Installing the ELK log analysis system on CentOS 7

Posted by 無風的雨 on 2017-12-13

Architecture diagram
Elasticsearch: search; provides a distributed full-text search engine;
Logstash: log collection, management and storage;
Kibana: log filtering and web display;
Filebeat: monitors and forwards log files; it has replaced logstash-forwarder;

1. Preparation
Configure the yum source, using the repository provided on the official site
https://www.elastic.co/guide/en/elasticsearch/reference/current/rpm.html
Download and install the public signing key:

rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch

Create the yum repo file

vim /etc/yum.repos.d/elasticsearch.repo

Contents as follows

[elasticsearch-6.x]
name=Elasticsearch repository for 6.x packages
baseurl=https://artifacts.elastic.co/packages/6.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md

2. Installing Elasticsearch
Elasticsearch depends on a Java runtime, so install the JDK first.

yum -y install java-1.8.0-openjdk

Check the Java installation

Install Elasticsearch

yum -y install elasticsearch
systemctl start elasticsearch

By default Elasticsearch serves HTTP on port 9200 and uses TCP port 9300 for inter-node communication.

ss -tlnp |grep -E '9200|9300'

Test the service

curl -X GET http://localhost:9200

3. Installing Logstash

yum -y install logstash
systemctl start logstash

4. Installing Kibana

yum -y install kibana
systemctl start kibana

5. Open http://localhost:5601 in a browser
6. Configuring nginx access

vim /etc/nginx/conf.d/kibana.conf

server {
    listen       80;
    server_name  kb.com;
    access_log  /var/log/nginx/kibana.aniu.co.access.log;
    # the original pointed error_log at the access log file; give it its own file
    error_log   /var/log/nginx/kibana.aniu.co.error.log;
    # With these two lines commented out, anyone who can reach port 80 gets
    # Kibana without a password. Uncomment them (and create the htpasswd file)
    # before the proxy is reachable from anything other than localhost.
    #auth_basic "Restricted Access";
    #auth_basic_user_file /etc/nginx/htpasswd.users;
    location / {
        proxy_pass http://localhost:5601;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}

systemctl reload nginx

Visit http://kb.com

7. Installing Filebeat

yum -y install filebeat
systemctl start filebeat
systemctl enable filebeat

Configure Filebeat
vim /etc/filebeat/filebeat.yml ## configure filebeat

#============= Filebeat prospectors ===============
filebeat.prospectors:
- input_type: log
  enabled: true #change to true to enable this prospector configuration.
  paths:
    #- /var/log/*.log
    - /var/log/messages
#==================== Outputs =====================
#------------- Elasticsearch output ---------------
#output.elasticsearch:
  # Array of hosts to connect to.
  #hosts: ["localhost:9200"]
#---------------- Logstash output -----------------
output.logstash:
  # The Logstash hosts
  hosts: ["localhost:5044"]

Note: output.elasticsearch and output.logstash cannot both be enabled at once, so the two lines under the Elasticsearch output (the output.elasticsearch: key and its hosts: entry) are commented out above. Also make sure the prospector has
enabled: true #change to true to enable this prospector configuration.

systemctl restart filebeat

8. Configuring Logstash
Create the configuration file
vim /etc/logstash/conf.d/01-logstash-initial.conf

input {
  beats {
    port => 5044           # the port Filebeat ships to (output.logstash above)
    type => "logs"
  }
}

filter {
  #if [type] == "sy" {
    # split a /var/log/messages line into timestamp, host, program, pid and message
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    # only acts on events that carry a clientip field; plain syslog lines from
    # /var/log/messages do not, so those events get a _geoip_lookup_failure tag
    geoip {
      source => "clientip"
    }
    syslog_pri {}
    # use the time in the log line as @timestamp instead of the time Logstash
    # received the event (syslog has no year, so the current year is assumed)
    date {
      match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  # }
}

output {
  elasticsearch { hosts => ["localhost:9200"] }
  stdout { codec => rubydebug }   # also print each event to the console for debugging
}
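
To check which lines the grok and date filters above will actually parse before shipping them, here is an added Python example (not part of the original post and not Logstash's own code) that mirrors that grok pattern over a constructed /var/log/messages sample; the hostname, pids and the year passed in are assumptions:

```python
import re
from datetime import datetime

# Python equivalent of the grok pattern in the Logstash filter above:
# SYSLOGTIMESTAMP, SYSLOGHOST, DATA (program), optional POSINT pid, GREEDYDATA.
SYSLOG_RE = re.compile(
    r"^(?P<syslog_timestamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<syslog_hostname>[\w.-]+) "
    r"(?P<syslog_program>[^\[:]+?)(?:\[(?P<syslog_pid>\d+)\])?: "
    r"(?P<syslog_message>.*)$"
)

# Constructed sample of /var/log/messages lines (hostname and pids are made up);
# the last line is deliberately not syslog-formatted to show the failure case.
SAMPLE_LOG = """\
Dec 13 10:21:05 elk-host systemd: Started Elasticsearch.
Dec  3 08:05:59 elk-host filebeat[1822]: Harvester started for file: /var/log/messages
Dec 13 10:22:41 elk-host kernel: [  123.456789] audit: type=1400 msg=unit=elasticsearch
not a syslog line at all
"""

def parse_syslog_line(line, year):
    """Mimic the grok and date filters for one event.

    Syslog timestamps carry no year, so the caller supplies one (Logstash's
    date filter assumes the current year). Lines that do not match get the
    _grokparsefailure tag, exactly as Logstash tags them.
    """
    event = {"message": line}
    m = SYSLOG_RE.match(line)
    if not m:
        event["tags"] = ["_grokparsefailure"]
        return event
    # keep only the fields grok actually captured (pid is optional)
    event.update({k: v for k, v in m.groupdict().items() if v is not None})
    # date filter "MMM d HH:mm:ss" / "MMM dd HH:mm:ss": collapse the double
    # space syslog uses for single-digit days, then parse with the given year
    ts = re.sub(r" +", " ", event["syslog_timestamp"])
    event["@timestamp"] = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S").isoformat()
    return event

def run_pipeline(text, year):
    """Parse every non-empty line; returns the events in input order."""
    return [parse_syslog_line(line, year) for line in text.splitlines() if line.strip()]

if __name__ == "__main__":
    for ev in run_pipeline(SAMPLE_LOG, year=2017):
        print(ev.get("tags") or ev["@timestamp"], ev.get("syslog_program", "-"))
```

Any line that comes back tagged _grokparsefailure would be indexed unparsed by the pipeline above, so adjust the pattern (or the Filebeat paths) until the sample parses cleanly.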

Check the ports
ss -tlnp|grep -E '5044|9600'
Validate the Logstash configuration file

/usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/01-logstash-initial.conf --config.test_and_exit

If it prints Configuration OK, the configuration is valid.
If you get the error: WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using
Solution:

cd /usr/share/logstash
ln -s /etc/logstash ./config

9. Configuring Kibana
Add an index pattern
View the status charts

References:
https://www.elastic.co/guide/index.html
http://www.cnblogs.com/hanyifeng/p/5509985.html
http://blog.51cto.com/wangzhijian/1878636#comment
