Lab preparation
1. Node planning
Table 1 Node planning
IP | Hostname | Role |
---|---|---|
192.168.80.101 | elk-1 | Elasticsearch/Kibana |
192.168.80.102 | elk-2 | Elasticsearch/Logstash |
192.168.80.103 | elk-3 | Elasticsearch |
2. Basic environment configuration
(1) Set the hostname on all three hosts
elk-1 node:
[root@localhost ~]# hostnamectl set-hostname elk-1
[root@localhost ~]# bash
elk-2 node:
[root@localhost ~]# hostnamectl set-hostname elk-2
[root@localhost ~]# bash
elk-3 node:
[root@localhost ~]# hostnamectl set-hostname elk-3
[root@localhost ~]# bash
(2) Configure hostname resolution on all three hosts (elk-1 shown; all three nodes need the same entries)
[root@elk-1 ~]# vi /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.80.101 elk-1
192.168.80.102 elk-2
192.168.80.103 elk-3
(3) Install the JDK on all three hosts (elk-1 shown)
Configure the CentOS yum repository (an internal mirror; gpgcheck=0 turns off package signature checking, which is acceptable only for a trusted lab mirror) and install Java:
[root@elk-1 ~]# vi /etc/yum.repos.d/http.repo
[centos]
name=centos
baseurl=http://172.30.26.55/centos/
gpgcheck=0
enabled=1
[root@elk-1 ~]# yum install -y java-1.8.0-openjdk java-1.8.0-openjdk-devel
(4) Download the software package, stop the firewall and disable SELinux
[root@localhost ~]# curl -O http://172.30.26.55/%E7%A7%81%E6%9C%89%E4%BA%91/ELK%E6%97%A5%E5%BF%97%E5%88%86%E6%9E%90%E7%B3%BB%E7%BB%9F%E9%83%A8%E7%BD%B2/elk.tar.gz
[root@localhost ~]# tar zxf elk.tar.gz
[root@localhost ~]# systemctl stop firewalld && sed -i 's/SELINUX=.*/SELINUX=disabled/g' /etc/selinux/config && setenforce 0
This is a lab shortcut: the command only stops firewalld (it is not disabled, so it comes back after a reboot), while SELinux is switched off permanently. Every service port in this deployment (9200, 9300, 5601, 9600) is unauthenticated, so outside the lab keep the firewall running and open those ports only to the hosts that need them.
3. Deploy Elasticsearch
(1) Install Elasticsearch on all three hosts (elk-1 shown)
Download the provided elasticsearch-6.0.0.rpm to /root on each of the three hosts and install it with the following command (on all three hosts).
[root@elk-1 ~]# rpm -ivh elasticsearch-6.0.0.rpm
warning: elasticsearch-6.0.0.rpm: Header V4 RSA/SHA512 Signature, key ID d88e42b4: NOKEY
Preparing... ################################# [100%]
Creating elasticsearch group... OK
Creating elasticsearch user... OK
Updating / installing...
1:elasticsearch-0:6.0.0-1 ################################# [100%]
### NOT starting on installation, please execute the following statements to configure elasticsearch service to start automatically using systemd
sudo systemctl daemon-reload
sudo systemctl enable elasticsearch.service
### You can start elasticsearch service by executing
sudo systemctl start elasticsearch.service
The NOKEY warning means rpm found a signature (key ID d88e42b4 is Elastic's package-signing key) but could not verify it because the public key is not imported, so the package went in unverified. Import the key first (rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch) and check with rpm -K elasticsearch-6.0.0.rpm before installing; the same warning appears for the Kibana and Logstash packages below.
(2) Configure Elasticsearch on each of the three hosts
Edit the Elasticsearch configuration file, /etc/elasticsearch/elasticsearch.yml.
elk-1 node:
[root@elk-1 ~]# vi /etc/elasticsearch/elasticsearch.yml
cluster.name: ELK //uncomment and set the cluster name; only nodes with the same cluster.name join this cluster
node.name: elk-1 //node name; if left unset Elasticsearch generates one
node.master: true //add this line: whether the node is eligible to be elected master
node.data: false //add this line: whether the node stores index data; elk-1 is a master-only node, and the two data nodes below set node.master: false and node.data: true
network.host: 192.168.80.101 //address to bind (IPv4 or IPv6); the default binds loopback only, so setting a routable address here exposes ports 9200 and 9300 to the network, and nothing in this deployment authenticates requests on them
http.port: 9200 //HTTP port for client access, default 9200
discovery.zen.ping.unicast.hosts: ["elk-1","elk-2","elk-3"] //seed hosts contacted at startup so that nodes discover each other and join the cluster
Note that with node.master: true on elk-1 only, the cluster has a single master-eligible node and becomes unavailable whenever elk-1 is down; a production cluster runs at least three master-eligible nodes and sets discovery.zen.minimum_master_nodes to a majority of them.
elk-2 node (parameter descriptions omitted):
[root@elk-2 ~]# vi /etc/elasticsearch/elasticsearch.yml
cluster.name: ELK
node.name: elk-2
node.master: false
node.data: true
network.host: 192.168.80.102
http.port: 9200
discovery.zen.ping.unicast.hosts: ["elk-1","elk-2","elk-3"]
elk-3 node (parameter descriptions omitted):
[root@elk-3 ~]# vi /etc/elasticsearch/elasticsearch.yml
cluster.name: ELK
node.name: elk-3
node.master: false
node.data: true
network.host: 192.168.80.103
http.port: 9200
discovery.zen.ping.unicast.hosts: ["elk-1","elk-2","elk-3"]
(3) Start the service on all three hosts (elk-1 shown)
Start the service and enable it at boot, then check the process and the listening ports (run the checks on all three hosts).
[root@elk-1 ~]# systemctl start elasticsearch && systemctl enable elasticsearch
[root@elk-1 ~]# ps -ef |grep elasticsearch
elastic+ 16785 1 96 09:26 ? 00:00:08 /bin/java -Xms1g -Xmx1g -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -XX:+AlwaysPreTouch -server -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/var/lib/elasticsearch -Des.path.home=/usr/share/elasticsearch -Des.path.conf=/etc/elasticsearch -cp /usr/share/elasticsearch/lib/* org.elasticsearch.bootstrap.Elasticsearch -p /var/run/elasticsearch/elasticsearch.pid --quiet
root 16834 16620 0 09:26 pts/0 00:00:00 grep --color=auto elasticsearch
[root@elk-1 ~]# netstat -ntpl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1086/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1708/master
tcp6 0 0 192.168.80.101:9300 :::* LISTEN 16785/java
tcp6 0 0 :::22 :::* LISTEN 1086/sshd
tcp6 0 0 ::1:25 :::* LISTEN 1708/master
tcp6 0 0 192.168.80.101:9200 :::* LISTEN 16785/java
On each host, if the process exists and ports 9200 and 9300 are listening, the service started successfully.
(4) Check the cluster status
elk-1 node:
[root@elk-1 ~]# curl '192.168.80.101:9200/_cluster/health?pretty'
{
"cluster_name" : "ELK", //cluster name
"status" : "green", //cluster health: green is healthy; yellow means some replica shards are unassigned, red means some primary shards are unassigned
"timed_out" : false, //whether the request timed out
"number_of_nodes" : 3, //number of nodes in the cluster
"number_of_data_nodes" : 2, //number of data nodes in the cluster
"active_primary_shards" : 0,
"active_shards" : 0,
"relocating_shards" : 0,
"initializing_shards" : 0,
"unassigned_shards" : 0,
"delayed_unassigned_shards" : 0,
"number_of_pending_tasks" : 0,
"number_of_in_flight_fetch" : 0,
"task_max_waiting_in_queue_millis" : 0,
"active_shards_percent_as_number" : 100.0
}
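A scripted version of the two checks above (the _cluster/health query and the netstat listing), added here as an example; it is not part of the original lab manual. It assumes the three-node plan from Table 1 (3 nodes, 2 data nodes). The JSON and netstat samples embedded in it are constructed from the output shown on this page, and the curl and netstat commands in the comments are how you would feed it live data.

```shell
#!/bin/sh
# Added example, not part of the original lab manual: scripted versions of the
# two checks above (cluster health and listening sockets). The sample inputs
# below are constructed; in a real run replace them with
#   HEALTH=$(curl -s 'http://192.168.80.101:9200/_cluster/health')
#   SOCKETS=$(netstat -ntpl 2>/dev/null)

# Extract one scalar field from a _cluster/health body (pretty or compact JSON).
# usage: printf '%s' "$json" | health_field number_of_nodes
health_field() {
    tr -d '\n' | sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\{0,1\}\([^,\"}]*\)\"\{0,1\}.*/\1/p"
}

# Succeed only when the cluster is green and has exactly the planned node count
# ($2) and data-node count ($3), as in the three-node plan in Table 1.
es_cluster_ok() {
    json=$1; want_nodes=$2; want_data=$3
    status=$(printf '%s' "$json" | health_field status)
    nodes=$(printf '%s' "$json" | health_field number_of_nodes)
    data=$(printf '%s' "$json" | health_field number_of_data_nodes)
    [ "$status" = "green" ] && [ "$nodes" = "$want_nodes" ] && [ "$data" = "$want_data" ]
}

# Print every ELK listener (9200/9300/9600/5601) bound to all interfaces
# (0.0.0.0 or ::) and fail if any is found: none of those ports carries
# authentication in this deployment, so they must stay on the node's own address.
wildcard_listeners() {
    printf '%s\n' "$1" | awk '
        $4 ~ /:(9200|9300|9600|5601)$/ && ($4 ~ /^0\.0\.0\.0:/ || $4 ~ /^:::/) {
            print $4; found = 1
        }
        END { if (found) exit 1 }'
}

# Constructed samples: the health body from the page, a degraded variant, and
# two netstat listings (one correctly bound, one with 9200 on every interface).
SAMPLE_HEALTH='{"cluster_name":"ELK","status":"green","timed_out":false,"number_of_nodes":3,"number_of_data_nodes":2,"active_primary_shards":0,"active_shards":0,"unassigned_shards":0,"active_shards_percent_as_number":100.0}'
SAMPLE_HEALTH_DEGRADED='{"cluster_name":"ELK","status":"yellow","timed_out":false,"number_of_nodes":2,"number_of_data_nodes":1,"unassigned_shards":5,"active_shards_percent_as_number":50.0}'
SAMPLE_SOCKETS_OK='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1086/sshd
tcp        0      0 192.168.80.101:5601     0.0.0.0:*               LISTEN      17079/node
tcp6       0      0 192.168.80.101:9300     :::*                    LISTEN      16785/java
tcp6       0      0 192.168.80.101:9200     :::*                    LISTEN      16785/java'
SAMPLE_SOCKETS_EXPOSED='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp6       0      0 :::9200                 :::*                    LISTEN      16785/java
tcp6       0      0 192.168.80.101:9300     :::*                    LISTEN      16785/java'

# Stand-alone demonstration (replace the samples with live output as shown above).
if es_cluster_ok "$SAMPLE_HEALTH" 3 2; then echo "cluster: OK"; else echo "cluster: NOT as planned"; fi
if es_cluster_ok "$SAMPLE_HEALTH_DEGRADED" 3 2; then echo "degraded sample: OK"; else echo "degraded sample: NOT as planned"; fi
wildcard_listeners "$SAMPLE_SOCKETS_OK" && echo "sockets: no wildcard binds"
wildcard_listeners "$SAMPLE_SOCKETS_EXPOSED" || echo "sockets: wildcard bind found (listed above)"
```

Run it on each node after step (3); a non-zero exit from wildcard_listeners means network.host (or Kibana's server.host / Logstash's http.host) was left at a wildcard and the port is reachable from anywhere the host is.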
4. Deploy Kibana
(1) Install Kibana on the first host
Download the provided kibana-6.0.0-x86_64.rpm to /root on the first host only (the other hosts do not need it) and install it with the following command.
[root@elk-1 ~]# rpm -ivh kibana-6.0.0-x86_64.rpm
warning: kibana-6.0.0-x86_64.rpm: Header V4 RSA/SHA512 Signature, key ID d88e42b4: NOKEY
Preparing... ################################# [100%]
Updating / installing...
1:kibana-6.0.0-1 ################################# [100%]
(2) Configure Kibana
Edit the Kibana configuration file, /etc/kibana/kibana.yml, adding or modifying the following entries:
[root@elk-1 ~]# cat /etc/kibana/kibana.yml |grep -v ^#
server.port: 5601
server.host: 192.168.80.101
elasticsearch.url: "http://192.168.80.101:9200"
Kibana 6.0.0 as installed here has no login of its own and reaches Elasticsearch over plain HTTP, so anyone who can open port 5601 can read and modify every index through it; restrict access to 5601 (and to 9200) at the network level.
(3) Start Kibana
[root@elk-1 ~]# systemctl start kibana && systemctl enable kibana
Created symlink from /etc/systemd/system/multi-user.target.wants/kibana.service to /etc/systemd/system/kibana.service.
[root@elk-1 ~]# ps -ef |grep kibana
kibana 17079 1 36 09:36 ? 00:00:03 /usr/share/kibana/bin/../node/bin/node --no-warnings /usr/share/kibana/bin/../src/cli -c /etc/kibana/kibana.yml
root 17109 16620 3 09:36 pts/0 00:00:00 grep --color=auto kibana
[root@elk-1 ~]# netstat -ntpl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1086/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1708/master
tcp 0 0 192.168.80.101:5601 0.0.0.0:* LISTEN 17079/node
tcp6 0 0 192.168.80.101:9300 :::* LISTEN 16911/java
tcp6 0 0 :::22 :::* LISTEN 1086/sshd
tcp6 0 0 ::1:25 :::* LISTEN 1708/master
tcp6 0 0 192.168.80.101:9200 :::* LISTEN 16911/java
Once started, if the process exists and port 5601 is listening, the service is up, and opening http://192.168.80.101:5601/ in a browser shows the page in the figure.
5. Deploy Logstash
(1) Install Logstash
Download the provided logstash-6.0.0.rpm to /root on the second host only (the other hosts do not need it) and install it with the following command.
[root@elk-2 ~]# rpm -ivh logstash-6.0.0.rpm
warning: logstash-6.0.0.rpm: Header V4 RSA/SHA512 Signature, key ID d88e42b4: NOKEY
Preparing... ################################# [100%]
Updating / installing...
1:logstash-1:6.0.0-1 ################################# [100%]
Using provided startup.options file: /etc/logstash/startup.options
Successfully created system startup script for Logstash
(2) Configure Logstash
Edit /etc/logstash/logstash.yml and add or modify the http.host entry (around line 190 of the file):
[root@elk-2 ~]# vi /etc/logstash/logstash.yml
http.host: "192.168.80.102" //IP of the second host; this binds the Logstash monitoring API (port 9600, unauthenticated) to the network, whereas the default 127.0.0.1 keeps it local
Configure Logstash to collect syslog:
[root@elk-2 ~]# vi /etc/logstash/conf.d/syslog.conf
input {
  file {
    path => "/var/log/messages"
    type => "systemlog"
    start_position => "beginning"
    stat_interval => "3"
  }
}
output {
  if [type] == "systemlog" {
    elasticsearch {
      hosts => ["192.168.80.101:9200"]
      # address of the first host (any node of the cluster can be used)
      index => "system-log-%{+YYYY.MM.dd}"
    }
  }
}
Check the configuration file for errors:
[root@elk-2 ~]# chmod 644 /var/log/messages //grant read permission on this file; without it the logstash service user cannot read the log
[root@elk-2 ~]# ln -s /usr/share/logstash/bin/logstash /usr/bin
[root@elk-2 ~]# logstash --path.settings /etc/logstash/ -f /etc/logstash/conf.d/syslog.conf --config.test_and_exit
Sending Logstash's logs to /var/log/logstash which is now configured via log4j2.properties
Configuration OK //"Configuration OK" means the file is valid
Parameter descriptions:
● --path.settings specifies the directory containing Logstash's settings files (logstash.yml, jvm.options and so on).
● -f specifies the path of the pipeline configuration file to check.
● --config.test_and_exit checks the configuration and exits; without it the command starts the pipeline.
Two caveats. chmod 644 makes the system log readable by every local user, and the file is recreated at log rotation with whatever mode rsyslog or logrotate is configured to use, so the change may not survive; a narrower alternative is a read ACL for the logstash user only (setfacl -m u:logstash:r /var/log/messages), reapplied from the logrotate configuration. Also, running this check as root creates files under /var/lib/logstash owned by root, which is exactly the startup failure handled in step (3).
(3) Start Logstash
[root@elk-2 ~]# systemctl start logstash && systemctl enable logstash
[root@elk-2 ~]# ps -ef |grep logstash
logstash 3070 1 99 09:47 ? 00:00:04 /bin/java -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -XX:+DisableExplicitGC -Djava.awt.headless=true -Dfile.encoding=UTF-8 -XX:+HeapDumpOnOutOfMemoryError -Xmx1g -Xms256m -Xss2048k -Djffi.boot.library.path=/usr/share/logstash/vendor/jruby/lib/jni -Xbootclasspath/a:/usr/share/logstash/vendor/jruby/lib/jruby.jar -classpath : -Djruby.home=/usr/share/logstash/vendor/jruby -Djruby.lib=/usr/share/logstash/vendor/jruby/lib -Djruby.script=jruby -Djruby.shell=/bin/sh org.jruby.Main /usr/share/logstash/lib/bootstrap/environment.rb logstash/runner.rb --path.settings /etc/logstash
root 3102 2559 0 09:47 pts/1 00:00:00 grep --color=auto logstash
[root@elk-2 ~]# netstat -lnpt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1078/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1322/master
tcp6 0 0 192.168.80.102:9200 :::* LISTEN 2725/java
tcp6 0 0 192.168.80.102:9300 :::* LISTEN 2725/java
tcp6 0 0 :::22 :::* LISTEN 1078/sshd
tcp6 0 0 ::1:25 :::* LISTEN 1322/master
tcp6 0 0 192.168.80.102:9600 :::* LISTEN 3070/java
If after starting there is a logstash process but no listener on port 9600, startup has either not finished or is blocked by a permissions problem. Wait about a minute; if the port still does not appear, the cause is that Logstash was run as root from the terminal earlier (the configuration check above), so the files it created are owned by root and the logstash service user cannot use them. Fix it as follows:
[root@elk-2 ~]# ll /var/lib/logstash/
total 0
drwxr-xr-x. 2 root root 6 Feb 10 09:00 dead_letter_queue
drwxr-xr-x. 2 root root 6 Feb 10 09:00 queue
[root@elk-2 ~]# chown -R logstash /var/lib/logstash/
[root@elk-2 ~]# ll /var/lib/logstash/
total 0
drwxr-xr-x. 2 logstash root 6 Feb 10 09:00 dead_letter_queue
drwxr-xr-x. 2 logstash root 6 Feb 10 09:00 queue
[root@elk-2 ~]# systemctl restart logstash
[root@elk-2 ~]# netstat -lnpt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program nam
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1273/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1084/master
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 580/rpcbind
tcp6 0 0 192.168.80.102:9200 :::* LISTEN 15918/java
tcp6 0 0 192.168.80.102:9300 :::* LISTEN 15918/java
tcp6 0 0 :::22 :::* LISTEN 1273/sshd
tcp6 0 0 ::1:25 :::* LISTEN 1084/master
tcp6 0 0 192.168.80.102:9600 :::* LISTEN 18724/java
tcp6 0 0 :::111 :::* LISTEN 580/rpcbind
Once Logstash is running, generate some syslog entries by logging into elk-2 from the third host over SSH and logging out again.
[root@elk-3 ~]# ssh elk-2
The authenticity of host 'elk-2 (192.168.80.102)' can't be established.
ECDSA key fingerprint is SHA256:nJT1L6Cz5MvNxC/ib2Rk+WN6Q/a3E3yi/67VwVOjt5k.
ECDSA key fingerprint is MD5:10:0c:b0:88:e6:03:76:cb:53:0b:ea:97:5e:b7:8f:10.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'elk-2,192.168.80.102' (ECDSA) to the list of known hosts.
root@elk-2's password: //enter the password
Last login: Thu Feb 10 01:34:28 2022 from 192.168.0.112
[root@elk-2 ~]#
[root@elk-2 ~]# logout
Connection to elk-2 closed.
6. Retrieving logs in Kibana
(1) Check the indices
After Kibana was deployed there was nothing to search yet. Now that Logstash is running, go back to the first host and list the log indices (any node of the cluster answers this query; elk-2 is used here):
[root@elk-1 ~]# curl '192.168.80.102:9200/_cat/indices?v'
health status index uuid pri rep docs.count docs.deleted store.size pri.store.size
green open .kibana 8lkGjZC7RCCv-yuGpzXx6w 1 1 1 0 7.3kb 3.6kb
green open system-log-2024.04.09 bbXTH0PURR6Efrfcv_nhVA 5 1 7329 0 3.5mb 1.7mb
To get the details of a specific index, send GET to the index name; to delete it, send DELETE (system-log-2024.04.09 here is the index name listed in the previous step). DELETE removes the index and every document in it with no confirmation, and because nothing in this cluster authenticates requests, any host that can reach port 9200 can do the same:
[root@elk-1 ~]# curl -XDELETE '192.168.80.102:9200/system-log-2024.04.09?pretty'
The GET form returns the index's aliases, mappings and settings:
[root@elk-1 ~]# curl -XGET '192.168.80.102:9200/system-log-2024.04.09?pretty'
{
"system-log-2024.04.09" : {
"aliases" : { },
"mappings" : {
"systemlog" : {
"properties" : {
"@timestamp" : {
"type" : "date"
},
"@version" : {
"type" : "text",
"fields" : {
"keyword" : {
"type" : "keyword",
"ignore_above" : 256
}
}
},
"host" : {
"type" : "text",
"fields" : {
"keyword" : {
"type" : "keyword",
"ignore_above" : 256
}
}
},
"message" : {
"type" : "text",
"fields" : {
"keyword" : {
"type" : "keyword",
"ignore_above" : 256
}
}
},
"path" : {
"type" : "text",
"fields" : {
"keyword" : {
"type" : "keyword",
"ignore_above" : 256
}
}
},
"type" : {
"type" : "text",
"fields" : {
"keyword" : {
"type" : "keyword",
"ignore_above" : 256
}
}
}
}
}
},
"settings" : {
"index" : {
"creation_date" : "1712627260396",
"number_of_shards" : "5",
"number_of_replicas" : "1",
"uuid" : "bbXTH0PURR6Efrfcv_nhVA",
"version" : {
"created" : "6000099"
},
"provided_name" : "system-log-2024.04.09"
}
}
}
}
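An added example, not part of the original lab manual, that builds a retention step on the two calls just shown: it parses the _cat/indices?v listing, selects the daily system-log-* indices older than a cutoff date, and prints the corresponding DELETE commands instead of running them, so the plan can be reviewed before it is piped to sh. The listing it embeds is constructed (the page's two indices plus two invented older days with placeholder uuids); the 192.168.80.102:9200 endpoint and the GNU date invocation for the cutoff are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original lab manual: a retention helper built
# on the two calls above (_cat/indices to list, DELETE to remove). It never
# deletes anything itself; it prints the DELETE commands for the daily
# system-log-* indices older than a cutoff date, and you pipe that plan to sh
# only after reading it. The listing below is constructed from the page's
# output plus two older days; .kibana never matches the pattern.

# Print the system-log-YYYY.MM.dd indices whose date is before $2 (YYYY.MM.dd),
# oldest first. $1 = text of "_cat/indices?v". Zero-padded dates compare
# correctly as strings, so no date arithmetic is needed here.
expired_indices() {
    printf '%s\n' "$1" | awk -v cutoff="$2" '
        $3 ~ /^system-log-[0-9][0-9][0-9][0-9]\.[0-9][0-9]\.[0-9][0-9]$/ {
            day = substr($3, 12)        # strip the 11-character "system-log-" prefix
            if (day < cutoff) print $3
        }' | sort
}

# Emit one DELETE per expired index against $1 (host:port, e.g. 192.168.80.102:9200).
# Nothing on this cluster authenticates the request, so restrict who can run this
# and keep port 9200 reachable from trusted hosts only.
plan_deletes() {
    es=$1; listing=$2; cutoff=$3
    for idx in $(expired_indices "$listing" "$cutoff"); do
        printf "curl -s -XDELETE 'http://%s/%s'\n" "$es" "$idx"
    done
}

# Constructed listing in the _cat/indices?v format shown above (uuids of the
# two older days are placeholders).
SAMPLE_LISTING='health status index                 uuid                   pri rep docs.count docs.deleted store.size pri.store.size
green  open   .kibana               8lkGjZC7RCCv-yuGpzXx6w   1   1          1            0      7.3kb          3.6kb
green  open   system-log-2024.04.09 bbXTH0PURR6Efrfcv_nhVA   5   1       7329            0      3.5mb          1.7mb
green  open   system-log-2024.03.15 aaaaaaaaaaaaaaaaaaaaaa   5   1       6010            0      2.9mb          1.4mb
green  open   system-log-2024.03.01 bbbbbbbbbbbbbbbbbbbbbb   5   1       5870            0      2.8mb          1.4mb'

# Stand-alone run: keep 30 days relative to the page's newest index. With live
# data use  LISTING=$(curl -s '192.168.80.102:9200/_cat/indices?v')  and
# CUTOFF=$(date -d '30 days ago' +%Y.%m.%d)  (GNU date; adjust on other systems).
CUTOFF=2024.03.10
echo "# indices older than $CUTOFF:"
expired_indices "$SAMPLE_LISTING" "$CUTOFF"
echo "# review, then apply with:  plan_deletes 192.168.80.102:9200 \"\$LISTING\" \$CUTOFF | sh"
plan_deletes 192.168.80.102:9200 "$SAMPLE_LISTING" "$CUTOFF"
```

The dry-run default is deliberate: on a cluster where DELETE needs no credentials, the script itself is the only checkpoint between a typo in the cutoff and the loss of the whole log history.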
(2) Web configuration
Open 192.168.80.101:5601 in a browser and configure Kibana: set the index pattern to the index listed above, system-log-2024.04.09 (or system-log-* to cover every day's index), then click "Create", as shown in Figure 3.
Then click "Discover" at the top left. If the Discover page shows the prompt in the figure below, no log data could be found; otherwise Kibana has successfully retrieved the host's logs and displays them on the page.