本文详细介绍了ELK(Elasticsearch、Logstash、Kibana)的安装过程,包括在主节点安装Kibana,在另一台机器安装Logstash,还说明了Logstash收集syslog日志的操作,如配置文件编辑、启动方式、端口检测等,最后介绍了在Kibana配置索引的方法。
安装kibana、安装logstash,logstash收集syslog日志
ELK安装 – 安装kibana(成图的、web工具)
以下在128(主节点)上执行(在一台机器上安装即可)
wget https://artifacts.elastic.co/downloads/kibana/kibana-6.0.0-x86_64.rpm sha1sum kibana-6.0.0-x86_64.rpm rpm --install kibana-6.0.0-x86_64.rpm
!!用以上方式安装kibana6.0.0版本的。因为阿里云内置的yum源是最新版的,不兼容
https://www.elastic.co/guide/cn/kibana/current/rpm.html,这是官网安装页面
前面已经配置过yum源,这里就不用再配置了
yum install -y kibana
若速度太慢,可以直接下载rpm包
1.wget https://artifacts.elastic.co/downloads/kibana/kibana-6.0.0-x86_64.rpm
2.rpm -ivh kibana-6.0.0-x86_64.rpm
kibana同样也需要安装x-pack(可省略)
安装方法同elasticsearch的x-pack
cd /usr/share/kibana/bin (可省略)
./kibana-plugin install x-pack //如果这样安装比较慢,也可以下载zip文件(可省略)
wget https://artifacts.elastic.co/downloads/packs/x-pack/x-pack-6.0.0.zip//这个文件和前面下载的那个其实是一个(可省略)
./kibana-plugin install file:///tmp/x-pack-6.0.0.zip (可省略)
以下在128上执行
3.vim /etc/kibana/kibana.yml //增加 (配置文件)
server.host: 192.168.193.128
#此处建议监听内网ip(就是本机),监听外网或全部不安全。如果想监听外网,可以nginx做代理,然后安全认证,增加安全性
elasticsearch.url: "http://192.168.193.128:9200"
#需要跟主节点通信,此处要写主节点的ip
logging.dest: /var/log/kibana.log
#默认在/var/log/messages。可以不指定输出日志,默认就好
touch /var/log/kibana.log; chmod 777 /var/log/kibana.log
4.systemctl restart kibana
[root@axinlinux-01 ~]# ps aux|grep kibana
kibana 10254 1.4 7.2 1122032 72296 ? Ssl 16:12 0:24 /usr/share/kibana/bin/../node/bin/node --no-warnings /usr/share/kibana/bin/../src/cli -c /etc/kibana/kibana.yml
root 11121 0.0 0.0 112720 980 pts/0 R+ 16:40 0:00 grep --color=auto kibana[root@axinlinux-01 ~]# netstat -an|grep 5601
tcp 0 0 192.168.193.128:5601 0.0.0.0:* LISTEN
tcp 0 0 192.168.193.128:5601 192.168.193.1:53975 ESTABLISHED
tcp 0 0 192.168.193.128:5601 192.168.193.1:53973 ESTABLISHED
tcp 0 0 192.168.193.128:5601 192.168.193.1:53974 ESTABLISHED
tcp 0 0 192.168.193.128:5601 192.168.193.1:53984 ESTABLISHED
tcp 0 0 192.168.193.128:5601 192.168.193.1:53986 ESTABLISHED
tcp 0 0 192.168.193.128:5601 192.168.193.1:53985 ESTABLISHED浏览器里访问http://192.168.193.128:5601/
用户名elastic,密码为之前你设置过的密码(如果未安装x-pack,不需要用户名密码)
若无法输入用户名密码,查日志/var/log/kibana.log
出现错误 Status changed from uninitialized to red - Elasticsearch is still initializing the kibana index.
