ELK安装
实验环境
| 系统 | IP |
|---|---|
| Centos7 | 180.76.xx.xxx |
1.安装jdk
// 解压
[root@master src]# tar xf jdk-8u333-linux-x64.tar.gz -C /usr/local/
[root@master local]# mv jdk1.8.0_333/ jdk
//配置环境变量
[root@master local]# cat >> /etc/profile << EOF
> export JAVA_HOME=/usr/local/jdk
> export PATH=$JAVA_HOME/bin:$PATH
> EOF
[root@master local]# source /etc/profile
[root@master local]# java -version
java version "1.8.0_333"
Java(TM) SE Runtime Environment (build 1.8.0_333-b02)
Java HotSpot(TM) 64-Bit Server VM (build 25.333-b02, mixed mode)
2. 安装elasticsearch
// 解压
[root@master local]# mkdir elk
[root@master src]# tar xf elasticsearch-8.4.3-linux-x86_64.tar.gz -C /usr/local/elk
[root@master elk]# mv elasticsearch-8.4.3/ elasticsearch
//创建文件存放目录,用户
[root@master elasticsearch]# mkdir -p /data/elasticsearch/data
[root@master elasticsearch]# mkdir -p /data/elasticsearch/log
[root@master elasticsearch]# useradd elk
[root@master elasticsearch]# id elk
uid=1001(elk) gid=1001(elk) groups=1001(elk)
[root@master elasticsearch]# echo 123456 | passwd --stdin elk
Changing password for user elk.
passwd: all authentication tokens updated successfully.
[root@master elasticsearch]# chown -R elk.elk /data/elasticsearch/data/
[root@master elasticsearch]# chown -R elk.elk /data/elasticsearch/log/
[root@master elasticsearch]# chown -R elk.elk /data/elasticsearch
//修改配置文件
[root@master config]# pwd
/usr/local/elk/elasticsearch/config
[root@master config]# vim elasticsearch.yml
# elasticsearch.yml as written in step 2 (security still OFF; step 6 re-enables it).
# NOTE(review): the host in the environment table above has a public address and
# network.host below binds every interface, so while xpack.security.enabled is
# false port 9200 answers unauthenticated read/write requests from anyone who
# can reach it. Keep 0.0.0.0 only behind a firewall, or bind a private address
# until step 6 is applied.
# NOTE(review): the elk service account created above was given the password
# 123456 via `passwd --stdin`, and that command line also stays in root's shell
# history; use a generated password (or key-based login only) for this account.
node.name: node-1
path.data: /data/elasticsearch/data
path.logs: /data/elasticsearch/log
# 0.0.0.0 = listen on all interfaces (see note above).
network.host: 0.0.0.0
http.port: 9200
# Single-node bootstrap; the value must match node.name.
cluster.initial_master_nodes: ["node-1"]
# CORS is wide open: any web origin may issue requests against this cluster
# from a browser that can reach it. Narrow allow-origin to the frontend origin
# that actually needs it (the Kibana URL configured below).
http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-methods : OPTIONS,HEAD,GET,POST,PUT,DELETE
http.cors.allow-headers : "X-Requested-With,Content-Type,Content-Length,X-User"
