elk日志收集

elk日志收集

elk+redis+filebeat收集多日志部署文档

环境:Centos7.6两台
elk--ip:103.39.232.249
nginx--ip:103.39.232.248
基础环境
关闭防火墙
setenforce 0
systemctl stop firewalld
systemctl disable firewalld
sed -i 's/enforcing/disabled/g' /etc/selinux/config
 
设置yum源
yum install wget -y
cd /etc/yum.repos.d/
wget http://mirrors.aliyun.com/repo/Centos-7.repo
wget http://mirrors.aliyun.com/repo/epel-7.repo
yum -y install epel-release
yum install net-tools tree lrzsz vim-enhanced bzip2-x86_64 -y 
 
配置jdk环境
mkdir /app
cd /app
wget http://download.zhiannet.com/software/java/jdk-11.0.4_linux-x64_bin.rpm
rpm -ivh jdk-11.0.4_linux-x64_bin.rpm
java -version
 
修改系统参数(重启生效)
vim /etc/security/limits.conf
* soft nofile 65536
* hard nofile 131072
* soft nproc 2048
* hard nproc 4096
 
 
添加下面配置:
echo 'vm.max_map_count=655360' >>/etc/sysctl.conf
并执行命令:
sysctl -p
 
vi /etc/security/limits.d/90-nproc.conf
* soft nproc 2048
 
vi /etc/security/limits.d/20-nproc.conf
*          soft    nproc     4096
elk        soft    nproc     4096
root       soft    nproc     unlimited
 
提前下载软件
cd /app
wget http://download.zhiannet.com/software/elk/centos7/elasticsearch-7.3.2-linux-x86_64.tar.gz
wget http://download.zhiannet.com/software/elk/centos7/filebeat-7.3.2-linux-x86_64.tar.gz
wget http://download.zhiannet.com/software/elk/centos7/kibana-7.3.2-linux-x86_64.tar.gz
wget http://download.zhiannet.com/software/elk/centos7/logstash-7.3.2.tar.gz
wget http://download.zhiannet.com/software/elk/centos7/redis-5.0.7.tar.gz
添加用户
useradd elk
 
修改安装目录权限
chown elk.elk /app
 
重启服务器
reboot
安装es
cd /app
tar xf elasticsearch-7.3.2-linux-x86_64.tar.gz -C /usr/local/
mv /usr/local/elasticsearch-7.3.2/ /usr/local/elasticsearch
chown -R elk.elk /usr/local/elasticsearch
su elk
 
修改配置文件
vim /usr/local/elasticsearch/config/jvm.options
-Xms4g
-Xmx4g
## 根据主机内从调整,一般为主机内存的一半
 
vim /usr/local/elasticsearch/config/elasticsearch.yml
node.name: node-1
path.data: /usr/local/elasticsearch/data
path.logs: /usr/local/elasticsearch/logs
bootstrap.memory_lock: true
network.host: 0.0.0.0
http.port: 39200
discovery.seed_hosts: ["127.0.0.1"]
cluster.initial_master_nodes: ["node-1"]
http.cors.enabled: true
http.cors.allow-origin: "*"
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
 
启动es
cd /usr/local/elasticsearch
nohup ./bin/elasticsearch &
 
此时启动es可能会报错,开启内存锁失败
ERROR: bootstrap checks failed
memory locking requested for elasticsearch process but memory is not locked
 
解决办法:
vim /etc/security/limits.conf
elk soft memlock unlimited
elk hard memlock unlimited
注意:localhost=主机名
 
vim /etc/sysctl.conf
vm.swappiness=0
 
sysctl -p
reboot
 
然后重启es,成功
su elk
cd /usr/local/elasticsearch
nohup ./bin/elasticsearch &
 
 
配置es密码
./bin/elasticsearch-setup-passwords interactive
y
******
******
******
...
 
 
gihXmSYLcnYAHhcn
浏览器访问
ip:39200
用户:elastic
密码:******
21ops.com
 
安装kibana
cd /app
tar xf kibana-7.3.2-linux-x86_64.tar.gz -C /usr/local/
mv /usr/local/kibana-7.3.2-linux-x86_64 /usr/local/kibana
 
配置kibana
vim /usr/local/kibana/config/kibana.yml
server.port: 35601
server.host: "0.0.0.0"
elasticsearch.hosts: ["http://localhost:39200"]
elasticsearch.username: "elastic"
elasticsearch.password: "******"
 
启动kibana
cd /usr/local/kibana/
nohup bin/kibana --allow-root &
#直接nohup ./bin/kibana & 会报错
 
浏览器访问:
ip:35601
用户:elastic
密码:******
安装redis
yum install -y gcc
tar xf /app/redis-5.0.7.tar.gz -C /usr/local/
mv  /usr/local/redis-5.0.7/ /usr/local/redis
cd /usr/local/redis
make MALLOC=libc && echo $?
cd src/
make install
echo $?
 
vim redis.conf
将daemonize no 改为 daemonize yes
port  12345
requirepass nGjBwhgriFWrLOM2
bind 0.0.0.0
 
为了安全起见,不要用root用户起redis
chown -R elk.elk /usr/local/redis
su elk
cd /usr/local/redis/src
./redis-server /usr/local/redis/redis.conf
 
安装logstash
cd /app
tar xf logstash-7.3.2.tar.gz -C /usr/local
mv /usr/local/logstash-7.3.2 /usr/local/logstash
 
