Installing and configuring Kibana and Logstash
I. Installing and configuring Kibana
1. Install
The yum repository was already set up when Elasticsearch was installed, so the package can be installed straight from it:
[root@elk-1 ~]# yum install -y kibana
Alternatively, download the RPM package and install it with rpm.
2. Configure
[root@elk-1 ~]# vi /etc/kibana/kibana.yml   (add the following lines to the file)
[root@elk-1 ~]# egrep -v '^$|^#' /etc/kibana/kibana.yml
server.port: 5601
server.host: "192.168.200.70"
elasticsearch.url: "http://192.168.200.70:9200"
server.host is the address Kibana listens on and elasticsearch.url is the cluster it queries (elasticsearch.url is the 6.x key; 7.x renamed it to elasticsearch.hosts). Binding to 192.168.200.70 makes Kibana reachable from the whole lab network, and nothing in this setup authenticates users, so keep it on a trusted network or put an authenticating reverse proxy in front of it before exposing it any further.
[root@elk-1 ~]# systemctl start kibana   (start the service)
[root@elk-1 ~]# ps -ef | grep kibana   (check that the process is running)
kibana 4376 1 99 10:28 ? 00:00:10 /usr/share/kibana/bin/../node/bin/node --no-warnings --max-http-header-size=65536 /usr/share/kibana/bin/../src/cli -c /etc/kibana/kibana.yml
root 4391 4140 0 10:28 pts/0 00:00:00 grep --color=auto kibana
[root@elk-1 ~]# netstat -lntp |grep node   (check that the port is listening)
tcp 0 0 192.168.200.70:5601 0.0.0.0:* LISTEN 4376/node
3. Open http://192.168.200.70:5601 in a browser
II. Installing and configuring Logstash
(installed on node elk-2)
1. Install
[root@elk-2 ~]# yum install -y logstash
or
install from the RPM package (download address)
2. Collect system logs with Logstash (first configured to print the logs to the screen)
Create /etc/logstash/conf.d/syslog.conf with the content below. This is a new file: pipeline files must be placed under conf.d and end in .conf, because the default pipelines.yml loads /etc/logstash/conf.d/*.conf.
[root@elk-2 ~]# vi /etc/logstash/conf.d/syslog.conf
input {                    ## where to collect logs from
  syslog {
    type => "system-syslog"
    port => 10514
  }
}
output {                   ## where to send the logs
  stdout {
    codec => rubydebug
  }
}
"/etc/logstash/conf.d/syslog.conf" [New] 12L, 123C written
The syslog input opens both TCP and UDP 10514, and it binds 0.0.0.0 unless a host => "..." option is given, so any machine that can reach the node can inject syslog events; set host to the node's own address if only the local rsyslog should feed it.
Check the configuration file
Create a symlink so the logstash command is on the PATH:
[root@elk-2 ~]# ln -s /usr/share/logstash/bin/logstash /usr/bin
Then test the file just written for errors; "Configuration OK" in the output means it parsed:
[root@elk-2 ~]# logstash --path.settings /etc/logstash/ -f /etc/logstash/conf.d/syslog.conf --config.test_and_exit
Sending Logstash logs to /var/log/logstash which is now configured via log4j2.properties
[2021-03-05T16:57:02,919][INFO ][logstash.setting.writabledirectory] Creating directory {:setting=>"path.queue", :path=>"/var/lib/logstash/queue"}
[2021-03-05T16:57:02,950][INFO ][logstash.setting.writabledirectory] Creating directory {:setting=>"path.dead_letter_queue", :path=>"/var/lib/logstash/dead_letter_queue"}
[2021-03-05T16:57:03,603][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified
Configuration OK
[2021-03-05T16:57:08,853][INFO ][logstash.runner ] Using config.test_and_exit mode. Config Validation Result: OK. Exiting Logstash
Check that data arrives on port 10514
Point the local rsyslog at Logstash: under #### RULES #### add *.* @@192.168.200.80:10514 (use your own IP; @@ forwards over TCP, a single @ would use UDP; either way the traffic is plaintext, so keep it on the trusted network)
[root@elk-2 ~]# vi /etc/rsyslog.conf
······ (earlier part omitted)
#### RULES ####
*.* @@192.168.200.80:10514
Restart the rsyslog service
[root@elk-2 ~]# systemctl restart rsyslog
Start Logstash in the foreground (as root here, so that the rubydebug output appears on the terminal)
[root@elk-2 ~]# logstash --path.settings /etc/logstash/ -f /etc/logstash/conf.d/syslog.conf
Sending Logstash logs to /var/log/logstash which is now configured via log4j2.properties
[2021-03-05T17:02:50,539][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified
[2021-03-05T17:02:50,566][INFO ][logstash.runner ] Starting Logstash {"logstash.version"=>"6.8.14"}
[2021-03-05T17:02:50,609][INFO ][logstash.agent ] No persistent UUID file found. Generating new UUID {:uuid=>"e1585b8a-dbb8-44f0-9024-2a0debb59465", :path=>"/var/lib/logstash/uuid"}
[2021-03-05T17:02:56,830][INFO ][logstash.pipeline ] Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>2, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50}
[2021-03-05T17:02:57,224][INFO ][logstash.pipeline ] Pipeline started successfully {:pipeline_id=>"main", :thread=>"#<Thread:0x2f4516b3 run>"}
[2021-03-05T17:02:57,289][INFO ][logstash.inputs.syslog ] Starting syslog tcp listener {:address=>"0.0.0.0:10514"}
[2021-03-05T17:02:57,294][INFO ][logstash.inputs.syslog ] Starting syslog udp listener {:address=>"0.0.0.0:10514"}
[2021-03-05T17:02:57,312][INFO ][logstash.agent ] Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
[2021-03-05T17:02:57,603][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600}
[2021-03-05T17:03:01,699][INFO ][logstash.inputs.syslog ] new connection {:client=>"192.168.200.80:35625"}
/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/awesome_print-1.7.0/lib/awesome_print/formatters/base_formatter.rb:31: warning: constant ::Fixnum is deprecated
{
"facility_label" => "clock",
"severity" => 5,
"host" => "192.168.200.80",
"@timestamp" => 2021-03-05T09:03:01.000Z,
"timestamp" => "Mar 5 17:03:01",
"@version" => "1",
"severity_label" => "Notice",
"type" => "system-syslog",
"pid" => "3669",
"priority" => 77,
"message" => "Job `cron.weekly' started\n",
"program" => "anacron",
"facility" => 9,
"logsource" => "elk-2"
}
{
"facility_label" => "clock",
"severity" => 5,
"host" => "192.168.200.80",
"@timestamp" => 2021-03-05T09:03:01.000Z,
"timestamp" => "Mar 5 17:03:01",
"@version" => "1",
"severity_label" => "Notice",
"type" => "system-syslog",
"pid" => "3669",
"priority" => 77,
"message" => "Job `cron.weekly' terminated\n",
"program" => "anacron",
"facility" => 9,
"logsource" => "elk-2"
}
{
"facility_label" => "security/authorization",
"severity" => 6,
"host" => "192.168.200.80",
"@timestamp" => 2021-03-05T09:05:06.000Z,
"timestamp" => "Mar 5 17:05:06",
"@version" => "1",
"severity_label" => "Informational",
"type" => "system-syslog",
"pid" => "4962",
"priority" => 86,
"message" => "Accepted password for root from 192.168.200.90 port 34878 ssh2\n",
"program" => "sshd",
"facility" => 10,
"logsource" => "elk-2"
}
······
Logstash keeps running on its own; press Ctrl+C to stop it.
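The rubydebug events above are what the syslog input makes of each line rsyslog forwards: the <PRI> header is split into facility (PRI // 8) and severity (PRI % 8) and mapped to the labels shown, and the rest is split into timestamp, logsource, program, pid and message. The script below is an added example, not code from Logstash or from this tutorial: it re-implements that decoding with the same label tables (so 77 decodes to clock/Notice and 86 to security/authorization/Informational, as on the page) and then runs a small check over the result. The sample lines are constructed to reproduce the events shown above plus one public-key login for contrast; the "Accepted password for root" check is an assumed detection rule for this lab, not something the tutorial configures.

```python
"""Decode RFC 3164 syslog lines the way Logstash's syslog input does, then run a
check over the decoded events.  Added example, not Logstash code."""
import re

# Facility labels indexed by PRI // 8, as in logstash-input-syslog.
FACILITY_LABELS = [
    "kernel", "user-level", "mail", "system", "security/authorization",
    "syslogd", "line printer", "network news", "UUCP", "clock",
    "security/authorization", "FTP", "NTP", "log audit", "log alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
# Severity labels indexed by PRI % 8.
SEVERITY_LABELS = [
    "Emergency", "Alert", "Critical", "Error", "Warning", "Notice",
    "Informational", "Debug",
]

# <PRI>Mmm dd HH:MM:SS logsource program[pid]: message   (pid is optional)
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<logsource>\S+) "
    r"(?P<program>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<message>.*)$"
)

# Constructed input: what the *.* @@host:10514 rsyslog rule ships for the
# events shown on the page, plus one key-based login that must not match.
SAMPLE_LINES = [
    "<77>Mar  5 17:03:01 elk-2 anacron[3669]: Job `cron.weekly' started",
    "<77>Mar  5 17:03:01 elk-2 anacron[3669]: Job `cron.weekly' terminated",
    "<86>Mar  5 17:05:06 elk-2 sshd[4962]: Accepted password for root from 192.168.200.90 port 34878 ssh2",
    "<86>Mar  5 17:06:10 elk-2 sshd[4990]: Accepted publickey for deploy from 192.168.200.91 port 40210 ssh2",
]


def parse_syslog(line):
    """Return a dict using Logstash's field names for one RFC 3164 line.

    Raises ValueError on lines without a valid <PRI> header instead of
    silently tagging them, so bad input is visible to the caller."""
    m = SYSLOG_RE.match(line.rstrip("\r\n"))
    if m is None:
        raise ValueError("not an RFC 3164 line: %r" % line)
    pri = int(m.group("pri"))
    if pri > 191:  # 23 facilities * 8 + severity 7 is the largest legal PRI
        raise ValueError("PRI out of range: %d" % pri)
    facility, severity = divmod(pri, 8)
    return {
        "priority": pri,
        "facility": facility,
        "facility_label": FACILITY_LABELS[facility],
        "severity": severity,
        "severity_label": SEVERITY_LABELS[severity],
        "timestamp": m.group("timestamp"),
        "logsource": m.group("logsource"),
        "program": m.group("program"),
        "pid": m.group("pid"),
        "message": m.group("message"),
    }


SSH_ACCEPTED_RE = re.compile(
    r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)


def root_password_logins(lines):
    """Return (logsource, source_ip, source_port) for every sshd event that
    records a successful *password* login as root.  Key-based and non-root
    logins are ignored.  Assumed detection rule for this lab."""
    hits = []
    for line in lines:
        event = parse_syslog(line)
        if event["program"] != "sshd":
            continue
        m = SSH_ACCEPTED_RE.match(event["message"])
        if m and m.group("user") == "root" and m.group("method") == "password":
            hits.append((event["logsource"], m.group("src"), m.group("port")))
    return hits


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        ev = parse_syslog(line)
        print("%-24s %-13s %-8s %s" % (ev["facility_label"], ev["severity_label"],
                                       ev["program"], ev["message"]))
    print("root password logins:", root_password_logins(SAMPLE_LINES))
```

The same facility/severity split is what makes the `priority` field in the rubydebug output meaningful for filtering: a Logstash filter that keeps only events with facility 10 (security/authorization) is all it takes to route sshd and sudo events to a separate index.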
3. Send the logs to Elasticsearch
Edit the file created above, replacing the stdout output with an elasticsearch output
[root@elk-2 ~]# vi /etc/logstash/conf.d/syslog.conf
input {
  syslog {
    type => "system-syslog"
    port => 10514
  }
}
output {                   ## changed: send the logs to Elasticsearch
  elasticsearch {
    hosts => ["192.168.200.80:9200"]    ## use your own Elasticsearch address here
    index => "system-syslog-%{+YYYY.MM}"
  }
}
"/etc/logstash/conf.d/syslog.conf" 13L, 183C written
%{+YYYY.MM} is expanded from each event's @timestamp (UTC), so one index per month is created. Re-run the --config.test_and_exit check after editing.
Configure Logstash's own settings file
[root@elk-2 ~]# vi /etc/logstash/logstash.yml
add
http.host: "192.168.200.80"
(The key is http.host with a dot; http:host is not a registered setting and Logstash rejects unknown settings at startup.) http.host is the address the Logstash monitoring API on port 9600 listens on. That API has no authentication, so the default 127.0.0.1 is the safer choice unless another host needs to query it; the listing below still shows 9600 on 127.0.0.1.
Then start the logstash service
[root@elk-2 ~]# systemctl start logstash
If the service fails after the foreground run above, check /var/log/logstash: running logstash as root created /var/lib/logstash/queue and the other data directories owned by root, while the systemd unit runs as the logstash user, so run chown -R logstash:logstash /var/lib/logstash /var/log/logstash first.
Check that ports 9600 and 10514 are open
[root@elk-2 ~]# netstat -ntpl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1513/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1989/master
tcp6 0 0 192.168.200.80:9200 :::* LISTEN 3942/java
tcp6 0 0 :::10514 :::* LISTEN 4887/java
tcp6 0 0 192.168.200.80:9300 :::* LISTEN 3942/java
tcp6 0 0 :::22 :::* LISTEN 1513/sshd
tcp6 0 0 ::1:25 :::* LISTEN 1989/master
tcp6 0 0 127.0.0.1:9600 :::* LISTEN 4887/java
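The listing above is worth more than a yes/no on 9600 and 10514: it shows which address each service is bound to. Elasticsearch sits on the node's own address, the Logstash API is on loopback, but the syslog input is on ::: (all interfaces). The script below is an added example, not part of the tutorial: it parses netstat -lntp output and audits the ELK ports against a bind-address policy. The netstat text is constructed to match the elk-2 listing above, and the expected-port table and policy (Elasticsearch and the syslog input may use the node's LAN address, the unauthenticated Logstash API must stay on loopback, nothing may bind a wildcard) are assumptions for this lab, not Elastic defaults.

```python
"""Audit the listening sockets of an ELK node from `netstat -lntp` output.
Added example for this tutorial; the policy below is an assumption."""
import re

# Port -> (service, policy).  "lan": the node's own address is fine, a wildcard
# (0.0.0.0 / ::) is not.  "loopback": 127.0.0.1 / ::1 only, because the Logstash
# monitoring API has no authentication.  Assumed policy for this lab.
EXPECTED = {
    9200: ("elasticsearch http", "lan"),
    9300: ("elasticsearch transport", "lan"),
    9600: ("logstash api", "loopback"),
    10514: ("logstash syslog input", "lan"),
}
WILDCARD = {"0.0.0.0", "::"}
LOOPBACK = {"127.0.0.1", "::1"}

# proto recv-q send-q local-address foreign-address state pid/program
NETSTAT_RE = re.compile(
    r"^(?P<proto>tcp6?)\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+LISTEN\s+(?P<pid>\d+)/(?P<prog>\S+)"
)

# Constructed to match the page's listing for elk-2 (192.168.200.80).
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1513/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1989/master
tcp6       0      0 192.168.200.80:9200     :::*                    LISTEN      3942/java
tcp6       0      0 :::10514                :::*                    LISTEN      4887/java
tcp6       0      0 192.168.200.80:9300     :::*                    LISTEN      3942/java
tcp6       0      0 :::22                   :::*                    LISTEN      1513/sshd
tcp6       0      0 ::1:25                  :::*                    LISTEN      1989/master
tcp6       0      0 127.0.0.1:9600          :::*                    LISTEN      4887/java
"""


def parse_listeners(text):
    """Return a list of {addr, port, pid, prog} dicts, one per LISTEN row."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            rows.append({"addr": m.group("addr"), "port": int(m.group("port")),
                         "pid": int(m.group("pid")), "prog": m.group("prog")})
    return rows


def audit_listeners(text, node_ip):
    """Map each expected port to (status, detail).

    Statuses: OK, MISSING (nothing listening), OPEN (bound to all interfaces),
    EXPOSED (a loopback-only service bound to a routable address), UNEXPECTED
    (bound to an address other than loopback or node_ip)."""
    by_port = {}
    for row in parse_listeners(text):
        by_port.setdefault(row["port"], []).append(row)

    rank = {"OK": 0, "UNEXPECTED": 1, "EXPOSED": 2, "OPEN": 3}
    result = {}
    for port, (service, policy) in sorted(EXPECTED.items()):
        rows = by_port.get(port)
        if not rows:
            result[port] = ("MISSING", "%s: nothing listening" % service)
            continue
        worst = ("OK", "")  # report the worst binding if the port has several
        for row in rows:
            addr = row["addr"]
            if addr in WILDCARD:
                status = ("OPEN", "%s bound to %s (all interfaces)" % (service, addr))
            elif policy == "loopback" and addr not in LOOPBACK:
                status = ("EXPOSED", "%s bound to %s, expected loopback" % (service, addr))
            elif addr not in LOOPBACK and addr != node_ip:
                status = ("UNEXPECTED", "%s bound to %s" % (service, addr))
            else:
                status = ("OK", "%s bound to %s (%s)" % (service, addr, row["prog"]))
            if rank[status[0]] >= rank[worst[0]]:
                worst = status
        result[port] = worst
    return result


if __name__ == "__main__":
    for port, (status, detail) in audit_listeners(SAMPLE_NETSTAT, "192.168.200.80").items():
        print("%-6d %-10s %s" % (port, status, detail))
```

Run against the page's listing it reports 10514 as OPEN and the other three ports as OK; had the http.host change above taken effect, 9600 would be reported as EXPOSED, which is the reason to leave that setting at its default.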
Check the index list on the master node (elk-1)
[root@elk-1 ~]# curl '192.168.200.70:9200/_cat/indices?v'
health status index uuid pri rep docs.count docs.deleted store.size pri.store.size
green open .kibana 3_bxLRpQTu2QUGhAROS6sw 1 1 1 0 7.3kb 3.6kb
green open system-syslog-2020.11 7TpxxLo4TOuQxqpqdkC2Zw 5 1 4 0 10.9kb 466b
In Kibana open Management > Index Patterns, type system-syslog-* and click Create
If the pattern matches, the index has been created successfully
Go to Discover to view the logs
The VM clock and the browser clock must agree: Discover filters on @timestamp, so if the client's time is off the default time range will not cover the documents and no logs appear
4. Generate new log entries
Log in to elk-2 from elk-3 to produce fresh log entries
[root@elk-3 ~]# ssh root@elk-2
root@elk-2's password:
Last login: Thu Nov 26 07:39:20 2020 from elk-3