ELK 6.4.1 Installation [Personally Tested]

DogJay 2018-09-28 Backend Technology 524 views

Install Elasticsearch

Download the Elasticsearch rpm package and install Elasticsearch

```shell
wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-6.4.1.rpm
[root@xxxxx ~]# ls
anaconda-ks.cfg  elasticsearch-6.4.1.rpm  kibana-6.4.1-x86_64.rpm  logstash-6.4.1.rpm
[root@xxxxx ~]# rpm -ivh elasticsearch-6.4.1.rpm
```

Installation process:

```shell
[root@xxxxx ~]# systemctl status elasticsearch
● elasticsearch.service - Elasticsearch
   Loaded: loaded (/usr/lib/systemd/system/elasticsearch.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2018-09-28 11:28:35 CST; 24s ago
     Docs: http://www.elastic.co
 Main PID: 664406 (java)
   CGroup: /system.slice/elasticsearch.service
           ├─664406 /bin/java -Xms1g -Xmx1g -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupa...
           └─664486 /usr/share/elasticsearch/modules/x-pack-ml/platform/linux-x86_64/bin/controller

Sep 28 11:28:35 xxxxx systemd[1]: Started Elasticsearch.
Sep 28 11:28:35 xxxxx systemd[1]: Starting Elasticsearch...
```

Installation succeeded.

Configure the Elasticsearch configuration file elasticsearch.yml

```shell
[root@xxxxx ~]# vi /etc/elasticsearch/elasticsearch.yml
```

Find:

```shell
# Elasticsearch performs poorly when the system is swapping the memory.
#
# ---------------------------------- Network -----------------------------------
#
# Set the bind address to a specific IP (IPv4 or IPv6):
#
network.host: 192.168.1.101
#
# Set a custom port for HTTP:
#
http.port: 9200
```

Modify network.host and http.port

Save and exit

Start Elasticsearch, enable it at boot, and check the ES status

```shell
[root@xxxxx ~]# systemctl start elasticsearch
[root@xxxxx ~]# systemctl enable elasticsearch
Created symlink from /etc/systemd/system/multi-user.target.wants/elasticsearch.service to /usr/lib/systemd/system/elasticsearch.service.
[root@xxxxx ~]# systemctl enable elasticsearch
[root@xxxxx ~]# systemctl status elasticsearch
● elasticsearch.service - Elasticsearch
   Loaded: loaded (/usr/lib/systemd/system/elasticsearch.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2018-09-28 11:28:35 CST; 24s ago
     Docs: http://www.elastic.co
 Main PID: 664406 (java)
   CGroup: /system.slice/elasticsearch.service
           ├─664406 /bin/java -Xms1g -Xmx1g -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupa...
           └─664486 /usr/share/elasticsearch/modules/x-pack-ml/platform/linux-x86_64/bin/controller

Sep 28 11:28:35 xxxxx systemd[1]: Started Elasticsearch.
Sep 28 11:28:35 xxxxx systemd[1]: Starting Elasticsearch...
```

At this point, the ES installation is complete.

Install Kibana

Download the Kibana rpm package and install Kibana

```shell
wget https://artifacts.elastic.co/downloads/kibana/kibana-6.4.1-x86_64.rpm
[root@xxxxx ~]# rpm -ivh kibana-6.4.1-x86_64.rpm
```

When the following appears, the installation succeeded (the NOKEY warning means rpm did not verify the package signature, because the Elastic signing key has not been imported into rpm)

```shell
[root@xxxxx ~]# rpm -ivh kibana-6.4.1-x86_64.rpm
warning: kibana-6.4.1-x86_64.rpm: Header V4 RSA/SHA512 Signature, key ID d88e42b4: NOKEY
Preparing...                          ################################# [100%]
Updating / installing...
   1:kibana-6.4.1-1                   ################################# [100%]
```

Configure the Kibana configuration file kibana.yml

Main changes:

```yml
# Kibana is served by a back end server. This setting specifies the port to use.
server.port: 5601

# Specifies the address to which the Kibana server will bind. IP addresses and host names are both valid values.
# The default is 'localhost', which usually means remote machines will not be able to connect.
# To allow connections from remote users, set this parameter to a non-loopback address.
server.host: "172.18.61.46"

# Enables you to specify a path to mount Kibana at if you are running behind a proxy.
# Use the `server.rewriteBasePath` setting to tell Kibana if it should remove the basePath
# from requests it receives, and to prevent a deprecation warning at startup.
# This setting cannot end in a slash.
#server.basePath: ""

# Specifies whether Kibana should rewrite requests that are prefixed with
# `server.basePath` or require that they are rewritten by your reverse proxy.
# This setting was effectively always `false` before Kibana 6.3 and will
# default to `true` starting in Kibana 7.0.
#server.rewriteBasePath: false

# The maximum payload size in bytes for incoming server requests.
#server.maxPayloadBytes: 1048576

# The Kibana server's name. This is used for display purposes.
#server.name: "your-hostname"

# The URL of the Elasticsearch instance to use for all your queries.
elasticsearch.url: "http://172.18.61.46:9200"
```

Save and exit

Start Kibana

```shell
[root@xxxxx ~]# systemctl start kibana
```

Enable Kibana at boot and check the Kibana status

```shell
[root@xxxxx ~]# systemctl enable kibana
Created symlink from /etc/systemd/system/multi-user.target.wants/kibana.service to /etc/systemd/system/kibana.service.
[root@xxxxx ~]# systemctl enable kibana
[root@xxxxx ~]# systemctl status kibana
● kibana.service - Kibana
   Loaded: loaded (/etc/systemd/system/kibana.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2018-09-28 11:35:07 CST; 13s ago
 Main PID: 664926 (node)
   CGroup: /system.slice/kibana.service
           └─664926 /usr/share/kibana/bin/../node/bin/node --no-warnings /usr/share/kibana/bin/../src/cli -c /etc/kibana/kibana.yml

Sep 28 11:35:20 xxxxx kibana[664926]: {"type":"log","@timestamp":"2018-09-28T03:35:20Z","tags":["status","plugin:tilema...earch"}
Sep 28 11:35:20 xxxxx kibana[664926]: {"type":"log","@timestamp":"2018-09-28T03:35:20Z","tags":["status","plugin:watche...earch"}
···
Hint: Some lines were ellipsized, use -l to show in full.
```
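The two bind settings edited above (network.host / http.port in elasticsearch.yml and server.host in kibana.yml) decide whether the 9200 and 5601 listeners are reachable from the rest of the network. The following is an added example, not code from the original post or from Elastic: a small posture check that reads both files' flat "key: value" lines and reports listeners that are exposed beyond loopback. The sample configuration strings are constructed to mirror the values shown in this guide.

```python
import ipaddress

# Added example, not part of the original post. elasticsearch.yml and kibana.yml
# are flat "key: value" YAML, so a line-based reader is enough here.
LOOPBACK_NAMES = {"localhost", "_local_", "127.0.0.1", "::1"}


def yml_scalars(text):
    """Read top-level 'key: value' pairs, skipping comments and blank lines."""
    pairs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#network.host: ...' is a comment, not a setting
        if ":" not in line:
            continue
        key, _, value = line.partition(":")    # split once: values may contain ':' (URLs)
        pairs[key.strip()] = value.strip().strip("\"'")
    return pairs


def binds_loopback_only(host):
    """True when the bind address only accepts connections from the local machine."""
    if host in LOOPBACK_NAMES:
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False   # hostnames and values like 0.0.0.0 / _site_ count as exposed


def exposure_findings(es_yml, kibana_yml):
    """List network-exposed listeners. Elasticsearch is treated as unauthenticated
    unless xpack.security.enabled is explicitly set to true."""
    es, kb = yml_scalars(es_yml), yml_scalars(kibana_yml)
    findings = []
    es_host = es.get("network.host", "_local_")   # ES 6.x default: loopback only
    if not binds_loopback_only(es_host) and es.get("xpack.security.enabled") != "true":
        findings.append(f"elasticsearch {es_host}:{es.get('http.port', '9200')} reachable without authentication")
    kb_host = kb.get("server.host", "localhost")  # Kibana default: localhost only
    if not binds_loopback_only(kb_host):
        findings.append(f"kibana {kb_host}:{kb.get('server.port', '5601')} reachable from the network")
    return findings


# Constructed samples mirroring the settings shown in this guide.
ES_EXPOSED = "#network.host: 192.168.1.101\nnetwork.host: 172.18.61.46\nhttp.port: 9200\n"
ES_LOCAL = "network.host: 127.0.0.1\nhttp.port: 9200\n"
KIBANA_EXPOSED = 'server.port: 5601\nserver.host: "172.18.61.46"\nelasticsearch.url: "http://172.18.61.46:9200"\n'
KIBANA_LOCAL = 'server.host: "localhost"\n'

if __name__ == "__main__":
    for finding in exposure_findings(ES_EXPOSED, KIBANA_EXPOSED):
        print(finding)
```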

Install Logstash

Download the Logstash rpm package and install Logstash

```shell
wget https://artifacts.elastic.co/downloads/logstash/logstash-6.4.1.rpm
[root@xxxxx ~]# rpm -ivh logstash-6.4.1.rpm
```

When the following appears on screen, the installation succeeded

```shell
warning: logstash-6.4.1.rpm: Header V4 RSA/SHA512 Signature, key ID d88e42b4: NOKEY
Preparing...                          ################################# [100%]
Updating / installing...
   1:logstash-1:6.4.1-1               ################################# [100%]
Using provided startup.options file: /etc/logstash/startup.options
Successfully created system startup script for Logstash
```

Configure Logstash

Generate an SSL certificate

```shell
[root@xxxx ~]# sudo vi /etc/pki/tls/openssl.cnf
```

Find the [ v3_ca ] section and modify (or add) subjectAltName

```shell
[ v3_ca ]
# Extensions for a typical CA
subjectAltName = IP: 172.18.61.46
```

Save and exit

Change to the /etc/pki/tls directory and generate the certificate

```shell
cd /etc/pki/tls
```

Generate the certificate

```shell
[root@xxxxx tls]# sudo openssl req -config /etc/pki/tls/openssl.cnf -x509 -days 3650 -batch -nodes -newkey rsa:2048 -keyout private/logstash-forwarder.key -out certs/logstash-forwarder.crt
Generating a 2048 bit RSA private key
.........................................................................+++
...+++
writing new private key to 'private/logstash-forwarder.key'
-----
```

Generated successfully

Configure the Logstash input

```shell
[root@xxxx tls]# sudo vi /etc/logstash/conf.d/02-beats-input.conf
# add the following file content
input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
    ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
  }
}
```

Create a filter for syslog

```shell
[root@xxxxx tls]# sudo vi /etc/logstash/conf.d/10-syslog-filter.conf
# add the following file content
filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    syslog_pri { }
    date {
      match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}
```
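To see which fields the grok and date filters above actually produce, including the optional `[pid]` group and the way `received_at` keeps the arrival time while `@timestamp` is rewritten to the log's own time, here is an added example (not Logstash's implementation and not from the original post) that replays the same pattern in Python over constructed syslog lines. Grok's SYSLOGTIMESTAMP, SYSLOGHOST, DATA, POSINT and GREEDYDATA are approximated with plain regexes; the real grok definitions are broader (IPv6 hosts, for instance).

```python
import re
from datetime import datetime

# Added example: the grok pattern from 10-syslog-filter.conf rewritten as a Python
# regex. The named groups carry the same field names the filter adds to the event.
MONTH = r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)"
SYSLOG_RE = re.compile(
    rf"^(?P<syslog_timestamp>{MONTH} +\d{{1,2}} \d{{2}}:\d{{2}}:\d{{2}}) "
    r"(?P<syslog_hostname>[\w.-]+) "
    r"(?P<syslog_program>.*?)(?:\[(?P<syslog_pid>[1-9][0-9]*)\])?: "   # pid is optional
    r"(?P<syslog_message>.*)$"
)


def parse_syslog_line(line, ingest_time, host="beat-host", year=2018):
    """Return the fields the grok + date filters add, or None where grok would
    tag the event with _grokparsefailure instead."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    fields = {k: v for k, v in m.groupdict().items() if v is not None}
    # add_field runs inside grok, so received_at is the pipeline's @timestamp at that
    # moment (arrival time); the date filter then overwrites @timestamp below.
    fields["received_at"] = ingest_time.isoformat()
    fields["received_from"] = host
    # date filter: "MMM d HH:mm:ss" / "MMM dd HH:mm:ss" carry no year, so one is supplied.
    ts = " ".join(fields["syslog_timestamp"].split())   # "Sep  3 ..." -> "Sep 3 ..."
    fields["@timestamp"] = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S").isoformat()
    return fields


# Constructed sample events and arrival time (not taken from a real system).
SAMPLE_LINES = [
    "Sep 28 11:55:32 elk-host sshd[1234]: Accepted publickey for deploy from 10.0.0.5 port 52211 ssh2",
    "Sep  3 04:02:01 elk-host systemd: Started Session 7 of user root.",
    "this line is not syslog formatted",
]
INGEST_TIME = datetime(2018, 9, 28, 12, 0, 0)

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_syslog_line(line, INGEST_TIME))
```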

Output the beats input to Elasticsearch

```shell
[root@xxxxx tls]# sudo vi /etc/logstash/conf.d/30-elasticsearch-output.conf
# add the following file content
output {
  elasticsearch {
    # must match the network.host / http.port set in elasticsearch.yml
    # (the test run below shows this host as 172.18.61.46:9200)
    hosts => ["172.18.61.46:9200"]
    sniffing => true
    manage_template => false
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }
}
```

Test whether the configuration is correct

```shell
[root@172-18-61-46 tls]# sudo /usr/share/logstash/bin/logstash --config.test_and_exit --path.settings /etc/logstash/
# When "Configuration OK" appears, the configuration has no syntax errors
Sending Logstash logs to /var/log/logstash which is now configured via log4j2.properties
[2018-09-28T11:53:44,815][INFO ][logstash.setting.writabledirectory] Creating directory {:setting=>"path.queue", :path=>"/var/lib/logstash/queue"}
[2018-09-28T11:53:44,823][INFO ][logstash.setting.writabledirectory] Creating directory {:setting=>"path.dead_letter_queue", :path=>"/var/lib/logstash/dead_letter_queue"}
[2018-09-28T11:53:47,743][WARN ][logstash.outputs.elasticsearch] You are using a deprecated config setting "document_type" set in elasticsearch. Deprecated settings will continue to work, but are scheduled for removal from logstash in the future. Document types are being deprecated in Elasticsearch 6.0, and removed entirely in 7.0. You should avoid this feature If you have any questions about this, please visit the #logstash channel on freenode irc. {:name=>"document_type", :plugin=>"%{[@metadata][beat]}-%{+YYYY.MM.dd}", sniffing=>true, manage_template=>false, id=>"0305584601408bb39a7b208d2ad8f50cc25fbf9d03002c665f90a46ff443ef7f", hosts=>[//172.18.61.46:9200], document_type=>"%{[@metadata][type]}", enable_metric=>true, codec=>"plain_8125692a-37b4-4cca-a0d5-db369e769962", enable_metric=>true, charset=>"UTF-8">, workers=>1, template_name=>"logstash", template_overwrite=>false, doc_as_upsert=>false, script_type=>"inline", script_lang=>"painless", script_var_name=>"event", scripted_upsert=>false, retry_initial_interval=>2, retry_max_interval=>64, retry_on_conflict=>1, action=>"index", ssl_certificate_verification=>true, sniffing_delay=>5, timeout=>60, pool_max=>1000, pool_max_per_route=>100, resurrect_delay=>5, validate_after_inactivity=>10000, http_compression=>false>}
Configuration OK
[2018-09-28T11:53:47,762][INFO ][logstash.runner          ] Using config.test_and_exit mode. Config Validation Result: OK. Exiting Logstash
```

Start Logstash, enable it at boot, and check the Logstash running status

```shell
[root@172-18-61-46 tls]# sudo systemctl restart logstash
# enable Logstash at boot
[root@172-18-61-46 tls]# sudo systemctl enable logstash
Created symlink from /etc/systemd/system/multi-user.target.wants/logstash.service to /etc/systemd/system/logstash.service.
[root@172-18-61-46 tls]# sudo systemctl enable logstash
# check the Logstash running status
[root@172-18-61-46 tls]# sudo systemctl status logstash
● logstash.service - logstash
   Loaded: loaded (/etc/systemd/system/logstash.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2018-09-28 11:55:32 CST; 3s ago
 Main PID: 666234 (java)
   CGroup: /system.slice/logstash.service
           └─666234 /bin/java -Xms1g -Xmx1g -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCM...

Sep 28 11:55:32 172-18-61-46 systemd[1]: Started logstash.
Sep 28 11:55:32 172-18-61-46 systemd[1]: Starting logstash...
```