# Disables the automatic GeoIP database download (no outbound fetch by this node).
ingest.geoip.downloader.enabled: false
#xpack.ml.enabled: false
# Authentication and TLS are disabled here; the step-6 configuration turns them on.
xpack.security.enabled: false
// 启动
[root@master elk]# su - elk
Last login: Mon Oct 10 16:28:26 CST 2022 on pts/0
[elk@master ~]$ /usr/local/elk/elasticsearch/bin/elasticsearch -d
warning: ignoring JAVA_HOME=/usr/local/jdk; using bundled JDK
[elk@master ~]$ ss -antlp | grep 92 *:*
LISTEN 0 128 [::]:9200 [::]:* users:(("java",pid=22822,fd=405))
LISTEN 0 128 [::]:9300 [::]:* users:(("java",pid=22822,fd=400))
[root@master config]# curl localhost:9200
{
"name" : "node-1",
"cluster_name" : "elasticsearch",
"cluster_uuid" : "RwcqGY_8S4yI9K1GH94UoQ",
"version" : {
"number" : "8.4.3",
"build_flavor" : "default",
"build_type" : "tar",
"build_hash" : "42f05b9372a9a4a470db3b52817899b99a76ee73",
"build_date" : "2022-10-04T07:17:24.662462378Z",
"build_snapshot" : false,
"lucene_version" : "9.3.0",
"minimum_wire_compatibility_version" : "7.17.0",
"minimum_index_compatibility_version" : "7.0.0"
},
"tagline" : "You Know, for Search"
}
3. 安装kibana
// 解压
[root@master src]# tar xf kibana-8.4.3-linux-x86_64.tar.gz -C /usr/local/elk/
[root@master elk]# mv kibana-8.4.3 kibana
//修改配置文件
[root@master elk]# cd kibana/config/
[root@master config]# cp kibana.yml kibana.yml.bak
[root@master config]# echo > kibana.yml
[root@master config]# vim kibana.yml
# kibana.yml rewritten from scratch (the stock file was emptied with `echo >`
# above; the original is kept as kibana.yml.bak).
server.port: 5601
# Kibana is bound directly to the public address from the environment table,
# served over plain HTTP, and has no Elasticsearch credentials configured —
# consistent with security being off at this point. After step 6 this file
# needs elasticsearch.username/elasticsearch.password (or a service-account
# token) and an https elasticsearch.hosts entry, or Kibana will not connect.
# NOTE(review): Kibana is started with --allow-root below; prefer running it as
# the unprivileged elk user, as Elasticsearch already is.
server.host: "180.76.xx.xx"
server.publicBaseUrl: "http://180.76.xx.xx:5601"
# Plain http; must become https://… once xpack.security.http.ssl is enabled (step 6).
elasticsearch.hosts: ["http://180.76.xx.xxx:9200"]
i18n.locale: "zh-CN"
//启动
[root@master config]# nohup /usr/local/elk/kibana/bin/kibana --allow-root &
[root@master config]# ss -antl | grep 5601
LISTEN 0 128 180.76.xx.xx:5601 *:*
4.安装logstash
// 解压
[root@master src]# tar xf logstash-8.4.3-linux-x86_64.tar.gz -C /usr/local/elk/
[root@master elk]# mv logstash-8.4.3 logstash
// 修改配置文件
[root@master logstash]# cd config/
[root@master config]# ls
jvm.options logstash-sample.conf pipelines.yml
log4j2.properties logstash.yml startup.options
[root@master config]# cp logstash-sample.conf logstash.conf
[root@master config]# vim logstash.conf
# logstash.conf — copied from logstash-sample.conf and edited.
input {
# Receives events from Filebeat (output.logstash in filebeat.yml points at this
# port). Plain TCP: none of the beats input's ssl options are set, so log
# contents cross the network unencrypted and any host that can reach 5044 can
# inject events.
beats {
port => 5044
}
}
filter {
# Parses the application's line format "[timestamp] - LEVEL path:【id】:…".
# The 【…】 markers are full-width brackets emitted by the application itself.
# GREEDYDATA swallows everything after 【errMsg】: into `msg`; lines that do not
# match are passed through tagged _grokparsefailure.
grok{
match => { "message" => "\[%{TIMESTAMP_ISO8601:log.time}\]\ \-\ %{LOGLEVEL:log.level}\ %{NOTSPACE:log.path}:【id】:%{NOTSPACE:log.id}【method】:%{WORD:log.method}【uri】:%{PATH:log.url}【ip】:%{IPV4:log.ip}【code】:%{WORD:log.code}【errMsg】:%{GREEDYDATA:msg}" }
