_line_waiting: 5s

max_bytes: 10485760

[[email protected] filebeat]# vim conf.d/syslogs.yml

filebeat:

prospectors:

- paths:

- /var/log/messages

encoding: plain

fields_under_root: false

input_type: log

ignore_older: 24h

document_type: syslog-beat

scan_frequency: 10s

harvester_buffer_size: 16384

tail_files: false

force_close_files: false

backoff: 1s

max_backoff: 1s

backoff_factor: 2

partial_line_waiting: 5s

max_bytes: 10485760

修改完成后，启动filebeat服务

插入仪表板