ELK consists of three components (Elasticsearch, Logstash and Kibana). They can be spread over three machines or run on a single one; plan on at least 4 GB of RAM, and a Java runtime must be installed first (Elasticsearch 6.x does not bundle a JDK).
rpm -ivh jdk-8u20-linux-x64.rpm
rpm -ivh elasticsearch-6.6.0.rpm
rpm -ivh logstash-6.6.0.rpm
rpm -ivh kibana-6.6.0-x86_64.rpm
1. Edit the Elasticsearch configuration (/etc/elasticsearch/elasticsearch.yml for the RPM install) and start the service
systemctl start elasticsearch
Check that Elasticsearch is listening on its HTTP port (9200).
2. Configure Logstash to collect the system log: write a pipeline file for it
vim /etc/logstash/conf.d/system.conf
input {                             # input: where events come from
  file {
    path => "/var/log/messages"
    type => "system-log"
    start_position => "beginning"   # read from the start of the file on first run only; afterwards the sincedb position is used
  }
}
# filter stage: optional parsing/enrichment; no filter is defined in this pipeline
output {                            # output: where events are sent
  elasticsearch {
    hosts => "192.168.117.48:9200"
    index => "system_log-%{+YYYY.MM.dd}"   # one index per day
  }
}
Grant read access to the log. The RPM runs Logstash as the logstash user, which by default cannot read the root-owned /var/log/messages; the tutorial opens the file to everyone:
chmod 777 /var/log/messages
Note that 777 also lets every local user append to, alter or truncate the very log that Logstash ships, so outside a lab box grant only the logstash service user read access (a read-only ACL or group membership) rather than making the file world-writable.
Start Logstash
systemctl start logstash
Check whether port 9600 (the Logstash monitoring API) is listening. Logstash takes a while to start, so give it time.
If it never starts listening, check the log for errors:
tail -f /var/log/logstash/logstash-plain.log
3. Configure Kibana (/etc/kibana/kibana.yml) and start it
After a short wait, check whether port 5601 is listening; once it is, open it in a browser. In this setup neither Elasticsearch 6.6 nor Kibana enforce authentication (security features are not part of the default license at this version), so anyone who can reach 9200 or 5601 can read and modify the indexed logs; bind them to trusted interfaces or firewall those ports.
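The post-install checks the three steps above ask for (is the log readable without being world-writable, and have 9200, 9600 and 5601 come up) as one script. This is an added example, not part of the original tutorial; it assumes a Linux host with GNU coreutils (stat -c), bash (for /dev/tcp), the logstash service account created by the Logstash RPM, and the acl package for setfacl. The host address is taken from the command line, for example 192.168.117.48 as in the pipeline file.

```shell
#!/usr/bin/env bash
# Added post-install checks for the ELK 6.6.0 setup above (example script, not from the
# original tutorial). Assumes GNU coreutils, bash, the "logstash" RPM service user and setfacl.

# Return 0 if "others" have the write bit on $1, i.e. the file is world-writable (as after
# "chmod 777"). Returns 2 if the file cannot be stat'ed.
world_writable() {
    local mode others
    mode=$(stat -c '%a' "$1") || return 2
    others=$(printf '%s' "$mode" | tail -c 1)   # last octal digit = permissions for "others"
    case "$others" in
        2|3|6|7) return 0 ;;
        *)       return 1 ;;
    esac
}

# Least-privilege alternative to "chmod 777": give only the Logstash service user read
# access through a POSIX ACL, leaving the owner/group/other bits as they are.
# Needs root and the acl package; "chmod o-w" afterwards undoes an earlier 777.
grant_read_to_user() {
    local user=$1 path=$2
    setfacl -m "u:${user}:r" "$path"
}

# Block until TCP port $2 on host $1 accepts a connection or $3 seconds (default 60) pass.
# Uses bash's /dev/tcp so it works on a minimal host without nc or ss. A filtered (DROP)
# remote host can make each attempt hang on connect; on localhost a closed port fails fast.
# Returns 0 when the port is up, 1 on timeout.
wait_for_port() {
    local host=$1 port=$2 timeout=${3:-60} waited=0
    while [ "$waited" -lt "$timeout" ]; do
        if (exec 3<>"/dev/tcp/${host}/${port}") 2>/dev/null; then
            return 0
        fi
        sleep 1
        waited=$((waited + 1))
    done
    return 1
}

main() {
    local host=$1 log=/var/log/messages

    # 1. Permissions: Logstash must be able to read the file, nobody else should write it.
    if world_writable "$log"; then
        echo "WARNING: $log is world-writable; any local user can forge or wipe the log Logstash ships."
        echo "         Prefer: grant_read_to_user logstash $log   (then: chmod o-w $log)"
    fi

    # 2. Ports from the tutorial: Elasticsearch HTTP, Logstash monitoring API, Kibana.
    #    None of them authenticate in this setup, so they should not be reachable from untrusted networks.
    while read -r name port; do
        if wait_for_port "$host" "$port" 120; then
            echo "$name listening on $host:$port"
        else
            echo "$name not listening on $host:$port after 120s; see: journalctl -u $name" >&2
        fi
    done <<'EOF'
elasticsearch 9200
logstash 9600
kibana 5601
EOF
}

# Run the checks only when a host is given, e.g. ./elk_check.sh 192.168.117.48
if [ $# -eq 1 ]; then
    main "$1"
else
    echo "usage: $0 <elk-host>"
fi
```

Run it as root on the ELK host after step 3; the port loop waits up to two minutes per service because Logstash in particular is slow to open 9600.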