Installing an ELK Cluster
1. Logstash

1.1 Installation
Note: install this on the machine whose logs are to be collected (192.168.128.134).

mkdir -p /data/softs /data/logs
cd /data/softs
sudo wget https://artifacts.elastic.co/downloads/logstash/logstash-7.4.0.rpm
rpm -ivh logstash-7.4.0.rpm

1.2 Create the configuration
vi /etc/logstash/logstash.conf
Enter:

input {
  file {
    path => ["/data/logs/error/program.error.log"]
    type => "error"
    tags => ["error"]
    start_position => "beginning"
    codec => "json"
  }
  file {
    path => ["/data/logs/error/program.warning.log"]
    type => "warning"
    tags => ["warning"]
    start_position => "beginning"
    codec => "json"
  }
}
output {
  if "error" in [tags] {
    elasticsearch {
      hosts => "192.168.128.136:9200"
      index => "error_log"
    }
    stdout { codec => rubydebug }
  }
  if "warning" in [tags] {
    elasticsearch {
      hosts => "192.168.128.136:9200"
      index => "warning_log"
    }
    stdout { codec => rubydebug }
  }
  # No input above sets the "access" tag; this branch only fires once an access-log input is added.
  if "access" in [tags] {
    elasticsearch {
      hosts => "192.168.128.136:9200"
      index => "access_log_%{+YYYY.MM.dd}"
    }
    stdout { }
  }
}

1.3 Start
sudo /usr/share/logstash/bin/logstash -f /etc/logstash/logstash.conf 2>>/data/logs/error/logstash.error.log &

2. Elasticsearch cluster (three nodes: 192.168.128.136/137/138)

2.1 Installation

# Install the JDK
sudo yum -y install java-1.8.0-openjdk
# Download the ES RPM package
wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.4.0-x86_64.rpm
# Install
rpm -ivh elasticsearch-7.4.0-x86_64.rpm
# Start on boot
sudo /bin/systemctl daemon-reload
sudo /bin/systemctl enable elasticsearch.service

2.2 Configuration

2.2.1 elasticsearch01 (192.168.128.136)

# Edit the configuration
sudo vim /etc/elasticsearch/elasticsearch.yml

cluster.name: zt-elk
node.name: zt-elk01
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 192.168.128.136
http.port: 9200
discovery.seed_hosts: ["192.168.128.138", "192.168.128.137"]
# Added here (not in the original post): a brand-new 7.x cluster cannot elect its first master without this line.
cluster.initial_master_nodes: ["zt-elk01", "zt-elk02", "zt-elk03"]

# Restart
sudo systemctl enable elasticsearch.service
sudo systemctl restart elasticsearch.service

2.2.2 elasticsearch02 (192.168.128.137)

# Edit the configuration
sudo vim /etc/elasticsearch/elasticsearch.yml

cluster.name: zt-elk
node.name: zt-elk02
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 192.168.128.137
http.port: 9200
discovery.seed_hosts: ["192.168.128.136", "192.168.128.138"]
# Added here (not in the original post): same bootstrap list on every node.
cluster.initial_master_nodes: ["zt-elk01", "zt-elk02", "zt-elk03"]

# Restart
sudo systemctl enable elasticsearch.service
sudo systemctl restart elasticsearch.service

2.2.3 elasticsearch03 (192.168.128.138)

# Edit the configuration
sudo vim /etc/elasticsearch/elasticsearch.yml

# The original post listed path.data twice here (also as /data/components/elasticsearch) and set
# path.plugins; ES 7 rejects duplicate keys and no longer supports path.plugins, so both are dropped.
cluster.name: zt-elk
node.name: zt-elk03
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 192.168.128.138
http.port: 9200
discovery.seed_hosts: ["192.168.128.136", "192.168.128.137"]
# Added here (not in the original post): same bootstrap list on every node.
cluster.initial_master_nodes: ["zt-elk01", "zt-elk02", "zt-elk03"]

# Restart
sudo systemctl enable elasticsearch.service
sudo systemctl restart elasticsearch.service
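The three node files above have to agree with each other (one cluster.name, unique node.name values, every peer listed in discovery.seed_hosts), and none of them enables xpack.security, so port 9200 answers anyone on the network without credentials. The following checker is an added example, not code from the original post: it parses the flat key/value style these files use (scalars and inline lists only), reports duplicate keys instead of silently keeping the last one, and flags the stray path.plugins line, a missing cluster.initial_master_nodes, incomplete seed lists and disabled security. The sample input is constructed from this guide's three configs, with node 03 as originally posted.

```python
import json
def parse_es_yml(text):
    """Parse flat 'key: value' lines; reports duplicate keys instead of silently keeping the last."""
    settings, dupes = {}, []
    for line in filter(None, (r.split("#", 1)[0].strip() for r in text.splitlines())):
        key, _, value = (p.strip() for p in line.partition(":"))
        # inline JSON-style lists (as used for seed hosts) and quoted/unquoted scalars
        value = json.loads(value) if value.startswith("[") else value.strip("\"'")
        if key in settings:
            dupes.append(key)
        settings[key] = value
    return settings, dupes

def check_cluster(configs):
    """configs maps node IP -> elasticsearch.yml text; returns a list of finding strings."""
    findings, parsed = [], {}
    for ip, text in configs.items():
        s, dupes = parse_es_yml(text)
        parsed[ip] = s
        findings += [f"{ip}: duplicate key {k}" for k in dupes]
        if "path.plugins" in s:
            findings.append(f"{ip}: path.plugins is not a supported 7.x setting")
        if s.get("xpack.security.enabled", "false") != "true":
            findings.append(f"{ip}: security disabled, port {s.get('http.port')} accepts unauthenticated requests")
        if "cluster.initial_master_nodes" not in s:
            findings.append(f"{ip}: cluster.initial_master_nodes missing, a new cluster cannot elect a master")
    if len({s.get("cluster.name") for s in parsed.values()}) != 1:
        findings.append("cluster.name differs across nodes")
    names = [s.get("node.name") for s in parsed.values()]
    if len(set(names)) != len(names):
        findings.append(f"node.name not unique: {names}")
    for ip, s in parsed.items():  # every node must list every other node as a seed host
        missing = {p["network.host"] for o, p in parsed.items() if o != ip} - set(s.get("discovery.seed_hosts", []))
        if missing:
            findings.append(f"{ip}: discovery.seed_hosts does not list {sorted(missing)}")
    return findings

def node_yml(name, host, seeds, extra=""):
    """Constructed sample input shaped like the configs in this guide."""
    return (f"cluster.name: zt-elk\nnode.name: {name}\npath.data: /var/lib/elasticsearch\n"
            f"network.host: {host}\nhttp.port: 9200\ndiscovery.seed_hosts: {json.dumps(seeds)}\n{extra}")

def check_guide_configs():
    """Run the checks over the three node configs as posted (node 03 with its stray lines)."""
    stray = "path.data: /data/components/elasticsearch\npath.plugins: /data/components/elasticsearch/plugins\n"
    return check_cluster({
        "192.168.128.136": node_yml("zt-elk01", "192.168.128.136", ["192.168.128.138", "192.168.128.137"]),
        "192.168.128.137": node_yml("zt-elk02", "192.168.128.137", ["192.168.128.136", "192.168.128.138"]),
        "192.168.128.138": node_yml("zt-elk03", "192.168.128.138", ["192.168.128.136", "192.168.128.137"], stray),
    })
```

Run it against the real files (read each one into the dict keyed by node IP) before the first restart; an empty list is the target state.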
3. Install Kibana

3.1 Installation
Note: install this on a machine that can be reached from outside (192.168.128.135).

mkdir -p /data/softs
cd /data/softs
sudo wget https://artifacts.elastic.co/downloads/kibana/kibana-7.4.0-x86_64.rpm
rpm -ivh kibana-7.4.0-x86_64.rpm

3.2 Configuration
Edit the relevant settings:

vi /etc/kibana/kibana.yml

server.port: 5601
server.host: "192.168.128.135"
elasticsearch.hosts: ["http://192.168.128.136:9200"]

Kibana talks to the cluster over plain HTTP here and neither side configures authentication, so anyone who can reach port 5601 on this host can read and delete every index.

3.3 Start
systemctl start kibana

4. Tips

4.1 Delete an index
curl -XDELETE 'http://127.0.0.1:9200/applog'

Run this on an ES node. With network.host set to the node's own address as in section 2, the node does not listen on 127.0.0.1, so use that address (for example 192.168.128.136) instead.

5. Parse Logstash's own logs with Filebeat

curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.4.0-x86_64.rpm
sudo rpm -vi filebeat-7.4.0-x86_64.rpm
vi /etc/filebeat/filebeat.yml

filebeat.inputs:
- type: log
  enabled: false
  paths:
    - /var/log/*.log
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false
setup.template.settings:
  index.number_of_shards: 1
setup.kibana:
  # Value from the original post; section 3 installed Kibana on 192.168.128.135.
  host: "192.168.128.137:5601"
output.elasticsearch:
  hosts: ["192.168.128.136:9200"]
  username: "elastic"
  # Placeholder from the original post. It is only checked once security is enabled on the cluster,
  # and must be replaced with the real password for the elastic user.
  password: "changeme"
processors:
  - add_host_metadata: ~
  - add_cloud_metadata: ~

sudo filebeat modules enable logstash
sudo filebeat setup
sudo service filebeat start