ELK installation
Environment setup:
(a) Stop firewalld:
systemctl stop firewalld.service #stop firewalld
systemctl disable firewalld.service #keep firewalld from starting at boot
firewall-cmd --state #show the firewall state (prints "not running" once stopped, "running" when active)
With the host firewall off, every port used below (9200 for Elasticsearch, 9100 for elasticsearch-head, 5000 for the Logstash beats input, 5601 for Kibana) is reachable from any host that can route to this machine, and none of Elasticsearch 5.x, elasticsearch-head or Kibana 5.x authenticates requests out of the box. On anything other than an isolated lab VM, keep the firewall running and open only the ports you need (the Kibana section below shows firewall-cmd --permanent --add-port for that).
(b) iptables (iptables is already installed here; configure it as follows)
vi /etc/sysconfig/iptables #edit the firewall rule file
1, elasticsearch
1), Install the JDK
yum install java-1.8.0-openjdk -y
java -version ##check the installed version
2), Download the RPM (5.4.0 is installed below; the 5.4.1 URL is listed as an alternative)
wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-5.4.0.rpm
wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-5.4.1.rpm
3), yum localinstall elasticsearch-5.4.0.rpm
4),
sudo systemctl daemon-reload ##use sudo if the current user lacks permission to reload the unit files
sudo systemctl enable elasticsearch.service
sudo systemctl status elasticsearch.service
The status showed the service failing to start; the cause was the existing node environment (leftovers from an earlier install), so everything from the earlier install was removed and it was reinstalled from scratch. Before wiping anything, read the reason for the failure from /var/log/elasticsearch/elasticsearch.log (or the unit's journal): a bootstrap-check or permissions failure is a configuration fix, not a reinstall. If you do remove it, remove the package first and then the leftover directories (/etc/elasticsearch, /var/lib/elasticsearch, /usr/share/elasticsearch); the recursive rm -rf by name below deletes every file or directory called "elasticsearch" anywhere on the system and cannot be undone.
[[email protected] local]# find / -name "elasticsearch" -exec rm -rf {} \;
rpm -qa |grep elasticsearch
rpm -e --nodeps elasticsearch-5.4.0-1
5), After reinstalling, the status shows the service running.
6), Check the port
[[email protected] tmp]# lsof -i:9200
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
java 3994 elasticsearch 112u IPv6 54287 0t0 TCP localhost:wap-wsp (LISTEN)
java 3994 elasticsearch 113u IPv6 54288 0t0 TCP localhost:wap-wsp (LISTEN)
(wap-wsp is the /etc/services name for port 9200.) Both listening sockets are on localhost: Elasticsearch binds to the loopback address by default, so the node only answers requests from the machine itself. The JVM opens dual-stack sockets, which lsof reports as IPv6 even for 127.0.0.1, so this is not an IPv4 versus IPv6 problem. To reach the node from other hosts, set network.host in the configuration file to the machine's own IP:
[[email protected] elasticsearch]# vim elasticsearch.yml
network.host: 10.0.2.15
Two consequences follow from that change. Elasticsearch 5.x switches to production mode and enforces its bootstrap checks (file descriptors, process count, vm.max_map_count, equal -Xms and -Xmx), which is what the "common problems" fixes further down address. And because the open-source 5.x build has no authentication, every client that can reach 10.0.2.15:9200 can read, modify and delete every index, so bind to a network that only the ELK components and trusted administrators can reach, or restrict the port with the firewall.
Test with curl
[[email protected] elasticsearch]# curl 10.0.2.15:9200
{
"name" : "Bulldozer",
"cluster_name" : "elasticsearch",
"version" : {
"number" : "2.2.1",
"build_hash" : "d045fc29d1932bce18b2e65ab8b297fbf6cd41a1",
"build_timestamp" : "2016-03-09T09:38:54Z",
"build_snapshot" : false,
"lucene_version" : "5.4.1"
},
"tagline" : "You Know, for Search"
}
Opening http://10.0.2.15:9200/ in a browser returns the same JSON. (The response shown above was captured from a 2.2.1 node; a 5.4.0 install reports "number" : "5.4.0", with the same response shape.)
7), After changing the IP and port, the node can be reached from a browser.
Common Elasticsearch problems
http://www.mamicode.com/info-detail-1663378.html
http://www.bubuko.com/infodetail-1898143.html
http://blog.csdn.net/weini1111/article/details/60468068
[[email protected] ~]# vim /etc/security/limits.conf
* soft nofile 65536
* hard nofile 131072
* soft nproc 2048
* hard nproc 4096
soft nofile: maximum number of open file descriptors (soft limit); the leading * applies the line to all users
hard nofile: maximum number of open file descriptors (hard limit)
soft nproc: maximum number of processes per user (soft limit)
hard nproc: maximum number of processes per user (hard limit)
These are the values Elasticsearch 5.x's bootstrap checks require once network.host is set (at least 65536 file descriptors and 2048 processes). Note that /etc/security/limits.conf is applied by PAM to login sessions; a service started by systemd, as the RPM's unit is, takes its limits from the unit file instead (the RPM ships LimitNOFILE and LimitNPROC there), so this edit matters when Elasticsearch is run from a shell, and a systemd drop-in is the place to raise them for the service.
[[email protected] ~]# vim /etc/elasticsearch/jvm.options ##size the heap to the machine's memory: -Xms and -Xmx must be equal (a bootstrap check) and no more than about half of RAM
[[email protected] ~]# vim /etc/sysctl.conf ##the setting that goes here is vm.max_map_count, which the bootstrap check requires to be at least 262144; reload with sysctl -p afterwards
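A check for the prerequisites above, as an added example that is not part of the original page. Because a systemd service does not read limits.conf, the reliable way to confirm the limits is to read them from the running process's /proc/<pid>/limits, together with vm.max_map_count and the heap settings; the thresholds are the ones Elasticsearch 5.x's bootstrap checks enforce (65536 open files, 2048 processes, vm.max_map_count 262144, equal -Xms and -Xmx). The /proc excerpts and jvm.options fragments embedded here are constructed; check_live() reads the real files on a Linux host given the Elasticsearch PID.

```python
import re

# Minimums that Elasticsearch 5.x's bootstrap checks enforce once network.host
# is a non-loopback address; the node refuses to start below them.
MIN_OPEN_FILES = 65536
MIN_PROCESSES = 2048
MIN_MAX_MAP_COUNT = 262144

# Constructed /proc/<pid>/limits excerpts: a default shell-session profile and
# one that satisfies the checks.
DEFAULT_LIMITS = """\
Limit                     Soft Limit           Hard Limit           Units
Max cpu time              unlimited            unlimited            seconds
Max open files            1024                 4096                 files
Max processes             4096                 4096                 processes
"""
TUNED_LIMITS = """\
Limit                     Soft Limit           Hard Limit           Units
Max cpu time              unlimited            unlimited            seconds
Max open files            65536                131072               files
Max processes             2048                 4096                 processes
"""
# Constructed jvm.options excerpts.
UNEQUAL_HEAP = "## JVM heap\n-Xms1g\n-Xmx2g\n"
EQUAL_HEAP = "## JVM heap\n-Xms2g\n-Xmx2g\n"


def parse_proc_limits(text):
    """Parse /proc/<pid>/limits into {name: (soft, hard)}; 'unlimited' -> inf.
    These are the limits the running process actually has, whatever
    limits.conf says, which is what matters for a systemd service."""
    limits = {}
    for line in text.splitlines()[1:]:                 # first row is the header
        m = re.match(r"^(Max [a-z ]+?)\s{2,}(\S+)\s+(\S+)", line)
        if m:
            name, soft, hard = m.groups()
            to_num = lambda v: float("inf") if v == "unlimited" else int(v)
            limits[name] = (to_num(soft), to_num(hard))
    return limits


def parse_jvm_heap(text):
    """Return (Xms, Xmx) in MiB from jvm.options text; None where not set."""
    heap = {}
    for line in text.splitlines():
        m = re.match(r"^-X(ms|mx)(\d+)([kKmMgG])?$", line.strip())
        if m:
            opt, num, unit = m.groups()
            to_mib = {"k": 1 / 1024, "m": 1, "g": 1024, None: 1 / 1024 ** 2}
            heap[opt] = int(num) * to_mib[unit.lower() if unit else None]
    return heap.get("ms"), heap.get("mx")


def check_es_node(proc_limits_text, max_map_count, jvm_options_text, ram_mib):
    """Return the list of bootstrap problems found; an empty list passes."""
    problems = []
    limits = parse_proc_limits(proc_limits_text)
    open_files = limits.get("Max open files", (0, 0))[0]
    if open_files < MIN_OPEN_FILES:
        problems.append(f"max open files {open_files} < {MIN_OPEN_FILES}")
    processes = limits.get("Max processes", (0, 0))[0]
    if processes < MIN_PROCESSES:
        problems.append(f"max processes {processes} < {MIN_PROCESSES}")
    if max_map_count < MIN_MAX_MAP_COUNT:
        problems.append(f"vm.max_map_count {max_map_count} < {MIN_MAX_MAP_COUNT}")
    xms, xmx = parse_jvm_heap(jvm_options_text)
    if xms is None or xmx is None:
        problems.append("jvm.options sets no -Xms/-Xmx")
    elif xms != xmx:
        problems.append(f"-Xms ({xms:g} MiB) != -Xmx ({xmx:g} MiB); the heap check needs them equal")
    elif xmx > ram_mib / 2:
        # A sizing recommendation rather than a bootstrap check.
        problems.append(f"heap {xmx:g} MiB is more than half of {ram_mib} MiB RAM")
    return problems


def check_live(pid, jvm_options_path="/etc/elasticsearch/jvm.options"):
    """Run the checks against a running Elasticsearch process on this Linux host."""
    with open(f"/proc/{pid}/limits") as f:
        limits_text = f.read()
    with open("/proc/sys/vm/max_map_count") as f:
        max_map_count = int(f.read())
    with open(jvm_options_path) as f:
        jvm_text = f.read()
    with open("/proc/meminfo") as f:
        ram_kib = int(next(l for l in f if l.startswith("MemTotal:")).split()[1])
    return check_es_node(limits_text, max_map_count, jvm_text, ram_kib // 1024)


if __name__ == "__main__":
    print("default profile:", check_es_node(DEFAULT_LIMITS, 65530, UNEQUAL_HEAP, 8192))
    print("tuned profile:  ", check_es_node(TUNED_LIMITS, 262144, EQUAL_HEAP, 8192))
```

On a real node, run check_live() with the PID from systemctl status elasticsearch: an empty list means the limits the service actually runs with meet the checks, regardless of what limits.conf says.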
2, elasticsearch-head
1), Install node.js
http://www.cnblogs.com/charles-dxb/p/5170209.html
http://www.cnblogs.com/lovelylife/p/3503980.html
[[email protected] local]# curl --silent --location https://rpm.nodesource.com/setup_4.x | bash -
[[email protected] local]# yum install -y nodejs
Piping a downloaded script straight into a root shell executes whatever that server returns, unread; save it to a file and look at it first, or install Node.js from the distribution's own repositories. Node 4.x, used here, is no longer maintained.
2) Install phantomjs
[[email protected] src]# tar -jxvf phantomjs-2.1.1-linux-x86_64.tar.bz2 -C /usr/local/
tar (child): bzip2: Cannot exec: No such file or directory
tar (child): Error is not recoverable: exiting now
tar: Child returned status 2
tar: Error is not recoverable: exiting now
The bzip2 package is missing; install it and run the tar command again:
yum install -y bzip2
[[email protected] src]# vim /etc/profile
export PATH=/usr/local/phantomjs-2.1.1-linux-x86_64/bin:$PATH ##append at the end of the file
[[email protected] src]# source /etc/profile
3), Download and install elasticsearch-head
[[email protected] src]# yum install -y git
[[email protected] src]# git clone https://github.com/mobz/elasticsearch-head.git ##the original used git://github.com/..., a protocol GitHub no longer serves; https fetches the same repository
[[email protected] elasticsearch-head]# npm install
npm WARN package.json [email protected] license should be a valid SPDX license expression
[[email protected] elasticsearch-head]# npm run start
> [email protected] start /usr/local/src/elasticsearch-head
> grunt server
Running "connect:server" (connect) task
Waiting forever...
Started connect web server on http://localhost:9100
(The first run was interrupted with ^C and started again with identical output.) head is a static page served on port 9100 that talks to Elasticsearch from your browser, so Elasticsearch has to allow cross-origin requests for it (http.cors.enabled and http.cors.allow-origin in elasticsearch.yml). Allow the head origin specifically rather than "*": with a wildcard, any web page the operator visits can have the browser send requests to the cluster on the operator's behalf.
3, Logstash deployment and configuration
1), [[email protected] local]# wget https://artifacts.elastic.co/downloads/logstash/logstash-5.4.0.rpm
https://artifacts.elastic.co/downloads/logstash/logstash-5.4.1.rpm
[[email protected] local]# yum localinstall logstash-5.4.0.rpm
Generate the SSL certificate
Because Filebeat will ship logs from the client servers to the ELK server, we need an SSL certificate and key pair. Filebeat uses the certificate to verify the ELK server's identity, so the certificate's Common Name must be the name the clients connect to. Create the directory that will hold the certificate and private key, then generate them in the usual location (/etc/pki/tls/...) with the following command, substituting the ELK server's FQDN:
2), [[email protected] local]# cd /etc/pki/tls/
[[email protected] tls]# openssl req -subj '/CN=ELK_server_fqdn/' -x509 -days 3650 -batch -nodes -newkey rsa:2048 -keyout private/logstash-forwarder.key -out certs/logstash-forwarder.crt
The private key is what proves a Logstash endpoint is yours: it stays on the ELK server, readable by the user Logstash runs as and nobody else, and only the .crt is copied to the clients. -nodes leaves the key unencrypted, which a daemon needs to start unattended; -days 3650 gives the certificate a ten-year lifetime, so record the expiry somewhere.
3), Then create the Logstash configuration file. Two things to note in it: the filter branch keys on [type] == "syslog-beat", which is the document_type the Filebeat prospectors further down set (the beats input's type => "logs" only applies to events that arrive without one); and the elasticsearch output has no hosts setting, so it connects to localhost:9200, which no longer answers once network.host was changed above, so give it the address Elasticsearch listens on.
[[email protected] tls]# vim /etc/logstash/conf.d/01-logstash-initial.conf
input {
beats {
port => 5000
type => "logs"
ssl => true
ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
}
}
filter {
if [type] == "syslog-beat" {
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
add_field => [ "received_at", "%{@timestamp}" ]
add_field => [ "received_from", "%{host}" ]
}
geoip {
source => "clientip"
}
syslog_pri {}
date {
match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
}
}
}
output {
elasticsearch { }
stdout { codec => rubydebug }
}
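The grok pattern above, as an added example that is not part of the original page: the same pattern written as a Python regular expression and run over a few constructed /var/log/secure lines, with the date filter's behaviour (syslog timestamps carry no year, so Logstash assumes the current one) reproduced. It goes one step beyond the page's filter: the grok above never sets a clientip field, so the geoip block has no field to look up on these events; the sshd-specific pattern here extracts the peer address from "Failed password" lines, and a small counter over it is the kind of brute-force detection the parsed fields make possible. The log lines, host name and addresses are constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime

# The page's grok pattern, transcribed into a Python regex:
#   %{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname}
#   %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}
SYSLOG_RE = re.compile(
    r"^(?P<syslog_timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<syslog_hostname>[\w.-]+) "
    r"(?P<syslog_program>[^\[:]+?)(?:\[(?P<syslog_pid>\d+)\])?: "
    r"(?P<syslog_message>.*)$"
)

# Extension (not in the page's filter): pull user and peer address out of
# sshd's authentication-failure message so a geoip lookup has a clientip.
SSHD_FAIL_RE = re.compile(
    r"^Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<clientip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+)"
)

# Constructed sample of /var/log/secure, the file the authlogs prospector ships.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges (RFC 5737).
SAMPLE_SECURE_LOG = """\
Jun  1 19:12:01 elk sshd[2101]: Failed password for root from 203.0.113.10 port 51234 ssh2
Jun  1 19:12:03 elk sshd[2101]: Failed password for root from 203.0.113.10 port 51235 ssh2
Jun  1 19:12:05 elk sshd[2104]: Failed password for invalid user admin from 203.0.113.10 port 51240 ssh2
Jun  1 19:12:09 elk sshd[2110]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2: RSA SHA256:c3R1Yg
Jun  1 19:12:11 elk sshd[2112]: Failed password for deploy from 198.51.100.7 port 40030 ssh2
Jun  1 19:13:00 elk systemd-logind: New session 5 of user deploy.
"""


def parse_syslog(line, year=None):
    """Return the fields the page's grok filter would add, or None if the line
    does not match (Logstash would tag such an event _grokparsefailure)."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    event = m.groupdict()
    # The date filter's patterns "MMM d HH:mm:ss" / "MMM dd HH:mm:ss" carry no
    # year, so Logstash fills in the current one; pass year= to pin it.
    year = year or datetime.now().year
    stamp = re.sub(r"\s+", " ", event["syslog_timestamp"])
    event["@timestamp"] = datetime.strptime(
        f"{year} {stamp}", "%Y %b %d %H:%M:%S").isoformat()
    if event["syslog_program"] == "sshd":
        f = SSHD_FAIL_RE.match(event["syslog_message"])
        if f:
            event.update(f.groupdict())
    return event


def failed_logins_by_ip(log_text, year=None):
    """Count sshd password failures per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        event = parse_syslog(line, year)
        if event and "clientip" in event:
            counts[event["clientip"]] += 1
    return counts


def brute_force_sources(log_text, threshold=3, year=None):
    """Addresses with at least `threshold` failures: a minimal detection rule."""
    return sorted(ip for ip, n in failed_logins_by_ip(log_text, year).items()
                  if n >= threshold)


if __name__ == "__main__":
    for line in SAMPLE_SECURE_LOG.splitlines():
        print(parse_syslog(line, year=2017))
    print("failures:", dict(failed_logins_by_ip(SAMPLE_SECURE_LOG, 2017)))
    print("brute force candidates:", brute_force_sources(SAMPLE_SECURE_LOG))
```

In Logstash the same extension is a second grok on syslog_message for events whose syslog_program is sshd, writing the address to clientip so the existing geoip { source => "clientip" } block has something to resolve.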
4), Start Logstash and check the port; the configuration above listens on port 5000
[[email protected] logstash]# systemctl enable logstash
[[email protected] logstash]# systemctl start logstash
[[email protected] logstash]# systemctl status logstash
Port 5000 is the only one the Filebeat clients need to reach; if a firewall is running, open it for the client subnet and leave 9200 and 5601 closed to them. Other settings are documented in the configuration file itself.
5), Modify the Elasticsearch configuration
List the configuration directory and create a folder es-01 (the name is not mandatory). The RPM ships elasticsearch.yml, jvm.options and log4j2.properties (logging.yml was the 2.x name); elasticsearch.yml inside es-01 is the file created here, with the content shown below:
[[email protected] logstash]# cd /etc/elasticsearch/
[[email protected] elasticsearch]# tree
.
├── elasticsearch.yml
├── jvm.options
├── log4j2.properties
└── scripts
1 directory, 3 files
[[email protected] elasticsearch]# ll
total 16
-rw-rw----. 1 root elasticsearch 2923 Jun 1 19:12 elasticsearch.yml
-rw-rw----. 1 root elasticsearch 3117 Apr 29 01:45 jvm.options
-rw-rw----. 1 root elasticsearch 4456 Apr 29 01:45 log4j2.properties
drwxr-x---. 2 root elasticsearch 6 Apr 29 01:45 scripts
[[email protected] elasticsearch]# mkdir es-01 ##create a folder
[[email protected] elasticsearch]# cd es-01/
[[email protected] es-01]# vim elasticsearch.yml
http:
  port: 9200
network:
  host: elk.test.com
node:
  name: elk.test.com
path:
  data: /etc/elasticsearch/data/es-01
Three things to check before restarting: the systemd service reads /etc/elasticsearch/elasticsearch.yml, not a file in a subdirectory, so these settings take effect only if they are placed in (or merged into) that file; elk.test.com must resolve to this node's address on the node itself and on the Kibana and Logstash hosts that will use it; and the path.data directory must exist and be owned by the elasticsearch user (the RPM's default, /var/lib/elasticsearch, already is).
6), Restart the Elasticsearch and Logstash services.
[[email protected] ~]# systemctl stop elasticsearch
[[email protected] ~]# systemctl start elasticsearch
[[email protected] es-01]# systemctl stop logstash
[[email protected] es-01]# systemctl start logstash
4, Install Kibana
1)
[[email protected] local]# wget https://artifacts.elastic.co/downloads/kibana/kibana-5.4.0-x86_64.rpm
2), [[email protected] local]# yum localinstall kibana-5.4.0-x86_64.rpm -y
3), [[email protected] local]# systemctl enable kibana
Created symlink from /etc/systemd/system/multi-user.target.wants/kibana.service to /etc/systemd/system/kibana.service.
4), [[email protected] local]# systemctl start kibana
[[email protected] local]# systemctl status kibana
Check that the Kibana service is running (the process is named node and listens on port 5601 by default)
5), [[email protected] local]# netstat -lnpt
Open tcp/5601 in the firewall
[[email protected] local]# firewall-cmd --permanent --add-port=5601/tcp
FirewallD is not running ##with the firewall stopped, as in the environment setup above, this step can be skipped
[[email protected] elk]# firewall-cmd --reload
success
[[email protected] elk]# firewall-cmd --list-all
[[email protected] local]# vim /etc/kibana/kibana.yml ##edit the configuration: server.host defaults to localhost, so set it to the address Kibana should be reached on, and point elasticsearch.url at the address Elasticsearch now listens on
Open http://192.168.3.194:5601 in a browser
Kibana 5.x without X-Pack has no login: whoever can reach port 5601 can query everything in the cluster. Restrict the port to administrators' networks, or put an authenticating reverse proxy with TLS in front of it.
5, Deploy Filebeat on the clients
Filebeat is a lightweight shipper that collects log files on a server and forwards them to Logstash for processing. It talks to the Logstash instance over the Beats protocol, secured with the certificate generated above; the underlying lumberjack protocol is designed for reliability and low latency. Filebeat runs on the resources of the machine that holds the data, and the Beats input plugin keeps the extra load on Logstash small.
1), [[email protected] local]# wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-5.4.0-x86_64.rpm
[[email protected] local]# yum localinstall filebeat-5.4.0-x86_64.rpm
[[email protected] certs]# scp [email protected]:/etc/pki/tls/certs/logstash-forwarder.crt /etc/pki/tls/certs/ ##copy the certificate logstash-forwarder.crt from the ELK node to the client (the certificate only; the private key stays on the ELK server)
[[email protected] filebeat]# cd /etc/filebeat/
[[email protected] filebeat]# tree
.
├── filebeat.full.yml
├── filebeat.template-es2x.json
├── filebeat.template-es6x.json
├── filebeat.template.json
└── filebeat.yml
0 directories, 5 files
2), Three files are edited: filebeat.yml, which defines the connection to the Logstash server, and two files under conf.d that define which logs to monitor. Their contents follow.
filebeat.yml: for this setup its output.logstash section names the Logstash server (the host name that matches the certificate's CN, port 5000) and sets ssl.certificate_authorities to the copied /etc/pki/tls/certs/logstash-forwarder.crt; without that, Filebeat does not trust the self-signed certificate and never completes the TLS handshake with the beats input. filebeat.config_dir must also point at the conf.d directory created next, or the two files below are never read.
[[email protected] filebeat]# mkdir conf.d
[[email protected] filebeat]# vim conf.d/authlogs.yml
filebeat:
  prospectors:
    - paths:
        - /var/log/secure
      encoding: plain
      fields_under_root: false
      input_type: log
      ignore_older: 24h
      document_type: syslog-beat
      scan_frequency: 10s
      harvester_buffer_size: 16384
      tail_files: false
      force_close_files: false
      backoff: 1s
      max_backoff: 1s
      backoff_factor: 2
      partial_line_waiting: 5s
      max_bytes: 10485760
[[email protected] filebeat]# vim conf.d/syslogs.yml
filebeat:
  prospectors:
    - paths:
        - /var/log/messages
      encoding: plain
      fields_under_root: false
      input_type: log
      ignore_older: 24h
      document_type: syslog-beat
      scan_frequency: 10s
      harvester_buffer_size: 16384
      tail_files: false
      force_close_files: false
      backoff: 1s
      max_backoff: 1s
      backoff_factor: 2
      partial_line_waiting: 5s
      max_bytes: 10485760
Once the edits are done, start the Filebeat service
Import the dashboards