1. Kibana data visualization: log analysis
[root@foundation50 network-scripts]# cd /mnt/pub/docs/elk/7.6/
[root@foundation50 7.6]# scp kibana-7.6.1-x86_64.rpm server4:  # copy the package to server4
[root@server4 ~]# rpm -ivh kibana-7.6.1-x86_64.rpm  # install
[root@server4 ~]# cd /etc/kibana/
[root@server4 kibana]# vim kibana.yml  # edit the configuration file
[root@server4 kibana]# systemctl start kibana.service  # start the service
[root@server4 kibana]# netstat -antlupe | grep :5601  # Kibana listens on port 5601
tcp 0 0 172.25.50.4:5601 0.0.0.0:* LISTEN 997 53471 4112/node
Create a visualization
Data must be imported first
Then create the visualization again
The visualization can be saved
Add the visualization to a dashboard
Example 2: a vertical bar chart of the number of requests from each client host
Create a visualization and choose the vertical bar chart
[root@server1 ~]# yum install -y httpd-tools  # install ab
[root@server2 ~]# yum install -y httpd-tools  # install ab
[root@server3 ~]# yum install -y httpd-tools  # install ab
[root@server1 ~]# ab -c1 -n 200 http://172.25.50.4/index.html  # server1 sends 200 requests
[root@server2 ~]# ab -c1 -n 300 http://172.25.50.4/index.html  # server2 sends 300 requests
[root@server3 ~]# ab -c1 -n 400 http://172.25.50.4/index.html  # server3 sends 400 requests
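The bar chart in example 2 is nothing more than a count of requests grouped by client address, taken from the Apache access log that Logstash ships to Elasticsearch. The shell functions below are an added example (not part of the original post) that compute the same per-host counts, and the per-minute counts Kibana draws when the chart is split by time, directly from the log with awk; they are a quick way to check a chart against the raw log. The log lines are constructed samples in the Apache combined format; on the real host they would come from /var/log/httpd/access_log (an assumed path).

```shell
#!/bin/sh
# Added example, not from the original post: reproduce Kibana's
# "terms" aggregation (requests per client host) and "date histogram"
# (requests per minute) over an Apache access log with awk.

# hits_per_host FILE -> "COUNT HOST" lines, most active host first.
# In the combined/common log format the client address is field 1.
hits_per_host() {
    awk '{ c[$1]++ } END { for (h in c) print c[h], h }' "$1" | sort -rn
}

# hits_for_host FILE HOST -> request count for one client (0 if absent)
hits_for_host() {
    awk -v host="$2" '$1 == host { n++ } END { print n + 0 }' "$1"
}

# hits_per_minute FILE -> "COUNT HH:MM" lines in time order.
# Field 4 is "[10/Mar/2020:10:00:01"; splitting on ":" gives hour and minute.
hits_per_minute() {
    awk '{ split($4, t, ":"); m = t[2] ":" t[3]; c[m]++ }
         END { for (m in c) print c[m], m }' "$1" | sort -k2
}

# Constructed sample log: 3 requests from server1, 2 from server2, 1 from
# server3; four of them in minute 10:00 and two in minute 10:01.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
172.25.50.1 - - [10/Mar/2020:10:00:01 +0800] "GET /index.html HTTP/1.0" 200 12 "-" "ApacheBench/2.3"
172.25.50.1 - - [10/Mar/2020:10:00:01 +0800] "GET /index.html HTTP/1.0" 200 12 "-" "ApacheBench/2.3"
172.25.50.2 - - [10/Mar/2020:10:00:02 +0800] "GET /index.html HTTP/1.0" 200 12 "-" "ApacheBench/2.3"
172.25.50.1 - - [10/Mar/2020:10:00:03 +0800] "GET /index.html HTTP/1.0" 200 12 "-" "ApacheBench/2.3"
172.25.50.3 - - [10/Mar/2020:10:01:03 +0800] "GET /index.html HTTP/1.0" 200 12 "-" "ApacheBench/2.3"
172.25.50.2 - - [10/Mar/2020:10:01:04 +0800] "GET /index.html HTTP/1.0" 200 12 "-" "ApacheBench/2.3"
EOF

echo "requests per host:"
hits_per_host "$SAMPLE_LOG"
echo "requests per minute:"
hits_per_minute "$SAMPLE_LOG"
```

Run against the real log by replacing `$SAMPLE_LOG` with the access log path; with the `ab` runs above, `hits_per_host` should report 200, 300 and 400 for server1, server2 and server3 respectively, which is what the bar chart should show.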
2. Kibana monitoring
Monitoring is unavailable: Kibana reports that X-Pack security must be enabled first
[root@server1 ~]# cd /usr/share/elasticsearch/
[root@server1 elasticsearch]# bin/elasticsearch-certutil ca  # generate the CA; it asks for an output file
Please enter the desired output file [elastic-stack-ca.p12]:  # press Enter
Enter password for elastic-stack-ca.p12 :  # press Enter
[root@server1 elasticsearch]# bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12  # generate the node certificate signed by the CA
Enter password for CA (elastic-stack-ca.p12) :  # press Enter
Please enter the desired output file [elastic-certificates.p12]:  # press Enter
Enter password for elastic-certificates.p12 :  # press Enter
[root@server1 elasticsearch]# cp elastic-certificates.p12 /etc/elasticsearch/  # copy the certificate into the Elasticsearch config directory
[root@server1 elasticsearch]# chown elasticsearch elastic-certificates.p12
[root@server1 elasticsearch]# scp elastic-certificates.p12 server2:/etc/elasticsearch/  # copy the certificate to server2
elastic-certificates.p12 100% 3451 4.5MB/s 00:00
[root@server2 elasticsearch]# chown elasticsearch elastic-certificates.p12
[root@server1 elasticsearch]# scp elastic-certificates.p12 server3:/etc/elasticsearch/  # copy the certificate to server3
elastic-certificates.p12 100% 3451 4.5MB/s 00:00
[root@server3 elasticsearch]# chown elasticsearch elastic-certificates.p12
[root@server1 ~]# cd /etc/elasticsearch/
[root@server1 elasticsearch]# vim elasticsearch.yml  # append the following settings at the end of the file; do the same on server2 and server3
xpack.security.enabled: true  # enable X-Pack authentication
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/elastic-certificates.p12
[root@server1 elasticsearch]# systemctl restart elasticsearch.service  # restart
[root@server1 ~]# cd /usr/share/elasticsearch/bin/  # enter the bin directory
[root@server1 bin]# ./elasticsearch-setup-passwords interactive  # set the built-in users' passwords interactively
Please confirm that you would like to continue [y/N]y
Enter password for [elastic]:  # enter each password twice
Reenter password for [elastic]:  # elastic is the built-in superuser used to log in to Kibana; it has all privileges
Enter password for [apm_system]:
Reenter password for [apm_system]:
Enter password for [kibana]:
Reenter password for [kibana]:
Enter password for [logstash_system]:
Reenter password for [logstash_system]:
Enter password for [beats_system]:
Reenter password for [beats_system]:
Enter password for [remote_monitoring_user]:
Reenter password for [remote_monitoring_user]:
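Before restarting each node it is worth confirming that the five settings appended to elasticsearch.yml are really present (a commented-out line does not count) and that the PKCS#12 keystore, which contains the node's private key, belongs to the elasticsearch user and is not readable by other users. Pressing Enter at the certutil password prompts leaves both the CA file and the node keystore without a passphrase, so file ownership and permissions are the only protection for that key. The script below is an added example, not part of the original post or of Elasticsearch: it takes the yml path, the keystore path and the expected owner as arguments; the paths in the usage comment are the ones used in the post.

```shell
#!/bin/sh
# Added example, not from the original post: verify the X-Pack security
# settings appended to elasticsearch.yml on every node, and the
# ownership/permissions of the distributed PKCS#12 keystore.

# check_xpack_config YML KEYSTORE_PATH
#   returns 0 when all five settings are present with the expected values,
#   1 otherwise (each missing or wrong setting is reported on stderr)
check_xpack_config() {
    yml="$1"
    ks="$2"
    rc=0
    for kv in \
        "xpack.security.enabled: true" \
        "xpack.security.transport.ssl.enabled: true" \
        "xpack.security.transport.ssl.verification_mode: certificate" \
        "xpack.security.transport.ssl.keystore.path: $ks" \
        "xpack.security.transport.ssl.truststore.path: $ks"
    do
        key="${kv%%:*}"      # text before the first colon
        val="${kv#*: }"      # text after "key: "
        # Extra whitespace is accepted; a line starting with "#" does not match.
        if ! grep -Eq "^[[:space:]]*${key}:[[:space:]]*${val}[[:space:]]*"'$' "$yml"; then
            echo "missing or wrong: $kv" >&2
            rc=1
        fi
    done
    return $rc
}

# check_keystore_perms KEYSTORE_PATH OWNER
#   returns 0 when the file exists, belongs to OWNER and grants no
#   permission to "other" users; 1 otherwise
check_keystore_perms() {
    ks="$1"
    owner="$2"
    if [ ! -f "$ks" ]; then
        echo "keystore not found: $ks" >&2
        return 1
    fi
    # ls -l prints "-rw-r----- 1 elasticsearch root 3451 ...": field 3 is the
    # owner and characters 8-10 of field 1 are the "other" permission bits.
    set -- $(ls -l "$ks")
    if [ "$3" != "$owner" ]; then
        echo "keystore owned by $3, expected $owner: $ks" >&2
        return 1
    fi
    if [ "$(printf '%s' "$1" | cut -c8-10)" != "---" ]; then
        echo "keystore is accessible to other users ($1): $ks" >&2
        return 1
    fi
    return 0
}

# Stand-alone use on a node (paths from the post, owner as set by chown):
#   sh check-xpack.sh /etc/elasticsearch/elasticsearch.yml \
#       /etc/elasticsearch/elastic-certificates.p12 elasticsearch
if [ "$#" -eq 3 ]; then
    check_xpack_config "$1" "$2" && check_keystore_perms "$2" "$3" && echo "OK"
fi
```

Run it on server1, server2 and server3 before each `systemctl restart elasticsearch.service`; a node whose transport TLS settings differ from the others will refuse to join the cluster after the restart, and this catches the typo before the outage.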
[root@server4 ~]# cd /etc/kibana/
[root@server4 kibana]# vim kibana.yml  # set the username and password Kibana uses to connect to Elasticsearch
[root@server4 kibana]# systemctl restart kibana.service  # restart
Visit 172.50.25.4:5601: a username and password are now required
Visit 172.25.50.4:9000
Visit 172.25.50.4:9100: cannot connect
The fix is as follows:
[root@server1 ~]# cd /etc/elasticsearch/
[root@server1 elasticsearch]# vim elasticsearch.yml
[root@server1 elasticsearch]# systemctl restart elasticsearch.service  # restart
Visit: http://172.25.50.4:9100/?auth_user=elastic&auth_password=westos
Logstash authenticated connection
[root@server4 ~]# cd /etc/logstash/conf.d/
[root@server4 conf.d]# vim apache.conf  # edit
[root@server4 conf.d]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/apache.conf  # run
[root@foundation50 network-scripts]# ab -c1 -n 100 http://172.25.50.4/index.html  # 100-request load test
Kibana monitoring configuration
Install Metricbeat on the ES cluster nodes to be monitored
[root@foundation50 network-scripts]# cd /mnt/pub/docs/elk/7.6/
[root@foundation50 7.6]# scp metricbeat-7.6.1-x86_64.rpm server1:
[root@server1 ~]# rpm -ivh metricbeat-7.6.1-x86_64.rpm  # install
Enable and configure the Elasticsearch x-pack module in Metricbeat
[root@server1 ~]# cd /etc/metricbeat/
[root@server1 metricbeat]# cd modules.d/  # module directory
couchdb.yml.disabled php_fpm.yml.disabled
docker.yml.disabled postgresql.yml.disabled
dropwizard.yml.disabled prometheus.yml.disabled
elasticsearch-xpack.yml.disabled rabbitmq.yml.disabled
elasticsearch.yml.disabled redis.yml.disabled
envoyproxy.yml.disabled sql.yml.disabled
etcd.yml.disabled stan.yml.disabled
golang.yml.disabled statsd.yml.disabled
googlecloud.yml.disabled system.yml
[root@server1 modules.d]# metricbeat modules enable elasticsearch-xpack  # enable the elasticsearch-xpack module
Enabled elasticsearch-xpack
[root@server1 modules.d]# vim elasticsearch-xpack.yml  # edit the module file
Configure Metricbeat to send to the monitoring cluster
In other words, this sets where Metricbeat sends the monitoring data it collects from this host
[root@server1 ~]# cd /etc/metricbeat
[root@server1 metricbeat]# vim metricbeat.yml  # edit the main Metricbeat configuration file
[root@server1 metricbeat]# systemctl enable --now metricbeat.service  # enable and start
Check the ES platform in Kibana: server1 is now configured; configure server2 and server3 the same way
Kibana node log collection plugin: Filebeat
Official site
Go to the official site, choose the module you need, and configure it as documented there
[root@foundation50 isos]# cd /mnt/pub/docs/elk/7.6/
[root@foundation50 7.6]# scp filebeat-7.6.1-x86_64.rpm server1:  # copy Filebeat to server1
[root@server1 ~]# rpm -ivh filebeat-7.6.1-x86_64.rpm  # install
[root@server1 ~]# cd /etc/filebeat/
[root@server1 filebeat]# cd modules.d/  # module directory; it holds log modules for many services
activemq.yml.disabled ibmmq.yml.disabled netflow.yml.disabled
apache.yml.disabled icinga.yml.disabled nginx.yml.disabled
auditd.yml.disabled iis.yml.disabled osquery.yml.disabled
aws.yml.disabled iptables.yml.disabled panw.yml.disabled
azure.yml.disabled kafka.yml.disabled postgresql.yml.disabled
cef.yml.disabled kibana.yml.disabled rabbitmq.yml.disabled
cisco.yml.disabled logstash.yml.disabled redis.yml.disabled
coredns.yml.disabled misp.yml.disabled santa.yml.disabled
elasticsearch.yml.disabled mongodb.yml.disabled suricata.yml.disabled
envoyproxy.yml.disabled mssql.yml.disabled system.yml.disabled
googlecloud.yml.disabled mysql.yml.disabled traefik.yml.disabled
haproxy.yml.disabled nats.yml.disabled zeek.yml.disabled
Now we collect the logs of the entire ES cluster
[root@server1 modules.d]# filebeat modules enable elasticsearch  # enable the elasticsearch module
Enabled elasticsearch
[root@server1 modules.d]# vim elasticsearch.yml  # edit
[root@server1 ~]# cd /etc/filebeat
[root@server1 filebeat]# vim filebeat.yml
[root@server1 filebeat]# systemctl enable --now filebeat.service  # enable and start
Indexing and searching large volumes of data in the ES cluster causes problems, so index lifecycle management must be configured
![Image description](https://img-blog.csdnimg.cn/f2061ea95a104be5835f20a485f5a3a7.png#pic_center)