解决办法:curl -XDELETE http://192.168.133.130:9200/.kibana -uelastic
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ELK安装 – 安装logstash
以下在133上执行
logstash目前不支持java9(如果安装的idk是1.9的,目前logstash不支持)
直接yum安装(配置源同前面es的源)
yum install -y logstash //如果慢,就下载rpm包
1.wget https://artifacts.elastic.co/downloads/logstash/logstash-6.0.0.rpm
2.rpm -ivh logstash-6.0.0.rpm
logstash也需要安装x-pack(可省略)
cd /usr/share/logstash/bin/ (可省略)
./logstash-plugin install file:///tmp/x-pack-6.0.0.zip (可省略)
systemctl enable logstash
systemctl start logstash
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
logstash收集syslog日志
以下在133上操作
编辑配置文件 vi /etc/logstash/conf.d/syslog.conf//加入如下内容
#编辑的文件统统放到conf.d下面,并且以.conf后缀。这样才能识别到
input {
syslog {
type => "system-syslog"
port => 10514
}
}
output {
elasticsearch {
hosts => ["192.168.193.133:9200"]
index => "system-syslog-%{+YYYY.MM}"
}
}input { #进入的源日志
syslog {
type => "system-syslog"
port => 10514
}
}
output { #输出到哪里去
stdout {
codec => rubydebug
}
}
检测配置文件是否有错
cd /usr/share/logstash/bin
./logstash --path.settings /etc/logstash/ -f /etc/logstash/conf.d/syslog.conf --config.test_and_exit
以下在133上操作
前台形式启动logstash
./logstash --path.settings /etc/logstash/ -f /etc/logstash/conf.d/syslog.conf//这样可以在屏幕上查看到日志输出,不能敲命令
再开一个终端
检测是否开启10514端口:netstat -lnp |grep 10514
tcp6 0 0 :::10514 :::* LISTEN
udp 0 0 0.0.0.0:10514 0.0.0.0:* vi /etc/rsyslog.conf//在#### RULES下面增加一行
*.* @@127.0.0.1:10514
#这里的ip应该写133的ip
systemctl restart rsyslog
从128ssh到133上,可以在logstash前台的终端上看到ssh登录的相关日志
结束logstash,在前台的那个终端上按ctrl c
以下在133上操作
后台形式启动logstash
编辑配置文件 vi /etc/logstash/conf.d/syslog.conf//配置文件内容改为如下
input {
syslog {
type => "system-syslog"
port => 10514
}
}
output {
elasticsearch {
hosts => ["192.168.193.133:9200"]
index => "system-syslog-%{+YYYY.MM}"
}
}
systemctl start logstash //启动需要一些时间,启动完成后,可以看到9600端口和10514端口已被监听
tcp 0 0 192.168.193.133:48782 192.168.193.133:10514 ESTABLISHED
tcp6 0 0 :::10514 :::* LISTEN
tcp6 1194 0 192.168.193.133:10514 192.168.193.133:48782 ESTABLISHED
udp 0 0 0.0.0.0:10514 0.0.0.0:* tcp6 0 0 127.0.0.1:9600 :::* LISTEN 128上执行curl '192.168.193.128:9200/_cat/indices?v' 可以获取索引信息
health status index uuid pri rep docs.count docs.deleted store.size pri.store.size
yellow open .kibana HUhL8JS6Sgqxr8mSq9UgoQ 1 1 1 0 3.4kb 3.4kb
yellow open system-syslog-2019.06 fqLpMdxRTG2EAV5DC8eIMw 5 1 110 0 421.7kb 421.7kb
curl -XGET '192.168.193.128:9200/indexname?pretty' 可以获指定索引详细信息
[root@axinlinux-03 ~]# curl -XGET '192.168.193.128:9200/system-syslog-2019.06pretty'
{"error":{"root_cause":[{"type":"index_not_found_exception","reason":"no such index","resource.type":"index_or_alias","resource.id":"system-syslog-2019.06pretty","index_uuid":"_na_","index":"system-syslog-2019.06pretty"}],"type":"index_not_found_exception","reason":"no such index","resource.type":"index_or_alias","resource.id":"system-syslog-2019.06pretty","index_uuid":"_na_","index":"system-syslog-2019.06pretty"},"status":404}[root@axinlinux-03 ~]# curl -XDELETE '192.168.193.128:9200/logstash-xxx-*' 可以删除指定索引
{"acknowledged":true}[root@axinlinux-03 ~]#
浏览器访问192.168.193.128:5601,到kibana配置索引
左侧点击“Managerment”-> “Index Patterns”-> “Create Index Pattern”
Index pattern这里需要根据前面curl查询到的索引名字来写,否则下面的按钮是无法点击的
[root@axinlinux-03 ~]# curl '192.168.193.128:9200/_cat/indices?v'
health status index uuid pri rep docs.count docs.deleted store.size pri.store.size
yellow open .kibana HUhL8JS6Sgqxr8mSq9UgoQ 1 1 1 0 3.4kb 3.4kb
yellow open system-syslog-2019.06 fqLpMdxRTG2EAV5DC8eIMw 5 1 110 0 421.7kb 421.7kb
以上,curl出来的,其中 system-syslog-2019.06 就是要输入到kibana界面里的
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