修改配置
mv config/logstash-sample.conf config/logstash-sample.conf_bak
vim config/logstash-redis.conf
input {
  redis {
    host => "127.0.0.1"
    port => 53289
    password => "21ops.com"
    data_type => "list"
    key => "all_keys"
    db => 0
  }
}
output {
  if [fields][log_source] == 'access' {
    elasticsearch {
      hosts => "127.0.0.1:39200"
      index => "nginx-access-%{+YYYY.MM.dd}"
      user => "elastic"
      password => "21ops.com"
    }
  }  
  if [fields][log_source] == 'error' {
    elasticsearch{
      hosts => "127.0.0.1:39200"
      index => "nginx-error-%{+YYYY.MM.dd}"
      user => "elastic"
      password => "21ops.com"
    }
  }
}
 
启动logstash
nohup ./bin/logstash -f config/logstash-redis.conf &
nginx端配置
安装nginx,略
日志目录如下:
/data/logs/nginx/access/ip/access.log
/data/logs/nginx/error/ip/error.log
 
安装filebeat
mkdir /app
cd /app
wget http://download.zhiannet.com/software/elk/centos7/filebeat-7.3.2-linux-x86_64.tar.gz
tar xf filebeat-7.3.2-linux-x86_64.tar.gz -C /usr/local
mv /usr/local/filebeat-7.3.2-linux-x86_64/ /usr/local/filebeat
 
修改配置文件
vim /usr/loca/filebeat/filebeat.yml
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /data/logs/nginx/access/*/access.log
  fields:
    log_source: access
- type: log
  enabled: true
  paths:
    - /data/logs/nginx/error/*/error.log
  fields:
    log_source: error
output.redis:
  hosts: ["103.39.232.249:53289"]
  password: "21ops.com"
  key: "all_keys"
  db: 0
 
启动
nohup ./filebeat -c filebeat.yml &
redis做成systemd服务
vim /usr/lib/systemd/system/redis.service
[Unit]
Description=Redis
After=network.target
 
[Service]
Type=forking
User=elk
Group=elk
PIDFile=/var/run/redis_6379.pid
ExecStart=/usr/local/redis/src/redis-server /usr/local/redis/redis.conf
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s QUIT $MAINPID
PrivateTmp=true
 
[Install]
WantedBy=multi-user.target
 
es做成systemd服务
vim /usr/lib/systemd/system/elasticsearch.service
[Unit]
Description=elasticsearch
After=network.target
 
[Service]
LimitMEMLOCK=infinity
Type=simple
User=elk
Group=elk
LimitNOFILE=100000
LimitNPROC=100000
Restart=no
ExecStart=/usr/local/elasticsearch/bin/elasticsearch
PrivateTmp=true
 
[Install]
WantedBy=multi-user.target
 
 
systemctl daemon-reload
systemctl restart elasticsearch
logstash做成systemd服务
vim /usr/lib/systemd/system/logstash.service
[Unit]
Description=logstash
 
[Service]
Type=simple
User=root
Group=root
#Environment=JAVA_HOME=/usr/local/jdk
Environment=LS_HOME=/usr/local/logstash
Environment=LS_SETTINGS_DIR=/usr/local/logstash/config/
Environment=LS_PIDFILE=/usr/local/logstash/logstash.pid
Environment=LS_USER=root
Environment=LS_GROUP=root
Environment=LS_GC_LOG_FILE=/usr/local/logstash/logs/gc.log
Environment=LS_OPEN_FILES=16384
Environment=LS_NICE=19
Environment=SERVICE_NAME=logstash
Environment=SERVICE_DESCRIPTION=logstash
ExecStart=/usr/local/logstash/bin/logstash -f /usr/local/logstash/config/logstash-redis.conf
Restart=always
WorkingDirectory=/usr/local/logstash
Nice=19
LimitNOFILE=16384
 
[Install]
WantedBy=multi-user.target
 
kibana做成systemd服务
vim /usr/lib/systemd/system/kibana.service
[Unit]
Description=Kibana
 
[Service]
Type=simple
EnvironmentFile=-/usr/local/kibana/config
ExecStart=/usr/local/kibana/bin/kibana --allow-root
Restart=always
WorkingDirectory=/
 
[Install]
WantedBy=multi-user.target
 
 
 
filebeat做成systemd服务
vim /usr/lib/systemd/system/filebeat.service 
[Unit]
Description=filebeat
 
[Service]
Type=simple
EnvironmentFile=-/usr/local/filebeat
ExecStart=/usr/local/filebeat/filebeat -c /usr/local/filebeat/filebeat.yml
Restart=always
WorkingDirectory=/
 
[Install]
WantedBy=multi-user.target
posted @   帅帅啊  阅读(18)  评论(0编辑  收藏  举报
相关博文:
· zabbix-服务端安装
· Linux-awk
· Linux-CentOS7安装ELK-Elasticsearch-Logstash-Kibana
· @ELK集群环境部署搭建
· ELK部署中_
阅读排行:
· 无需6万激活码!GitHub神秘组织3小时极速复刻Manus,手把手教你使用OpenManus搭建本
· C#/.NET/.NET Core优秀项目和框架2025年2月简报
· 葡萄城 AI 搜索升级:DeepSeek 加持,客户体验更智能
· 什么是nginx的强缓存和协商缓存
· 一文读懂知识蒸馏
点击右上角即可分享
微信分享提示