20170603 ELK installation (RPM package install)

ELK installation

Environment setup:

(a) Stop firewalld:

systemctl stop firewalld.service # stop firewalld

systemctl disable firewalld.service # keep firewalld from starting at boot

firewall-cmd --state # show the firewall state (notrunning after it is stopped, running when active)

(b) iptables firewall (iptables is already installed here; configure it as follows)

vi /etc/sysconfig/iptables # edit the firewall configuration file

1. elasticsearch

1) Install the JDK

yum install java-1.8.0-openjdk -y

java -version            ## check the version

2) Download the elasticsearch RPM:

wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-5.4.0.rpm

wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-5.4.1.rpm

3) yum localinstall elasticsearch-5.4.0.rpm

4) Register the service with systemd:

sudo systemctl daemon-reload      ## reload the unit files; use sudo if you lack permissions

sudo systemctl enable elasticsearch.service

sudo systemctl status elasticsearch.service

Checking the status shows a failure: the service does not come up. It is a problem with the old node environment, so delete all the previous files and do a clean install:

[[email protected] local]# find / -name "elasticsearch" -exec  rm -rf {} \;

rpm -qa |grep elasticsearch

rpm -e --nodeps elasticsearch-5.4.0-1

5) After reinstalling, the status now shows the service running.

6) Check the port:

[[email protected] tmp]# lsof -i:9200
COMMAND  PID          USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
java    3994 elasticsearch  112u  IPv6  54287      0t0  TCP localhost:wap-wsp (LISTEN)
java    3994 elasticsearch  113u  IPv6  54288      0t0  TCP localhost:wap-wsp (LISTEN)

The port is not listening on IPv4.

Looking at the official documentation, elasticsearch listens on localhost by default. Edit the configuration file and change 127.0.0.1 to the host's own IP:

[[email protected] elasticsearch]# vim elasticsearch.yml

network.host: 10.0.2.15

Test it with curl:

[[email protected] elasticsearch]# curl 10.0.2.15:9200
{
  "name" : "Bulldozer",
  "cluster_name" : "elasticsearch",
  "version" : {
    "number" : "2.2.1",
    "build_hash" : "d045fc29d1932bce18b2e65ab8b297fbf6cd41a1",
    "build_timestamp" : "2016-03-09T09:38:54Z",
    "build_snapshot" : false,
    "lucene_version" : "5.4.1"
  },
  "tagline" : "You Know, for Search"
}

Accessing it from a browser returns the same response:

http://10.0.2.15:9200/


7) After changing the IP and port, the page loads in the browser.

Problems commonly hit with ES:

http://www.mamicode.com/info-detail-1663378.html

http://www.bubuko.com/infodetail-1898143.html

http://blog.csdn.net/weini1111/article/details/60468068

[[email protected] ~]# vim /etc/security/limits.conf
* soft nofile 65536
* hard nofile 131072
* soft nproc 2048
* hard nproc 4096

soft nproc: maximum number of open file descriptors (soft limit); the * means the line applies to all users
hard nproc: maximum number of open file descriptors (hard limit)
soft nofile: maximum number of processes available to a single user (soft limit)
hard nofile: maximum number of processes available to a single user (hard limit)

[[email protected] ~]# vim /etc/elasticsearch/jvm.options      ## size the heap according to the system's actual memory

[[email protected] ~]# vim /etc/sysctl.conf

2. elasticsearch-head

1) Install node.js

CentOS7 Node.js environment installation notes:

http://www.cnblogs.com/charles-dxb/p/5170209.html

Installing the NPM package manager on Linux:

http://www.cnblogs.com/lovelylife/p/3503980.html

[[email protected] local]# curl --silent --location https://rpm.nodesource.com/setup_4.x | bash -

[[email protected] local]# yum install -y nodejs

2) Install phantomjs

[[email protected] src]# wget https://bbuseruploads.s3.amazonaws.com/fd96ed93-2b32-46a7-9d2b-ecbc0988516a/downloads/396e7977-71fd-4592-8723-495ca4cfa7cc/phantomjs-2.1.1-linux-x86_64.tar.bz2?Signature=35G3OMsJ6wyIIBjYhDIa5zG%2FGxE%3D&Expires=1496287129&AWSAccessKeyId=AKIAIWZLQBE7J6CD7UJA&versionId=null&response-content-disposition=attachment%3B%20filename%3D%22phantomjs-2.1.1-linux-x86_64.tar.bz2%22

[[email protected] src]# tar -jxvf phantomjs-2.1.1-linux-x86_64.tar.bz2 -C /usr/local/
tar (child): bzip2:无法 exec: 没有那个文件或目录
tar (child): Error is not recoverable: exiting now
tar: Child returned status 2
tar: Error is not recoverable: exiting now

The bzip2 package is missing:

yum install -y bzip2

[[email protected] src]# vim /etc/profile
export PATH=/usr/local/phantomjs-2.1.1-linux-x86_64/bin:$PATH     ## append at the end of the file
[[email protected] src]# source /etc/profile

3) Download and install elasticsearch-head

[[email protected] src]# yum install -y git

[[email protected] src]# git clone git://github.com/mobz/elasticsearch-head.git

[[email protected] elasticsearch-head]# npm install

npm WARN package.json [email protected] license should be a valid SPDX license expression

[[email protected] elasticsearch-head]# npm run start

> [email protected] start /usr/local/src/elasticsearch-head

> grunt server

Running "connect:server" (connect) task

Waiting forever...

Started connect web server on http://localhost:9100


3. logstash deployment and configuration

1) [[email protected] local]# wget https://artifacts.elastic.co/downloads/logstash/logstash-5.4.0.rpm

https://artifacts.elastic.co/downloads/logstash/logstash-5.4.1.rpm

[[email protected] local]# yum localinstall logstash-5.4.0.rpm

Generate an SSL certificate

Because we will use Filebeat to ship logs from our client servers to our ELK server, we need to create an SSL certificate and key pair. Filebeat uses this certificate to verify the identity of the ELK server. Create the directory that will hold the certificate and private key with the following commands:

Generate the SSL certificate and private key in the appropriate location (/etc/pki/tls/ …) with the following command, substituting the ELK server's FQDN; Filebeat later has to connect to the server under that same name, since it checks the name against the certificate:

2) [[email protected] local]# cd /etc/pki/tls/

[[email protected] tls]# openssl req -subj '/CN=ELK_server_fqdn/' -x509 -days 3650 -batch -nodes -newkey rsa:2048 -keyout private/logstash-forwarder.key -out certs/logstash-forwarder.crt

3) Then create the logstash configuration file, as follows:

[[email protected] tls]# vim /etc/logstash/conf.d/01-logstash-initial.conf

input {
  beats {
    port => 5000
    type => "logs"
    ssl => true
    ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
    ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
  }
}

filter {
  if [type] == "syslog-beat" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    geoip {
      source => "clientip"
    }
    syslog_pri {}
    date {
      match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}

output {
  elasticsearch { }
  stdout { codec => rubydebug }
}

4) Start logstash and check the port; the configuration file above uses port 5000.

[[email protected] logstash]# systemctl enable logstash

[[email protected] logstash]# systemctl start logstash

[[email protected] logstash]# systemctl status logstash

For the related settings, see the options in the configuration file itself.

5) Modify the elasticsearch configuration file

Look at the directory, then create a folder es-01 (the name is not mandatory). logging.yml ships with the package; elasticsearch.yml is the file we create, with the contents below:

[[email protected] logstash]# cd /etc/elasticsearch/

[[email protected] elasticsearch]# tree
.
├── elasticsearch.yml
├── jvm.options
├── log4j2.properties
└── scripts

1 directory, 3 files

[[email protected] elasticsearch]# ll
总用量 16
-rw-rw----. 1 root elasticsearch 2923 6月   1 19:12 elasticsearch.yml
-rw-rw----. 1 root elasticsearch 3117 4月  29 01:45 jvm.options
-rw-rw----. 1 root elasticsearch 4456 4月  29 01:45 log4j2.properties
drwxr-x---. 2 root elasticsearch    6 4月  29 01:45 scripts

[[email protected] elasticsearch]# mkdir es-01      ## create a folder

[[email protected] elasticsearch]# cd es-01/

[[email protected] es-01]# vim elasticsearch.yml
http:
  port: 9200
network:
  host: elk.test.com
node:
  name: elk.test.com
path:
  data: /etc/elasticsearch/data/es-01

6) Restart the elasticsearch and logstash services.

[[email protected] ~]# systemctl stop elasticsearch

[[email protected] ~]# systemctl start elasticsearch

[[email protected] es-01]# systemctl stop logstash

[[email protected] es-01]# systemctl start logstash

4. Install kibana

1) Download the kibana RPM:

[[email protected] local]# wget https://artifacts.elastic.co/downloads/kibana/kibana-5.4.0-x86_64.rpm

2) [[email protected] local]# yum localinstall kibana-5.4.0-x86_64.rpm -y

3) [[email protected] local]# systemctl enable kibana

Created symlink from /etc/systemd/system/multi-user.target.wants/kibana.service to /etc/systemd/system/kibana.service.

4) [[email protected] local]# systemctl start kibana

[[email protected] local]# systemctl status kibana

Check that the kibana service is running (Kibana's default process name is node, on port 5601):

5) [[email protected] local]# netstat -lnpt

Adjust the firewall to open tcp/5601:

[[email protected] local]# firewall-cmd --permanent --add-port=5601/tcp

FirewallD is not running       ## if the firewall is not running this step can be skipped

[[email protected] elk]# firewall-cmd --reload

success

[[email protected] elk]# firewall-cmd --list-all

[[email protected] local]# vim /etc/kibana/kibana.yml   ## edit the configuration file

Access it from a browser: http://192.168.3.194:5601

5. Deploy filebeat on the client

The Filebeat client is a lightweight tool that collects log data from files on a server and forwards those logs to the Logstash server for processing. The Filebeat client uses the secure Beats protocol to talk to the Logstash instance; the lumberjack protocol is designed for reliability and low latency. Filebeat uses the compute resources of the machine that hosts the source data, and the Beats input plugin keeps the resource demands on Logstash to a minimum.

1) [[email protected] local]# wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-5.4.0-x86_64.rpm

[[email protected] local]# yum localinstall filebeat-5.4.0-x86_64.rpm

[[email protected] certs]# scp [email protected]:/etc/pki/tls/certs/logstash-forwarder.crt /etc/pki/tls/certs/                      ## copy the certificate logstash-forwarder.crt from the ELK node to the client

[[email protected] filebeat]# cd /etc/filebeat/

[[email protected] filebeat]# tree
.
├── filebeat.full.yml
├── filebeat.template-es2x.json
├── filebeat.template-es6x.json
├── filebeat.template.json
└── filebeat.yml

0 directories, 5 files

2) Three files are modified: filebeat.yml defines the connection to the logstash server, and the two configuration files in the conf.d directory define which logs to monitor. Their contents are as follows:

filebeat.yml

[[email protected] filebeat]# mkdir conf.d

[[email protected] filebeat]# vim conf.d/authlogs.yml
filebeat:
  prospectors:
    - paths:
        - /var/log/secure
      encoding: plain
      fields_under_root: false
      input_type: log
      ignore_older: 24h
      document_type: syslog-beat
      scan_frequency: 10s
      harvester_buffer_size: 16384
      tail_files: false
      force_close_files: false
      backoff: 1s
      max_backoff: 1s
      backoff_factor: 2
      partial_line_waiting: 5s
      max_bytes: 10485760

[[email protected] filebeat]# vim conf.d/syslogs.yml
filebeat:
  prospectors:
    - paths:
        - /var/log/messages
      encoding: plain
      fields_under_root: false
      input_type: log
      ignore_older: 24h
      document_type: syslog-beat
      scan_frequency: 10s
      harvester_buffer_size: 16384
      tail_files: false
      force_close_files: false
      backoff: 1s
      max_backoff: 1s
      backoff_factor: 2
      partial_line_waiting: 5s
      max_bytes: 10485760

After the changes are made, start the filebeat service.
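As an added example (not part of the original post), here is a Python equivalent of the grok pattern in the Logstash filter above, run over constructed /var/log/secure lines like those the authlogs.yml prospector ships, with a failed-login count per source IP as the kind of check a defender would run on the parsed result. The regex approximations of the grok patterns and the sample lines are assumptions of this example, not taken from the page.

```python
import re
from collections import Counter

# Python approximation of the grok pattern used in the Logstash filter above.
# Grok expansions (approximate): SYSLOGTIMESTAMP = MONTH +MONTHDAY TIME,
# SYSLOGHOST = host or IP, DATA = .*?, POSINT = [1-9]\d*, GREEDYDATA = .*
# Note: the timestamp carries no year, which is why the date filter in the
# Logstash config only matches "MMM d HH:mm:ss" / "MMM dd HH:mm:ss".
SYSLOG_LINE = re.compile(
    r"^(?P<syslog_timestamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<syslog_hostname>[\w.-]+) "
    r"(?P<syslog_program>.*?)(?:\[(?P<syslog_pid>[1-9]\d*)\])?: "
    r"(?P<syslog_message>.*)$"
)

# Matches the "Failed password" lines sshd writes to /var/log/secure.
FAILED_LOGIN = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src_ip>[\d.]+) port \d+"
)

def parse_syslog(line):
    """Return the fields the grok filter would add, or None where grok would tag _grokparsefailure."""
    m = SYSLOG_LINE.match(line)
    return m.groupdict() if m else None

def failed_logins_by_source(lines):
    """Count sshd failed logins per source IP over the parsed events."""
    counts = Counter()
    for line in lines:
        ev = parse_syslog(line)
        if ev is None or ev["syslog_program"] != "sshd":
            continue
        f = FAILED_LOGIN.search(ev["syslog_message"])
        if f:
            counts[f.group("src_ip")] += 1
    return counts

# Constructed sample lines in /var/log/secure format (not real data).
SAMPLE_SECURE = [
    "Jun  3 10:15:22 elk sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 4431 ssh2",
    "Jun  3 10:15:24 elk sshd[1234]: Failed password for root from 203.0.113.5 port 4432 ssh2",
    "Jun  3 10:15:30 elk sshd[1240]: Accepted publickey for deploy from 198.51.100.7 port 50122 ssh2",
    "Jun  3 10:16:01 elk sshd[1251]: Failed password for root from 198.51.100.9 port 2200 ssh2",
    "Jun  3 10:17:00 elk systemd: Started Session 12 of user root.",
    "this line does not look like syslog at all",
]

if __name__ == "__main__":
    for ip, n in failed_logins_by_source(SAMPLE_SECURE).most_common():
        print(ip, n)
```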

Import the dashboards
