






  (Colour legend: grey is comments and explanatory notes, basically anything starting with #; green is command-line output and file contents; a yellow background marks things to watch out for, which may point you in the right direction when you hit a problem)






What I currently run is Elasticsearch + Kibana + filebeat routing directly into separate indices + ElastAlert alerting to DingTalk;


If you want the same layout, go through parts 1 (skipping the filebeat data-integration piece) --> 3 --> 4 --> 5 in that order;


Contents: ---> 1. Installation, deployment and configuration files

                  ---> 2. Configuring logstash to give each log source its own index

                  ---> 3. Skipping logstash and configuring filebeat to give each log its own index

                  ---> 4. Installing ElastAlert

                  ---> 5. Writing ElastAlert rule files, with debugging notes

                  ---> 6. Errors met while installing and using ElastAlert

                  ---> 7. Kibana reports the licence has expired and index operations are blocked

                  ---> 8. Enabling TLS between Elasticsearch and Kibana as required by "Alerts and Actions" (a commercial feature)

                  ---> 9. Deleting Elasticsearch indices for a given date (shell clean-up script + crontab job)

                  ---> 10. Importing and exporting elasticsearch data with elasticdump (migrating data between sites)







[root@localhost ~]# ls -ls *.rpm
315352 -rw-r--r-- 1 root root 322917736 Mar 31 04:53 elasticsearch-7.11.2-x86_64.rpm
 33512 -rw-r--r-- 1 root root  34316071 Mar 31 05:44 filebeat-7.11.2-x86_64.rpm
249492 -rw-r--r-- 1 root root 255479673 Mar 31 04:52 kibana-7.11.2-x86_64.rpm
358580 -rw-r--r-- 1 root root 367185271 Mar 31 04:53 logstash-7.11.2-x86_64.rpm



  Unrecognized VM option 'UseParNewGC' Error: Could not create the Java Virtua ...

The explanation I found online for this error is that the newer java-11-openjdk dropped a JVM option, so ELK 6.6.1 cannot run on that environment (it only supports up to Java 9); for that version you can install java-1.6.0-openjdk instead;

The 7.11.2 version I am installing runs on either java-11-openjdk or java-1.8.0-openjdk;

[root@localhost ~]# yum install -y java-11-openjdk
[root@localhost ~]# java -version
openjdk version "11.0.10" 2021-01-19 LTS
OpenJDK Runtime Environment 18.9 (build 11.0.10+9-LTS)
OpenJDK 64-Bit Server VM 18.9 (build 11.0.10+9-LTS, mixed mode, sharing)

[root@localhost ~]# yum install -y ntpdate
    ## if the server has no time synchronisation, add this to /etc/rc.local
[root@localhost ~]# /usr/sbin/ntpdate ntp.aliyun.com



[root@localhost ~]# rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch

[root@localhost ~]# rpm -ivh elasticsearch-7.11.2-x86_64.rpm logstash-7.11.2-x86_64.rpm kibana-7.11.2-x86_64.rpm filebeat-7.11.2-x86_64.rpm 
warning: elasticsearch-7.11.2-x86_64.rpm: Header V4 RSA/SHA512 Signature, key ID d88e42b4: NOKEY
Preparing...                          ################################# [100%]
Updating / installing...
   1:filebeat-7.11.2-1                ################################# [ 25%]
   2:kibana-7.11.2-1                  ################################# [ 50%]
Creating kibana group... OK
Creating kibana user... OK
   3:logstash-1:7.11.2-1              ################################# [ 75%]
Using bundled JDK: /usr/share/logstash/jdk
Using provided startup.options file: /etc/logstash/startup.options
OpenJDK 64-Bit Server VM warning: Option UseConcMarkSweepGC was deprecated in version 9.0 and will likely be removed in a future release.
/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/pleaserun-0.0.31/lib/pleaserun/platform/base.rb:112: warning: constant ::Fixnum is deprecated
Successfully created system startup script for Logstash
Creating elasticsearch group... OK
Creating elasticsearch user... OK
   4:elasticsearch-0:7.11.2-1         ################################# [100%]
### NOT starting on installation, please execute the following statements to configure elasticsearch service to start automatically using systemd
 sudo systemctl daemon-reload
 sudo systemctl enable elasticsearch.service
### You can start elasticsearch service by executing
 sudo systemctl start elasticsearch.service
Created Kibana keystore in /etc/kibana/kibana.keystore
Created elasticsearch keystore in /etc/elasticsearch/elasticsearch.keystore

Two things to note in the output above. First, the NOKEY warning on the elasticsearch package: rpm prints it when the signing key (here d88e42b4) is not in its keyring at that moment, which means that package's signature was not actually verified; make sure the rpm --import step really succeeded (or check the files with rpm -K) before relying on the install. Second, the message shown while installing Logstash, OpenJDK 64-Bit Server VM warning: If the number of processors .., means the virtual machine has too few processor cores; adjust the VMware VM's hardware configuration:





[root@localhost ~]# vim /etc/elasticsearch/elasticsearch.yml
cluster.name: my-application
node.name: node-1

    ## data and log paths; the defaults under /var are fine. If you put them elsewhere, the directories must be created
    ## and owned correctly after editing the file; the steps are below
path.data: /opt/elasticsearch/date
path.logs: /opt/elasticsearch/log

network.host:
http.port: 9200

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
cluster.initial_master_nodes: ["node-1"]



    ## create the directories wherever you need them; for now I put them under opt
[root@localhost ~]# mkdir -pv /opt/elasticsearch/date
mkdir: created directory ‘/opt/elasticsearch’
mkdir: created directory ‘/opt/elasticsearch/date’
[root@localhost ~]# mkdir -pv /opt/elasticsearch/log
mkdir: created directory ‘/opt/elasticsearch/log’

[root@localhost ~]# cd /opt/elasticsearch/
[root@localhost elasticsearch]# chmod 750 *
[root@localhost elasticsearch]# chmod g+s *
[root@localhost elasticsearch]# chown elasticsearch:elasticsearch *
[root@localhost elasticsearch]# ll
total 0
drwxr-s--- 2 elasticsearch elasticsearch 6 Apr  3 14:12 date
drwxr-s--- 2 elasticsearch elasticsearch 6 Apr  3 14:12 log



[root@localhost ~]# systemctl start elasticsearch

[root@localhost ~]# /usr/share/elasticsearch/bin/elasticsearch-setup-passwords interactive
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,kibana_system,logstash_system,beats_system,remote_monitoring_user.
You will be prompted to enter passwords as the process progresses.
Please confirm that you would like to continue [y/N]y

Enter password for [elastic]: 
Reenter password for [elastic]: 
Enter password for [apm_system]: 
Reenter password for [apm_system]: 
Enter password for [kibana_system]: 
Reenter password for [kibana_system]: 
Enter password for [logstash_system]: 
Reenter password for [logstash_system]: 
Enter password for [beats_system]: 
Reenter password for [beats_system]: 
Enter password for [remote_monitoring_user]: 
Reenter password for [remote_monitoring_user]: 
Changed password for user [apm_system]
Changed password for user [kibana_system]
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [beats_system]
Changed password for user [remote_monitoring_user]
Changed password for user [elastic]



[root@localhost ~]# vim /etc/kibana/kibana.yml

server.port: 5601

server.host: ""

elasticsearch.hosts: ["http://localhost:9200"]

kibana.index: ".kibana"

    ## the password is whatever you gave kibana_system in elasticsearch-setup-passwords above; do not actually reuse the username as the password as this listing does
elasticsearch.username: "kibana_system"
elasticsearch.password: "kibana_system"

i18n.locale: "zh-CN"



[root@localhost ~]# vim /etc/logstash/logstash.yml

http.host: ""

http.port: 9600-9700



[root@localhost ~]# cp /etc/logstash/logstash-sample.conf /etc/logstash/conf.d/logstash.conf

[root@localhost ~]# vim /etc/logstash/conf.d/logstash.conf
# Sample Logstash configuration for creating a simple
# Beats -> Logstash -> Elasticsearch pipeline.

input {
  beats {
    port => 5044
  }
}

output {
  elasticsearch {
    hosts => ["http://localhost:9200"]
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    user => "elastic"
    password => "elastic"
  }
}



[root@localhost ~]# vim /etc/filebeat/filebeat.yml

#output.elasticsearch:
  #hosts: ["localhost:9200"]

output.logstash:
  hosts: [""]








A reminder: in the layout I use this step is skipped; once the installation and configuration files above are done you can jump straight to "Skipping logstash and configuring filebeat to give each log its own index" and continue from there;



    ## enable turns a module on, disable turns it off; separate several modules with spaces, e.g. system nginx apache ...
[root@localhost ~]# filebeat modules enable system
Enabled system

    ## this fails here because filebeat is configured with output.logstash: the setup step (index template, ingest pipelines, dashboards) talks to Elasticsearch directly, so it only works while the Elasticsearch output is enabled
[root@localhost ~]# filebeat setup
Exiting: Index management requested but the Elasticsearch output is not configured/enabled

    ## start the service; systemctl restart works just as well
[root@localhost ~]# service filebeat start
Starting filebeat (via systemctl):                         [  OK  ]




You will find the logs cannot be separated: everything is just nginx.access and nginx.error, all of it in the filebeat-7.11.2-<date> index, and there is no direct way to split the logs of the different virtual hosts



One more note: with this method you can watch the data arrive as a stream under Overview --> Logs, and the event.dataset field tells you which source each line came from.







I found this method in online posts after being forced to use filebeat directly (that method is in the next part). The principle is the same as configuring filebeat directly, except that logstash does the index routing, based on a marker added to each log event;


First we edit the filebeat configuration file:


[root@postgreSQL ~]# vim /etc/filebeat/filebeat.yml
filebeat.inputs:
    ## input type; the default log is fine
- type: log
    ## defaults to false, i.e. disabled; whatever you configure here must be switched to true or it has no effect
  enabled: true
    ## absolute log paths; * wildcards are allowed, but I do not use them. I delete old index data periodically, so also think about your log rotation settings
  paths:
    - /var/log/messages
    ## adds something like a label to every collected event so the source can be identified downstream; why it is called index I do not know, everyone writes it this way, haha
  fields:
    index: syslog-91
- type: log
  enabled: true
  paths:
    - /var/log/nginx/access.log
  fields:
    index: nginx-access
- type: log
  enabled: true
  paths:
    - /var/log/nginx/error.log
  fields:
    index: nginx-error

# ---------------------------- Elasticsearch Output ----------------------------
    ## enabled by default; we send the collected logs to logstash, so this must be closed. Only one output may be enabled at a time, not two
#output.elasticsearch:
    ## comment this out as well
  #hosts: ["localhost:9200"]

# ------------------------------ Logstash Output -------------------------------
    ## disabled by default; we use logstash, so remove the comment marker to open it
output.logstash:
    ## the address is the logstash host's IP; the port defaults to 5044, but it is really set in /etc/logstash/conf.d/logstash.conf on the logstash host
  hosts: [""]



The main configuration file /etc/logstash/logstash.yml was already set up during installation and needs no change;

/etc/logstash/conf.d/logstash.conf was copied during installation with cp and needs these changes:

# Sample Logstash configuration for creating a simple
# Beats -> Logstash -> Elasticsearch pipeline.

input {
  beats {
    port => 5044
  }
}

output {
  elasticsearch {
    hosts => ["http://localhost:9200"]
    ## in the format here, [fields] and [index] correspond to the "label" set on each log file in filebeat
    index => "%{[fields][index]}-%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    user => "elastic"
    password => "elastic"
  }
}


Then restart logstash and filebeat on their respective hosts:

[root@localhost kibana]# systemctl restart logstash

[root@postgreSQL ~]# systemctl restart filebeat


Then look at the log data in Kibana's index management and under Analytics --> Discover:

(To view the data you first need an index pattern that matches; I simply created one matching *-*, because the names use - as the separator)








I originally used this method as a workaround because I could not work out how to split indices with logstash, but then I found that the server I installed ELK on has only 8G of memory, a low spec; so it made sense to stop logstash anyway (the box only runs nginx, and with Elasticsearch, kibana and filebeat added memory already sits steadily at 75%-80%);

This is only a substitute: without Logstash nothing formats the log events for you, although the structure is simpler and it saves a little resource; since my daily log volume is small and losing some is not a worry, Elasticsearch + Kibana + filebeat is what I use for now;


First we adjust the filebeat configuration file:


[root@postgreSQL ~]# vim /etc/filebeat/filebeat.yml

- type: log
  enabled: true
  paths:
    - /var/log/messages
    ## fields / index removed; a tags entry identifies the log source instead
  tags: ["syslog91"]

- type: log
  enabled: true
  paths:
    - /var/log/nginx/access.log
  tags: ["nginx-access"]

- type: log
  enabled: true
  paths:
    - /var/log/nginx/error.log
  tags: ["nginx-error"]

# ---------------------------- Elasticsearch Output ----------------------------
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: [""]
    ## each event goes to the first entry whose condition matches; the value under tags must be exactly the tag set on the
    ## input above (the original listing had "syslog2" here against an input tagged "syslog91", which never matches and
    ## silently sends those events to the default filebeat-* index)
  indices:
    - index: "syslog91--%{+YYYY.MM.dd}"
      when.contains:
        tags: "syslog91"
    - index: "nginx-access--%{+YYYY.MM.dd}"
      when.contains:
        tags: "nginx-access"
    - index: "nginx-error--%{+YYYY.MM.dd}"
      when.contains:
        tags: "nginx-error"
    ## the elastic superuser works, but it gives every shipping host full cluster rights; a user that can only write to these indices is safer
  username: "elastic"
  password: "elastic"

# =================================== Kibana ===================================

# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
# This requires a Kibana endpoint configuration.
setup.kibana:
  username: "kibana_system"
  password: "kibana_system"

# ------------------------------ Logstash Output -------------------------------
#output.logstash:
  # The Logstash hosts
  # hosts: [""]



[root@localhost ~]# vim /etc/elasticsearch/elasticsearch.yml

network.host:

[root@localhost ~]# vim /etc/kibana/kibana.yml

elasticsearch.hosts: [""]



[root@localhost ~]# systemctl stop logstash
[root@localhost ~]# systemctl restart elasticsearch

[root@postgreSQL ~]# systemctl restart filebeat
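As an added example (not from the original page and not Filebeat's own code), the following Python models the routing that the `indices` / `when.contains` block above performs, so a routing table can be checked offline before the shipper is restarted. It assumes Filebeat's documented semantics: rules are tried in order and the first match wins, `contains` is a substring test against each element of the `tags` list, and an event that matches no rule goes to the default index (taken here as `filebeat-7.11.2-<date>`, the name the text above reports). The routing table, default index and events are constructed.

```python
"""Offline model of Filebeat's output.elasticsearch.indices routing.

Added example, not Filebeat's own code. It reproduces only the behaviour the
filebeat.yml above relies on: `indices` rules are tried in order and the first
match wins, `when.contains` on `tags` is a substring test against each tag,
and an event matching no rule lands in the default filebeat-<version>-<date>
index. Routing table, default index and events are constructed here.
"""
from datetime import datetime

# Mirrors the indices block in the filebeat.yml above.
ROUTES = [
    {"index": "syslog91--%{+YYYY.MM.dd}", "when.contains": {"tags": "syslog91"}},
    {"index": "nginx-access--%{+YYYY.MM.dd}", "when.contains": {"tags": "nginx-access"}},
    {"index": "nginx-error--%{+YYYY.MM.dd}", "when.contains": {"tags": "nginx-error"}},
]
# Where unmatched events end up (assumed from the page's description of Filebeat 7.11.2).
DEFAULT_INDEX = "filebeat-7.11.2-%{+YYYY.MM.dd}"


def render_index(pattern, ts):
    """Expand the %{+YYYY.MM.dd} date token, as Filebeat does per event."""
    return pattern.replace("%{+YYYY.MM.dd}", ts.strftime("%Y.%m.%d"))


def contains(event, field, needle):
    """Filebeat `contains`: substring test on a string field, or on each
    element of a list field. A missing field never matches."""
    value = event.get(field)
    if value is None:
        return False
    if isinstance(value, list):
        return any(needle in str(v) for v in value)
    return needle in str(value)


def route(event, routes=ROUTES, default=DEFAULT_INDEX):
    """Index name for one event: first matching rule wins, else the default."""
    ts = event["@timestamp"]
    for rule in routes:
        ((field, needle),) = rule["when.contains"].items()
        if contains(event, field, needle):
            return render_index(rule["index"], ts)
    return render_index(default, ts)


def route_tags(tags, day="2021.07.07", routes=ROUTES):
    """Route a constructed event that carries `tags` and was read on `day`."""
    event = {
        "@timestamp": datetime.strptime(day, "%Y.%m.%d"),
        "message": "constructed sample line",
    }
    if tags is not None:
        event["tags"] = tags
    return route(event, routes)


if __name__ == "__main__":
    for tags in (["syslog91"], ["nginx-access"], ["nginx-error"], ["syslog2"], None):
        print(tags, "->", route_tags(tags))
```

Two things the model makes visible: an input tag that does not appear in any rule (the `syslog2` case) produces no error, the events just land in the default index; and because `contains` is a substring test, a rule with a short tag such as `nginx` placed first captures both nginx inputs, so order the entries from most to least specific.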


















If pip errors, try pip3; if pip3 errors, try pip2. Use pip list and pip3 list often to check whether the package is already installed; do not let the environments get muddled;



    ## one more thing: if you build python from source, always pass --prefix= to configure, i.e. give it an install path; a default install is hard to remove, and when you find it does not work, uninstalling is a pain, delete
    ## note: python-dev, libffi-dev, libssl-dev and libsasl2-devel are Debian package names that yum cannot find on CentOS (the CentOS equivalents are python36-devel, libffi-devel, openssl-devel and cyrus-sasl-devel); yum reports those as unavailable and installs the rest
[root@localhost ~]# yum install -y epel-release
[root@localhost ~]# yum install -y python36 python-dev libsasl2-devel libffi-dev libffi-devel libssl-dev python36-devel libevent-devel gcc gcc-c++



    ## both projects are pulled straight from GitHub master; note the commit you deployed so the install can be reproduced and reviewed later
[root@localhost ~]# git clone https://github.com/Yelp/elastalert.git
[root@localhost ~]# wget https://github.com/xuyaoqiang/elastalert-dingtalk-plugin/archive/master.zip
[root@localhost ~]# unzip master.zip
[root@localhost ~]# mv elastalert-dingtalk-plugin-master dingtalk

[root@localhost ~]# ls -ld elastalert dingtalk
drwxr-xr-x 10 root root 4096 Apr  6 21:54 elastalert
drwxr-xr-x  4 root root  123 Apr  8 07:10 dingtalk



[root@localhost ~]# cd elastalert/
[root@localhost elastalert]# pip3 install setuptools==44.0.0
[root@localhost elastalert]# python setup.py install
[root@localhost elastalert]# pip3 install elasticsearch==7.0.0

[root@localhost elastalert]# cd ../dingtalk
[root@localhost dingtalk]# pip install -r requirements.txt

[root@localhost dingtalk]# cd ../elastalert
[root@localhost elastalert]# cp -r ../dingtalk/elastalert_modules .



[root@localhost elastalert]# ls -l /usr/bin/elastalert*
-rwxr-xr-x 1 root root 316 Apr  6 21:55 /usr/bin/elastalert
-rwxr-xr-x 1 root root 342 Apr  6 21:55 /usr/bin/elastalert-create-index
-rwxr-xr-x 1 root root 350 Apr  6 21:55 /usr/bin/elastalert-rule-from-kibana
-rwxr-xr-x 1 root root 336 Apr  6 21:55 /usr/bin/elastalert-test-rule

    ## the egg-info directory created by setup.py install (the listing command was omitted in the original)
total 24
-rw-r--r-- 1 root root   1 Apr  6 21:55 dependency_links.txt
-rw-r--r-- 1 root root 226 Apr  6 21:55 entry_points.txt
-rw-r--r-- 1 root root 417 Apr  6 21:55 PKG-INFO
-rw-r--r-- 1 root root 369 Apr  6 21:55 requires.txt
-rw-r--r-- 1 root root 205 Apr  6 21:55 SOURCES.txt
-rw-r--r-- 1 root root   1 Apr  6 21:55 top_level.txt



[root@localhost ~]# cd dingtalk/
[root@localhost dingtalk]# ll
total 12
-rw-r--r-- 1 root root 1762 Sep 15  2017 config.yaml
drwxr-xr-x 2 root root   50 Sep 15  2017 elastalert_modules
-rw-r--r-- 1 root root  688 Sep 15  2017 README.md
-rw-r--r-- 1 root root   92 Sep 15  2017 requirements.txt
drwxr-xr-x 2 root root   57 Sep 15  2017 rules

[root@localhost ~]# cd elastalert
[root@localhost elastalert]# cp config.yaml.example config.yaml

[root@localhost elastalert]# vim config.yaml

rules_folder: example_rules

run_every:
  minutes: 1

buffer_time:
  minutes: 15

es_host:

es_port: 9200

    ## ElastAlert only needs to read the monitored indices and read/write its own writeback index; a dedicated user is safer than the elastic superuser
es_username: elastic
es_password: elastic

writeback_index: elastalert_status
writeback_alias: elastalert_alerts

alert_time_limit:
  days: 2



    ## a reminder: normally both elastalert-create-index --index elastalert_status and plain elastalert-create-index work
    ## if one does not, try the other; after deleting the index I could not recreate it with plain elastalert-create-index and had to add --index elastalert_status
    ## if it says Unable to import "auth", check which python version you installed ElastAlert with; see the error notes below
[root@localhost elastalert]# elastalert-create-index --index elastalert_status
Elastic Version: 7.11.2
Reading Elastic 6 index mappings:
Reading index mapping 'es_mappings/6/silence.json'
Reading index mapping 'es_mappings/6/elastalert_status.json'
Reading index mapping 'es_mappings/6/elastalert.json'
Reading index mapping 'es_mappings/6/past_elastalert.json'
Reading index mapping 'es_mappings/6/elastalert_error.json'
New index elastalert_status created











[root@localhost example_rules]# pwd
[root@localhost example_rules]# cp example_frequency.yaml syslog10.yaml

[root@localhost example_rules]# vim syslog10.yaml
# Alert when the rate of events exceeds a threshold

# (Optional)
# Elasticsearch host
es_host:

# (Optional)
# Elasticsearch port
es_port: 9200

# (OptionaL) Connect with SSL to Elasticsearch
#use_ssl: True

# (Optional) basic-auth username and password for Elasticsearch
es_username: elastic
es_password: elastic

# (Required)
# Rule name, must be unique
name: 发送消息

# (Required)
# Type of alert.
# the frequency rule type alerts when num_events events occur with timeframe time
type: frequency

# (Required)
# Index to search, wildcard supported
    ## the index pattern we want to match; * wildcards are allowed
index: nginx*

# (Required, frequency specific)
# Alert when this many documents matching the query occur within a timeframe
num_events: 1

# (Required, frequency specific)
# num_events must occur within this amount of time to trigger an alert
timeframe:
  minutes: 1

# (Required)
# A list of Elasticsearch filters used for find events
# These filters are joined with AND and nested in a filtered query
# For more info: http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/query-dsl.html
filter:
- query:
    query_string:
      query: "message: ERROR"

# (Required)
# The alert is use when a match is found
alert:
- "elastalert_modules.dingtalk_alert.DingTalkAlerter"

    ## the access_token in the webhook URL is a bearer credential: anyone who has it can post into the group, so keep this file out of version control and world-readable locations
dingtalk_webhook: "https://oapi.dingtalk.com/robot/send?access_token=************************************"
dingtalk_msgtype: text

#smtp_host: smtp.163.com
#smtp_port: 25
#smtp_auth_file: /root/elastalert/example_rules/testauth.yaml
#email_reply_to: *****@qq.com
#from_addr: *****@163.com

# (required, email specific)
# a list of email addresses to send alerts to
# email:
# - "elastalert@example.com"



[root@localhost example_rules]# vim testauth.yaml

user: ***********@163.com
password: sdgkljsklgslvgb

    ## this file holds a mailbox credential in clear text; restrict it to the account that runs ElastAlert (mode 600)





[root@localhost elastalert]# python3 -m elastalert.elastalert --verbose --config ./config.yaml --rule ./example_rules/syslog10.yaml 
1 rules loaded
INFO:elastalert:Starting up
INFO:elastalert:Disabled rules are: []
INFO:elastalert:Sleeping for 59.999936 seconds
INFO:elastalert:Queried rule 发送消息 from 2021-04-10 12:38 CST to 2021-04-10 12:41 CST: 0 / 0 hits
INFO:elastalert:Ran 发送消息 from 2021-04-10 12:38 CST to 2021-04-10 12:41 CST: 0 query hits (0 already seen), 0 matches, 0 alerts sent
INFO:elastalert:Background configuration change check run at 2021-04-10 12:42 CST
INFO:elastalert:Disabled rules are: []
INFO:elastalert:Sleeping for 59.999764 seconds
INFO:elastalert:Background alerts thread 0 pending alerts sent at 2021-04-10 12:42 CST
INFO:elastalert:Queried rule 发送消息 from 2021-04-10 12:38 CST to 2021-04-10 12:42 CST: 72 / 72 hits
INFO:elastalert:Ignoring match for silenced rule 发送消息
INFO:elastalert:Ignoring match for silenced rule 发送消息
INFO:elastalert:Ignoring match for silenced rule 发送消息
INFO:elastalert:Ignoring match for silenced rule 发送消息

The "Ignoring match for silenced rule" lines are not an error: once an alert has been sent, ElastAlert silences the rule for the realert interval (one minute by default) and drops further matches until it expires. The silence is recorded in the writeback index (elastalert_status), so it survives a restart, which is why matches can be reported as silenced before this run has itself sent an alert.






[root@localhost ~]# cd /root/elastalert
[root@localhost elastalert]# nohup python3 -m elastalert.elastalert --verbose --config ./config.yaml --rule ./example_rules/syslog10.yaml &

    ## if you have many rule files, put the working ones in the configured rules directory (a rule file with errors breaks startup, so move it out of the directory) and --rule is no longer needed; --config is likewise optional, but changing into the directory first is required
[root@localhost elastalert]# nohup python3 -m elastalert.elastalert --verbose &
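As an added example (not ElastAlert's own code and not from the original page), this Python models what the log lines above show: a `frequency` rule that fires when `num_events` hits fall inside `timeframe`, followed by the `realert` silence that produces "Ignoring match for silenced rule". It lets you sanity-check a rule's numbers before pointing it at a live index. Assumptions: a substring test on the message stands in for the `query_string` filter, and the silence is keyed on event time rather than the wall clock ElastAlert actually uses; the log lines are constructed.

```python
"""Offline model of an ElastAlert `frequency` rule with `realert` silencing.

Added example, not ElastAlert's code. It re-implements the two behaviours
visible in the ElastAlert log above so num_events / timeframe / realert can
be sanity-checked offline. Assumptions: a substring test stands in for the
query_string filter, and silencing is keyed on event time (ElastAlert uses
the wall clock at the moment the alert is sent).
"""
from collections import deque
from datetime import datetime, timedelta

# Constructed sample log lines in the shape of an nginx error log.
SAMPLE_LOG = """\
2021-04-10 12:38:05 [ERROR] upstream timed out
2021-04-10 12:38:20 [INFO] worker started
2021-04-10 12:38:40 [ERROR] upstream timed out
2021-04-10 12:39:10 [ERROR] connect() failed
2021-04-10 12:41:30 [ERROR] open() failed
2021-04-10 12:41:45 [ERROR] connect() failed
2021-04-10 12:44:00 [ERROR] open() failed
"""


def parse_log(text):
    """Return [(timestamp, message)] for every non-empty line."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, message = line[:19], line[20:]
        events.append((datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"), message))
    return events


def frequency_matches(events, num_events, timeframe):
    """Sliding-window frequency rule.

    As in ElastAlert's FrequencyRule, the window of seen events is dropped
    once a match is produced, so each event counts toward at most one match.
    """
    window = deque()
    matches = []
    for ts, _ in sorted(events):
        window.append(ts)
        while ts - window[0] > timeframe:   # evict events older than the timeframe
            window.popleft()
        if len(window) >= num_events:
            matches.append(ts)
            window.clear()
    return matches


def dispatch(matches, realert):
    """Apply `realert`: after an alert is sent the rule is silenced for that long.

    Matches inside the silence are what ElastAlert logs as
    "Ignoring match for silenced rule"; the silence itself is stored in the
    writeback index, so it also survives a restart of the process.
    """
    sent, silenced = [], []
    silence_until = None
    for ts in matches:
        if silence_until is not None and ts < silence_until:
            silenced.append(ts)
        else:
            sent.append(ts)
            silence_until = ts + realert
    return sent, silenced


def run_rule(text, num_events, timeframe_minutes, realert_minutes, needle="ERROR"):
    """Run the model end to end; times come back as HH:MM:SS strings."""
    hits = [e for e in parse_log(text) if needle in e[1]]
    matches = frequency_matches(hits, num_events, timedelta(minutes=timeframe_minutes))
    sent, silenced = dispatch(matches, timedelta(minutes=realert_minutes))
    fmt = lambda stamps: [t.strftime("%H:%M:%S") for t in stamps]
    return {"hits": len(hits), "matches": fmt(matches), "sent": fmt(sent), "silenced": fmt(silenced)}


if __name__ == "__main__":
    print(run_rule(SAMPLE_LOG, num_events=2, timeframe_minutes=1, realert_minutes=5))
```

With the page's rule (num_events: 1, timeframe one minute) every hit is a match, and with the default realert of one minute only the first hit in each minute reaches DingTalk; raise num_events or realert if the channel floods, and remember that deleting the writeback index also clears any active silence.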










  This problem usually comes up during python setup.py install and pip install -r requirements.txt. I was puzzled while installing: why did I install with python (the bundled 2.7) yet have to run it with python3; but


  As I said before, python and python3 have to be used alternately. Because it got messy I did not record every command and error message and cannot reproduce all of it, so try a few variations yourself: I only got it installed by going back and forth between python, python3, python3.6 and pip, pip3,

pip3.6. Sometimes python can install it but cannot run it, and python3 can run it but cannot install it;




    ## there are exceptions, but the install should mainly be done with python36, because that is what we run it with; use pip3 list to check whether a package is really missing or just not found on the path

  File "/root/elastalert/elastalert/elastalert.py", line 21, in <module>
    import pytz
ImportError: No module named pytz

ModuleNotFoundError: No module named 'deeptools'



    ## you may also hit a syntax error on a raise statement like the one below; this too is a python3 versus python2 issue (python3 rejects the old syntax), and it appears at install time, so install with python or python2.7 and it succeeds
    raise EAException("Error querying for dashboard: %s" % (e)), None, sys.exc_info()[2]
                                                               ^
SyntaxError: invalid syntax



    ## look closely: elastalert_modules.dingtalk_alert.DingTalkAlerter cannot be found. As said earlier, the alert entry in the rule file must be spelled exactly, and elastalert_modules must be copied into the elastalert directory
"/root/elastalert/elastalert/loaders.py", line 126, in load raise EAException('Error loading file %s: %s' % (rule_file, e)) elastalert.util.EAException: Error loading file ./example_rules/syslog200.yaml: Error initiating alert ['elastalert_modules.dingtalk_alert.DingTalkAlerter']: Could not import module elastalert_modules.dingtalk_alert.DingTalkAlerter: No module named 'elastalert_modules'


5. elastalert-create-index fails to create the index:

    ## if it says auth is not installed, install it: pip3 install auth
    ## what I got was "cannot import" the auth module, but this really has nothing to do with auth: pip? list may show the module under every version, and it still fails. What matters is which python version ElastAlert
      was installed with, i.e. which python? setup.py and pip? install -r requirements.txt you ran; when those point at the wrong python you get this message. After I re-ran the install with the python3.6 and pip3.6 that
      work for me, some packages really were still missing; once they were in, creating the index worked
    ## so I suggest installing python36 with yum rather than building from the official source, if you only need ElastAlert and do not need another python version, or if python36 covers your needs; do not install several, that gets very messy

    module = __import__(self.module_name, fromlist=['__name__'], level=0)
  File "/usr/local/lib/python3.6/site-packages/elastalert/create_index.py", line 12, in <module>
    from auth import Auth
ModuleNotFoundError: No module named 'auth'

    module = __import__(self.module_name, fromlist=['__name__'], level=0)
  File "/usr/local/lib/python3.6/site-packages/elastalert/create_index.py", line 12, in <module>
    from auth import Auth
ImportError: No module named 'Auth'







But... didn't you tell me "your licence will never expire"? Were you kidding? Was it fake? Either way, it has genuinely stopped working, so it needs fixing;













A configuration mistake makes elasticsearch and kibana fail to start outright; use journalctl -xe to see why the service failed and adjust. If elasticsearch starts normally but kibana reports that it is not ready, kibana has not connected to elasticsearch: check whether http was changed to https;




Opening the "Alerts and Actions" page, we are first told: transport layer security must be enabled between Kibana and Elasticsearch, and an encryption key must be configured in kibana.yml. So that is what we configure next:






[root@VM_0_7_centos elasticsearch]# pwd
[root@VM_0_7_centos elasticsearch]# ll
total 76
-rw------- 1 elasticsearch root           3443 Apr  6 10:51 elastic-certificates.p12
-rw-rw---- 1 root          elasticsearch   199 Mar 29 18:04 elasticsearch.keystore
-rw-rw---- 1 root          elasticsearch  3545 Apr  6 09:14 elasticsearch.yml
-rw------- 1 elasticsearch root           2527 Apr  6 10:51 elastic-stack-ca.p12
-rw-r--r-- 1 elasticsearch root           3451 Apr  6 11:01 http.p12
-rw-rw---- 1 root          elasticsearch  3182 Mar  6 14:03 jvm.options
drwxr-s--- 2 root          elasticsearch  4096 Mar  6 14:06 jvm.options.d
-rw-r--r-- 1 root          elasticsearch  1397 Apr  6 11:36 kibana-ca.crt
-rw-rw---- 1 root          elasticsearch 18612 Mar  6 14:03 log4j2.properties
-rw-r--r-- 1 root          root           1306 Apr  6 11:01 README.txt
-rw-rw---- 1 root          elasticsearch   473 Mar  6 14:03 role_mapping.yml
-rw-rw---- 1 root          elasticsearch   197 Mar  6 14:03 roles.yml
-rw-r--r-- 1 root          root            658 Apr  6 11:01 sample-elasticsearch.yml
-rw-r--r-- 1 root          root           1057 Apr  6 11:01 sample-kibana.yml
-rw-rw---- 1 root          elasticsearch     0 Mar  6 14:03 users
-rw-rw---- 1 root          elasticsearch     0 Mar  6 14:03 users_roles

Check the permissions in this listing before moving on: http.p12 holds the private key of the HTTPS listener yet is world-readable (-rw-r--r--). It should be readable only by the elasticsearch user, like elastic-certificates.p12 and elastic-stack-ca.p12 above it. kibana-ca.crt is a public certificate and may stay readable. (The http.p12 and elasticsearch-ca.pem seen in these two listings are the files from the zip generated below, copied into /etc/elasticsearch and /etc/kibana.)




[root@VM_0_7_centos elasticsearch]# cd /etc/kibana/
[root@VM_0_7_centos kibana]# ll
total 20
-rw-r--r-- 1 kibana root   1200 Apr  6 11:08 elasticsearch-ca.pem
-rw-rw---- 1 root   kibana 5466 Apr  6 11:53 kibana.yml
-rw-r--r-- 1 root   kibana  216 Mar  6 13:11 node.options





[root@localhost ~]# /usr/share/elasticsearch/bin/elasticsearch-certutil ca
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.
......
be a zip file containing individual files for the CA certificate and private key

Please enter the desired output file [elastic-stack-ca.p12]:      ## the default is fine, just press Enter
Enter password for elastic-stack-ca.p12 :                         ## set a password if you wish; pressing Enter leaves it blank

    ## check the generated file
[root@localhost ~]# ls -l /usr/share/elasticsearch/elastic-stack-ca.p12
-rw------- 1 root root 2527 Apr  5 13:38 /usr/share/elasticsearch/elastic-stack-ca.p12

With a blank password the CA private key is protected only by that 0600 file mode: anyone who can read the file can issue certificates that every node and Kibana will trust, so keep it off shared hosts and out of backups that others can read.



[root@localhost ~]# /usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca /usr/share/elasticsearch/elastic-stack-ca.p12
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.
......
    * -keep-ca-key (retain generated CA key)
    * -multiple (generate multiple certificates)
    * -in (generate certificates from an input file)
then the output will be be a zip file containing individual certificate/key files

Enter password for CA (/usr/share/elasticsearch/elastic-stack-ca.p12) :    ## the CA file was given on the command line; press Enter
Please enter the desired output file [elastic-certificates.p12]:          ## press Enter
Enter password for elastic-certificates.p12 :                             ## press Enter

Certificates written to /usr/share/elasticsearch/elastic-certificates.p12
......
configure the client to trust this certificate.

    ## check the generated file
[root@localhost ~]# ls -l /usr/share/elasticsearch/elastic-certificates.p12
-rw------- 1 root root 3451 Apr  5 13:41 /usr/share/elasticsearch/elastic-certificates.p12



[root@localhost ~]# /usr/share/elasticsearch/bin/elasticsearch-certutil http

## Elasticsearch HTTP Certificate Utility

The 'http' command guides you through the process of generating certificates
......
configure all your clients to trust that custom CA.

Generate a CSR? [y/N] n          ## enter n

## Do you have an existing Certificate Authority (CA) key-pair that you wish to use to sign your certificate?

If you have an existing CA certificate and key, then you can use that CA to
sign your new http certificate. This allows you to use the same CA across
multiple Elasticsearch clusters which can make it easier to configure clients,
and may be easier for you to manage.

If you do not have an existing CA, one will be generated for you.

Use an existing CA? [y/N] y          ## enter y

## What is the path to your CA?

Please enter the full pathname to the Certificate Authority that you wish to
use for signing your new http certificate. This can be in PKCS#12 (.p12), JKS
(.jks) or PEM (.crt, .key, .pem) format.
CA Path: /usr/share/elasticsearch/elastic-stack-ca.p12          ## the file generated earlier
Reading a PKCS12 keystore requires a password.
It is possible for the keystore's password to be blank,
in which case you can simply press <ENTER> at the prompt
Password for elastic-stack-ca.p12:          ## press Enter

## How long should your certificates be valid?

Every certificate has an expiry date. When the expiry date is reached clients
will stop trusting your certificate and TLS connections will fail.

Best practice suggests that you should either:
(a) set this to a short duration (90 - 120 days) and have automatic processes
    to generate a new certificate before the old one expires, or
(b) set it to a longer duration (3 - 5 years) and then perform a manual update
    a few months before it expires.

You may enter the validity period in years (e.g. 3Y), months (e.g. 18M), or days (e.g. 90D)

For how long should your certificate be valid? [5y]          ## validity: Y years, M months, D days; set it to suit you, the default is 5Y and I pressed Enter

## Do you wish to generate one certificate per node?

If you have multiple nodes in your cluster, then you may choose to generate a
separate certificate for each of these nodes. Each certificate will have its
own private key, and will be issued for a specific hostname or IP address.

Alternatively, you may wish to generate a single certificate that is valid
across all the hostnames or addresses in your cluster.

If all of your nodes will be accessed through a single domain
(e.g. node01.es.example.com, node02.es.example.com, etc) then you may find it
simpler to generate one certificate with a wildcard hostname (*.es.example.com)
and use that across all of your nodes.

However, if you do not have a common domain name, and you expect to add
additional nodes to your cluster in the future, then you should generate a
certificate per node so that you can more easily generate new certificates when
you provision new nodes.

Generate a certificate per node? [y/N] n          ## no per-node certificates, this is a single machine; in a cluster configure each node and distribute the files

## Which hostnames will be used to connect to your nodes?

These hostnames will be added as "DNS" names in the "Subject Alternative Name"
(SAN) field in your certificate.

You should list every hostname and variant that people will use to connect to
your cluster over http.
Do not list IP addresses here, you will be asked to enter them later.

If you wish to use a wildcard certificate (for example *.es.example.com) you
can enter that here.

Enter all the hostnames that you need, one per line.

When you are done, press <ENTER> once more to move on to the next step.
          ## I pressed Enter here without entering a hostname, since this is a single machine

You did not enter any hostnames.
Clients are likely to encounter TLS hostname verification errors if they
connect to your cluster using a DNS name.

Is this correct [Y/n]y          ## y to keep the current choice

## Which IP addresses will be used to connect to your nodes?

If your clients will ever connect to your nodes by numeric IP address, then you
can list these as valid IP "Subject Alternative Name" (SAN) fields in your
certificate.

If you do not have fixed IP addresses, or not wish to support direct IP access
to your cluster then you can just press <ENTER> to skip this step.

Enter all the IP addresses that you need, one per line.

When you are done, press <ENTER> once more to move on to the next step.
          ## enter the machine's IP address, one per line with Enter after each, then Enter again to finish

You entered the following IP addresses.

  -           ## (the address is redacted in the original)

Is this correct [Y/n]y          ## y to keep the current choice

## Other certificate options

The generated certificate will have the following additional configuration
values. These values have been selected based on a combination of the
information you have provided above and secure defaults. You should not need to
change these values unless you have specific requirements.

Key Name: elasticsearch
Subject DN: CN=elasticsearch
Key Size: 2048

Do you wish to change any of these options? [y/N]n          ## n, nothing to change if the choices above were right

## What password do you want for your private key(s)?

Your private key(s) will be stored in a PKCS#12 keystore file named "http.p12".
This type of keystore is always password protected, but it is possible to use a
blank password.

If you wish to use a blank password, simply press <enter> at the prompt below.
Provide a password for the "http.p12" file:  [<ENTER> for none]          ## press Enter; configuration is now complete, the rest is just messages and file generation

## Where should we save the generated files?

A number of files will be generated including your private key(s),
public certificate(s), and sample configuration options for Elastic Stack products.

These files will be included in a single zip archive.

What filename should be used for the output zip file? [/usr/share/elasticsearch/elasticsearch-ssl-http.zip]

Zip file written to /usr/share/elasticsearch/elasticsearch-ssl-http.zip

    ## the output is a zip; if unzip is missing, yum install -y unzip
[root@localhost ~]# unzip /usr/share/elasticsearch/elasticsearch-ssl-http.zip -d /root
Archive:  /usr/share/elasticsearch/elasticsearch-ssl-http.zip
   creating: /root/elasticsearch/
  inflating: /root/elasticsearch/README.txt
  inflating: /root/elasticsearch/http.p12
  inflating: /root/elasticsearch/sample-elasticsearch.yml
   creating: /root/kibana/
  inflating: /root/kibana/README.txt
  inflating: /root/kibana/elasticsearch-ca.pem
  inflating: /root/kibana/sample-kibana.yml

Because no hostname was entered, the certificate is only valid for the IP address given; clients that connect by DNS name will fail hostname verification, so add the name (or rerun the tool) if you later front Elasticsearch with one.



[root@localhost ~]# vim /etc/elasticsearch/elasticsearch.yml

xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.client_authentication: required
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: http.p12

The keystore paths are relative to /etc/elasticsearch. If you gave either .p12 file a password instead of pressing Enter, that password belongs in the elasticsearch keystore (the secure_password settings), not in this file.



[root@localhost ~]# vim /etc/kibana/kibana.yml

elasticsearch.hosts: [""]

elasticsearch.ssl.certificateAuthorities: [ "/etc/kibana/elasticsearch-ca.pem" ]

xpack.encryptedSavedObjects.encryptionKey: 'afdjlk_@rsedfdgnfkl_asd_flkfjselj_faelikj@##'
xpack.security.session.idleTimeout: "1h"
xpack.security.session.lifespan: "30d"

elasticsearch.hosts must now use an https:// address. The encryption key must be at least 32 characters and is used to encrypt the connector secrets (webhook tokens, mail passwords) that alerts store in Kibana, so generate your own random value rather than copying the one shown here, which is public the moment it is published.


Going back to "Alerts and Actions", alerts can now be created:



What follows is the matching filebeat and logstash configuration, since plain http:// no longer connects;





There are two ways to configure filebeat:


    ## first: in the Elasticsearch Output section prefix the address with https:// and point ssl.certificate_authorities at the CA certificate (the elasticsearch-ca.pem from the zip, copied to the filebeat host)
[root@postgreSQL ~]# vim /etc/filebeat/filebeat.yml
  hosts: [""]

  ssl.certificate_authorities: ["/etc/filebeat/elasticsearch-ca.pem"]


The second adds two options to the existing output.elasticsearch;

[root@postgreSQL ~]# vim /etc/filebeat/filebeat.yml
    ## add these two lines in the Elasticsearch Output section to use https
  protocol: "https"
  ssl.verification_mode: none

    ## caveat: verification_mode: none makes filebeat accept any certificate, so the connection is encrypted but the server is not authenticated; an attacker on the path can impersonate Elasticsearch, receive the elastic credentials and read the logs. Prefer the first method
[root@postgreSQL ~]# systemctl restart filebeat

If there are no errors and the service status is normal, check in Kibana that new log lines are arriving;



logstash configuration:

[root@localhost ~]# /usr/share/elasticsearch/bin/elasticsearch-certutil cert -ca /etc/elasticsearch/elastic-stack-ca.p12 -name logstash-client
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.
......
    * -multiple (generate multiple certificates)
    * -in (generate certificates from an input file)
then the output will be be a zip file containing individual certificate/key files

Enter password for CA (/etc/elasticsearch/elastic-stack-ca.p12) :     ## press Enter
Please enter the desired output file [logstash-client.p12]:          ## Enter again
Enter password for logstash-client.p12 :                             ## Enter again
......
configure the client to trust this certificate.

    ## extract the CA certificate we need from the generated p12 (-cacerts -nokeys writes only the CA certificate, no private key)
[root@localhost ~]# openssl pkcs12 -in /usr/share/elasticsearch/logstash-client.p12 -cacerts -nokeys -out logstash-ca.crt
Enter Import Password:
MAC verified OK

    ## then put the file in logstash's configuration directory; root ownership is fine as it is, no change needed
[root@localhost ~]# mv logstash-ca.crt /etc/logstash/



[root@localhost ~]# vim /etc/logstash/conf.d/logstash.conf
# Sample Logstash configuration for creating a simple
# Beats -> Logstash -> Elasticsearch pipeline.

input {
  beats {
    port => 5044
  }
}

output {
  elasticsearch {
    hosts => [""]
    ssl => true
    # CA extracted from logstash-client.p12 above; logstash verifies the Elasticsearch certificate against it
    cacert => "/etc/logstash/logstash-ca.crt"
    index => "%{[fields][index]}-%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    user => "elastic"
    password => "elastic"
  }
}

Then start (or restart) the logstash and filebeat services and check in the Kibana UI whether new logs are arriving;

Accordingly, the filebeat service configuration file needs no changes;








[root@localhost ~]# vim elk_clean.sh
#!/bin/bash
DATEDAY=$(date -d "14 day ago" +%Y.%m.%d)
    ##File that records the names of the index shards to delete; each entry is deleted in turn below
LISTFILE=~/elklistfile
    ##Log of the deletion results
SHLOG=~/elkdeletelog
    ##Placeholders: the Elasticsearch addresses were stripped from the page; fill in the shard-listing URL and the base URL
CAT_URL=""
ES_URL=""

    ##Find the shard entries for the given date and record them in the file; use > to overwrite, not >> to append
    ##The duplicate-record / duplicate-delete issue is discussed below; the final awk here can be changed to awk 'NR%2==1 {print $1}'
curl -s -XGET -u username:password "$CAT_URL" | grep "$DATEDAY" | awk '{print $1}' > "$LISTFILE"
#curl -s -XGET -u username:password "$CAT_URL" | grep "$DATEDAY" | awk 'NR%2==1 {print $1}' > "$LISTFILE"

    ##Delete each recorded index; a successful delete response contains "acknowledged":true
while read -r line
do
    if curl -s -XDELETE -u username:password "$ES_URL/$line" | grep -q true
    then
        echo "$line 删除成功" >> "$SHLOG"
    else
        echo "$line 删除失败" >> "$SHLOG"
    fi
done < "$LISTFILE"


Contents of the generated $LISTFILE file:

[root@localhost ~]# cat elklistfile
... ...
... ...

[root@localhost ~]# curl -s -XGET -u username:password | grep $(date -d "13 day ago" +%Y.%m.%d)
syslog--2021.07.07                0 p STARTED      12058    3.4mb dmon-1
syslog--2021.07.07                0 r UNASSIGNED                             
secure--2021.07.07                0 p STARTED      73960   18.5mb dmon-1
secure--2021.07.07                0 r UNASSIGNED                             
... ...
... ...

The same index name appears in two records, one STARTED and one UNASSIGNED;

UNASSIGNED means not allocated; it occurs because the index's replica does not exist (or has not been assigned). It affects the index's health status (data safety) but has no effect on our deletion;

This can also be seen in the Kibana web UI, where the index's status shows a yellow dot and is marked yellow;


To fix the UNASSIGNED state, configure automatic allocation in Elasticsearch or rebuild the index replica manually (it has no bearing on the present task);



    ##The successful entry is the one with data (the STARTED shard) that we actually deleted
[root@localhost ~]# head elkdeletelog
syslog--2021.07.06 删除成功
syslog--2021.07.06 删除失败
secure--2021.07.06 删除成功
secure--2021.07.06 删除失败
... ...
... ...

    ##This demo script writes its log with >>, i.e. appends; remember to clean it up periodically


If you don't want the duplicate deletes, take only the odd-numbered lines with awk before writing $LISTFILE ( awk 'NR%2==1 {print $1}' );
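As an added example that is not part of the original post, the shell function below does the job of the script's grep/awk line and the odd-line trick together: it reads the shard listing, keeps only index names whose trailing yyyy.mm.dd date is on or before a cutoff, and prints each name once, so avoiding the duplicate delete no longer depends on the p/r rows arriving in a fixed order (which awk 'NR%2==1' assumes). It goes beyond the page's exact-day match by also catching older dates left behind by a missed cron run; the sample rows are constructed after the listing above, and the function and variable names are my own.

```shell
#!/bin/bash
# Added example, not from the original post. Selects index names to delete from
# the shard-listing output shown above, printing each index once even though
# every index appears twice (a "p STARTED" row and an "r UNASSIGNED" row).

# Constructed sample, modelled on the listing above (not real cluster output).
SAMPLE_SHARDS='syslog--2021.07.07                0 p STARTED      12058    3.4mb dmon-1
syslog--2021.07.07                0 r UNASSIGNED
secure--2021.07.07                0 p STARTED      73960   18.5mb dmon-1
secure--2021.07.07                0 r UNASSIGNED
secure--2021.07.20                0 p STARTED        120    1.1mb dmon-1
secure--2021.07.20                0 r UNASSIGNED
.kibana_1                         0 p STARTED         42   88.3kb dmon-1'

# expired_indices <cutoff yyyy.mm.dd>   (reads shard rows on stdin)
# Prints each index whose date suffix is on or before the cutoff, exactly once.
# Names without a date suffix (system indices such as .kibana_1) are skipped.
expired_indices() {
    awk -v cutoff="$1" '
        # column 1 is the index name; only date-rolled names end in .yyyy.mm.dd
        # (no interval expressions in the regex, so it works on any awk)
        match($1, /[0-9][0-9][0-9][0-9]\.[0-9][0-9]\.[0-9][0-9]$/) {
            day = substr($1, RSTART)
            # zero-padded yyyy.mm.dd compares correctly as a plain string;
            # seen[] makes the p and r rows of one index yield a single name
            if (day <= cutoff && !seen[$1]++) print $1
        }'
}

# Same selection over the constructed sample, usable as the $LISTFILE input.
expired_indices_sample() {
    printf '%s\n' "$SAMPLE_SHARDS" | expired_indices "$1"
}

# Stand-alone run: keep 14 days, as the page's DATEDAY does.
expired_indices_sample "$(date -d "14 day ago" +%Y.%m.%d)"
```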










[root@localhost bin]# ./node -v
./node: /lib64/libm.so.6: version `GLIBC_2.27' not found (required by ./node)
./node: /lib64/libc.so.6: version `GLIBC_2.25' not found (required by ./node)
./node: /lib64/libc.so.6: version `GLIBC_2.28' not found (required by ./node)
./node: /lib64/libstdc++.so.6: version `CXXABI_1.3.9' not found (required by ./node)
./node: /lib64/libstdc++.so.6: version `GLIBCXX_3.4.20' not found (required by ./node)
./node: /lib64/libstdc++.so.6: version `GLIBCXX_3.4.21' not found (required by ./node)

The message above means the system's GLIBC needs to be upgraded. On the CentOS 7 system I use, yum and rpm can install at most 2.17; reaching the required versions means building from source, which carries some risk if it fails, so I chose to sidestep it and use a lower software version instead;





[root@test-001 ~]# yum install -y epel-release
[root@test-001 ~]# yum install -y nodejs
[root@test-001 ~]# yum install -y npm



[root@test-001 ~]# tar xvf node-v14.16.0-linux-x64.tar.xz -C /usr/local/
[root@test-001 ~]# cd /usr/local/
[root@test-001 local]# mv node-v14.16.0-linux-x64/ nodejs/

[root@test-001 local]# vi /etc/profile
export NODEJS=/usr/local/nodejs
export PATH=$NODEJS/bin:$PATH

    ##Use node -v and npm -v to check the installed versions
[root@test-001 local]# cd
[root@test-001 ~]# which node
[root@test-001 ~]# which npm



[root@test-001 ~]# npm install elasticdump

[root@test-001 ~]# ./node_modules/elasticdump/bin/elasticdump --version






    ##The command lives in the ./node_modules/elasticdump/bin directory
[root@test-001 ~]# cd node_modules/elasticdump/bin

    ##Export: --input is the cluster, --output is the file
    ##If elasticsearch has authentication enabled, use http://elastic:123456@ in the URL to authenticate
[root@test-001 bin]# ./elasticdump --input=http://elastic:123456@ --output=/elasticsearch/backup/test_e_log_0222.json --type=mapping
[root@test-001 bin]# ./elasticdump --input=http://elastic:123456@ --output=/elasticsearch/backup/test_e_log_0222_data.json --type=data

    ##Import: --output is the cluster, --input is the file
[root@localhost bin]# ./elasticdump --output= --input=/home/elastic_dir/backup/test_e_log_0222.json --type=mapping
[root@localhost bin]# ./elasticdump --output= --input=/home/elastic_dir/backup/test_e_log_0222_data.json --type=data







