ELK日志分析系统

ELK日志分析系统

配置ELK

安装elasticsearch

[root@centos01 ~]# rz
z waiting to receive.**B0100000023be50
[root@centos01 ~]# ls
anaconda-ks.cfg initial-setup-ks.cfg
elasticsearch-5.6.16.rpm simkai.ttf
[root@centos01 ~]# yum -y install local elasticsearch-5.6.16.rpm

[root@centos02 ~]# rz
z waiting to receive.**B0100000023be50
[root@centos02 ~]# ls
anaconda-ks.cfg elasticsearch-5.6.16.rpm initial-setup-ks.cfg
[root@centos02 ~]# yum -y install local elasticsearch-5.6.16.rpm

备份elasticsearch主配置文件
[root@centos01 ~]# cp /etc/elasticsearch/elasticsearch.yml /etc/elasticsearch/elasticsearch.yml.bak

编辑elasticsearch主配置文件
[root@centos01 ~]# vi /etc/elasticsearch/elasticsearch.yml
18 cluster.name: ELK
25 node.name: centos01
57 network.host: 192.168.100.10
71 discovery.zen.ping.unicast.hosts: [“centos01”, “centos02”]

配置hosts文件解析计算机名
[root@centos01 ~]# vi /etc/hosts
192.168.100.10 centos01
192.168.100.20 centos02

配置守护进程运行elasticsearch
[root@centos01 ~]# systemctl daemon-reload

启动服务设置开机自动启动
[root@centos01 ~]# systemctl start elasticsearch.service
[root@centos01 ~]# systemctl enable elasticsearch.service
[root@centos01 ~]# /etc/init.d/elasticsearch start

监听9200端口
[root@centos01 ~]# netstat -anptu | grep 9200
tcp6 0 0 192.168.100.10:9200 ::😗 LISTEN 3185/java

客户端访问

安装elasticsearch-head图形化管理ELK工具

[root@centos01 ~]# rz

[root@centos01 ~]# ls
anaconda-ks.cfg initial-setup-ks.cfg simkai.ttf
elasticsearch-5.6.16.rpm node-v4.2.2-linux-x64.tar.gz

安装node，安装在/usr/local/node
[root@centos01 ~]# tar zxvf node-v4.2.2-linux-x64.tar.gz -C /usr/local/
[root@centos01 ~]# cd /usr/local/
[root@centos01 local]# mv node-v4.2.2-linux-x64/ node
[root@centos01 local]# ls
bin etc games include lib lib64 libexec node sbin share src

连接管理命令（优化）
[root@centos01 local]# ln -s /usr/local/node/bin/npm /usr/local/bin/npm
[root@centos01 local]# ln -s /usr/local/node/bin/node /usr/local/bin/node

配置环境变量加载node
[root@centos01 ~]# vi /etc/profile
export NODE_HOME=/usr/local/node
export PATH=$PATH:$NODE_HOME/bin
export NODE_PATH=$NODE_HOME/lib/node_modules/

[root@centos01 ~]# source /etc/profile

配置安装源
[root@centos01 ~]# git clone git://github.com/mobz/elasticsearch-head.git

将elasticsearch-head图形化管理ELK工具复制到第二台
[root@centos01 ~]# scp -r /root/elasticsearch-head/ root@192.168.100.20:/root

修改elasticsearch主配置文件
[root@centos01 ~]# vi /etc/elasticsearch/elasticsearch.yml
62 http.cors.enabled: true
63 http.cors.allow-origin: “*”

重启服务
[root@centos01 ~]# /etc/init.d/elasticsearch stop
[root@centos01 ~]# /etc/init.d/elasticsearch start

监听端口
[root@centos01 ~]# netstat -anptu | grep 9200
tcp6 0 0 192.168.100.10:9200 ::😗 LISTEN 4565/java

安装elasticsearch-head

修改安装位置
[root@centos01 ~]# mv elasticsearch-head/ /usr/local/

安装grunt-cli
[root@centos01 ~]# cd /usr/local/elasticsearch-head/
[root@centos01 elasticsearch-head]# npm install -g grunt-cli

