ELK installation and configuration

1. Installing Logstash 6

cd /opt
wget https://artifacts.elastic.co/downloads/logstash/logstash-6.5.2.tar.gz
tar -zxvf logstash-6.5.2.tar.gz
mv logstash-6.5.2 logstash
cd /opt/logstash/config
cp logstash-sample.conf syslog.conf
vi syslog.conf
# Define the log source
input {
  syslog {
    type => "system-syslog"   # tag every event with this type
    port => 10514             # listening port (TCP and UDP); without a host => setting the input binds 0.0.0.0, i.e. all interfaces
  }
}
# Define the log output
output {
  stdout {
    codec => rubydebug        # print each parsed event to the current terminal
  }
}
# Validate the config file
/opt/logstash/bin/logstash --path.settings /opt/logstash/config/ -f /opt/logstash/config/syslog.conf --config.test_and_exit

If the configuration is valid the output looks like this:
Sending Logstash logs to /opt/software/logstash/logs which is now configured via log4j2.properties
[2018-11-23T09:28:36,184][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified
Configuration OK
[2018-11-23T09:28:38,630][INFO ][logstash.runner          ] Using config.test_and_exit mode. Config Validation Result: OK. Exiting Logstash


--config.test_and_exit tells Logstash to exit after validating the config; without it the pipeline starts right away.
# Point rsyslog at the server's IP and the port configured above
vim /etc/rsyslog.conf

# Add a forwarding rule with your own server IP
#### RULES ####
*.* @@xxx.xxx.xxx.xxx:10514
# "*.*" forwards every facility and severity; "@@" means TCP (a single "@" would be UDP). The stream is plaintext, so only forward across a network you trust.


Note: replace xxx.xxx.xxx.xxx above with your own server's IP address.
# Restart rsyslog so the change takes effect
systemctl restart rsyslog

# Start Logstash with the config file (the install was moved to /opt/logstash above, so use that path)
cd /opt/logstash/bin
./logstash --path.settings /opt/logstash/config/ -f /opt/logstash/config/syslog.conf

# In a new terminal, check that port 10514 is being listened on (":::10514" confirms it is bound on every interface)
netstat -lntp |grep 10514
tcp6       0      0 :::10514                :::*                    LISTEN      496336/java

# Then ssh into this machine from another host and check whether an event is printed (the sshd event below is what rsyslog forwarded for that connection):
{
          "severity" => 6,
         "timestamp" => "Sep 30 14:00:12",
               "pid" => "497144",
              "type" => "system-syslog",
         "logsource" => "VM-0-11-centos",
    "facility_label" => "security/authorization",
              "host" => "81.69.248.111",
           "program" => "sshd",
           "message" => "Disconnected from authenticating user root 188.166.180.17 port 42278 [preauth]\n",
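The rubydebug event above is what the syslog input produces from one RFC 3164 line forwarded by rsyslog: the `<PRI>` prefix is split into facility and severity (PRI = facility * 8 + severity, so 86 is facility 10 "security/authorization" at severity 6), and the rest becomes logsource, program, pid and message. The Python script below, added here as an example and not part of the original post or of Logstash, performs the same decoding and then runs a simple detection over the parsed sshd messages, counting failed or aborted authentications per source address. The facility and severity label tables are assumed to mirror the syslog input's defaults; the first sample line reproduces the event shown above, the others are constructed with RFC 5737 documentation addresses; the function names are hypothetical.

```python
"""Decode RFC 3164 syslog lines the way the Logstash syslog input does, then
flag SSH brute-force sources from the sshd messages. Added example; not from
the post or from Logstash."""
import re
from collections import Counter

# Facility labels by facility number 0..23, assumed to mirror the Logstash
# syslog input defaults. Facilities 4 (auth) and 10 (authpriv) both map to
# "security/authorization", which is why the post's sshd event shows that label.
FACILITY_LABELS = [
    "kernel", "user-level", "mail", "system", "security/authorization",
    "syslogd", "line printer", "network news", "UUCP", "clock",
    "security/authorization", "FTP", "NTP", "log audit", "log alert",
    "clock", "local0", "local1", "local2", "local3", "local4", "local5",
    "local6", "local7",
]
SEVERITY_LABELS = ["Emergency", "Alert", "Critical", "Error", "Warning",
                   "Notice", "Informational", "Debug"]

# RFC 3164 line as rsyslog's "*.* @@host:port" rule emits it:
# <PRI>TIMESTAMP HOST PROGRAM[PID]: MESSAGE
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<logsource>\S+) "
    r"(?P<program>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<message>.*)$"
)

# sshd messages that record an authentication attempt that did not succeed
SSH_FAILURE_RE = re.compile(
    r"(?:Failed password for (?:invalid user )?\S+ from|"
    r"Invalid user \S+ from|"
    r"Disconnected from authenticating user \S+) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_syslog(line):
    """Split one RFC 3164 line into the fields the syslog input produces."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None  # unparseable line; Logstash would tag it _grokparsefailure
    pri = int(m.group("pri"))
    facility, severity = divmod(pri, 8)  # PRI = facility * 8 + severity
    if facility >= len(FACILITY_LABELS):
        return None
    return {
        "timestamp": m.group("timestamp"),
        "logsource": m.group("logsource"),
        "program": m.group("program"),
        "pid": m.group("pid"),
        "message": m.group("message"),
        "facility": facility,
        "facility_label": FACILITY_LABELS[facility],
        "severity": severity,
        "severity_label": SEVERITY_LABELS[severity],
    }


def ssh_failures_by_ip(lines):
    """Count failed or aborted sshd authentications per source address."""
    counts = Counter()
    for line in lines:
        event = parse_syslog(line)
        if event is None or event["program"] != "sshd":
            continue
        m = SSH_FAILURE_RE.search(event["message"])
        if m:
            counts[m.group("ip")] += 1
    return counts


def brute_force_sources(lines, threshold=3):
    """Source IPs with at least `threshold` failed sshd authentications, sorted."""
    return sorted(ip for ip, n in ssh_failures_by_ip(lines).items() if n >= threshold)


# Constructed sample: line 0 reproduces the event from the post; the rest use
# RFC 5737 documentation addresses and were invented for this example.
SAMPLE_LINES = [
    "<86>Sep 30 14:00:12 VM-0-11-centos sshd[497144]: Disconnected from authenticating user root 188.166.180.17 port 42278 [preauth]",
    "<86>Sep 30 14:00:15 VM-0-11-centos sshd[497150]: Invalid user admin from 198.51.100.7 port 50122",
    "<86>Sep 30 14:00:16 VM-0-11-centos sshd[497150]: Failed password for invalid user admin from 198.51.100.7 port 50122 ssh2",
    "<86>Sep 30 14:00:19 VM-0-11-centos sshd[497152]: Failed password for root from 198.51.100.7 port 50130 ssh2",
    "<86>Sep 30 14:00:25 VM-0-11-centos sshd[497160]: Accepted publickey for deploy from 192.0.2.10 port 40000 ssh2",
    "<30>Sep 30 14:00:30 VM-0-11-centos systemd[1]: Started Session 12 of user deploy.",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_syslog(line))
    print("failures per IP:", dict(ssh_failures_by_ip(SAMPLE_LINES)))
    print("brute-force candidates:", brute_force_sources(SAMPLE_LINES))
```

Inside the pipeline the equivalent would be a grok filter on the `message` field followed by an aggregation in Elasticsearch; the script shows which fields that filter has to work with and why the `[preauth]` disconnects, which look harmless at severity 6, are still worth counting.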