ELK test environment setup
Environment overview
ELK version 5.2.2
Installed via yum
Java
3 test machines
elk-node1
Elasticsearch, Logstash, Kibana
elk-node2, elk-node3
filebeat
Log management, log analysis, web display
Create the OpenSSL certificate for Logstash
openssl req -subj '/CN=hostname/' -x509 -days $((100*365)) -batch -nodes -newkey rsa:2048 -keyout ./pki/tlk/private/logstash.key -out ./pki/tls/certs/logstash.crt
Copy the crt file to elk-node3
scp /etc/logstash/pki/tls/certs/logstash.crt 10.152.4.47:/etc/filebeat/pki/tls/certs
1. Elasticsearch installation and configuration
yum localinstall -y elasticsearch-5.2.2.rpm
Configuration file
[root@elk-node1 ~]# cat /etc/elasticsearch/elasticsearch.yml |grep -v "^#"
network.host: 0.0.0.0
http.port: 9200
http.cors.enabled: true
http.cors.allow-origin: "*"
Install the elasticsearch-head component
yum install epel-release npm git
npm install -g grunt-cli grunt
npm init -f
git clone https://github.com/mobz/elasticsearch-head.git
cp -r elasticsearch-head/ /var/lib/elasticsearch
cd /var/lib/elasticsearch/elasticsearch-head/
vi Gruntfile.js
port: 9100,
hostname: '*',   // insert this line
base: '.',
vi _site/app.js
this.base_uri = this.config.base_uri || this.prefs.get("app-base_uri") || "http://10.152.4.30:9200";   // change to the host address
vi /etc/elasticsearch/elasticsearch.yml
http.cors.enabled: true
http.cors.allow-origin: "*"
npm install
grunt server
2. Logstash installation and configuration
Create the OpenSSL certificate
yum localinstall -y logstash-5.2.2.rpm
Configuration file
[root@elk-node1 ~]# cat /etc/logstash/conf.d/02-beats-input.conf |grep -v "^#"
input {
  beats {
    host => "10.152.4.30"
    port => 5044
    type => "syslogs"
    ssl => true
    # Client certificates accepted from the Filebeat nodes (self-signed, one per node)
    ssl_certificate_authorities => ["/etc/logstash/pki/tls/certs/filebeat.crt", "/etc/logstash/pki/tls/certs/filebeat1.crt"]
    ssl_certificate => "/etc/logstash/pki/tls/certs/logstash.crt"
    ssl_key => "/etc/logstash/pki/tlk/private/logstash.key"
    # Require every client to present a certificate
    ssl_verify_mode => "force_peer"
  }
}
output {
  elasticsearch {
    hosts => ["10.152.4.30:9200"]
    index => "test-system-%{+YYYY.MM.dd}"
  }
}
3. Kibana installation and configuration
yum localinstall -y kibana-5.2.2-x86_64.rpm
Configuration file
[root@elk-node1 ~]# cat /etc/kibana/kibana.yml |grep -v "^#"
server.port: 5601
server.host: "10.152.4.30"
elasticsearch.url: "http://10.152.4.30:9200"
kibana.index: ".kibana"
Log collection
Create the OpenSSL certificate for Filebeat
openssl req -x509 -days $((100*365)) -batch -nodes -newkey rsa:2048 -keyout ./pki/tlk/private/filebeat.key -out ./pki/tls/certs/filebeat.crt
Copy the crt file to elk-node1
scp /etc/filebeat/pki/tls/certs/filebeat.crt 10.152.4.30:/etc/logstash/pki/tls/certs
[root@elk-node2 ~]# cat /etc/filebeat/filebeat.yml|grep -v "#"|grep -v ^$
filebeat.prospectors:
- input_type: log
  paths:
    - /var/log/*.log
output.logstash:
  hosts: ["10.152.4.30:5044"]
  ssl.enabled: true
  ssl.verification_mode: full
  ssl.certificate_authorities: ["/etc/filebeat/pki/tls/certs/logstash.crt"]
  ssl.certificate: "/etc/filebeat/pki/tls/certs/filebeat.crt"
  ssl.key: "/etc/filebeat/pki/tlk/private/filebeat.key"
logging.to_files: true
logging.files:
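Filebeat above connects to 10.152.4.30 by IP address with ssl.verification_mode: full, which checks that address against the server certificate, and an IP address is matched only against subjectAltName entries, never the CN. The script below is an added example, not part of the original notes: it creates a CN-only certificate and one with an IP SAN, then checks both with openssl x509 -checkip. It assumes OpenSSL 1.1.1 or later (for -addext); the function names, temporary paths and the 365-day lifetime are illustrative choices.

```bash
#!/bin/sh
# Added example; function names and temporary paths are illustrative.

# make_cert DIR NAME CN [SAN]
# Writes DIR/NAME.key and DIR/NAME.crt: a self-signed RSA-2048 certificate.
# SAN, if given, is a subjectAltName value such as "IP:10.152.4.30".
make_cert() (
    umask 077                       # private key readable by its owner only
    base=$1/$2 cn=$3 san=${4:-}
    # -days 365 is a demo value, not the lifetime used in the notes above.
    set -- -x509 -nodes -batch -newkey rsa:2048 -days 365 \
           -subj "/CN=$cn" -keyout "$base.key" -out "$base.crt"
    [ -z "$san" ] || set -- "$@" -addext "subjectAltName=$san"
    openssl req "$@"
)

# cert_matches_ip CRT IP
# Succeeds only if IP appears as an iPAddress SAN in CRT.
# openssl prints "IP <ip> does match certificate" or "... does NOT match ...".
cert_matches_ip() {
    openssl x509 -in "$1" -noout -checkip "$2" | grep -q 'does match certificate'
}

# Demo: CN-only certificate versus one carrying the Logstash IP as a SAN.
# elk-node1 and 10.152.4.30 are the Logstash host and address from this page.
demo() (
    tmp=$(mktemp -d) || exit 1
    trap 'rm -rf "$tmp"' EXIT
    make_cert "$tmp" cn-only  elk-node1 || exit 1
    make_cert "$tmp" with-san elk-node1 "DNS:elk-node1,IP:10.152.4.30" || exit 1
    for name in cn-only with-san; do
        if cert_matches_ip "$tmp/$name.crt" 10.152.4.30; then
            echo "$name.crt: 10.152.4.30 accepted"
        else
            echo "$name.crt: 10.152.4.30 rejected (no matching IP SAN)"
        fi
    done
)
demo
```

Running cert_matches_ip against /etc/filebeat/pki/tls/certs/logstash.crt on a Filebeat node before starting the service shows whether full verification can succeed for the configured host.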
Start the Filebeat service on the node
systemctl start filebeat.service
Start the services:
systemctl start elasticsearch.service
systemctl start logstash.service
/usr/share/kibana/bin/kibana
Related links:
Elasticsearch.url 10.152.4.30:9200
Es_head.url 10.152.4.30:9100
Kibana.url 10.152.4.30:5601