The whole ELK stack here uses version 5.0.
1. ELK depends on a Java runtime, so install the JDK first; note that ELK 5.0 requires JDK 1.8 or later.
2. Install Elasticsearch
yum -y install elasticsearch-5.0.1.rpm
mkdir -pv /elk/{data,logs}                     # directories for the ES data and log files
chown -R elasticsearch.elasticsearch /elk/*    # set owner and group
Edit the ES configuration file:
vim /etc/elasticsearch/elasticsearch.yml
cluster.name: my-application
node.name: node-1
path.data: /elk/data
path.logs: /elk/logs
network.host: 0.0.0.0
http.port: 9200
Raise the process limit
vim /etc/security/limits.d/90-nproc.conf
Change the nproc value on the * line to 2048.
Adjust the JVM parameters
vim /etc/elasticsearch/jvm.options
-Xms512m
-Xmx512m
Adjust these two values to the memory actually available on the host.
Start Elasticsearch and check that ports 9200 and 9300 are listening. With network.host set to 0.0.0.0 they are reachable from every interface, and ES 5.0 has no built-in authentication, so restrict access to them at the firewall.
3. Install Kibana
yum -y install kibana-5.0.1-x86_64.rpm
Edit the Kibana configuration file
vim /etc/kibana/kibana.yml
server.port: 5601
server.host: "0.0.0.0"
elasticsearch.url: "http://localhost:9200"
kibana.index: ".kibana"
Start Kibana and check that port 5601 is open.
4. Install Logstash
yum -y install logstash-5.0.1.rpm
Write a first test configuration
cat /etc/logstash/conf.d/test.conf
input {
  stdin {}
}
output {
  stdout {
    codec => "rubydebug"
  }
}
Test it:
/usr/share/logstash/bin/logstash -t -f /etc/logstash/conf.d/test.conf
-t: test the configuration file without starting Logstash
-f: the configuration file to test
WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults
Could not find log4j2 configuration at path /usr/share/logstash/config/log4j2.properties. Using default config which logs to console
Configuration OK
14:08:51.310 [LogStash::Runner] INFO logstash.runner - Using config.test_and_exit mode. Config Validation Result: OK. Exiting Logstash
The warning appears because there is no config directory under /usr/share/logstash.
Fix: create a symbolic link
ln -sv /etc/logstash /usr/share/logstash/config
Now change the configuration file so that Logstash reads from redis and writes to Elasticsearch:
cat /etc/logstash/conf.d/test.conf
input {
  redis {
    host => "192.168.0.224"
    port => 6379
    key => "syslog"
    type => "message1"
    data_type => "list"
  }
}
output {
  stdout {
    codec => "rubydebug"
  }
  elasticsearch {
    hosts => ["localhost:9200"]
  }
}
5. Build and install redis
Install gcc first
yum -y install gcc
tar xf redis-3.0.7.tar.gz -C /app/tools/
cd /app/tools/redis-3.0.7/
make
Start redis-server
/app/tools/redis-3.0.7/src/redis-server &
Check that port 6379 is open. Started like this, without a config file, redis 3.0.7 listens on all interfaces with no password, so limit access to the Filebeat and Logstash hosts.
6. Install Filebeat
yum -y install filebeat-5.0.1-x86_64.rpm
vim /etc/filebeat/filebeat.yml
paths:
  #- /var/log/*.log
  - /var/log/messages
output.redis:
  hosts: ["192.168.0.224"]    # redis address
  port: 6379                  # redis port
  key: "syslog"               # redis key (the list Filebeat writes to)
7. Test
service filebeat start
Open redis and check whether events have been pushed in
/app/tools/redis-3.0.7/src/redis-cli
127.0.0.1:6379> llen syslog
(integer) 1255
Start Logstash
/usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/test.conf
If the configuration file has problems, check the Logstash log
tail /var/log/logstash/logstash-plain.log
Once the configuration is correct, check the redis syslog key again; the count drops to 0 because Logstash has consumed the list.
/app/tools/redis-3.0.7/src/redis-cli
127.0.0.1:6379> llen syslog
(integer) 0
127.0.0.1:6379>
With that, ELK + redis + filebeat is set up.
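The test step above only works when Filebeat's output.redis block and Logstash's redis input name the same host, port and key, and when the input reads a list. The following added checker (not part of the original write-up) parses both files with plain regexes and reports any disagreement before the pipeline is started; the embedded sample configs are constructed after the ones shown above, and the file paths are only those used in this post.

```python
import re

# Constructed sample configs modelled on the filebeat.yml and test.conf
# shown in this write-up (not copied from a live system).
FILEBEAT_YML = """\
output.redis:
  hosts: ["192.168.0.224"]
  port: 6379
  key: "syslog"
"""

LOGSTASH_CONF = """\
input {
  redis {
    host => "192.168.0.224"
    port => 6379
    key => "syslog"
    type => "message1"
    data_type => "list"
  }
}
"""

def parse_filebeat_redis(text):
    """Return {host, port, key} (as strings) from the output.redis block."""
    block = re.search(r"^output\.redis:\n((?:[ \t]+.*\n?)+)", text, re.M)
    out = {}
    for k, v in re.findall(r"^[ \t]+(hosts|port|key):\s*(.+)$", block.group(1) if block else "", re.M):
        # 'hosts' is a YAML list: keep its first entry and store it as 'host'
        out[k.rstrip("s")] = v.strip().strip("[]").split(",")[0].strip().strip("\"'")
    return out

def parse_logstash_redis(text):
    """Return the key => value settings of the redis {} input block (as strings)."""
    block = re.search(r"redis\s*\{(.*?)\}", text, re.S)
    return dict(re.findall(r'(\w+)\s*=>\s*"?([^"\s}]+)"?', block.group(1) if block else ""))

def check_pipeline_configs(filebeat_yml, logstash_conf):
    """List host/port/key disagreements; an empty list means both sides match."""
    fb, ls = parse_filebeat_redis(filebeat_yml), parse_logstash_redis(logstash_conf)
    problems = [f"{f}: filebeat={fb.get(f)!r} logstash={ls.get(f)!r}"
                for f in ("host", "port", "key") if fb.get(f) != ls.get(f)]
    if ls.get("data_type") != "list":
        problems.append("logstash redis input needs data_type => \"list\" to read the list filebeat fills")
    return problems

if __name__ == "__main__":
    print(check_pipeline_configs(FILEBEAT_YML, LOGSTASH_CONF) or "filebeat and logstash agree")
```

To run it against the real files, read /etc/filebeat/filebeat.yml and /etc/logstash/conf.d/test.conf into the two arguments instead of the constants.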