Installing the ELK log monitoring system

Published 2023-05-17 16:56:49 Author: me小怪兽

Download the stable-release install packages

elasticsearch-7.17.10-linux-x86_64.tar.gz  # https://www.elastic.co/downloads/past-releases/elasticsearch-7-17-10
logstash-7.17.10-linux-x86_64.tar.gz       # https://www.elastic.co/downloads/past-releases/logstash-7-17-10
kibana-7.17.10-linux-x86_64.tar.gz         # https://www.elastic.co/downloads/past-releases/kibana-7-17-10
jdk1.8.0_351.tar.gz                        # JDK 8 or later

172.16.1.12: server side, install elasticsearch, kibana and the jdk

172.16.1.2: agent side, install logstash and the jdk; every host that is collected from needs its own logstash

1. Install the JDK

# tar zxvf jdk1.8.0_351.tar.gz -C /usr/local/  # unpack

# vim /etc/profile  # system-wide environment variables
export JAVA_HOME=/usr/local/jdk1.8.0_351
export JRE_HOME=$JAVA_HOME/jre
export PATH=$PATH:$JAVA_HOME/bin:$JRE_HOME/bin
export CLASSPATH=.:$JAVA_HOME/lib/dt.jar:$JAVA_HOME/lib/tools.jar

# source /etc/profile  # reload the variables into the current shell

# java -version  # verify
openjdk version "1.8.0_351"
OpenJDK Runtime Environment (build 1.8.0_351-b08)
OpenJDK 64-Bit Server VM (build 25.351-b08, mixed mode)

2. Install Elasticsearch

mkdir /usr/local/elk  # create one directory for all components, easier to manage
tar -zxvf elasticsearch-7.17.10-linux-x86_64.tar.gz -C /usr/local/elk  # unpack
cd /usr/local/elk  # enter it
mv elasticsearch-7.17.10 elasticsearch  # rename
adduser es  # create the service user (Elasticsearch refuses to run as root)
echo 1234 | passwd --stdin es  # set its password
mkdir /usr/local/elk/elasticsearch/data  # create the data directory
chown -R es:es /usr/local/elk/elasticsearch  # give the unpacked tree to that user

System configuration

Edit /etc/security/limits.conf and append the following. The first column must be the account Elasticsearch runs as (es, created above); a * would apply the limit to all users:
# maximum number of open files for the es user
echo "es soft nofile 65536" >> /etc/security/limits.conf
echo "es hard nofile 65536" >> /etc/security/limits.conf
Edit sysctl.conf:
vi /etc/sysctl.conf
# change the setting below, or append it at the end of the file if it is absent:
echo "vm.max_map_count=655360" >> /etc/sysctl.conf
# apply the change:
sysctl -p
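As an added preflight check (not part of the original post), the shell functions below verify the two settings just configured before the service is started: the nofile limits that apply to a given user in a limits.conf file, and a vm.max_map_count value against the 262144 minimum that Elasticsearch's bootstrap check enforces. The sample limits.conf content is constructed and deliberately names the user elasticsearch rather than es, the mismatch that silently leaves the service user without the raised limit. Function names and the sample file are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: checks the kernel/user settings
# Elasticsearch needs before the service is started.

# Constructed limits.conf content (a typical copy-pasted pair of lines).
SAMPLE_LIMITS=$(mktemp)
cat > "$SAMPLE_LIMITS" <<'EOF'
# /etc/security/limits.conf
elasticsearch soft nofile 65536
elasticsearch hard nofile 65536
EOF

# nofile_limits_ok FILE USER [REQUIRED]
# Returns 0 when both the soft and hard nofile limits that apply to USER
# (an entry for USER itself or for "*") are at least REQUIRED (default 65536).
nofile_limits_ok() {
  file=$1; user=$2; required=${3:-65536}
  for kind in soft hard; do
    value=$(awk -v u="$user" -v k="$kind" \
      '$1 !~ /^#/ && ($1 == u || $1 == "*") && $2 == k && $3 == "nofile" { v = $4 }
       END { print v }' "$file")
    [ -n "$value" ] || return 1           # no matching entry at all
    [ "$value" -ge "$required" ] || return 1
  done
  return 0
}

# max_map_count_ok VALUE
# Returns 0 when VALUE meets the 262144 minimum of Elasticsearch's bootstrap check.
max_map_count_ok() {
  [ "$1" -ge 262144 ]
}

# Summary for the service user from the post (es) and the live kernel value.
if nofile_limits_ok "$SAMPLE_LIMITS" es; then
  echo "nofile limits for user es: ok"
else
  echo "nofile limits for user es: MISSING (the sample names user 'elasticsearch', not 'es')"
fi
if max_map_count_ok "$(sysctl -n vm.max_map_count 2>/dev/null || echo 0)"; then
  echo "vm.max_map_count: ok"
else
  echo "vm.max_map_count: too low, run sysctl -p after editing /etc/sysctl.conf"
fi
```

Run it as the user that will start Elasticsearch, or point nofile_limits_ok at /etc/security/limits.conf with that user's name; when the service is started through the systemd unit below, LimitNOFILE in the unit applies instead of limits.conf, so the check matters most for manual starts from a login shell.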

Edit elasticsearch.yml

vim /usr/local/elk/elasticsearch/config/elasticsearch.yml
Add the following:
cluster.name: my-application
node.name: node_01
path.data: /usr/local/elk/elasticsearch/data
path.logs: /usr/local/elk/elasticsearch/logs
network.host: 172.16.1.12
http.port: 20003
bootstrap.system_call_filter: false
bootstrap.memory_lock: false
cluster.initial_master_nodes: ["node_01"]

Note that bootstrap.system_call_filter: false switches off the seccomp system-call filter (the setting is deprecated in 7.x), and that with network.host on a LAN address and no xpack.security settings the HTTP port 20003 accepts unauthenticated requests from any host that can reach it, so restrict it with a firewall to the Logstash and Kibana hosts.

Add the Elasticsearch service

vim /usr/lib/systemd/system/elasticsearch.service

[Unit]
Description=elasticsearch
After=network.target

[Service]
Type=forking
# user to run as
User=es
# jdk location
Environment="PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/jdk1.8.0_351/bin"
# start command
ExecStart=/usr/local/elk/elasticsearch/bin/elasticsearch -d
PrivateTmp=true
# maximum number of open files for this process
LimitNOFILE=65536
# maximum number of processes for this process
LimitNPROC=65536
# maximum virtual memory
LimitAS=infinity
# maximum file size
LimitFSIZE=infinity
# stop timeout, 0 = never time out
TimeoutStopSec=0
# SIGTERM is the signal used to stop the java process
KillSignal=SIGTERM
# send the signal to the JVM only
KillMode=process
# never escalate to SIGKILL for the java process
SendSIGKILL=no
# normal exit status (143 = 128 + SIGTERM)
SuccessExitStatus=143

[Install]
WantedBy=multi-user.target

Start Elasticsearch

# reload unit files
systemctl daemon-reload
# enable at boot
systemctl enable elasticsearch.service
# start the service
systemctl start elasticsearch.service
# check the service status
systemctl status elasticsearch.service

Check the port and process

netstat -tunlp |grep 20003
tcp6       0      0 172.16.1.12:20003       :::*                    LISTEN      26703/java        

3. Install Logstash

Install logstash on each host being collected from; the JDK must be installed first, as in step 1 (not repeated here).

Upload and unpack

tar -zxvf logstash-7.17.10-linux-x86_64.tar.gz -C /usr/local/elk/
cd /usr/local/elk/
mv logstash-7.17.10 logstash

Create the log collection configuration file

vim /usr/local/elk/logstash/bin/config.conf

input {
  file {
    path => "/var/log/messages"        # log file to read
    type => "messages_log_172.16.1.2"  # custom name used for routing below
    start_position => "beginning"      # read from the start on first run (the default is "end")
  }
  file {
    path => "/var/log/secure"
    type => "secure_log_172.16.1.2"
    start_position => "beginning"
  }
}
output {
  if [type] == "messages_log_172.16.1.2" {
    elasticsearch {
      hosts => ["172.16.1.12:20003"]  # es address
      index => "messages_log_172.16.1.2-%{+YYYY.MM.dd}"
    }
  }
  if [type] == "secure_log_172.16.1.2" {
    elasticsearch {
      hosts => ["172.16.1.12:20003"]
      index => "secure_log_172.16.1.2-%{+YYYY.MM.dd}"
    }
  }
}
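Since /var/log/secure is one of the files shipped above, a practitioner will want to see what a detection over it looks like before building a Kibana view on the secure_log index. The script below is an added example, not from the original post or from Logstash: it counts sshd "Failed password" events per source address over a few constructed log lines and lists addresses at or above a threshold, the same aggregation a saved search in Kibana would run over the index. Function names, the threshold and the sample lines (documentation IP ranges) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: failed-SSH-login counting over
# /var/log/secure style lines, the kind of check the secure_log index is for.

# Constructed sample of /var/log/secure lines.
SAMPLE_SECURE_LOG=$(mktemp)
cat > "$SAMPLE_SECURE_LOG" <<'EOF'
May 17 16:50:01 agent1 sshd[2101]: Failed password for root from 203.0.113.5 port 51234 ssh2
May 17 16:50:03 agent1 sshd[2101]: Failed password for root from 203.0.113.5 port 51240 ssh2
May 17 16:50:05 agent1 sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 51251 ssh2
May 17 16:50:09 agent1 sshd[2105]: Accepted publickey for ops from 172.16.1.12 port 40022 ssh2
May 17 16:51:00 agent1 sshd[2107]: Failed password for ops from 192.0.2.9 port 33001 ssh2
May 17 16:51:30 agent1 sshd[2109]: Accepted password for ops from 192.0.2.9 port 33010 ssh2
EOF

# failed_ssh_by_ip FILE
# Prints "<count> <src_ip>" for every source address with failed password
# attempts, highest count first. Only sshd "Failed password" lines are counted,
# so successful logins (Accepted ...) never contribute.
failed_ssh_by_ip() {
  awk '/sshd\[[0-9]+\]: Failed password for/ {
         # the source address is the field after "from", whether or not the
         # line carries the "invalid user" prefix
         for (i = 1; i <= NF; i++) if ($i == "from") n[$(i+1)]++
       }
       END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# brute_force_candidates FILE [THRESHOLD]
# Prints only the source addresses with at least THRESHOLD failures (default 3).
brute_force_candidates() {
  threshold=${2:-3}
  failed_ssh_by_ip "$1" | awk -v t="$threshold" '$1 >= t { print $2 }'
}

echo "failed password attempts per source address:"
failed_ssh_by_ip "$SAMPLE_SECURE_LOG"
echo "addresses at or above the threshold:"
brute_force_candidates "$SAMPLE_SECURE_LOG" 3
```

Pointed at the real /var/log/secure, the same two functions give a quick local baseline for what the messages_log and secure_log indices will contain; a single address with many failures and no Accepted line is the pattern worth a Kibana visualization and an alert.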

Start

vim /usr/local/elk/logstash/bin/startup.sh  # startup script

nohup /usr/local/elk/logstash/bin/logstash -f /usr/local/elk/logstash/bin/config.conf >/dev/null 2>&1 &
chmod +x /usr/local/elk/logstash/bin/startup.sh  # make it executable
sh /usr/local/elk/logstash/bin/startup.sh        # start

Check

ps aux |grep logstash

4. Install Kibana

Unpack

tar zxvf kibana-7.17.10-linux-x86_64.tar.gz -C /usr/local/elk
cd /usr/local/elk
mv kibana-7.17.10 kibana

Edit the configuration file

vim /usr/local/elk/kibana/config/kibana.yml

server.port: 20006  # listen port
server.host: "172.16.1.12"  # kibana address
elasticsearch.hosts: ["http://172.16.1.12:20003"]  # es address
kibana.index: ".kibana"  # default
i18n.locale: "zh-CN"    # enable the Chinese UI

Save and exit
Start Kibana

vim /usr/local/elk/kibana/bin/startup.sh

nohup /usr/local/elk/kibana/bin/kibana --allow-root >/dev/null 2>&1 &  # --allow-root is only needed because Kibana is started as root here; a dedicated unprivileged user, as for es above, is the safer choice

chmod +x /usr/local/elk/kibana/bin/startup.sh

sh /usr/local/elk/kibana/bin/startup.sh

Check

netstat -tunlp |grep 20006
tcp 0 0 172.16.1.12:20006 0.0.0.0:* LISTEN 30710/node

At this point, with all three components started normally, the Kibana page can be opened:

http://172.16.1.12:20006/

Add an index

Create an index pattern

View the logs