}
# Uses the parsed log.time as the event @timestamp; ",S" handles a millisecond suffix.
date {
match => [ "log.time" , "yyyy-MM-dd HH:mm:ss,S", "ISO8601" ]
}
# Geo-locates the client IP extracted by grok; only the listed fields are kept.
geoip {
source => ["log.ip"]
target => ["geoip"]
fields => ["city_name","region_name","country_name","ip"]
}
# Strips the host/agent/cloud metadata that Filebeat's processors attach
# (see the processors section of filebeat.yml) before indexing.
mutate {
remove_field => ["timestamp","agent","ecs","host","architecture","hostname","os","ip","cloud.availability_zone","cloud.instance.id","cloud.instance.name","cloud.machine.type","cloud.provider","cloud.service.name"]
}
}
output {
#user => "elastic"
#password => "changeme"
# Only events tagged "user-log" (set in filebeat.yml) are indexed; one index per day.
if "user-log" in [tags]{
# Plain http and no credentials — works only while xpack.security is off.
# After step 6 this output needs user/password (the commented lines above)
# plus the output's ssl / CA settings, otherwise indexing fails with 401/TLS errors.
elasticsearch {
hosts => ["180.76.xx.xx:9200"]
manage_template => false
index => "logstash-user-log-%{+yyyy.MM.dd}"
}
}
# Echoes every event, including the full log line, to the console; useful
# while debugging the grok pattern, noisy (and a log-leak to the terminal) in production.
stdout { codec => rubydebug }
}
//启动
[root@master config]# /usr/local/elk/logstash/bin/logstash -f /usr/local/elk/logstash/config/logstash.conf
5.安装filebeat
// 解压
[root@master src]# tar xf filebeat-8.4.3-linux-x86_64.tar.gz -C /usr/local/elk/
[root@master src]# mv filebeat-8.4.3 filebeat
//修改配置文件
[root@master log]# cd /usr/local/elk/filebeat/
[root@master filebeat]# ls
fields.yml filebeat.yml LICENSE.txt NOTICE.txt
filebeat filebeat.yml.bak module README.md
filebeat.reference.yml kibana modules.d
[root@master filebeat]# vim filebeat.yml
# filebeat.yml as edited for this setup (stock comments kept).
# NOTE(review): the indentation of nested keys was lost when this page was
# rendered; in the real file the keys under a list item or mapping
# (enabled/paths/multiline.* under "- type: log", host under setup.kibana, …)
# must be indented, or the file will not parse as intended.
# ============================== Filebeat inputs ===============================
filebeat.inputs:
# Ships every *.log under /var/log. The process is started as root below
# (see the ps output); a dedicated user with group read on the log files is
# the least-privilege alternative.
- type: log
enabled: true
paths:
- /var/log/*.log
# Lines that do NOT start with "[YYYY-MM-DD HH:MM:SS]" (negate: true) are
# appended to the preceding line (match: after), so stack traces stay one event.
multiline.pattern: '^\[[0-9]+-[0-9]+-[0-9]+ [0-9]+:[0-9]+:[0-9]+\]'
multiline.negate: true
multiline.match: after
# Must match the `if "user-log" in [tags]` condition in logstash.conf.
tags: ["user-log"]
# ============================== Filebeat modules ==============================
filebeat.config.modules:
path: ${path.config}/modules.d/*.yml
reload.enabled: false
# ======================= Elasticsearch template setting =======================
setup.template.settings:
index.number_of_shards: 1
# ================================== General ===================================
#tags: ["service-X", "web-tier"]
#fields:
# env: staging
# ================================= Dashboards =================================
#setup.dashboards.url:
# =================================== Kibana ===================================
# Plain http to Kibana on its public address; switch to https once step 6 is applied.
setup.kibana:
host: "180.76.xx.xx:5601"
# =============================== Elastic Cloud ================================
# ================================== Outputs ===================================
# ---------------------------- Elasticsearch Output ----------------------------
#output.elasticsearch:
