Logstash is an open-source log management tool.
Project site: http://logstash.net/
This Logstash installation uses the following components:
Server:
- fqdn: dev.kanbier.lan (should be resolvable!)
- ip: 10.37.129.8
Installing the required software
The author prefers installing from RPM packages. Pay attention to version numbers and don't chase the newest and greatest release: the Elasticsearch version has to match the one the Logstash release expects.

Create the yum repository files (the section headers, gpgcheck and enabled keys are required for a valid .repo file and were dropped from the original listing):

```ini
# /etc/yum.repos.d/logstash.repo
[logstash-1.4]
name=logstash repository for 1.4.x packages
baseurl=http://packages.elasticsearch.org/logstash/1.4/centos
gpgcheck=1
gpgkey=http://packages.elasticsearch.org/GPG-KEY-elasticsearch
enabled=1
```

```ini
# /etc/yum.repos.d/elasticsearch.repo
[elasticsearch-1.0]
name=Elasticsearch repository for 1.0.x packages
baseurl=http://packages.elasticsearch.org/elasticsearch/1.0/centos
gpgcheck=1
gpgkey=http://packages.elasticsearch.org/GPG-KEY-elasticsearch
enabled=1
```

```ini
# /etc/yum.repos.d/nginx.repo
[nginx]
name=nginx repository
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
# The original listing gave no signing key for this repo; nginx's published key is used here
gpgcheck=1
gpgkey=http://nginx.org/keys/nginx_signing.key
enabled=1
```

Then add the EPEL repository and install the packages:

```shell
$ rpm -Uvh http://mirror.1000mbps.com/fedora-epel/6/i386/epel-release-6-8.noarch.rpm
$ yum -y install elasticsearch redis nginx logstash
```
Enabling Kibana

```shell
$ wget https://download.elasticsearch.org/kibana/kibana/kibana-3.0.0.tar.gz
$ tar -xvzf kibana-3.0.0.tar.gz
$ mv kibana-3.0.0 /usr/share/kibana3
```

We need to tell Kibana where to find Elasticsearch. Open the configuration file and edit the elasticsearch parameter:

```shell
$ vi /usr/share/kibana3/config.js
```

Search for the "elasticsearch" parameter and change it to fit your environment:

```js
elasticsearch: "http://dev.kanbier.lan:9200",
```

You can also change the default_route parameter so that the Logstash dashboard opens by default instead of the Kibana welcome page:

```js
default_route : '/dashboard/file/logstash.json',
```
To reach Kibana through the web, use the sample nginx configuration shipped with Kibana and set server_name to your own host:

```shell
$ wget https://raw.github.com/elasticsearch/kibana/master/sample/nginx.conf
$ mv nginx.conf /etc/nginx/conf.d/
$ vi /etc/nginx/conf.d/nginx.conf
```

```nginx
server_name dev.kanbier.lan;
```

The nginx configuration looks like this (the relevant part of the sample file, with the host name it ships with; only the Elasticsearch endpoints Kibana needs are proxied, and writes to saved dashboards require a password):

```nginx
server {
  listen       *:80;
  server_name  kibana.myhost.org;
  access_log   /var/log/nginx/kibana.myhost.org.access.log;

  # Kibana 3 is static HTML/JS served straight from disk
  location / {
    root   /usr/share/kibana3;
    index  index.html index.htm;
  }

  # Read-only Elasticsearch endpoints Kibana needs, proxied to the local node
  location ~ ^/_aliases$    { proxy_pass http://127.0.0.1:9200; }
  location ~ ^/.*/_aliases$ { proxy_pass http://127.0.0.1:9200; }
  location ~ ^/_nodes$      { proxy_pass http://127.0.0.1:9200; }
  location ~ ^/.*/_search$  { proxy_pass http://127.0.0.1:9200; }
  location ~ ^/.*/_mapping  { proxy_pass http://127.0.0.1:9200; }

  # Saving dashboards writes to Elasticsearch: anything other than GET needs a password
  location ~ ^/kibana-int/dashboard/.*$ {
    proxy_pass http://127.0.0.1:9200;
    limit_except GET {
      proxy_pass http://127.0.0.1:9200;
      auth_basic "Restricted";
      auth_basic_user_file /etc/nginx/conf.d/kibana.myhost.org.htpasswd;
    }
  }
  location ~ ^/kibana-int/temp.*$ {
    proxy_pass http://127.0.0.1:9200;
    limit_except GET {
      proxy_pass http://127.0.0.1:9200;
      auth_basic "Restricted";
      auth_basic_user_file /etc/nginx/conf.d/kibana.myhost.org.htpasswd;
    }
  }
}
```
Configuring redis
Configuring Logstash
You can use the logstash-complex.conf file from the Logstash documentation. It is not very complex and does the following:
- reads files from the /var/log directory
- opens port 5544 so remote syslog messages can be received directly
- tells Logstash to use the separately installed Elasticsearch rather than the embedded one

```shell
$ vi /etc/logstash/conf.d/logstash-complex.conf
```

```conf
input {
  # Wildcards work, here :)
  file { path => [ "/var/log/*.log", "/var/log/messages", "/var/log/syslog" ]
         sincedb_path => "/opt/logstash/sincedb-access" }
  syslog { port => 5544 }
}
filter {
  grok { match => [ "message", "%{SYSLOGBASE2}" ]
         add_tag => [ "syslog", "grokked" ] }
}
output { elasticsearch { host => "dev.kanbier.lan" } }
```
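To see what the grok filter above actually does to a line from /var/log/messages, here is a small Python imitation of it, added for this article and not part of the Logstash project or the original post. It uses a simplified version of %{SYSLOGBASE2} (the real pattern also accepts ISO 8601 timestamps and an optional <facility.priority> prefix), applies add_tag on a match and, as Logstash does, tags a non-matching event with _grokparsefailure; the sample lines are constructed.

```python
import re

# Simplified equivalent of the grok pattern %{SYSLOGBASE2} used in the filter
# (constructed for this example; it covers the classic BSD syslog header only)
SYSLOGBASE2 = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<logsource>[\w.-]+)"
    r"(?: (?P<program>[\w._/%-]+)(?:\[(?P<pid>\d+)\])?:|)"
)


def grok_syslog(message, add_tag=("syslog", "grokked")):
    """Mimic Logstash's grok filter for one event.

    On a match the named captures become event fields and add_tag is appended.
    On a miss the event is tagged _grokparsefailure (Logstash's behaviour), so
    unparsed lines still reach Elasticsearch and can be found in Kibana.
    """
    event = {"message": message, "tags": []}
    m = SYSLOGBASE2.match(message)
    if m is None:
        event["tags"].append("_grokparsefailure")
        return event
    for name, value in m.groupdict().items():
        if value is not None:
            event[name] = value
    event["tags"].extend(add_tag)
    return event


# Constructed sample lines in the format found in /var/log/messages
SAMPLE_LINES = [
    "Jul 10 12:34:56 dev.kanbier.lan sshd[1234]: Accepted publickey for admin from 10.37.129.9 port 52211 ssh2",
    "Jul 10 12:35:01 dev.kanbier.lan CROND[1250]: (root) CMD (run-parts /etc/cron.hourly)",
    "this line is not syslog-formatted at all",
]


def parse_all(lines=SAMPLE_LINES):
    """Run the filter over a batch of lines and return the resulting events."""
    return [grok_syslog(line) for line in lines]


if __name__ == "__main__":
    for event in parse_all():
        print(event)
```

Searching Kibana for tags:_grokparsefailure is a quick way to find log sources the pattern does not cover.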
Starting the services

```shell
$ service redis start; chkconfig redis on
$ service elasticsearch start; chkconfig --add elasticsearch; chkconfig elasticsearch on
$ service logstash start; chkconfig logstash on
$ service nginx start; chkconfig nginx on
```

For rsyslog you can now add these lines to /etc/rsyslog.conf (the queue settings keep messages on disk while the Logstash host is unreachable; the last line does the actual forwarding to the syslog input on port 5544 over TCP):

```conf
$WorkDirectory /var/lib/rsyslog       # where to place spool files
$ActionQueueFileName fwdRule1         # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g           # 1 GB space limit for the spool
$ActionQueueSaveOnShutdown on         # save messages to disk on shutdown
$ActionQueueType LinkedList           # run asynchronously
$ActionResumeRetryCount -1            # retry forever if the host is down
*.* @@dev.kanbier.lan:5544
```
If there is a firewall, these ports need to be opened:
- port 80 (for the web interface)
- port 5544 (to receive remote syslog messages)
- port 6379 (for the redis broker)
- port 9200 (so the web interface can access elasticsearch)

Port 9200 is needed because config.js above points the browser straight at Elasticsearch. Elasticsearch 1.0 has no authentication of its own, so anyone who can reach that port can read, write or delete indices; limit the rule to the clients that need it, or point config.js at the nginx proxy instead, which is what the password-protected locations in the sample configuration are for.

![Logstash log management tool with Elasticsearch](http://i1.static.ttlsa.com/www/2014/07/10/eGhoXzAxNjg=_027403-300x215.png)
Translated from: http://www.denniskanbier.nl/blog/logging/installing-logstash-on-rhel-and-centos-6