elk 部署

下载 Elastic 产品 | Elastic  官网下载

wget https://artifacts.elastic.co/downloads/logstash/logstash-7.8.0.tar.gz
wget https://artifacts.elastic.co/downloads/kibana/kibana-7.8.0-linux-x86_64.tar.gz
wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.8.0-linux-x86_64.tar.gz

wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.8.0-linux-x86_64.tar.gz

vi /etc/security/limits.conf  #末尾追加
es soft nofile 65536
es hard nofile 65536
es soft nproc 65536
es hard nproc 65536

vi /etc/security/limits.d/20-nproc.conf  #将*改为用户名es
es          soft    nproc     4096
root       soft    nproc     unlimited

vi /etc/sysctl.conf
vm.max_map_count=655360
sysctl -p

tar -zxvf elasticsearch-7.8.0-linux-x86_64.tar.gz

vi /data/elasticsearch-7.8.0/config/elasticsearch.yml  #追加配置文件
discovery.type: single-node     #单节点模式
network.host: 0.0.0.0

useradd es

passwd es

chown -R es:es elasticsearch-7.8.0

cd /data/elasticsearch-7.8.0

su es

./elasticsearch -d

nohup bin/elasticsearch >/dev/null 2>&1&

curl 127.0.0.1:9200/_cluster/health?pretty

2.kibana安装部署

tar -zxvf kibana-7.8.0-linux-x86_64.tar.gz

vi /data/kibana-7.8.0-linux-x86_64/config/kibana.yml

server.host: 0.0.0.0      #任何ip都可访问

elasticsearch.hosts: ["http://10.100.10.190:9200"]         #elas服务地址

i18n.locale: "zh-CN"   #修改为中文

cd /data

chown -R es:es kibana-7.8.0-linux-x86_64

cd kibana-7.8.0-linux-x86_64/bin

su es

./kibana &          #后台启动 

nohup bin/kibana >/dev/null 2>&1&

3.logstash安装部署

wget https://artifacts.elastic.co/downloads/logstash/logstash-7.8.0.tar.gz

tar -zxvf logstash-7.8.0.tar.gz

cd logstash-7.8.0
bin/logstash -e 'input { stdin { }} output { stdout {} }'     #测试输出是否正常

4.filebeat安装部署

wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.8.0-linux-x86_64.tar.gz

tar -zxvf filebeat-7.8.0-linux-x86_64.tar.gz

vi /data/filebeat-7.8.0-linux-x86_64/filebeat.yml  #filebeat.yml配置文件指定监听日志路径

filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/*.log
  fields:
    level: debug
  tags: ["secure.log"]
  
- type: log
  enabled: true
  paths:
    - /data/logstash-7.8.0/logs/*.log
  fields:
    level: debug
  tags: ["logstash.log"]
  
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false
setup.template.settings:
  index.number_of_shards: 1
setup.kibana:
output.logstash:
  hosts: ["10.100.10.190:5044"]
processors:
  - add_host_metadata: ~
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  - add_kubernetes_metadata: ~

vi /data/logstash-7.8.0/config/logstash.conf       #logstash配置文件

input {
  beats {
    port => 5044
  }
}
 
output {
  if "secure.log" in [tags] {
    elasticsearch {
      hosts => ["http://10.100.10.190:9200"]
      index => "secure.log"
    }
  }
  else if "logstash.log" in [tags] {
    elasticsearch {
      hosts => ["http://10.100.10.190:9200"]
      index => "logstash.log"
    }
  }
}

 logstash启动

nohup /data/logstash-7.8.0/bin/logstash -f /data/logstash-7.8.0/config/logstash.conf --config.reload.automatic    #前台logstash启动测试

nohup bin/logstash -f config/logstash.conf >/dev/null 2>&1&   #后台启动

 filebeat启动

cd /data/filebeat-7.8.0-linux-x86_64 

sudo ./filebeat -e -c filebeat.yml -d "publish"        #前台启动filebeat

nohup ./filebeat -e -c filebeat.yml >/dev/null 2>&1&   #后台启动

 

 复制所有名称到dev tools 查询看是否有数据

 

 

 

 

 无过滤字段都会显示出来，实际只有两格，但是全部显示出来了

 

找出实际需要字段 message