Deploying ELK log collection on a single Linux host

Published 2023-04-19 09:51:31  Author: 左叔


1. Environment preparation

CentOS 7

CPU: 1 core

Memory: 8G

# Install vim, wget and net-tools

Set the host name (add a hosts entry):

vim /etc/hosts

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

192.168.204.131 elk-log-server

2. Download the packages

2.1 Download JDK 1.8, Elasticsearch, Logstash and Kibana

wget --no-check-certificate --no-cookies --header "Cookie: oraclelicense=accept-securebackup-cookie" http://download.oracle.com/otn-pub/java/jdk/8u131-b11/d54c1d3a095b4ff2b6607d096fa80163/jdk-8u131-linux-x64.rpm
wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-6.8.0.rpm
wget https://artifacts.elastic.co/downloads/logstash/logstash-6.8.0.rpm
wget https://artifacts.elastic.co/downloads/kibana/kibana-6.8.0-x86_64.rpm

2.2 Install JDK 1.8

rpm -ivh jdk-8u131-linux-x64.rpm

3. Install and configure Elasticsearch

3.1 Install Elasticsearch

rpm -ivh elasticsearch-6.8.0.rpm

3.2 Configure Elasticsearch

vim /etc/elasticsearch/elasticsearch.yml

Modify the file as shown below, then save with :wq

# Cluster name
cluster.name: test-cluster
# Node name
node.name: elk-log-server
# Data path
path.data: /var/lib/elasticsearch
# Log path
path.logs: /var/log/elasticsearch
# Listen IP
network.host: 192.168.204.131
# Listen port
http.port: 9200
# Addresses of the cluster hosts; in single-node mode this is just the local IP
discovery.zen.ping.unicast.hosts: ["192.168.204.131"]

3.3 Start the service and check the ports

systemctl start elasticsearch
netstat -tunlp|grep java
tcp6       0      0 192.168.204.131:9200       :::*                    LISTEN      5176/java           
tcp6       0      0 192.168.204.131:9300       :::*                    LISTEN      5176/java 

3.4 Query the HTTP port with curl

curl 192.168.204.131:9200

The output is as follows:

{
  "name" : "elk-log-server",
  "cluster_name" : "test-cluster",
  "cluster_uuid" : "ujFldL0eTjqDFC-5oqATaw",
  "version" : {
    "number" : "6.2.4",
    "build_hash" : "ccec39f",
    "build_date" : "2018-04-12T20:37:28.497551Z",
    "build_snapshot" : false,
    "lucene_version" : "7.2.1",
    "minimum_wire_compatibility_version" : "5.6.0",
    "minimum_index_compatibility_version" : "5.0.0"
  },
  "tagline" : "You Know, for Search"
}

3.5 Open port 9200 in the firewall

firewall-cmd --add-port=9200/tcp --permanent
firewall-cmd --reload

4. Install and configure Logstash

4.1 Install Logstash

rpm -ivh logstash-6.8.0.rpm 

4.2 Configure Logstash

vim /etc/logstash/logstash.yml

Modify the file as shown below, then save with :wq

# Data path
path.data: /var/lib/logstash
# Listen IP
http.host: "192.168.204.131"
# Listen port
http.port: 9600
# Log path
path.logs: /var/log/logstash

4.3 Give the logstash user write permission on its directories

chown -R logstash /var/log/logstash/ /var/lib/logstash/

4.4 Create a new pipeline config file for collecting system logs

vim /etc/logstash/conf.d/syslog.conf

Contents:

input{
  syslog{
    type => "system-syslog"
    port => 10000
  }
}

# Output to Elasticsearch
output{
  elasticsearch{
    hosts => ["192.168.204.131:9200"]         # Elasticsearch service address
    index => "system-syslog-%{+YYYY.MM}"   # index to create
  }
}

4.5 Test the log collection config file

ln -s  /usr/share/logstash/bin/logstash /usr/local/bin/
logstash --path.settings /etc/logstash/ -f /etc/logstash/conf.d/syslog.conf --config.test_and_exit
Sending Logstash's logs to /var/log/logstash which is now configured via log4j2.properties
Configuration OK

4.6 Start the Logstash service and check the ports

Start Logstash with the syslog collection config file loaded; this brings up port 9600:

/usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/syslog.conf --config.reload.automatic

Start the service and check the ports:

systemctl start logstash
netstat -tunlp|grep java

The output is as follows:

tcp6       0      0 192.168.204.131:9600    :::*                    LISTEN      92196/java          
tcp6       0      0 :::10000                :::*                    LISTEN      92196/java          
tcp6       0      0 192.168.204.131:9200    :::*                    LISTEN      24309/java          
tcp6       0      0 192.168.204.131:9300    :::*                    LISTEN      24309/java          
udp        0      0 0.0.0.0:10000           0.0.0.0:*                           92196/java

9600 is the Logstash listening port (its monitoring API); 10000 is the syslog input port for collecting system logs.

4.7 Check the index created in Elasticsearch by the log collection

curl http://192.168.204.131:9200/_cat/indices

The output is as follows:

yellow open system-syslog-2019.07 REp7fM_gSaquo9PX2_sREQ 5 1 10 0 58.9kb 58.9kb

4.8 View the details of a specific index

curl http://192.168.204.131:9200/system-syslog-2019.07?pretty


This confirms that Logstash and Elasticsearch are communicating normally.
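As an added end-to-end check (my own script, not part of the original post), the code below sends one constructed RFC 3164 syslog line to the Logstash syslog input on UDP port 10000 and then asks Elasticsearch whether the marker text was indexed under system-syslog-*; the host, ports and index name are the ones used in this post, while the hostname elk-test and tag elktest are made-up values.

```python
"""Added end-to-end check for the pipeline above (not part of the original post):
send one constructed RFC 3164 syslog line to the Logstash syslog input on UDP
port 10000, then poll Elasticsearch until the marker text shows up in the
system-syslog-* index. Host and ports are taken from the post."""
import json
import socket
import time
import urllib.request
from datetime import datetime

LOGSTASH_HOST = "192.168.204.131"          # elk-log-server from the post
SYSLOG_PORT = 10000                        # port of the syslog input in syslog.conf
ES_URL = "http://192.168.204.131:9200"     # Elasticsearch HTTP endpoint from the post
MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()

def syslog_pri(facility, severity):
    """PRI = facility * 8 + severity, per RFC 3164 section 4.1.1."""
    return facility * 8 + severity

def build_syslog_message(text, hostname="elk-test", tag="elktest",
                         facility=1, severity=5, when=None):
    """Build a BSD-style line the Logstash syslog input parses with its default
    grok pattern: <PRI>Mmm dd HH:MM:SS host tag: message (day is space padded)."""
    when = when or datetime.now()
    stamp = f"{MONTHS[when.month - 1]} {when.day:2d} {when:%H:%M:%S}"
    return f"<{syslog_pri(facility, severity)}>{stamp} {hostname} {tag}: {text}"

def send_udp(line, host=LOGSTASH_HOST, port=SYSLOG_PORT):
    """Deliver one syslog line over UDP (the input also listens on TCP 10000)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(line.encode("utf-8"), (host, port))

def count_marker(marker, es_url=ES_URL, index="system-syslog-*"):
    """Return how many documents in the index contain the marker phrase."""
    body = json.dumps({"query": {"match_phrase": {"message": marker}}}).encode()
    req = urllib.request.Request(f"{es_url}/{index}/_count", data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)["count"]

def smoke_test(timeout=30):
    """Send a uniquely marked line and wait for it to be indexed; True on success."""
    marker = f"elk-smoke-{int(time.time())}"            # constructed marker text
    send_udp(build_syslog_message(f"pipeline check {marker}"))
    deadline = time.time() + timeout
    while time.time() < deadline:
        if count_marker(marker) > 0:
            return True
        time.sleep(2)
    return False
```

Run smoke_test() from a host that can reach 10000/udp and 9200/tcp; a False result after a successful send usually means the grok pattern rejected the line (check the _grokparsefailure tag in Discover) or the monthly index has not been created yet.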

5. Install and configure Kibana

5.1 Install Kibana

rpm -ivh kibana-6.8.0-x86_64.rpm

5.2 Configure Kibana

vim /etc/kibana/kibana.yml

Modify the file as shown below, then save with :wq

i18n.locale: "zh-CN"
# Listen port
server.port: 5601
# Listen IP
server.host: 192.168.204.131
# Elasticsearch service address
elasticsearch.url: "http://192.168.204.131:9200"
# Log path
logging.dest: /var/log/kibana/kibana.log

5.3 Create the log directory and give the kibana user write permission on it

mkdir /var/log/kibana/
chown -R kibana /var/log/kibana/

5.4 Open port 5601 in the firewall

firewall-cmd --add-port=5601/tcp --permanent
firewall-cmd --reload

5.5 Start the Kibana service and check the port

systemctl start kibana
netstat -tunlp|grep 5601
tcp        0      0 192.168.204.131:5601       0.0.0.0:*               LISTEN      7511/node
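Before opening the UI it is worth reviewing the three configuration files above: as written, Elasticsearch, the Logstash monitoring API and Kibana all bind to the LAN address with no authentication or TLS, and 9200 and 5601 were opened in the firewall (Elasticsearch 6.8 ships basic authentication and TLS in the free basic licence, so enabling xpack.security is an option on this version). The script below is an added example, not from the post, that parses copies of those files and lists what is exposed; the checks and the sample file contents are my own, constructed to match the post's settings.

```python
"""Added post-install check, my own code rather than the post's: parse the flat
key: value files configured above and flag settings that leave the stack reachable
on the LAN without authentication or TLS. Sample contents mirror the post."""
ES_YML = """cluster.name: test-cluster
network.host: 192.168.204.131
http.port: 9200
"""
LS_YML = """http.host: "192.168.204.131"
http.port: 9600
"""
KB_YML = """server.port: 5601
server.host: 192.168.204.131
elasticsearch.url: "http://192.168.204.131:9200"
"""
LOOPBACK = {"127.0.0.1", "localhost", "::1", "_local_"}

def parse_flat_yaml(text):
    """Minimal parser for flat 'key: value' lines; '#' starts a comment, quotes are stripped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings

def enabled(settings, key):
    return settings.get(key, "false").lower() == "true"

def audit(es, ls, kb):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    es_host = es.get("network.host", "127.0.0.1")
    if es_host not in LOOPBACK and not enabled(es, "xpack.security.enabled"):
        findings.append(f"elasticsearch: API on {es_host} reachable without xpack.security.enabled")
    if es_host not in LOOPBACK and not enabled(es, "xpack.security.http.ssl.enabled"):
        findings.append("elasticsearch: HTTP API without TLS (xpack.security.http.ssl.enabled)")
    if ls.get("http.host", "127.0.0.1") not in LOOPBACK:
        findings.append(f"logstash: monitoring API bound to {ls['http.host']}, not loopback")
    kb_host = kb.get("server.host", "localhost")
    if kb_host not in LOOPBACK and not kb.get("elasticsearch.username"):
        findings.append(f"kibana: UI on {kb_host} with no elasticsearch.username configured")
    if kb.get("elasticsearch.url", "").startswith("http://"):
        findings.append("kibana: elasticsearch.url uses plaintext http")
    return findings

def audit_post_configs():
    """Run the audit over the constructed copies of the post's three files."""
    return audit(parse_flat_yaml(ES_YML), parse_flat_yaml(LS_YML), parse_flat_yaml(KB_YML))
```

On the real host, replace the three constants with open('/etc/elasticsearch/elasticsearch.yml').read() and the Logstash and Kibana equivalents; every finding printed corresponds to a port that the firewall rules above have made reachable from the whole network.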

6. Access the web page

6.1 Open http://192.168.204.131:5601 in a browser

6.2 Create an index pattern in Kibana

The pipeline config for collecting system logs was created in Logstash above; now create the matching index pattern in Kibana.

Management -- Index Patterns

In the index pattern field, enter the system-syslog-* configured earlier; this matches all indices whose names begin with system-syslog-.

Next, configure the filter; here the timestamp is used as the time filter field.

Create the index pattern.

All fields collected from the system logs are displayed; click Discover, where the displayed fields can be configured.