Lab environment: the host runs CentOS 6.5 with the IP address 192.168.137.191. Everything is installed from RPM packages downloaded from the official sites: Elasticsearch, Logstash, Kibana and the JDK (JRE). Logstash depends on Java, so a Java runtime is mandatory; a JRE is enough here, but I had a JDK package at hand and used that. As always, set the server clock correctly before starting (event timestamps and the daily logstash-* index names depend on it).
All the RPM packages were put under /opt/, and no install path was given at install time, so every package lands in its default location.
#rpm -ivh jdk-8u102-linux-x64.rpm
Preparing...                ########################################### [100%]
   1:jdk1.8.0_102           ########################################### [100%]
Unpacking JAR files...
        tools.jar...
        plugin.jar...
        javaws.jar...
        deploy.jar...
        rt.jar...
        jsse.jar...
        charsets.jar...
        localedata.jar...
#rpm -ivh elasticsearch-2.3.4.rpm
warning: elasticsearch-2.3.4.rpm: Header V4 RSA/SHA1 Signature, key ID d88e42b4: NOKEY
Preparing...                ########################################### [100%]
Creating elasticsearch group... OK
Creating elasticsearch user... OK
   1:elasticsearch          ########################################### [100%]
### NOT starting on installation, please execute the following statements to configure elasticsearch service to start automatically using chkconfig
 sudo chkconfig --add elasticsearch
### You can start elasticsearch service by executing
 sudo service elasticsearch start
The NOKEY warning means rpm found a signature on the package but could not check it, because Elastic's public signing key (key ID d88e42b4) is not in the RPM keyring; the install then proceeds unverified. Import Elastic's signing key with rpm --import before installing and confirm with rpm -K that the package signature checks out, otherwise a tampered download installs just as silently as a genuine one.
#cd /usr/share/elasticsearch/
#./bin/plugin install mobz/elasticsearch-head
Install the head plugin, a browser-based cluster management UI.
-> Installing mobz/elasticsearch-head...
Trying https://github.com/mobz/elasticsearch-head/archive/master.zip ...
Downloading ............................................................................DONE
Verifying https://github.com/mobz/elasticsearch-head/archive/master.zip checksums if available ...
NOTE: Unable to verify checksum for downloaded plugin (unable to find .sha1 or .md5 file to verify)
Installed head into /usr/share/elasticsearch/plugins/head
Note the NOTE line: the GitHub shorthand fetches whatever is on the plugin's master branch right now, and there is no checksum to compare it against, so what got installed is simply what GitHub served at that moment. Once installed, head is served by Elasticsearch itself at http://192.168.137.191:9200/_plugin/head/ and, like the rest of the ES 2.x API, has no authentication.
#./bin/plugin install lmenezes/elasticsearch-kopf
Install the kopf plugin. It is not a log search tool but a second cluster administration UI (nodes, indices, aliases, and a REST console for queries), served at http://192.168.137.191:9200/_plugin/kopf/.
-> Installing lmenezes/elasticsearch-kopf...
Trying https://github.com/lmenezes/elasticsearch-kopf/archive/master.zip ...
Downloading ..................................................................................DONE
Verifying https://github.com/lmenezes/elasticsearch-kopf/archive/master.zip checksums if available ...
NOTE: Unable to verify checksum for downloaded plugin (unable to find .sha1 or .md5 file to verify)
Installed kopf into /usr/share/elasticsearch/plugins/kopf
The same caveat applies: unpinned master.zip, no checksum. If you keep these plugins, pin a tagged release, get the archive's hash through a channel you trust, and restrict which hosts can reach port 9200, since both UIs give anyone who can open them full control of the cluster.
#mkdir /es/data -p
#mkdir /es/logs -p
#cp /etc/elasticsearch/elasticsearch.yml /etc/elasticsearch/elasticsearch.yml.bak
Back up the original configuration file.
#vim /etc/elasticsearch/elasticsearch.yml
Everything in the shipped file is commented out, so just append the following at the end:
cluster.name: es
node.name: node-0
path.data: /es/data
path.logs: /es/logs
network.host: 192.168.137.191
http.port: 9200
The HTTP port is set with http.port (there is no network.port setting; ES 2.x silently ignores unknown keys and falls back to the default 9200, so a typo here goes unnoticed). Setting network.host to the LAN address makes the HTTP API on 9200 and the transport port 9300 reachable from any host that can route to 192.168.137.191, with no authentication, which is how ES 2.x ships. For a single-node lab you can leave network.host unset (ES 2.x then binds to loopback only); if it has to listen on the LAN, firewall both ports.
#chkconfig --add elasticsearch
#chkconfig elasticsearch on
Because it was installed from an RPM, the init script is already in /etc/init.d/.
#chown -R elasticsearch.elasticsearch /usr/share/elasticsearch/
#chown -R elasticsearch.elasticsearch /etc/elasticsearch/
#chown -R elasticsearch.elasticsearch /es
Hand the configuration and the data and log directories to the elasticsearch user, since the service runs as that user and must be able to write to /es/data and /es/logs. The first chown, on the install directory, is not needed and is better skipped: the RPM already installs /usr/share/elasticsearch with root ownership, the service only needs to read it, and a service user that can rewrite its own jars and plugins directory lets anyone who compromises Elasticsearch make that compromise persistent.
#service elasticsearch start
Start the elasticsearch service.
#netstat -luntp
When 9200 and 9300 show up as listening in the output below, the start succeeded. 9200 is the HTTP REST API and 9300 the node-to-node transport port; both are bound to 192.168.137.191, that is, reachable from the network, and neither is authenticated in ES 2.x.
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      982/sshd
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      1058/master
tcp        0      0 ::ffff:192.168.137.191:9200 :::*                        LISTEN      1920/java
tcp        0      0 ::ffff:192.168.137.191:9300 :::*                        LISTEN      1920/java
tcp        0      0 :::22                       :::*                        LISTEN      982/sshd
tcp        0      0 ::1:25                      :::*                        LISTEN      1058/master
Opening http://192.168.137.191:9200/ in a browser returns the node banner:
{
  "name" : "node-0",
  "cluster_name" : "es",
  "version" : {
    "number" : "2.3.4",
    "build_hash" : "e455fd0c13dceca8dbbdbb1665d068ae55dabe3f",
    "build_timestamp" : "2016-06-30T11:24:31Z",
    "build_snapshot" : false,
    "lucene_version" : "5.5.0"
  },
  "tagline" : "You Know, for Search"
}
That completes the Elasticsearch install; next, Kibana.
#rpm -ivh kibana-4.5.3-1.x86_64.rpm
Install the Kibana package.
#chkconfig --add kibana
#chkconfig kibana on
This is the nice thing about RPM packages: the init script comes with them.
#service kibana start
Start Kibana.
#netstat -luntp
Port 5601 now shows up as listening, so Kibana started. Note that it is bound to 0.0.0.0, every interface, and Kibana 4 has no login of its own: anyone who can reach the port gets the full UI, and through it whatever the Kibana host can read from Elasticsearch.
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      982/sshd
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      1058/master
tcp        0      0 0.0.0.0:5601                0.0.0.0:*                   LISTEN      2095/node
tcp        0      0 ::ffff:192.168.137.191:9200 :::*                        LISTEN      1920/java
tcp        0      0 ::ffff:192.168.137.191:9300 :::*                        LISTEN      1920/java
tcp        0      0 :::22                       :::*                        LISTEN      982/sshd
tcp        0      0 ::1:25                      :::*                        LISTEN      1058/master
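Since neither ES 2.x nor Kibana 4 authenticates anything, the bind address and the host firewall are the only things between the network and the cluster. The script below is an added example, not part of the original post: it takes the text of `netstat -luntp` (the sample embedded in it is the output shown above), reports every ELK port that is bound to something other than loopback, and prints one iptables rule per exposed port that drops traffic from outside a trusted subnet. The port list and the trusted subnet 192.168.137.0/24 are assumptions for the example.

```shell
#!/bin/sh
# Exposure check for an ELK host: list the ELK listeners that are bound to
# something other than loopback, and emit iptables rules that restrict each
# one to a trusted subnet. Added example, not part of the original post.
# The netstat text at the bottom is copied from the post's output; the
# "trusted" subnet 192.168.137.0/24 is an assumption.

# ES HTTP API, ES transport, Kibana, and the Logstash syslog input from this post.
ELK_PORTS="9200 9300 5601 5944"

# Print "proto port address" for every ELK port whose local address is not
# loopback. $1 is the text of `netstat -luntp`.
elk_exposed_listeners() {
  printf '%s\n' "$1" | awk -v ports="$ELK_PORTS" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    $1 ~ /^(tcp|udp)/ {
      proto = $1; sub(/6$/, "", proto)          # tcp6 -> tcp
      addr  = $4
      m     = split(addr, a, ":")
      port  = a[m]                              # last colon-separated field
      host  = substr(addr, 1, length(addr) - length(port) - 1)
      if ((port in want) && host != "127.0.0.1" && host != "::1" && host != "::ffff:127.0.0.1")
        print proto, port, host
    }'
}

# One DROP rule per exposed proto/port pair, letting only $2 (a CIDR) through.
restrict_rules() {
  elk_exposed_listeners "$1" | awk -v cidr="$2" '
    !seen[$1 " " $2]++ {
      printf "iptables -A INPUT -p %s --dport %s ! -s %s -j DROP\n", $1, $2, cidr
    }'
}

# Constructed sample: the `netstat -luntp` output shown in the post after
# Kibana was started.
SAMPLE_NETSTAT=$(cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      982/sshd
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      1058/master
tcp        0      0 0.0.0.0:5601                0.0.0.0:*                   LISTEN      2095/node
tcp        0      0 ::ffff:192.168.137.191:9200 :::*                        LISTEN      1920/java
tcp        0      0 ::ffff:192.168.137.191:9300 :::*                        LISTEN      1920/java
tcp        0      0 :::22                       :::*                        LISTEN      982/sshd
tcp        0      0 ::1:25                      :::*                        LISTEN      1058/master
EOF
)

echo "exposed ELK listeners:"
elk_exposed_listeners "$SAMPLE_NETSTAT"
echo "suggested rules:"
restrict_rules "$SAMPLE_NETSTAT" 192.168.137.0/24
```

On the real host, feed it live output with `elk_exposed_listeners "$(netstat -luntp)"`. The generated rules use a single `! -s CIDR -j DROP` per port rather than an ACCEPT/DROP pair, so they are safe to append to an existing INPUT chain without reordering it; review them before applying, and remember they cover only these four ports, not the SSH and SMTP listeners the sample also shows.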
Next, Logstash.
#rpm -ivh logstash-all-plugins-2.3.4-1.noarch.rpm
Install Logstash (this package bundles all plugins).
#vim /etc/logstash/conf.d/logstash-test.conf
Create a Logstash config file for a first test, with the following content: stdin as the input, and Elasticsearch plus a debug print on stdout as the outputs.
input {
  stdin { }
}
output {
  elasticsearch { hosts => "192.168.137.191" }
  stdout { codec => rubydebug }
}
#/opt/logstash/bin/logstash --configtest -f /etc/logstash/conf.d/logstash-test.conf
Check that the config file is valid; the following output means it is:
Configuration OK
#/opt/logstash/bin/logstash -f /etc/logstash/conf.d/logstash-test.conf
-f points at the config file. Type hello world: the event is echoed back in rubydebug format and indexed into Elasticsearch. Ctrl+C stops Logstash.
#curl 'http://192.168.137.191:9200/_search?pretty'
This prints every document Elasticsearch holds, across all indices (Logstash writes to a daily logstash-YYYY.MM.DD index by default), so the hello world event should appear in the output.
At this point all three ELK components are installed, but nothing feeds real logs into ES yet. The remaining configuration makes the stack do actual work.
#vim /opt/kibana/config/kibana.yml
Like the ES one, the Kibana config file is all comments; append the following at the end:
server.port: 5601
server.host: "192.168.137.191"
elasticsearch.url: "http://192.168.137.191:9200"
kibana.defaultAppId: "discover"
elasticsearch.requestTimeout: 300000
elasticsearch.shardTimeout: 0
server.host makes Kibana bind to the LAN address instead of 0.0.0.0. That limits which interfaces it listens on but adds no authentication; anyone on the LAN can still use it.
#service kibana restart
Restart Kibana.
#vim /etc/logstash/conf.d/logstash-local.conf
Create a second Logstash config that reads the local messages and secure logs straight from disk, also listens on port 5944 (an arbitrary choice) for syslog sent from other hosts, and sends everything to ES:
input {
  file {
    type => "syslog"
    path => ["/var/log/messages", "/var/log/secure"]
  }
  syslog {
    type => "syslog"
    port => "5944"
  }
}
output {
  elasticsearch { hosts => "192.168.137.191" }
  stdout { codec => rubydebug }
}
The syslog input opens 5944 on both tcp and udp on all interfaces and accepts anything that parses as a syslog line, so any host that can reach the port can inject arbitrary events into the index. Restrict the port to the hosts that are supposed to send logs.
#/opt/logstash/bin/logstash --configtest -f /etc/logstash/conf.d/logstash-local.conf
Check the syntax of the config file (the -f is required here too; without it --configtest has no file to test).
#nohup /opt/logstash/bin/logstash -f /etc/logstash/conf.d/logstash-local.conf &
Start Logstash in the background, detached from the terminal. This runs it as root from the shell, which is fine for a quick test and is the reason the file input can read /var/log/secure (normally 0600 root:root on CentOS 6). For anything longer-lived, use the init script the RPM installed (service logstash start): it runs Logstash as the unprivileged logstash user and loads every file in /etc/logstash/conf.d, so before using it move logstash-test.conf out of that directory (its stdin input makes no sense under a service) and give the logstash user read access to the log files it is supposed to ship.
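The two things that silently break this pipeline when it is later moved under the init script are log files the logstash user cannot read and a listener port it cannot bind. The preflight below is an added example, not part of the original post: it pulls the file{} paths and the syslog{} port out of a config like logstash-local.conf and reports what the invoking user cannot use. The config it tests is a constructed sample written to a temporary directory; the helper names are mine.

```shell
#!/bin/sh
# Preflight for a Logstash pipeline like logstash-local.conf: list the file{}
# input paths the invoking user cannot read, and check that the syslog{} port
# can be bound by that user. Added example, not from the original post; the
# config written under $TMPD is a constructed sample.

# Every quoted path from "path => ..." lines, one per line.
config_paths() {
  grep 'path[[:space:]]*=>' "$1" | grep -o '"[^"]*"' | tr -d '"'
}

# Paths that are missing or not readable by the current user.
unreadable_paths() {
  config_paths "$1" | while IFS= read -r p; do
    [ -r "$p" ] || printf '%s\n' "$p"
  done
}

# First syslog listener port (empty if the config has no port => line).
syslog_port() {
  grep 'port[[:space:]]*=>' "$1" | grep -o '[0-9][0-9]*' | head -n 1
}

# 0 if the port is unprivileged (>= 1024) or we are root; 1 otherwise.
port_bindable() {
  port=$(syslog_port "$1")
  [ -z "$port" ] && return 0
  [ "$port" -ge 1024 ] && return 0
  [ "$(id -u)" -eq 0 ]
}

# Overall verdict: 0 when every path is readable and the port is bindable.
preflight() {
  bad=$(unreadable_paths "$1" | grep -c . || true)
  port_bindable "$1" && [ "$bad" -eq 0 ]
}

# ---- constructed sample: same shape as the post's logstash-local.conf,
# ---- with one of the two log files deliberately absent.
TMPD=$(mktemp -d)
printf 'Jul  1 10:00:00 host sshd[1]: Accepted password for root\n' > "$TMPD/messages"
cat > "$TMPD/logstash-local.conf" <<EOF
input {
  file {
    type => "syslog"
    path => ["$TMPD/messages", "$TMPD/secure"]
  }
  syslog {
    type => "syslog"
    port => "5944"
  }
}
output {
  elasticsearch { hosts => "192.168.137.191" }
}
EOF

echo "unreadable inputs:"
unreadable_paths "$TMPD/logstash-local.conf"
if preflight "$TMPD/logstash-local.conf"; then echo "preflight ok"; else echo "preflight failed"; fi
```

Run it as the user the service will use, for example `sudo -u logstash sh preflight.sh`, with the path of the real config in place of the sample; a file listed as unreadable is one the file input will skip without any error in Kibana, which is exactly how /var/log/secure goes missing from the index.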
Open Kibana in the browser; it proposes an index pattern for the logstash-* indices. Click the green Create button.
Once the index pattern has been created, proceed as follows.
Click Discover to browse the logs. If Kibana reports no results, use the time picker in the top right corner to widen the time range being displayed.
A follow-up on collecting nginx logs with ELK will come later.