ELK log analysis system
Configuring ELK
Install elasticsearch
[root@centos01 ~]# rz
z waiting to receive.**B0100000023be50
[root@centos01 ~]# ls
anaconda-ks.cfg initial-setup-ks.cfg
elasticsearch-5.6.16.rpm simkai.ttf
[root@centos01 ~]# yum -y localinstall elasticsearch-5.6.16.rpm
[root@centos02 ~]# rz
z waiting to receive.**B0100000023be50
[root@centos02 ~]# ls
anaconda-ks.cfg elasticsearch-5.6.16.rpm initial-setup-ks.cfg
[root@centos02 ~]# yum -y localinstall elasticsearch-5.6.16.rpm
Back up the elasticsearch main configuration file
[root@centos01 ~]# cp /etc/elasticsearch/elasticsearch.yml /etc/elasticsearch/elasticsearch.yml.bak
Edit the elasticsearch main configuration file (the cluster name, this node's name, the LAN address to bind, and the unicast list of cluster members)
[root@centos01 ~]# vi /etc/elasticsearch/elasticsearch.yml
cluster.name: ELK
node.name: centos01
network.host: 192.168.100.10
discovery.zen.ping.unicast.hosts: ["centos01", "centos02"]
Configure the hosts file so the node names resolve
[root@centos01 ~]# vi /etc/hosts
192.168.100.10 centos01
192.168.100.20 centos02
Reload systemd so it can run elasticsearch as a daemon
[root@centos01 ~]# systemctl daemon-reload
Start the service and enable it at boot
[root@centos01 ~]# systemctl start elasticsearch.service
[root@centos01 ~]# systemctl enable elasticsearch.service
[root@centos01 ~]# /etc/init.d/elasticsearch start
Check that port 9200 is listening
[root@centos01 ~]# netstat -anptu | grep 9200
tcp6 0 0 192.168.100.10:9200 :::* LISTEN 3185/java
Verify access from a client
Install elasticsearch-head, a graphical management tool for ELK
[root@centos01 ~]# rz
[root@centos01 ~]# ls
anaconda-ks.cfg initial-setup-ks.cfg simkai.ttf
elasticsearch-5.6.16.rpm node-v4.2.2-linux-x64.tar.gz
Install node under /usr/local/node
[root@centos01 ~]# tar zxvf node-v4.2.2-linux-x64.tar.gz -C /usr/local/
[root@centos01 ~]# cd /usr/local/
[root@centos01 local]# mv node-v4.2.2-linux-x64/ node
[root@centos01 local]# ls
bin etc games include lib lib64 libexec node sbin share src
Symlink the management commands (optional convenience)
[root@centos01 local]# ln -s /usr/local/node/bin/npm /usr/local/bin/npm
[root@centos01 local]# ln -s /usr/local/node/bin/node /usr/local/bin/node
Configure environment variables so node is found
[root@centos01 ~]# vi /etc/profile
export NODE_HOME=/usr/local/node
export PATH=$PATH:$NODE_HOME/bin
export NODE_PATH=$NODE_HOME/lib/node_modules/
[root@centos01 ~]# source /etc/profile
Fetch the elasticsearch-head source
[root@centos01 ~]# git clone git://github.com/mobz/elasticsearch-head.git
Copy the elasticsearch-head tool to the second machine
[root@centos01 ~]# scp -r /root/elasticsearch-head/ [email protected]:/root
Modify the elasticsearch main configuration file to allow cross-origin requests from the head plugin
[root@centos01 ~]# vi /etc/elasticsearch/elasticsearch.yml
http.cors.enabled: true
http.cors.allow-origin: "*"
Restart the service
[root@centos01 ~]# /etc/init.d/elasticsearch stop
[root@centos01 ~]# /etc/init.d/elasticsearch start
Check the listening port
[root@centos01 ~]# netstat -anptu | grep 9200
tcp6 0 0 192.168.100.10:9200 :::* LISTEN 4565/java
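Elasticsearch 5.x ships with no authentication, so the settings edited above (network.host, and the CORS pair just added for elasticsearch-head) decide who can reach the REST API. The script below is an added example, not part of the original tutorial: it reads the effective value of each of those keys from an elasticsearch.yml and flags the two settings that widen exposure, a bind to every interface and a wildcard allow-origin. It assumes the file path is passed as the first argument; the function and key names are its own.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: audit the settings this
# walkthrough puts in /etc/elasticsearch/elasticsearch.yml. Elasticsearch 5.x
# ships without authentication, so network.host and the CORS settings decide
# who can reach the REST API. Assumed: the file to audit is passed as $1.

# es_get FILE KEY: print the effective (last, uncommented) value of KEY with
# surrounding quotes removed; prints nothing if the key is not set.
es_get() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | tail -n 1 | tr -d "\"'"
}

# audit_es_yml FILE: print one finding per line, return 1 if anything is HIGH.
audit_es_yml() {
    f="$1"
    rc=0
    [ -r "$f" ] || { echo "ERR cannot read $f"; return 2; }

    cluster=$(es_get "$f" cluster.name)
    host=$(es_get "$f" network.host)
    cors=$(es_get "$f" http.cors.enabled)
    origin=$(es_get "$f" http.cors.allow-origin)
    seeds=$(es_get "$f" discovery.zen.ping.unicast.hosts)

    [ -n "$cluster" ] || echo "WARN cluster.name unset (defaults to 'elasticsearch')"
    [ -n "$seeds" ] || echo "WARN discovery.zen.ping.unicast.hosts unset; the node will not find peers"

    # Binding to every interface exposes the API beyond the intended LAN address.
    case "$host" in
        0.0.0.0|::|_global_) echo "HIGH network.host $host (API reachable on every interface)"; rc=1 ;;
        "") echo "INFO network.host unset (loopback only; other nodes cannot join)" ;;
        *) echo "OK network.host $host" ;;
    esac

    # A wildcard origin lets any web page a browser visits issue requests to
    # the cluster from that browser's network position. Restrict it to the
    # address the head plugin is actually served from.
    if [ "$cors" = "true" ]; then
        case "$origin" in
            "*") echo "HIGH http.cors.allow-origin * (any origin may query the cluster)"; rc=1 ;;
            "") echo "INFO http.cors.allow-origin unset (no origin allowed)" ;;
            *) echo "OK http.cors.allow-origin $origin" ;;
        esac
    fi
    return $rc
}

# Usage: sh audit_es.sh /etc/elasticsearch/elasticsearch.yml
if [ $# -gt 0 ]; then
    audit_es_yml "$1"
fi
```

Run it against the file as edited in this walkthrough and it reports the wildcard origin as HIGH; replacing the value with the origin the head page is served from (for example "http://192.168.100.10:9100", the port grunt server listens on by default) brings it to OK without breaking the plugin.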
Install elasticsearch-head
Move it to the installation location
[root@centos01 ~]# mv elasticsearch-head/ /usr/local/
Install grunt-cli
[root@centos01 ~]# cd /usr/local/elasticsearch-head/
[root@centos01 elasticsearch-head]# npm install -g grunt-cli
[root@centos01 ~]# vi /usr/local/elasticsearch-head/Gruntfile.js
Check that grunt installed successfully
[root@centos01 elasticsearch-head]# grunt -version
grunt-cli v1.3.2
Modify the elasticsearch-head configuration file so the plugin listens on all interfaces
[root@centos01 ~]# vim /usr/local/elasticsearch-head/Gruntfile.js
keepalive: true,
hostname: "*"
Point elasticsearch-head at this node's elasticsearch instance
[root@centos01 ~]# vim /usr/local/elasticsearch-head/_site/app.js
this.base_uri = this.config.base_uri || this.prefs.get("app-base_uri") || "http://192.168.100.10:9200";
Install the npm dependencies
[root@centos01 ~]# cd /usr/local/elasticsearch-head/
[root@centos01 elasticsearch-head]# npm install
Start the service
[root@centos01 elasticsearch-head]# grunt server&
Restart the elasticsearch service
[root@centos01 ~]# /etc/init.d/elasticsearch restart
Verify access from a client
Install logstash
There are two ways to install logstash: from a network repository, or from a local rpm package uploaded to the host.
First method: upload the logstash-5.1.1.tar.gz package with rz, then install from the network repository
[root@centos01 ~]# tar zxvf logstash-5.1.1.tar.gz -C /usr/local/
[root@centos01 local]# mv logstash-5.1.1/ logstash
[root@centos01 ~]# yum -y install logstash
Second method:
Upload the logstash-5.5.1.rpm package with rz
[root@centos01 ~]# rpm -ivh logstash-5.5.1.rpm
Put the logstash command on the PATH
[root@centos01 ~]# ln -s /usr/share/logstash/bin/logstash /usr/local/bin/
Configure the data and settings directory
[root@centos01 ~]# mkdir -p /usr/share/logstash/config
[root@centos01 ~]# ln -s /etc/logstash/* /usr/share/logstash/config/
Start logstash
[root@centos01 ~]# systemctl start logstash
[root@centos01 ~]# systemctl enable logstash
Write test data to check the log server (stdin to stdout, then with the rubydebug codec, then into elasticsearch)
[root@centos01 ~]# logstash -e 'input { stdin {} } output { stdout {} }'
[root@centos01 ~]# logstash -e 'input { stdin {} } output { stdout { codec => rubydebug } }'
[root@centos01 ~]# logstash -e 'input { stdin {} } output { elasticsearch { hosts => ["192.168.100.10:9200"] } }'
Install kibana
Upload the kibana-5.5.1-x86_64.rpm package with rz
[root@centos01 ~]# rpm -ivh kibana-5.5.1-x86_64.rpm
Back up the kibana main configuration file, then modify it
[root@centos01 ~]# cp /etc/kibana/kibana.yml /etc/kibana/kibana.yml.bak
[root@centos01 ~]# vim /etc/kibana/kibana.yml
server.port: 5601
server.host: "0.0.0.0"
elasticsearch.url: "http://192.168.100.10:9200"
kibana.index: ".kibana"
Start the service and enable it at boot
[root@centos01 ~]# systemctl start kibana
[root@centos01 ~]# systemctl enable kibana
Verify from a client; the default port is 5601
Configure the monitored client
Install logstash: upload the logstash-5.5.1.rpm package with rz
[root@centos03 ~]# rpm -ivh logstash-5.5.1.rpm
Install apache
[root@centos03 ~]# yum -y install httpd
[root@centos03 ~]# systemctl start httpd
[root@centos03 ~]# systemctl enable httpd
Configure monitoring of the apache error log
[root@centos03 ~]# vim /etc/logstash/conf.d/apache_error.conf
input {
    file {
        path => "/var/log/httpd/error_log"
        type => "error"
        start_position => "beginning"
    }
}
output {
    if [type] == "error" {
        elasticsearch {
            hosts => ["192.168.100.10:9200"]
            index => "apache_error-%{+YYYY.MM.dd}"
        }
    }
}
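A pipeline file like the one above is usually assembled by pasting from a web page, and the two things that most often break it are typographic quotes (which the Logstash config parser does not accept as string delimiters) and an unbalanced brace. The authoritative check is `/usr/share/logstash/bin/logstash --config.test_and_exit -f FILE` (the -t flag), which needs Logstash installed. The script below is an added example, not part of the original tutorial: it catches those paste errors on any host, repairs the quotes, and warns when a file{} path is relative. It assumes the file path is passed as the first argument; the function names are its own.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: check a Logstash pipeline
# file such as /etc/logstash/conf.d/apache_error.conf before starting the
# daemon on it. The authoritative check is
#   /usr/share/logstash/bin/logstash --config.test_and_exit -f FILE
# which needs Logstash installed; the checks below run anywhere and catch the
# errors a copy from a web page usually introduces. Assumed: file path in $1.

# Byte patterns for the typographic quotes “ ” ‘ ’ (UTF-8 E2 80 9C/9D/98/99),
# matched as raw bytes under LC_ALL=C so they work in any locale.
CURLY_DQ=$(printf '\342\200[\234\235]')
CURLY_SQ=$(printf '\342\200[\230\231]')

# straighten_quotes IN OUT: write IN to OUT with curly quotes made plain.
straighten_quotes() {
    LC_ALL=C sed "s/$CURLY_DQ/\"/g; s/$CURLY_SQ/'/g" "$1" > "$2"
}

# check_pipeline FILE: print one problem per line, return 1 if any were found.
check_pipeline() {
    f="$1"
    rc=0
    [ -r "$f" ] || { echo "ERR cannot read $f"; return 2; }

    # 1. Logstash's config parser only accepts " and ' as string delimiters.
    if LC_ALL=C grep -q -e "$CURLY_DQ" -e "$CURLY_SQ" "$f"; then
        echo "ERR curly quotes present; run straighten_quotes first"
        rc=1
    fi

    # 2. Unbalanced braces are the next most common paste error.
    opens=$(( $(tr -cd '{' < "$f" | wc -c) ))
    closes=$(( $(tr -cd '}' < "$f" | wc -c) ))
    if [ "$opens" -ne "$closes" ]; then
        echo "ERR unbalanced braces: $opens '{' vs $closes '}'"
        rc=1
    fi

    # 3. A pipeline needs both an input and an output section.
    for section in input output; do
        if ! grep -Eq "^[[:space:]]*$section[[:space:]]*[{]" "$f"; then
            echo "ERR no $section { } section"
            rc=1
        fi
    done

    # 4. file{} paths should be absolute: a relative path is resolved against
    #    the daemon's working directory, not the directory of the config file.
    if grep -E '^[[:space:]]*path[[:space:]]*=>' "$f" | grep -Evq '=>[[:space:]]*"/'; then
        echo "WARN a file path is not absolute"
        rc=1
    fi
    return $rc
}

# Usage: sh check_pipeline.sh /etc/logstash/conf.d/apache_error.conf
if [ $# -gt 0 ]; then
    check_pipeline "$1"
fi
```

Run check_pipeline on each file in /etc/logstash/conf.d before starting the service; on a host that has Logstash, follow it with the -t run above, since only the real parser validates plugin names and option values.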
Start the service and enable it at boot
[root@centos03 ~]# systemctl start logstash
[root@centos03 ~]# systemctl enable logstash
Start monitoring the apache server
[root@centos03 ~]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/apache_error.conf
Access the apache server from a client to verify that the log entries arrive