[root@centos01 ~]# vi /usr/local/elasticsearch-head/Gruntfile.js

检查grunt是否安装成功
[root@centos01 elasticsearch-head]# grunt -version
grunt-cli v1.3.2

修改elasticsearch-head配置文件
[root@centos01 ~]# vim /usr/local/elasticsearch-head/Gruntfile.js
99 keepalive: true,
100 hostname: “*”

修改elasticsearch-head
[root@centos01 ~]# vim /usr/local/elasticsearch-head/_site/app.js
4374 this.base_uri = this.config.base_uri || this.prefs.get(“app-base_uri”) || “http://192.168.100.10:9200”;

安装npm
[root@centos01 ~]# cd /usr/local/elasticsearch-head/
[root@centos01 elasticsearch-head]# npm install

启动服务
[root@centos01 elasticsearch-head]# grunt server&

重新启动elasticsearch服务
[root@centos01 ~]# /etc/init.d/elasticsearch restart

客户端访问验证


安装logstash
安装logstash，两种方法，一种使用网络源安装，第二种通过本地rpm包上传

使用rz命令上传logstash-5.1.1.tar.gz 软件包，使用网络源安装

[root@centos01 ~]# tar zxvf logstash-5.1.1.tar.gz -C /usr/local/
[root@centos01 local]# mv logstash-5.1.1/ logstash
[root@centos01 ~]# yum -y install logstash

第二种方法：
使用rz命令上传logstash-5.5.1.rpm 软件包

[root@centos01 ~]# rpm -ivh logstash-5.5.1.rpm

优化安装命令
[root@centos01 ~]# ln -s /usr/share/logstash/bin/logstash /usr/local/bin/

配置存储数据目录
[root@centos01 ~]# mkdir -p /usr/share/logstash/config
[root@centos01 ~]# ln -s /etc/logstash/* /usr/share/logstash/config/

启动logstash
[root@centos01 ~]# systemctl start logstash
[root@centos01 ~]# systemctl enable logstash

写入测试数据测试日志服务器
[root@centos01 ~]# logstash -e ‘input { stdin {} } output { stdout {} }’

[root@centos01 ~]# logstash -e ‘input { stdin {} } output { stdout { codec=> rubydebug } }’

[root@centos01 ~]# logstash -e ‘input { stdin {} } output { elasticsearch { hosts=>[“192.168.100.10:9200”] } }’

安装kibana

安装kibana，使用rz命令上传kibana-5.5.1-x86_64.rpm软件包

[root@centos01 ~]# rpm -ivh kibana-5.5.1-x86_64.rpm

修改kibana主配置文件，备份主配置文件
[root@centos01 ~]# cp /etc/kibana/kibana.yml /etc/kibana/kibana.yml.bak
[root@centos01 ~]# vim /etc/kibana/kibana.yml
server.port: 5601
server.host: “0.0.0.0”
elasticsearch.url: “http://192.168.100.10:9200”
kibana.index: “.kibana”

启动服务设置服务开机自动启动
[root@centos01 ~]# systemctl start kibana
[root@centos01 ~]# systemctl enable kibana

客户端访问验证，默认端口号5601

配置监控客户端

安装logstash，通过rz命令上传logstash-5.5.1.rpm软件包

[root@centos03 ~]# rpm -ivh logstash-5.5.1.rpm

安装apache
[root@centos03 ~]# yum -y install httpd
[root@centos03 ~]# systemctl start httpd
[root@centos03 ~]# systemctl enable httpd

配置监控apache的错误日志

[root@centos03 ~]# vim /etc/logstash/conf.d/apache_error.conf
input {
file {
path => “/var/log/httpd/error_log”
type => “error”
start_position => “beginning”
}
}
output {
if [type] == “error”{
elasticsearch {
hosts => [“192.168.100.10:9200”]
index => “apache_error-%{+YYYY.MM.dd}”

}
}
}

启动服务设置服务开机自动启动
[root@centos03 ~]# systemctl start logstash
[root@centos03 ~]# systemctl enable logstash

启动监控apache服务器
[root@centos03 ~]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/apache_error.conf

开台客户端访问验证