安装 logstash
1、修改主机名
[root@localhost ~]# hostnamectl set-hostname logstash
2、同步时间
[root@logstash ~]# yum install -y chrony.x86_64
[root@logstash ~]# systemctl restart chronyd.service
[root@logstash ~]# chronyc sources -v
3、安装jdk
软件包:https://pan.baidu.com/s/1p0-R7eiTZCd8QVzxS2WPaQ
密码:d5ft
(网盘属于第三方分发渠道,解压安装前建议用 sha256sum / sha512sum 计算校验值,并与官方下载页公布的值比对。)
[root@logstash ~]# tar -xvf jdk-13.0.2_linux-x64_bin.tar.gz -C /usr/local/
[root@logstash ~]# cd /usr/local/
[root@logstash ~]# ln -s jdk-13.0.2/ java
# 添加 java 环境变量
[root@logstash ~]# vim /etc/profile
export JAVA_HOME=/usr/local/java
export PATH=$JAVA_HOME/bin:$PATH
# 重载环境变量
[root@logstash ~]# source /etc/profile
4、修改文件限制
[root@logstash ~]# cat >>/etc/security/limits.conf <<-EOF
* soft nofile 65536
* hard nofile 65536
* soft nproc 32000
* hard nproc 32000
elk soft memlock unlimited
elk hard memlock unlimited
EOF
[root@logstash ~]# cat >>/etc/systemd/system.conf<<-EOF
DefaultLimitNOFILE=65536
DefaultLimitNPROC=32000
DefaultLimitMEMLOCK=infinity
EOF
[root@logstash ~]# cat >>/etc/sysctl.conf<<-EOF
vm.max_map_count=655360
fs.file-max=655360
vm.swappiness=0
EOF
5、给elk添加免密
[root@es-master ~]# useradd elk
[root@es-master ~]# visudo
# 注意:NOPASSWD: ALL 相当于让 elk 免密获得完整 root 权限,仅适合实验环境;生产环境应只放行确实需要的命令
elk ALL=(ALL) NOPASSWD: ALL
6、创建 logstash 环境
[root@logstash ~]# su - elk
[elk@logstash ~]$ sudo mkdir /usr/local/elkapp && sudo mkdir -p /usr/local/elkdata/logstash/{data,logs} && sudo chown -R elk:elk /usr/local/elkapp && sudo chown -R elk:elk /usr/local/elkdata
7、安装Logstash
[elk@logstash ~]$ cd /usr/local/src && sudo tar -xvf logstash-7.8.0.tar.gz -C /usr/local/elkapp && sudo ln -s /usr/local/elkapp/logstash-7.8.0 /usr/local/elkapp/logstash && sudo chown -R elk:elk /usr/local/elkapp && sudo chown -R elk:elk /usr/local/elkdata
8、配置Logstash
[elk@logstash ~]$ sudo vim /usr/local/elkapp/logstash-7.8.0/config/logstash.yml
path.data: /usr/local/elkdata/logstash/data
path.logs: /usr/local/elkdata/logstash/logs
9、配置输入输出
[elk@logstash ~]$ sudo vim /usr/local/elkapp/logstash-7.8.0/config/input-output.conf
input {
redis {
data_type => "list"
key => "logstash"
host => "10.11.66.189"
port => 6379
threads => 5
codec => "json"
}
}
filter {
}
output {
elasticsearch {
hosts => ["10.11.66.180:9200","10.11.66.181:9200","10.11.66.182:9200"]
index => "logstash-%{type}-%{+YYYY.MM.dd}"
document_type => "%{type}"
}
stdout {
}
}
10、配置 pipelines.yml
[elk@logstash ~]$ sudo cp /usr/local/elkapp/logstash-7.8.0/config/pipelines.yml{,.bak}
[elk@logstash ~]$ sudo vim /usr/local/elkapp/logstash-7.8.0/config/pipelines.yml
- pipeline.id: id1
  pipeline.workers: 1
  path.config: "/usr/local/elkapp/logstash-7.8.0/config/input-output.conf"
11、配置开机启动
[elk@logstash ~]$ sudo vim /etc/systemd/system/logstash.service
# 内容如下
[Unit]
Description=logstash
[Service]
User=elk
Group=elk
LimitMEMLOCK=infinity
LimitNOFILE=100000
LimitNPROC=100000
ExecStart=/usr/local/elkapp/logstash/bin/logstash
[Install]
WantedBy=multi-user.target
[elk@logstash ~]$ sudo systemctl daemon-reload
[elk@logstash ~]$ sudo systemctl start logstash
12、测试 logstash
1、查看9600端口状态
[elk@logstash ~]$ ss -anput | grep 9600
tcp LISTEN 0 50 ::ffff:127.0.0.1:9600 :::* users:(("java",pid=6263,fd=84))
13、logstash 演示用法
先停止服务
[elk@logstash conf.d]$ sudo systemctl stop logstash.service
1、示例1:标准输入输出
配置文件
[elk@logstash conf.d]$ vim test.conf
input {
stdin {}
}
output {
stdout {
codec => rubydebug
}
}
测试
[elk@logstash config]$ logstash -f ./conf.d/test.conf
/usr/local/elkapp/logstash-7.8.0/vendor/bundle/jruby/2.5.0/gems/awesome_print-1.7.0/lib/awesome_print/formatters/base_formatter.rb:31: warning: constant ::Fixnum is deprecated
{
"host" => "logstash",
"@version" => "1",
"message" => "haha wql",
"@timestamp" => 2020-07-08T13:53:51.695Z
}
安装kibana
软件包:https://pan.baidu.com/s/1p0-R7eiTZCd8QVzxS2WPaQ
密码:d5ft
1、安装
[elk@logstash elkapp]$ cd /usr/local/src
[elk@logstash elkapp]$ sudo tar -xvf kibana-7.8.0-linux-x86_64.tar.gz -C /usr/local/elkapp
[elk@logstash elkapp]$ cd /usr/local/elkapp/
[elk@logstash elkapp]$ sudo ln -s kibana-7.8.0-linux-x86_64/ kibana
[elk@logstash elkapp]$ sudo chown -R elk.elk /usr/local/elk*
2、配置Kibana
[root@logstash ~]# vim /usr/local/elkapp/kibana-7.8.0-linux-x86_64/config/kibana.yml
server.port: 5601
server.host: "10.11.66.195"
elasticsearch.hosts: ["http://10.11.66.180:9200"]
3、配置开机启动
[root@logstash ~]# vim /etc/systemd/system/kibana.service
[Unit]
Description=kibana
[Service]
User=elk
Group=elk
LimitMEMLOCK=infinity
LimitNOFILE=100000
LimitNPROC=100000
ExecStart=/usr/local/elkapp/kibana/bin/kibana
[Install]
WantedBy=multi-user.target
[root@logstash ~]# systemctl daemon-reload
[root@logstash ~]# systemctl start kibana
[root@logstash ~]# systemctl status kibana
4、测试
[root@logstash ~]# ps aux | grep kibana
elk 24414 106 13.4 1362348 412304 ? Ssl 08:15 0:22 /usr/local/elkapp/kibana/bin/../node/bin/node /usr/local/elkapp/kibana/bin/../src/cli
root 24782 0.0 0.0 112708 972 pts/0 S+ 08:16 0:00 grep --color=auto kibana
[root@logstash ~]# ss -anput | grep 5601
tcp LISTEN 0 128 10.11.66.195:5601 *:* users:(("node",pid=25316,fd=18))
5、汉化 Kibana
[root@logstash ~]# vim /usr/local/elkapp/kibana/config/kibana.yml
i18n.locale: "zh-CN"
6、图形界面
安装 Redis
软件包:https://pan.baidu.com/s/1p0-R7eiTZCd8QVzxS2WPaQ
密码:d5ft
1、安装环境依赖
[root@redis ~]# yum install gcc gcc-c++ -y
[root@redis ~]# cd /usr/local
[root@redis ~]# tar -xvf redis-5.0.5.tar.gz
[root@redis ~]# cd redis-5.0.5
[root@redis ~]# make
[root@redis ~]# make install
2、设置开机启动
[root@redis ~]# ./utils/install_server.sh
3、启动
[root@redis ~]# systemctl daemon-reload
[root@redis ~]# systemctl start redis_6379
[root@redis ~]# systemctl status redis_6379.service
[root@redis ~]# vim /etc/redis/6379.conf
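bind 0.0.0.0
protected-mode no
# 注意:bind 0.0.0.0 加 protected-mode no 会让 Redis 在所有网卡上无认证对外开放;
# 应同时设置 requirepass <自定义强口令>,并用防火墙只放行 Logstash、Filebeat 所在主机访问 6379 端口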
[root@redis ~]# systemctl restart redis_6379
Cerebro Elasticsearch监控
1、创建用户
[root@redis ~]# useradd -s /sbin/nologin cerebro
2、安装 jdk
软件包:https://pan.baidu.com/s/1p0-R7eiTZCd8QVzxS2WPaQ
密码:d5ft
[root@redis ~]# tar xf jdk-8u201-linux-x64.tar.gz -C /usr/local/
[root@redis ~]# cd /usr/local/
[root@redis ~]# ln -s jdk1.8.0_201/ java
[root@redis ~]# vim /etc/profile
export JAVA_HOME=/usr/local/java
export PATH=$JAVA_HOME/bin:$PATH
[root@redis ~]# source /etc/profile
[root@redis ~]# java -version
3、安装Cerebro
软件包:https://pan.baidu.com/s/1p0-R7eiTZCd8QVzxS2WPaQ
密码:d5ft
[root@redis ~]# mkdir /opt/cerebro
[root@redis ~]# tar -xvf cerebro-0.9.2.tgz -C /opt/cerebro
[root@redis ~]# ln -s /opt/cerebro/cerebro-0.9.2 /opt/cerebro/current
[root@redis ~]# chown -R cerebro.cerebro /opt/cerebro
4、配置
[root@redis ~]# mkdir /home/cerebro/data
[root@redis ~]# chown -R cerebro.cerebro /home/cerebro
[root@redis ~]# mv /opt/cerebro/current/conf/application.conf{,.bak}
[root@redis ~]# vim /opt/cerebro/current/conf/application.conf
# secret 用于会话签名,部署时请自行生成随机值,不要沿用教程里公开的示例
secret="ki:s:[[@=Ag?QI`W2jMwkY:eqvrJ]JqoJyi2axj3ZvOv^/KavOT4ViJSv?6YY4[N"
basePath="/"
pidfile.path="/opt/cerebro/current/cerebro.pid"
data.path="/home/cerebro/data/cerebro.db"
es={
gzip=true
}
auth={
type: basic
settings: {
username="admin"
# 示例口令过于简单;Cerebro 可直接操作 ES 集群,上线前请换成强口令
password="1234.com"
}
}
hosts=[
{
host="http://10.11.66.180:9200"
name="es_log"
}
]
5、启动
[root@redis ~]# /opt/cerebro/cerebro-0.9.2/bin/cerebro
6、创建system启动
[root@redis ~]# vim /etc/systemd/system/cerebro.service
[Unit]
Description=Cerebro
After=network.target
[Service]
Type=folking
PIDFile=/opt/cerebro/current/cerebro.pid
User=cerebro
Group=cerebro
LimitNOFILE=65535
ExecStart=/opt/cerebro/current/bin/cerebro -Dconfig.file=/opt/cerebro/current/conf/application.conf
Restart=on-failure
WorkingDirectory=/opt/cerebro/current
[Install]
WantedBy=multi-user.target
[root@redis ~]# systemctl daemon-reload
[root@redis ~]# systemctl start cerebro
[root@redis ~]# systemctl status cerebro
7、访问
[root@redis ~]# vim /opt/cerebro/current/conf/application.conf
http = {
port = "9000"
address = "10.11.66.184"
}
安装 Filebeat
软件包:https://pan.baidu.com/s/1p0-R7eiTZCd8QVzxS2WPaQ
密码:d5ft
1、下载 tar 安装
[root@redis ~]# cd /usr/local/src
[root@redis src~]# tar -xf filebeat-7.8.0-linux-x86_64.tar.gz -C /usr/local/
[root@redis src]# cd /usr/local/filebeat-7.8.0-linux-x86_64
[root@redis local]# ln -s filebeat-7.8.0-linux-x86_64/ filebeat
[root@redis filebeat-7.8.0-linux-x86_64]# ./filebeat -e -c filebeat.yml
2、设置开机启动
[root@redis ~]# vim /etc/systemd/system/filebeat.service
[Unit]
Description=filebeat server daemon
Documentation= /usr/local/filebeat/filebeat -help
Wants=network-online.target
After=network-online.target
[Service]
User=root
Group=root
Environment="BEAT_CONFIG_OPTS=-c /usr/local/filebeat/filebeat.yml"
ExecStart= /usr/local/filebeat/filebeat $BEAT_CONFIG_OPTS
Restart=always
[Install]
WantedBy=multi-user.target
[root@redis ~]# systemctl daemon-reload
[root@redis ~]# systemctl start filebeat
[root@redis ~]# systemctl status filebeat
3、配置filebeat
[root@redis ]# touch /usr/local/access-filebeat-test.log
[root@redis ]# echo "zhuyong is pig" >> /usr/local/access-filebeat-test.log
4、配置filebeat写入redis
[root@redis ~]# vim /usr/local/filebeat/filebeat.yml
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/httpd/access_log
output.redis:
  # hosts、key、password 须与实际 Redis 及 Logstash redis 输入(上文为 10.11.66.189、key "logstash")保持一致
  hosts: ["192.168.152.169"]
  password: "123.com"
  key: "httpdlogs"
  datatype: "list"
  db: 0
  enabled: true
  worker: 1
  loadbalance: true
5、配置filebeat写入es
[root@redis ~]# vim /usr/local/filebeat/filebeat.yml
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/httpd/access_log
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["10.11.66.180:9200","10.11.66.181:9200","10.11.66.182:9200"]
6、启动服务
[root@redis ~]# systemctl restart filebeat.service
7、生成日志
[root@redis ~]# yum install httpd
[root@redis ~]# systemctl start httpd
[root@redis ~]# echo 'Home Page' > /var/www/html/index.html
[root@redis ~]# for i in {1..20}; do echo "Test Page ${i}" > /var/www/html/test${i}.html; done
[root@redis ~]# for i in {1..200}; do j=$(($i %20+1)); curl http://10.11.66.184:80/test$j.html; done
8、测试
[root@redis ~]# systemctl restart filebeat.service
7、生成日志
[root@redis ~]# yum install httpd
[root@redis ~]# systemctl start httpd
[root@redis ~]# echo 'Home Page' > /var/www/html/index.html
[root@redis ~]# for i in {1..20}; do echo "Test Page ${i}" > /var/www/html/test${i}.html; done
[root@redis ~]# for i in {1..200}; do j=$(($i %20+1)); curl http://10.11.66.184:80/test$j.html; done