centos 7
同步时间
yum -y install ntpdate
ntpdate 0.cn.pool.ntp.org
上传 ELK 所需的四个安装包
1.elasticsearch-6.6.0.rpm
2.jdk-8u131-linux-x64_.rpm
3.kibana-6.6.0-x86_64.rpm
4.logstash-6.6.0.rpm
rpm -ivh jdk-8u131-linux-x64_.rpm
rpm -ivh elasticsearch-6.6.0.rpm
rpm -ivh logstash-6.6.0.rpm
rpm -ivh kibana-6.6.0-x86_64.rpm
ulimit -n 65536
vim /etc/sysctl.conf
在文件里加一行 vm.max_map_count=655360（注意参数名是 vm.max_map_count，不是 vm.max_count）
sysctl -p
vim /etc/elasticsearch/elasticsearch.yml
把 network.host 这一行的注释去掉，值改为 0.0.0.0（这样 9200 端口会对所有网卡开放；如果没有开启认证，务必用防火墙限制访问来源，或者只绑定内网地址）
把 http.port 这一行的注释去掉，值为 9200
systemctl start elasticsearch
ss -ntl
vim /etc/logstash/conf.d/system.conf
input {
file {
path => "/var/log/messages"
type => "system-log"
start_position => "beginning"
}
}
output {
elasticsearch {
hosts => "192.168.189.128:9200"
index => "system_log-%{+YYYY.MM.dd}"
}
}
chmod 644 /var/log/messages
systemctl start logstash
ss -ntl
vim /etc/kibana/kibana.yml
把 server.port 改为 5601，server.host 改为 0.0.0.0，elasticsearch.hosts 改为 ["localhost:9200"]（server.host 为 0.0.0.0 时 Kibana 同样对所有网卡开放，没有登录认证的话也要限制 5601 的访问来源）
ss -ntlp 确认 5601 端口已经监听
浏览器访问时用 http://服务器IP:5601
分析nginx访问日志
cd /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-patterns-core-4.1.2/patterns/
vim nginx_access
URIPARAM1 [A-Za-z0-9$.+!*'|(){},~@
NGINXACCESS %{IPORHOST:client_ip} (%{USER:ident}|- ) (%{USER:auth}|-) \[%{HTTPDATE:timestamp}\] "(?:%{WORD:verb} (%{NOTSPACE:request}|-)(?: HTTP/%{NUMBER:http_version})?|-)" %{NUMBER:status} (?:%{NUMBER:bytes}|-) "(?:%{URI:referrer}|-)" "%{GREEDYDATA:agent}"
vim /etc/logstash/conf.d/nginx-log.conf
input {
file {
path => "/usr/local/nginx/logs/access.log"
type => "nginx-log"
start_position => "beginning"
}
}
filter {
grok {
match => { "message" => "%{NGINXACCESS}" }
}
}
output {
elasticsearch {
hosts => ["192.168.189.128:9200"]
index => "nginx_log-%{+YYYY.MM.dd}"
}
}
systemctl restart logstash