[ELK] ELK Installation and Deployment

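● Summary:
ELK is currently a very popular log analysis system. Elasticsearch is an open-source distributed engine based on Apache Lucene. Logstash collects and transforms logs and outputs them to ES; it has a rich set of plugins for integrating external data sources such as Filebeat, Flume, Kafka and Log4J, and it can also output to a variety of target stores. Kibana is the analysis and visualization platform built on ES; with Kibana we can search and view the indices in ES and build all kinds of charts. In addition, if more security is needed, we can get it by installing X-Pack.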

● Install Elasticsearch (8 virtual machines):
Version: Elasticsearch 5.5.0, jdk1.8.0_11
Plugin: X-Pack
Installation reference: https://www.elastic.co/guide/en/elasticsearch/reference/current/_installation.html

1. curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-5.5.0.tar.gz
2. tar -xvf elasticsearch-5.5.0.tar.gz
3. vim elasticsearch-5.5.0/config/elasticsearch.yml
cluster.name: my-application
node.name: hostname
node.master: true
node.data: true
path.data: /opt/esuser/tools/data
path.logs: /opt/esuser/tools/logs
discovery.zen.ping.unicast.hosts: ["master", "slaver01", "slaver02"]

4. cd elasticsearch-5.5.0/bin
5. ./elasticsearch

● Install Kibana (1 machine)
Version: Kibana 5.5.0, jdk1.8.0_11
Installation reference: https://www.elastic.co/guide/en/kibana/current/targz.html
1. wget https://artifacts.elastic.co/downloads/kibana/kibana-5.5.0-linux-x86_64.tar.gz

2. tar -xzf kibana-5.5.0-linux-x86_64.tar.gz
3. cd kibana/
4. vim config/kibana.yml
Add: elasticsearch.url: "http://192.168.0.181:9200"
5. ./bin/kibana

● Install X-Pack
Version: X-Pack 5.5.0, jdk1.8.0_11
Installation reference: https://www.elastic.co/downloads/x-pack
If the network is poor, download the package first and install it afterwards; reference: https://www.elastic.co/guide/en/x-pack/current/installing-xpack.html
1. Install X-Pack into Elasticsearch
bin/elasticsearch-plugin install x-pack
2. Start Elasticsearch
bin/elasticsearch
3. Install X-Pack into Kibana
bin/kibana-plugin install x-pack
4. Start Kibana
bin/kibana
5. Navigate to Kibana at http://localhost:5601/
6. Log in as the built-in elastic user with the password changeme.

● Generate certificates for transport encryption
1. filebeat
openssl req -subj '/CN=192.168.0.181/' -x509 -days $((100*365)) -batch -nodes -newkey rsa:2048 -keyout /opt/esuser/tools/logstash/key/filebeat-181.key -out /opt/esuser/tools/logstash/certs/filebeat-181.crt
2. logstash
openssl req -subj '/CN=192.168.0.181/' -x509 -days $((100*365)) -batch -nodes -newkey rsa:2048 -keyout /opt/esuser/tools/logstash/key/logstash.key -out /opt/esuser/tools/logstash/certs/logstash.crt

If filebeat reports the following error:
2017-07-18T14:45:37+08:00 ERR Connecting error publishing events (retrying): x509: cannot validate certificate for 192.168.0.181 because it doesn't contain any IP SANs
then add the corresponding IP to the following file and regenerate the certificate: vim /etc/pki/tls/openssl.cnf
[ v3_ca ]
subjectAltName = IP:192.168.0.181
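
The same IP SAN fix without editing the system-wide /etc/pki/tls/openssl.cnf, as an added example that is not part of the original post: it writes a private config next to the certificate and checks that the SAN is really present before the certificate is deployed. The function names, the throwaway output directory and the 365-day default validity are assumptions of this example.

```bash
#!/bin/sh
# Added example: self-signed cert with the server IP in subjectAltName,
# built from a private config instead of the system-wide openssl.cnf.
set -eu

# gen_cert IP OUT_DIR NAME [DAYS]  (function name and DAYS default are assumptions)
gen_cert() {
    ip=$1; dir=$2; name=$3; days=${4:-365}
    mkdir -p "$dir"
    cnf="$dir/$name.cnf"
    cat > "$cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no

[ dn ]
CN = $ip

[ v3_ca ]
subjectAltName   = IP:$ip
basicConstraints = CA:TRUE
EOF
    # Subshell keeps the restrictive umask local; the key is written unencrypted (-nodes).
    ( umask 077
      openssl req -x509 -config "$cnf" -days "$days" -nodes -newkey rsa:2048 \
          -keyout "$dir/$name.key" -out "$dir/$name.crt" 2>/dev/null )
}

# has_ip_san CRT IP: succeeds only if IP is listed exactly as an IP SAN.
has_ip_san() {
    openssl x509 -in "$1" -noout -text \
        | tr ',' '\n' | sed 's/^ *//; s/ *$//' \
        | grep -Fxq "IP Address:$2"
}

# Demo on constructed values: the page's IP, a throwaway directory.
demo_dir=$(mktemp -d)
gen_cert 192.168.0.181 "$demo_dir" logstash
has_ip_san "$demo_dir/logstash.crt" 192.168.0.181 && echo "IP SAN present"
```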

● Install Logstash (3 virtual machines)
Version: Logstash 5.5.0, jdk1.8.0_11
Installation reference: https://www.elastic.co/guide/en/logstash/current/installing-logstash.html

1. wget https://artifacts.elastic.co/downloads/logstash/logstash-5.5.0.tar.gz
2. tar -xvf logstash-5.5.0.tar.gz
3. Configure the handling of data coming from filebeat, vim logstash/config/filebeat.conf: see [Logstash] Configuration for receiving filebeat logs
4. Start: bin/logstash -f config/filebeat.conf

The ELK deployment is now complete.
