ELK consists of three components. They can run on three machines or on a single one; the machine needs at least 4 GB of memory and a Java environment.
rpm -ivh jdk-8u20-linux-x64.rpm
rpm -ivh elasticsearch-6.6.0.rpm
rpm -ivh logstash-6.6.0.rpm
rpm -ivh kibana-6.6.0-x86_64.rpm
1. Edit the elasticsearch configuration and start it
systemctl start elasticsearch
Check that the port is listening
2. Configure logstash to collect system logs: write the log collection config file
vim /etc/logstash/conf.d/system.conf
input {  # input: the log input section
  file {
    path => "/var/log/messages"
    type => "system-log"
    start_position => "beginning"
  }
}
# filter: the log filtering section (left empty here)
output {  # output: the log output section
  elasticsearch {
    hosts => "192.168.117.48:9200"
    index => "system_log-%{+YYYY.MM.dd}"
  }
}
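The pipeline above leaves the filter section as a comment, so every syslog line lands in Elasticsearch as one unparsed `message` field. The following shell helper is an added example, not part of the original post: it renders the same pipeline (same log path, type, host 192.168.117.48:9200 and index prefix as above) but with a grok and date filter for classic syslog lines, refuses an Elasticsearch endpoint without a port, and balance-checks the braces before the file is copied into /etc/logstash/conf.d. The grok pattern names are standard Logstash patterns; the `--config.test_and_exit` call in the comment is Logstash's own config check.

```shell
#!/bin/sh
# Added example (not from the original post): render a Logstash pipeline
# with a real filter section and sanity-check it before restarting logstash.

# Print a pipeline to stdout.
#   $1 = log file to read   $2 = type   $3 = es host:port   $4 = index prefix
render_pipeline() {
    log_path=$1; log_type=$2; es_host=$3; index_prefix=$4
    # Require host:port. A bare host makes the output plugin silently fall
    # back to port 9200, which hides a mistyped endpoint.
    case "$es_host" in
        *:[0-9]*) ;;
        *) echo "es host must be host:port, got '$es_host'" >&2; return 1 ;;
    esac
    cat <<EOF
input {
  file {
    path => "$log_path"
    type => "$log_type"
    start_position => "beginning"
  }
}
filter {
  # Split a classic syslog line into timestamp, host, program, pid, message.
  grok {
    match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_host} %{DATA:program}(?:\\[%{POSINT:pid}\\])?: %{GREEDYDATA:syslog_message}" }
  }
  # Use the line's own timestamp as @timestamp instead of ingest time.
  date {
    match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
  }
}
output {
  elasticsearch {
    hosts => ["$es_host"]
    index => "${index_prefix}-%{+YYYY.MM.dd}"
  }
}
EOF
}

# Number of '{' minus number of '}' in a pipeline file. Anything but 0 is a
# structural error that logstash --config.test_and_exit would also reject.
brace_balance() {
    opens=$(tr -cd '{' < "$1" | wc -c)
    closes=$(tr -cd '}' < "$1" | wc -c)
    echo $(( opens - closes ))
}

# Render to a temp file, check it, and print the path of the checked file.
demo() {
    out=$(mktemp)
    render_pipeline /var/log/messages system-log 192.168.117.48:9200 system_log > "$out" || return 1
    [ "$(brace_balance "$out")" -eq 0 ] || { echo "unbalanced braces in $out" >&2; return 1; }
    # On the real host (package install), finish with:
    #   cp "$out" /etc/logstash/conf.d/system.conf
    #   /usr/share/logstash/bin/logstash --config.test_and_exit -f /etc/logstash/conf.d/system.conf
    echo "$out"
}
```

Run `demo` and copy the printed file into place only if both checks pass; the two date formats cover syslog's single-digit and two-digit day padding.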
Grant permissions
chmod 777 /var/log/messages
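Logstash only needs to read /var/log/messages, so mode 777 gives every local account write access to the system log as well. The script below is an added example, not part of the original post: it shows the world-writable check and the read-only alternative on a constructed temporary file so it runs anywhere. On the real host the group would be the one the logstash service runs as (the package creates a `logstash` user; confirm with `id logstash`).

```shell
#!/bin/sh
# Added example (not from the original post): compare the post's chmod 777
# with a read-only grant, on a constructed temp file.

# Octal mode of a file, e.g. 640 (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeed if "other" has the write bit (last octal digit has bit 2 set).
is_world_writable() {
    m=$(mode_of "$1")
    last=${m#${m%?}}
    [ $(( last & 2 )) -ne 0 ]
}

# The setting from the post: anyone on the box can read, append to or
# truncate the log.
grant_weak() {
    chmod 777 "$1"
}

# Least-privilege alternative: owner rw, group read, no access for others.
# On the real host, pair it with the group logstash runs as, e.g.
#   chgrp logstash /var/log/messages   (group name assumed; check `id logstash`)
grant_readonly() {
    chmod 640 "$1"
}

demo() {
    f=$(mktemp)
    printf 'Jan  1 00:00:00 host sshd[1]: constructed sample line\n' > "$f"
    grant_weak "$f"
    is_world_writable "$f" && echo "777: any local user can alter $f"
    grant_readonly "$f"
    is_world_writable "$f" || echo "640: only owner/group read it, nobody else writes"
    rm -f "$f"
}
```

The check matters beyond Logstash: a world-writable system log lets any local user remove or forge the entries an incident responder would later rely on.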
Start logstash
systemctl start logstash
Check whether port 9600 is listening; this port comes up slowly, so be patient.
If it is not listening, check the log for errors:
tail -f /var/log/logstash/logstash-plain.log
3. Configure kibana and start it
After a short wait, check whether port 5601 is listening; once it is, open it directly in the browser.