Collecting logs with Kiwi Syslog and forwarding them to ELK for analysis
1. Kiwi Syslog deployment and configuration
Original link: https://blog.csdn.net/ytlzq0228/article/details/104827014
[Dou Laoshi Teaches You IT] Kiwi Syslog Server installation and configuration tutorial
2. Deploying ELK with Docker (with username and password configured)
Original link: https://blog.csdn.net/qq_36056567/article/details/116801822
Prerequisite: disable firewalld on CentOS
Permanently disable the firewalld firewall
systemctl disable firewalld
systemctl stop firewalld
Extra: check the firewall status
systemctl status firewalld
Installing ELK with Docker
1. Install ELK
1.1: Pull the latest image:
docker pull sebp/elk
1.2: Start the container:
sysctl -w vm.max_map_count=262144
docker run -d -e ES_JAVA_OPTS="-Xms1024m -Xmx1024m" -p 5601:5601 -p 5044:5044 -p 9200:9200 -p 9300:9300 -it --restart=always --name elk c21727ae794b
Error seen on startup:
max virtual memory areas vm.max_map_count [65530] is too low, increase to at least [262144]
Fix: edit /etc/sysctl.conf and add the line vm.max_map_count=262144 so the setting survives a reboot
Modify Elasticsearch
docker exec -it elk bash
# Edit the ES config: vim /etc/elasticsearch/elasticsearch.yml, and append the following at the end
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
# Exit the container
exit
Restart, then enter the container again
docker restart elk
systemctl restart docker   # restart Docker itself
docker exec -it elk bash
# Go to the install directory and set passwords for the built-in accounts (chosen interactively)
/opt/elasticsearch/bin/elasticsearch-setup-passwords interactive
# Go to the install directory and generate passwords for the built-in accounts (random, printed once)
/opt/elasticsearch/bin/elasticsearch-setup-passwords auto
Modify Kibana
# Stop Kibana, edit its config file vim /opt/kibana/config/kibana.yml, and append the following at the end
i18n.locale: "zh-CN"
kibana.index: ".kibana"
elasticsearch.username: "elastic"
elasticsearch.password: "<password set earlier>"
Modify Logstash:
Edit 02-beats-input.conf
docker exec -it elk /bin/bash
vim /etc/logstash/conf.d/02-beats-input.conf
input {
  # Listens on 5044 and expects one JSON object per line
  tcp {
    port => 5044
    codec => json_lines
  }
}
output {
  elasticsearch {
    hosts => ["localhost:9200"]
    index => "rizhi-log-%{+YYYY.MM.dd}"
    user => "elastic"
    password => "<password set earlier>"
  }
}
Edit 30-output.conf
vim /etc/logstash/conf.d/30-output.conf
output {
  elasticsearch {
    hosts => ["localhost:9200"]
    manage_template => false
    # Index name comes from Beats metadata; the tcp input above does not set [@metadata][beat]
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    user => "elastic"
    password => "<password set earlier>"
  }
}
Edit logstash.yml
vim /opt/logstash/config/logstash.yml
# Append
xpack.monitoring.elasticsearch.username: logstash_system
xpack.monitoring.elasticsearch.password: <password set earlier>
Restart ELK
docker restart elk
Configuration is now complete. For production, deploy on an internal network where possible.
Kiwi Syslog server configuration
1. Kiwi Syslog must be installed as an application so that it can forward logs to "other hosts".
2. Because this server runs Server SafeDog (服务器安全狗), add the ELK server's IP address to its whitelist, otherwise log forwarding will be blocked.
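The tcp input in 02-beats-input.conf above accepts one JSON object per line (json_lines codec), whereas a syslog forwarder emits plain RFC 3164 lines. As an added example, not code from the original post or from Kiwi or ELK, the Python relay below parses such a line (constructed sample), decodes PRI into facility and severity, frames the event for port 5044, and names the daily index that the rizhi-log output will write to; the host, port and sample line are assumptions.

```python
import json
import re
import socket
from datetime import datetime, timezone

# Constructed sample: the kind of line a syslog forwarder relays (PRI 34 = auth.crit).
SAMPLE = "<34>Mar 10 13:45:01 fw01 sshd[1234]: Failed password for root from 10.0.0.5 port 5555 ssh2"
SAMPLE_TS = datetime(2024, 3, 10, 13, 45, 1, tzinfo=timezone.utc)  # constructed event time

# RFC 3164 framing: <PRI>TIMESTAMP HOST TAG[PID]: MSG
_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$"
)

def parse_syslog(line: str) -> dict:
    """Turn one RFC 3164 line into a flat event; PRI = facility * 8 + severity."""
    m = _RE.match(line.strip())
    if not m:
        # Keep unparseable lines instead of dropping them, flagged for triage.
        return {"message": line.strip(), "parse_error": True}
    pri = int(m["pri"])
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "syslog_timestamp": m["ts"],
        "host": m["host"],
        "program": m["tag"],
        "pid": int(m["pid"]) if m["pid"] else None,
        "message": m["msg"],
    }

def to_json_line(event: dict) -> bytes:
    """json_lines codec framing: one JSON object per line, newline-terminated, UTF-8."""
    return (json.dumps(event, ensure_ascii=False) + "\n").encode("utf-8")

def index_for(ts: datetime, prefix: str = "rizhi-log") -> str:
    """Index that 'rizhi-log-%{+YYYY.MM.dd}' resolves to (Logstash formats @timestamp in UTC)."""
    return f"{prefix}-{ts.astimezone(timezone.utc):%Y.%m.%d}"

def send_lines(lines, host="127.0.0.1", port=5044):
    """Ship pre-framed json_lines to the Logstash tcp input (assumed host/port; needs a live ELK)."""
    with socket.create_connection((host, port), timeout=5) as s:
        for b in lines:
            s.sendall(b)

if __name__ == "__main__":
    event = parse_syslog(SAMPLE)
    print(to_json_line(event).decode(), "->", index_for(SAMPLE_TS))
```

Run it against the container with send_lines([to_json_line(parse_syslog(SAMPLE))]) and then search the rizhi-log-* index in Kibana to confirm the pipeline end to end.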