Installing Logstash on the second node
Installing Logstash
(1) Upload the Logstash installation package; the package can be downloaded in a browser.
[root@elk-2 ~]# rpm -ivh logstash-6.0.0.rpm
(2) Modify the configuration file to see how Logstash collects logs
Example: how to collect system logs
Modify the configuration file
[root@elk-2 ~]# vi /etc/logstash/conf.d/syslog.conf
input { ## Source of the logs: where to collect them from
  syslog {
    type => "system-syslog"
    port => 10514
  }
}
output { ## Where to send the logs: to the screen (stdout) or to Elasticsearch
  stdout {
    codec => rubydebug
  }
}
Create a symbolic link so that logstash can be run conveniently later
[root@elk-2 ~]# ln -s /usr/share/logstash/bin/logstash /usr/bin
Check the configuration for errors
[root@elk-2 ~]# logstash --path.settings /etc/logstash/ -f /etc/logstash/conf.d/syslog.conf --config.test_and_exit
Sending Logstash's logs to /var/log/logstash which is now configured via log4j2.properties
Configuration OK
[root@elk-2 ~]# vi /etc/rsyslog.conf
Under #### RULES #### add:
*.* @@192.168.200.69:10514
Restart the rsyslog service
[root@elk-2 ~]# systemctl restart rsyslog
Start the Logstash service
[root@elk-2 ~]# logstash --path.settings /etc/logstash/ -f /etc/logstash/conf.d/syslog.conf
It does not exit, because the output we defined prints to the current terminal.
Check the listening ports
[root@elk-2 ~]# netstat -ntpl
Log in to elk-2 from elk-3
[root@elk-3 ~]# ssh root@elk-2
Return to elk-2: log entries have been produced, and the sshd entry is the login we just made
Press Ctrl+C to exit
Sending log output to Elasticsearch
Change the configuration file
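As an added example (not part of the original post), the script below builds the same kind of RFC 3164 line that rsyslog forwards with the "*.* @@192.168.200.69:10514" rule and sends it over TCP to the Logstash syslog input, so the pipeline can be checked without waiting for a real login. It assumes Logstash is listening on 192.168.200.69:10514 as configured above; the sample sshd message and the client IP in it are constructed.

```python
"""Send a constructed syslog line to the Logstash syslog input.

rsyslog's "@@host:port" forwards over TCP (a single "@" would be UDP) in the
classic RFC 3164 format "<PRI>TIMESTAMP HOST TAG: MSG\n", where
PRI = facility * 8 + severity.
"""
import socket
import time

LOGSTASH_HOST = "192.168.200.69"   # elk-2, as configured on this page
LOGSTASH_PORT = 10514              # port from syslog.conf

FACILITY = {"kern": 0, "user": 1, "daemon": 3, "auth": 4,
            "authpriv": 10, "local0": 16}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}


def build_syslog_line(facility, severity, host, tag, msg, ts=None):
    """Return one RFC 3164 line exactly as rsyslog would forward it."""
    pri = FACILITY[facility] * 8 + SEVERITY[severity]
    ts = ts or time.strftime("%b %e %H:%M:%S")   # e.g. "Feb 22 20:11:46"
    return f"<{pri}>{ts} {host} {tag}: {msg}\n"


def parse_pri(line):
    """Undo the PRI encoding; Logstash's syslog input exposes these as
    syslog_facility_code and syslog_severity_code."""
    pri = int(line[1:line.index(">")])
    return pri // 8, pri % 8


def send_line(line, host=LOGSTASH_HOST, port=LOGSTASH_PORT, timeout=3):
    """Ship one newline-terminated line over TCP; returns bytes sent."""
    data = line.encode()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(data)
    return len(data)


if __name__ == "__main__":
    # Constructed sample resembling what sshd logs on a successful login;
    # the client address is made up for the test.
    line = build_syslog_line("authpriv", "info", "elk-2", "sshd[1234]",
                             "Accepted publickey for root from 192.168.200.70 port 50000 ssh2")
    print(line.strip(), "-> facility/severity", parse_pri(line))
    send_line(line)
```

In the rubydebug output on elk-2 the event should show type "system-syslog", facility code 10 and severity code 6 for this line.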
[root@elk-2 ~]# cat /etc/logstash/conf.d/syslog.conf
input {
  syslog {
    type => "system-syslog"
    port => 10514
  }
}
output {
  elasticsearch {
    hosts => ["192.168.200.69:9200"]
    index => "system-syslog-%{+YYYY.MM}"
  }
}
The following also needs to be changed:
[root@elk-2 ~]# vi /etc/logstash/logstash.yml
http.host: "192.168.200.69"
(use the internal IP)
Start Logstash
[root@elk-2 ~]# systemctl start logstash
Change ownership of the data directory
[root@elk-2 ~]# chown -R logstash /var/lib/logstash/
[root@elk-2 ~]# ll /var/lib/logstash
total 4
drwxr-xr-x. 2 logstash root 6 Feb 22 19:53 dead_letter_queue
drwxr-xr-x. 2 logstash root 6 Feb 22 19:53 queue
-rw-r--r--. 1 logstash root 36 Feb 22 20:05 uuid
Check the listening ports
[root@elk-2 ~]# netstat -ntpl
Check whether the host's logs have been collected
[root@elk-1 ~]# curl '192.168.200.39:9200/_cat/indices?v'
health status index uuid pri rep docs.count docs.deleted store.size pri.store.size
green open system-syslog-2021.02 lgPm4lSAS6y85GoNBqA2gA 5 1 5 0 114.6kb 57.3kb
green open .kibana 5QeBFEj2TR-QW5QT_bFvsQ 1 1 1 0 7.3kb 3.6kb
Note: system-syslog-2021.02 is the index name we defined earlier
Error encountered: no logs are collected
Solution: start rsyslog on elk-2; the collected logs can then be viewed successfully
[root@elk-2 ~]# systemctl start rsyslog
Indexing in Kibana
Add the index pattern in Kibana
Index pattern created successfully
Error encountered
Solution: change the time range
After clicking Go
Go to elk-3
Generate a log entry
[root@elk-2 ~]# ssh root@elk-2
The authenticity of host 'elk-2 (192.168.200.69)' can't be established.
ECDSA key fingerprint is b9:00:45:d9:07:8d:6e:1a:10:d6:af:2d:20:77:16:79.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'elk-2,192.168.200.69' (ECDSA) to the list of known hosts.
root@elk-2's password:
Last login: Mon Feb 22 20:11:46 2021 from elk-3
Refresh Kibana and check