# Array of hosts to connect to.
#hosts: ["180.76.xx.xx:9200"]
# Protocol - either `http` (default) or `https`.
#protocol: "https"
# Authentication credentials - either API key or username/password.
#api_key: "id:api_key"
#username: "elastic"
#password: "changeme"
# ------------------------------ Logstash Output -------------------------------
# Events go to the Logstash beats input on 5044 in clear text: the ssl.*
# settings below are all commented out. Enabling them requires the matching
# ssl options on the beats input in logstash.conf.
output.logstash:
hosts: ["180.76.xx.xx:5044"]
# Optional SSL. By default is off.
# List of root certificates for HTTPS server verifications
#ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
# Certificate for SSL client authentication
#ssl.certificate: "/etc/pki/client/cert.pem"
# Client Certificate Key
#ssl.key: "/etc/pki/client/cert.key"
# ================================= Processors =================================
# These attach the host/agent/cloud/container fields that logstash.conf's
# mutate.remove_field strips again; the cloud/docker/kubernetes processors also
# probe local metadata endpoints at startup. Drop the ones not needed here.
processors:
- add_host_metadata:
when.not.contains.tags: forwarded
- add_cloud_metadata: ~
- add_docker_metadata: ~
- add_kubernetes_metadata: ~
# ================================== Logging ===================================
# Sets log level. The default log level is info.
# Available log levels are: error, warning, info, debug
#logging.level: debug
# At debug level, you can selectively enable logging only for some components.
# To enable all selectors use ["*"]. Examples of other selectors are "beat",
# "publisher", "service".
#logging.selectors: ["*"]
# ============================= X-Pack Monitoring ==============================
# Filebeat can export internal metrics to a central Elasticsearch monitoring
# cluster. This requires xpack monitoring to be enabled in Elasticsearch. The
# reporting is disabled by default.
# Set to true to enable the monitoring reporter.
#monitoring.enabled: false
# Sets the UUID of the Elasticsearch cluster under which monitoring data for this
# Filebeat instance will appear in the Stack Monitoring UI. If output.elasticsearch
# is enabled, the UUID is derived from the Elasticsearch cluster referenced by output.elasticsearch.
#monitoring.cluster_uuid:
# Uncomment to send the metrics to Elasticsearch. Most settings from the
# Elasticsearch output are accepted here as well.
# Note that the settings should point to your Elasticsearch *monitoring* cluster.
# Any setting that is not set is automatically inherited from the Elasticsearch
# output configuration, so if you have the Elasticsearch output configured such
# that it is pointing to your Elasticsearch monitoring cluster, you can simply
# uncomment the following line.
#monitoring.elasticsearch:
# ============================== Instrumentation ===============================
# Instrumentation support for the filebeat.
#instrumentation:
# Set to true to enable instrumentation of filebeat.
#enabled: false
# Environment in which filebeat is running on (eg: staging, production, etc.)
#environment: ""
# APM Server hosts to report instrumentation results to.
#hosts:
# - http://localhost:8200
# API Key for the APM Server(s).
# If api_key is set then secret_token will be ignored.
#api_key:
