环境以及相关内核, 安装java包.
[root@gz3_elk_001 /]# cat /etc/redhat-release
CentOS Linux release 7.7.1908 (Core)
[root@gz3_elk_001 /]# yum -y install java
[root@gz3_elk_001 /]# echo "vm.max_map_count=262144" >> /etc/sysctl.conf
[root@gz3_elk_001 /]# sysctl -p这里不用源码安装,是为了方便不写启动服务
如果用源码安装的话,可以把服务修改成相对应的目录跟用户就可以
下载
[root@gz3_elk_001 /]# cd /usr/local/src
[root@gz3_elk_001 /]# wget https://artifacts.elastic.co/downloads/kibana/kibana-7.4.2-x86_64.rpm
[root@gz3_elk_001 /]# wget https://artifacts.elastic.co/downloads/logstash/logstash-7.4.2.rpm
[root@gz3_elk_001 /]# wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.4.2-x86_64.rpm安装并设置开机启动服务
[root@gz3_elk_001 /]# cd /usr/local/src
[root@gz3_elk_001 /]# rpm -ivh elasticsearch-7.4.2-x86_64.rpm
[root@gz3_elk_001 /]# yum -y install logstash-7.4.2.rpm
[root@gz3_elk_001 /]# rpm -ivh kibana-7.4.2-x86_64.rpm
[root@gz3_elk_001 /]# systemctl enable elasticsearch.service kibana.service logstash.service
一,配置elasticsearch
生成密钥
[root@gz3_elk_001 /]# cd /usr/share/elasticsearch/bin/
[root@gz3_elk_001 /]# ./elasticsearch-certutil cert -out /etc/elasticsearch/elastic-certificates.p12 -pass ""此处有坑,得修改文件权限
[root@gz3_elk_001 /]# chown elasticsearch:elasticsearch /etc/elasticsearch/elastic-certificates.p12 修改配置
[root@gz3_elk_001 /]# cp elasticsearch.yml elasticsearch.ymlback
[root@gz3_elk_001 /]# cd /etc/elasticsearch
[root@gz3_elk_001 /]# cat elasticsearch.yml|grep -v "#"
cluster.name: elk
node.name: node-1
node.master: true
node.data: true
path.data: /data/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 192.168.3.44
http.port: 9200
discovery.seed_hosts: ["192.168.3.44"]
cluster.initial_master_nodes: ["192.168.3.44"]此处还有一个坑,还得修改权限
[root@gz3_elk_001 /]# chown elasticsearch:elasticsearch /data/elasticsearch测试启动
[root@gz3_elk_001 /]# systemctl restart elasticsearch.service
[root@gz3_elk_001 /]# systemctl status elasticsearch.service如果启动出错,到/var/log/elasticsearch/下看日志
以为系统强调安全性,所以需要配置xpack,修改elasticsearch.yml配置,开启xpack
[root@gz3_elk_001 /]# cat /etc/elasticsearch/elasticsearch.yml|grep -v "#"
cluster.name: elk
node.name: node-1
node.master: true
node.data: true
path.data: /data/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 192.168.3.44
http.port: 9200
discovery.seed_hosts: ["192.168.3.44"]
cluster.initial_master_nodes: ["192.168.3.44"]
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/elastic-certificates.p12重启systemctl restart elasticsearch.service,然后生成默认的密码
[root@gz3_elk_001 /]# cd /usr/share/elasticsearch/bin/
[root@gz3_elk_001 /]# ./elasticsearch-setup-passwords auto
Changed password for user apm_system
PASSWORD apm_system = hyyhuxxx
Changed password for user kibana
PASSWORD kibana = HbwFY0xxx
Changed password for user logstash_system
PASSWORD logstash_system = nvrxxx
Changed password for user beats_system
PASSWORD beats_system = VvAhnxxx
Changed password for user remote_monitoring_user
PASSWORD remote_monitoring_user = yGNFRTxxx
Changed password for user elastic
PASSWORD elastic = czF01xx
记住以上的信息,后期要用
二,配置kibana
[root@gz3_elk_001 /]# cd /etc/kibana/
[root@gz3_elk_001 /]# cp kibana.yml kibana.ymlback
[root@gz3_elk_001 /]# cat kibana.yml |grep -v "#"|grep -v "^$"
server.port: 5601
server.host: "192.168.3.44"
elasticsearch.hosts: ["http://192.168.3.44:9200"]
elasticsearch.username: "kibana"
elasticsearch.password: "kOHyFxxxx"
i18n.locale: "zh-CN" i18n.locale: "zh-CN" 表示用中文版,界面比较友好
三.配置logstash
[root@gz3_elk_001 /]# cd /etc/logstash/
[root@gz3_elk_001 /]# cp logstash.yml logstash.ymlback
[root@gz3_elk_001 /]# cd /etc/logstash/conf.d
cat nginx_access.conf
input {
beats {
type => "nginx_access"
port => 5044
}
}
filter {
if[type] =="nginx_access" {
grok {
match => { "message" => "%{IP:remote_ip} - %{DATA:user_name} \[%{HTTPDATE:time}\] \"%{WORD:method} %{D
ATA:url} HTTP/%{NUMBER:htt
p_version:float}\" %{NUMBER:response_code:int} %{NUMBER:body_sent:int} \"%{DATA:referrer}\" \"%{DATA:agent}\
" \"%{DATA:x_forwarded_
for}\"" }
remove_field => "message"
}
date {
match => ["time", "yyyy-MM-dd HH:mm:ss,SSS"]
target => "@timestamp"
}
}
}
output {
if[type]=="nginx_access"{
elasticsearch {
hosts => ["http://192.168.3.44:9200"]
index => "nginx-access-%{+YYYY.MM.dd}"
user => "elastic"
password => "czF01xx"
}
}
}此处用过logstash_system这个账号密码,但是没成功
只能用最高权限的 elastic账号
验证配置是否正确
[root@gz3_elk_001 /]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/nginx_access.conf -t
Thread.exclusive is deprecated, use Thread::Mutex
WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults
Could not find log4j2 configuration at path /usr/share/logstash/config/log4j2.properties. Using default config which logs errors to the console
[WARN ] 2019-11-27 14:59:29.515 [LogStash::Runner] multilocal - Ignoring the 'pipelines.yml' file because modules or command line options are specified
[INFO ] 2019-11-27 14:59:31.841 [LogStash::Runner] Reflections - Reflections took 56 ms to scan 1 urls, producing 20 keys and 40 values
Configuration OK
[INFO ] 2019-11-27 14:59:32.487 [LogStash::Runner] runner - Using config.test_and_exit mode. Config Validation Result: OK. Exiting Logstash出现Configuration OK就说明配置Ok
[root@gz3_elk_001 /]# systemctl status logstash.service
● logstash.service - logstash
Loaded: loaded (/etc/systemd/system/logstash.service; enabled; vendor preset: disabled)
Active: active (running) since 三 2019-11-27 16:12:15 CST; 2min 11s ago主服务器上的配置就配好了,这个时候可以登录kibana
使用elastic这个账号密码登录。
免责声明:本站发布的内容(图片、视频和文字)以原创、转载和分享为主,文章观点不代表本网站立场,如果涉及侵权请联系站长邮箱:is@yisu.com进行举报,并提供相关证据,一经查实,将立刻删除涉嫌侵权内容。
