The whole ELK stack here uses version 5.0.
1. ELK depends on a Java environment, so install the JDK first. Note that ELK 5.0 requires JDK 1.8 or later.
2. Install elasticsearch
yum -y install elasticsearch-5.0.1.rpm
mkdir -pv /elk/{data,logs}                    # create the directories for ES data and logs
chown -R elasticsearch.elasticsearch /elk/*   # set owner and group to the elasticsearch user
Edit the ES configuration file:
vim /etc/elasticsearch/elasticsearch.yml
cluster.name: my-application
node.name: node-1
path.data: /elk/data
path.logs: /elk/logs
network.host: 0.0.0.0
http.port: 9200
Raise the process limit
vim /etc/security/limits.d/90-nproc.conf
Change the value for the `*` entry to 2048.
Adjust the JVM parameters
vim /etc/elasticsearch/jvm.options
-Xms512m
-Xmx512m
Adjust these values according to the memory actually available.
Start elasticsearch and check that ports 9200 and 9300 are listening.
3. Install kibana
[root@node2 ~]# yum -y install kibana-5.0.1-x86_64.rpm
Edit the kibana configuration file
[root@node2 ~]# vim /etc/kibana/kibana.yml
server.port: 5601
server.host: "0.0.0.0"
elasticsearch.url: "http://localhost:9200"
kibana.index: ".kibana"
Start kibana and check that port 5601 is listening.
4. Install logstash
[root@node2 ~]# yum -y install logstash-5.0.1.rpm
Write a first test configuration
[root@node2 ~]# cat /etc/logstash/conf.d/test.conf
input {
  stdin {}
}
output {
  stdout { codec => "rubydebug" }
}
Test it:
[root@node2 ~]# /usr/share/logstash/bin/logstash -t -f /etc/logstash/conf.d/test.conf
-t: test the configuration file without starting Logstash
-f: which configuration file to use
WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults
Could not find log4j2 configuration at path /usr/share/logstash/config/log4j2.properties. Using default config which logs to console
Configuration OK
14:08:51.310 [LogStash::Runner] INFO logstash.runner - Using config.test_and_exit mode. Config Validation Result: OK. Exiting Logstash
The warning appears because no config directory was found under /usr/share/logstash.
Fix: create a symbolic link
[root@node2 ~]# ln -sv /etc/logstash /usr/share/logstash/config
Now change the configuration file to read from redis and write to elasticsearch:
[root@node2 ~]# cat /etc/logstash/conf.d/test.conf
input {
  redis {
    host => "192.168.0.224"
    port => 6379
    key => "syslog"
    type => "message1"
    data_type => "list"
  }
}
output {
  stdout { codec => "rubydebug" }
  elasticsearch { hosts => ["localhost:9200"] }
}
5. Build and install redis from source
Install gcc first
[root@node2 ~]# yum -y install gcc
[root@node2 ~]# tar xf redis-3.0.7.tar.gz -C /app/tools/
[root@node2 ~]# cd /app/tools/redis-3.0.7/
[root@node2 redis-3.0.7]# make
Start redis-server
[root@node2 redis-3.0.7]# /app/tools/redis-3.0.7/src/redis-server &
Check that port 6379 is listening.
6. Install filebeat
[root@node2 ~]# yum -y install filebeat-5.0.1-x86_64.rpm
[root@node2 ~]# vim /etc/filebeat/filebeat.yml
  paths:
    #- /var/log/*.log
    - /var/log/messages
output.redis:
  hosts: ["192.168.0.224"]   # redis address
  port: 6379                 # redis port
  key: "syslog"              # redis key name
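The filebeat output and the logstash redis input above must agree on host, port, key and data type; if they do not, filebeat keeps pushing onto one list while logstash blocks on another, and llen grows without ever draining. The following stdlib-only checker is an added example, not part of the original post: it parses both fragments (constructed copies of the ones shown here) and returns every mismatch it finds.

```python
import re

# Constructed copies of the two fragments from this walkthrough.
FILEBEAT_YML = """\
filebeat.prospectors:
- input_type: log
  paths:
    - /var/log/messages
output.redis:
  hosts: ["192.168.0.224"]
  port: 6379
  key: "syslog"
"""
LOGSTASH_CONF = """\
input {
  redis { host => "192.168.0.224" port => 6379 key => "syslog"
          type => "message1" data_type => "list" }
}
output { elasticsearch { hosts => ["localhost:9200"] } }
"""

def parse_filebeat_redis(yml):
    """Extract hosts/port/key from the indented output.redis section."""
    sect = re.search(r"^output\.redis:\n((?:[ \t]+.*\n?)+)", yml, re.M)
    if not sect:
        return None
    body = sect.group(1)
    hosts = re.findall(r'"([^"]+)"', re.search(r"hosts:\s*\[(.*)\]", body).group(1))
    port = int(re.search(r"port:\s*(\d+)", body).group(1))
    key = re.search(r'key:\s*"([^"]+)"', body).group(1)
    return {"hosts": hosts, "port": port, "key": key}

def parse_logstash_redis(conf):
    """Extract host/port/key/data_type from the redis { ... } input block."""
    block = re.search(r"redis\s*\{(.*?)\}", conf, re.S)
    if not block:
        return None
    body = block.group(1)
    get = lambda k: re.search(rf'\b{k}\s*=>\s*"?([^"\s]+)"?', body).group(1)
    return {"host": get("host"), "port": int(get("port")),
            "key": get("key"), "data_type": get("data_type")}

def pipeline_mismatches(yml, conf):
    """Return the reasons filebeat events would never reach logstash (empty = OK)."""
    fb, ls = parse_filebeat_redis(yml), parse_logstash_redis(conf)
    if fb is None or ls is None:
        return ["missing output.redis section or redis input block"]
    problems = []
    if ls["host"] not in fb["hosts"]:
        problems.append(f"host mismatch: logstash {ls['host']} vs filebeat {fb['hosts']}")
    if ls["port"] != fb["port"]:
        problems.append(f"port mismatch: logstash {ls['port']} vs filebeat {fb['port']}")
    if ls["key"] != fb["key"]:
        problems.append(f"key mismatch: logstash '{ls['key']}' vs filebeat '{fb['key']}'")
    if ls["data_type"] != "list":   # filebeat RPUSHes onto a list, so logstash must pop a list
        problems.append("filebeat writes a list; logstash data_type must be 'list'")
    return problems
```

Run it against the two files after each change; an empty result means the redis hop is wired consistently and the llen check later on should drain once logstash starts.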
7. Test
[root@node2 ~]# service filebeat start
Open redis and check whether data has been pushed in
[root@node2 ~]# /app/tools/redis-3.0.7/src/redis-cli
127.0.0.1:6379> llen syslog
(integer) 1255
Start logstash
[root@node2 ~]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/test.conf
If there is a problem with the configuration file, check the logstash log
[root@node2 ~]# tail /var/log/logstash/logstash-plain.log
Once the configuration is correct, check the redis syslog key again; logstash has consumed the list:
[root@node2 ~]# /app/tools/redis-3.0.7/src/redis-cli
127.0.0.1:6379> llen syslog
(integer) 0
127.0.0.1:6379>
With that, the ELK + redis + filebeat setup is complete.