# Secret token for the APM Server(s).
#secret_token:
# ================================= Migration ==================================
# This allows to enable 6.7 migration aliases
#migration.6_to_7.enabled: true
// 启动
[root@master filebeat]# nohup /usr/local/elk/filebeat/filebeat -c /usr/local/elk/filebeat/filebeat.yml &
[root@master filebeat]# ps -ef | grep file
dbus 567 1 0 Aug16 ? 00:03:10 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
root 727 7400 2 15:27 pts/0 00:00:00 /usr/local/elk/filebeat/filebeat -c /usr/local/elk/filebeat/filebeat.yml
root 794 7400 0 15:28 pts/0 00:00:00 grep --color=auto file
elk 22822 1 2 09:55 pts/0 00:08:27 /usr/local/elk/elasticsearch/jdk/bin/java -Des.networkaddress.cache.ttl=60 -Des.networkaddress.cache.negative.ttl=10 -Djava.security.manager=allow -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Dlog4j2.formatMsgNoLookups=true -Djava.locale.providers=SPI,COMPAT --add-opens=java.base/java.io=ALL-UNNAMED -Xms256m -Xmx256m -XX:+UseG1GC -Djava.io.tmpdir=/tmp/elasticsearch-16899149156724258888 -XX:+HeapDumpOnOutOfMemoryError -XX:+ExitOnOutOfMemoryError -XX:HeapDumpPath=data -XX:ErrorFile=logs/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=logs/gc.log:utctime,pid,tags:filecount=32,filesize=64m -XX:MaxDirectMemorySize=134217728 -XX:G1HeapRegionSize=4m -XX:InitiatingHeapOccupancyPercent=30 -XX:G1ReservePercent=15 -Des.distribution.type=tar --module-path /usr/local/elk/elasticsearch/lib --add-modules=jdk.net -m org.elasticsearch.server/org.elasticsearch.bootstrap.Elasticsearch
6.设置密码
// 修改elasticsearch配置文件
[root@master elasticsearch]# vim config/elasticsearch.yml
# elasticsearch.yml for step 6: authentication and TLS enabled.
# NOTE(review): the nested keys under xpack.security.http.ssl and
# xpack.security.transport.ssl lost their indentation in this page's rendering;
# they must be indented in the real file.
# NOTE(review): the certs/http.p12 and certs/elastic-certificates.p12 keystores
# referenced below are not created anywhere on this page (the page is cut off
# at "配置密码"); they are normally produced with bin/elasticsearch-certutil,
# should be owned by elk with mode 600, and their passwords belong in the
# Elasticsearch keystore (xpack.security.*.ssl.keystore.secure_password), not here.
node.name: node-1
cluster.name: es-cluster
path.data: /data/elasticsearch/data
path.logs: /data/elasticsearch/log
# Still bound to all interfaces; now protected by authentication + TLS below.
network.host: 0.0.0.0
cluster.initial_master_nodes: ["node-1"]
# NOTE(review): 0.0.0.0 is a wildcard bind address, not a reachable peer, so
# this entry cannot find another node. For a one-node cluster use
# `discovery.type: single-node` (and drop cluster.initial_master_nodes) instead.
discovery.seed_hosts: ["0.0.0.0"]
http.port: 9200
http.cors.enabled: true
# Allows generating enrollment tokens for Kibana / additional nodes.
xpack.security.enrollment.enabled: true
# CORS still open to every origin; narrow it to the Kibana origin.
http.cors.allow-origin: "*"
http.cors.allow-methods : OPTIONS,HEAD,GET,POST,PUT,DELETE
http.cors.allow-headers : "X-Requested-With,Content-Type,Content-Length,X-User"
ingest.geoip.downloader.enabled: false
#xpack.ml.enabled: false
# Turns on authentication. Every client configured earlier (kibana.yml
# elasticsearch.hosts, logstash.conf elasticsearch output, filebeat setup.kibana)
# must be updated to https plus credentials, or they stop working.
xpack.security.enabled: true
# TLS on the REST (9200) port; the same PKCS#12 file serves as key and trust store.
xpack.security.http.ssl:
enabled: true
keystore.path: /usr/local/elk/elasticsearch/config/certs/http.p12
truststore.path: /usr/local/elk/elasticsearch/config/certs/http.p12
# TLS on the node-to-node (9300) port. verification_mode: certificate checks
# the peer's certificate chain but not its hostname.
xpack.security.transport.ssl:
enabled: true
verification_mode: certificate
keystore.path: /usr/local/elk/elasticsearch/config/certs/elastic-certificates.p12
truststore.path: /usr/local/elk/elasticsearch/config/certs/elastic-certificates.p12
# REST clients are not required to present a client certificate; they
# authenticate with username/password, API key or token instead.
xpack.security.http.ssl.client_authentication: none
//配置密码