ELK installation
Environment setup:
(a) Disable the firewall:
systemctl stop firewalld.service # stop firewalld
systemctl disable firewalld.service # prevent firewalld from starting at boot
firewall-cmd --state # check the firewall state (shows "not running" after stopping, "running" after starting)
(b) iptables firewall (iptables is already installed here; configure it as follows)
vi /etc/sysconfig/iptables # edit the firewall configuration file
1. elasticsearch
1) Install the JDK
yum install java-1.8.0-openjdk -y
java -version ## check the version
2) Download the Elasticsearch RPM:
wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-5.4.0.rpm
wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-5.4.1.rpm
3) yum localinstall elasticsearch-5.4.0.rpm
4) Reload systemd and enable the service:
sudo systemctl daemon-reload ## use sudo if you lack permissions; reloads the unit files
sudo systemctl enable elasticsearch.service
sudo systemctl status elasticsearch.service
Checking the status showed it had failed: the service would not start. This was a problem with the node environment, so delete all the previous files and reinstall from scratch:
[root@slave local]# find / -name "elasticsearch" -exec rm -rf {} \;
rpm -qa |grep elasticsearch
rpm -e --nodeps elasticsearch-5.4.0-1
5) After reinstalling, check the status again; it now comes up:
6) Check the port:
[root@dev tmp]# lsof -i:9200
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
java 3994 elasticsearch 112u IPv6 54287 0t0 TCP localhost:wap-wsp (LISTEN)
java 3994 elasticsearch 113u IPv6 54288 0t0 TCP localhost:wap-wsp (LISTEN)
The port is not listening on IPv4.
According to the official documentation, elasticsearch listens on localhost by default. Edit the configuration file and change 127.0.0.1 to the host's own IP:
[root@dev elasticsearch]# vim elasticsearch.yml
network.host: 10.0.2.15
Test the endpoint with curl:
[root@dev elasticsearch]# curl 10.0.2.15:9200
{
"name" : "Bulldozer",
"cluster_name" : "elasticsearch",
"version" : {
"number" : "2.2.1",
"build_hash" : "d045fc29d1932bce18b2e65ab8b297fbf6cd41a1",
"build_timestamp" : "2016-03-09T09:38:54Z",
"build_snapshot" : false,
"lucene_version" : "5.4.1"
},
"tagline" : "You Know, for Search"
}
Access it from a browser (the response is the same JSON that curl returned):
http://10.0.2.15:9200/
7) After changing the IP and port, the node can be reached from the browser.
Common Elasticsearch problems:
http://www.mamicode.com/info-detail-1663378.html
http://www.bubuko.com/infodetail-1898143.html
http://blog.csdn.net/weini1111/article/details/60468068
[root@slave ~]# vim /etc/security/limits.conf
* soft nofile 65536
* hard nofile 131072
* soft nproc 2048
* hard nproc 4096
soft nproc: maximum number of file descriptors that can be opened (soft limit); the * means the entry applies to all users
hard nproc: maximum number of file descriptors that can be opened (hard limit)
soft nofile: maximum number of processes available to a single user (soft limit)
hard nofile: maximum number of processes available to a single user (hard limit)
[root@slave ~]# vim /etc/elasticsearch/jvm.options ## size the heap according to the system's actual memory
[root@slave ~]# vim /etc/sysctl.conf
2. elasticsearch-head
1) Install node.js
http://www.cnblogs.com/charles-dxb/p/5170209.html
http://www.cnblogs.com/lovelylife/p/3503980.html
[root@slave local]# curl --silent --location https://rpm.nodesource.com/setup_4.x | bash -
[root@slave local]# yum install -y nodejs
2) Install phantomjs
[root@slave src]# tar -jxvf phantomjs-2.1.1-linux-x86_64.tar.bz2 -C /usr/local/
tar (child): bzip2:沒法 exec: 沒有那個文件或目錄
tar (child): Error is not recoverable: exiting now
tar: Child returned status 2
tar: Error is not recoverable: exiting now
The bzip2 package is missing:
yum install -y bzip2
[root@slave src]# vim /etc/profile
export PATH=/usr/local/phantomjs-2.1.1-linux-x86_64/bin:$PATH ## append to the end of the file
[root@slave src]# source /etc/profile
3) Download and install elasticsearch-head
[root@slave src]# yum install -y git
[root@slave src]# git clone git://github.com/mobz/elasticsearch-head.git
[root@slave elasticsearch-head]# npm install
npm WARN package.json elasticsearch-head@0.0.0 license should be a valid SPDX license expression
[root@slave elasticsearch-head]# npm run start
> elasticsearch-head@0.0.0 start /usr/local/src/elasticsearch-head
> grunt server
Running "connect:server" (connect) task
Waiting forever...
Started connect web server on http://localhost:9100
^C
[root@slave elasticsearch-head]# npm run start
> elasticsearch-head@0.0.0 start /usr/local/src/elasticsearch-head
> grunt server
Running "connect:server" (connect) task
Waiting forever...
Started connect web server on http://localhost:9100
3. Logstash deployment and configuration
1) [root@slave local]# wget https://artifacts.elastic.co/downloads/logstash/logstash-5.4.0.rpm
https://artifacts.elastic.co/downloads/logstash/logstash-5.4.1.rpm
[root@slave local]# yum localinstall logstash-5.4.0.rpm
Generate the SSL certificate
Because we will use Filebeat to ship logs from our client servers to our ELK server, we need to create an SSL certificate and key pair. Filebeat uses this certificate to verify the identity of the ELK server. Use the following commands to create the directories that will hold the certificate and private key:
Use the following command (substituting the FQDN of the ELK server) to generate the SSL certificate and private key in the appropriate locations (/etc/pki/tls/…):
2) [root@slave local]# cd /etc/pki/tls/
[root@slave tls]# openssl req -subj '/CN=ELK_server_fqdn/' -x509 -days 3650 -batch -nodes -newkey rsa:2048 -keyout private/logstash-forwarder.key -out certs/logstash-forwarder.crt
3) Next, create the Logstash configuration file, as follows:
[root@slave tls]# vim /etc/logstash/conf.d/01-logstash-initial.conf
input {
  beats {
    port => 5000
    type => "logs"
    ssl => true
    ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
    ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
  }
}
filter {
  if [type] == "syslog-beat" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    geoip {
      source => "clientip"
    }
    syslog_pri {}
    date {
      match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}
output {
  elasticsearch { }
  stdout { codec => rubydebug }
}
4) Start Logstash and check the port; in the configuration file we specified port 5000.
[root@slave logstash]# systemctl enable logstash
[root@slave logstash]# systemctl start logstash
[root@slave logstash]# systemctl status logstash
For the related settings, refer to the specific options in the configuration file.
5) Edit the elasticsearch configuration file
Look at the directory and create a folder es-01 (the name is not mandatory); logging.yml ships with the package, while elasticsearch.yml is the file we create, with the contents shown below:
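The filter block above, and the `document_type: syslog-beat` that the Filebeat prospector configs set later on this page, re-implemented in Python as an added example (not code from the original post): it parses constructed /var/log/secure lines the way the grok, add_field and date stages do, and shows that the `[type] == "syslog-beat"` condition is met by Filebeat's document_type rather than by the input's `type => "logs"`, because the beats input does not overwrite a type the shipper already set. The sample events and hostnames are constructed; geoip and syslog_pri are left out.

```python
import re
from datetime import datetime

# Python equivalent of the page's grok pattern; the standard grok definitions expand to:
#   SYSLOGTIMESTAMP = MONTH +MONTHDAY TIME, SYSLOGHOST = IPORHOST, DATA = .*?,
#   POSINT = [1-9][0-9]*, GREEDYDATA = .*
SYSLOG_LINE = re.compile(
    r"^(?P<syslog_timestamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<syslog_hostname>[\w.-]+) "
    r"(?P<syslog_program>.*?)(?:\[(?P<syslog_pid>[1-9]\d*)\])?: "
    r"(?P<syslog_message>.*)$"
)

# Constructed sample events, shaped like what Filebeat 5.x hands to the beats input.
# "type" comes from document_type in the prospector config; the beats input's own
# type => "logs" only applies to events that arrive without one.
SAMPLE_EVENTS = [
    {"type": "syslog-beat", "host": "master", "@timestamp": "2017-06-01T19:12:05.000Z",
     "message": "Jun  1 19:12:01 master sshd[2041]: Accepted publickey for root "
                "from 192.168.3.194 port 50122 ssh2"},
    {"type": "syslog-beat", "host": "master", "@timestamp": "2017-06-01T19:12:05.000Z",
     "message": "Jun  1 19:12:03 master systemd: Started Session 12 of user root."},
    {"type": "logs", "host": "master", "@timestamp": "2017-06-01T19:12:05.000Z",
     "message": "not a syslog line"},
]


def parse_syslog_event(event: dict) -> dict:
    """Apply the filter block: grok + add_field + date, only for type syslog-beat."""
    if event.get("type") != "syslog-beat":
        return dict(event)  # other types pass through the filter untouched
    m = SYSLOG_LINE.match(event["message"])
    if not m:
        # grok keeps the event and tags it instead of dropping it
        return {**event, "tags": event.get("tags", []) + ["_grokparsefailure"]}
    out = {**event, **{k: v for k, v in m.groupdict().items() if v is not None}}
    out["received_at"] = event["@timestamp"]  # add_field "received_at"
    out["received_from"] = event["host"]      # add_field "received_from"
    # date filter, patterns "MMM d HH:mm:ss" / "MMM dd HH:mm:ss": syslog carries no year,
    # so take it from the shipping timestamp (Logstash assumes the current year)
    year = event["@timestamp"][:4]
    ts = datetime.strptime(f"{year} {' '.join(out['syslog_timestamp'].split())}",
                           "%Y %b %d %H:%M:%S")
    out["@timestamp"] = ts.strftime("%Y-%m-%dT%H:%M:%S")
    return out


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(parse_syslog_event(ev))
```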
[root@slave logstash]# cd /etc/elasticsearch/
[root@slave elasticsearch]# tree
.
├── elasticsearch.yml
├── jvm.options
├── log4j2.properties
└── scripts
1 directory, 3 files
[root@slave elasticsearch]# ll
總用量 16
-rw-rw----. 1 root elasticsearch 2923 6月 1 19:12 elasticsearch.yml
-rw-rw----. 1 root elasticsearch 3117 4月 29 01:45 jvm.options
-rw-rw----. 1 root elasticsearch 4456 4月 29 01:45 log4j2.properties
drwxr-x---. 2 root elasticsearch 6 4月 29 01:45 scripts
[root@slave elasticsearch]# mkdir es-01 ## create a folder
[root@slave elasticsearch]# cd es-01/
[root@slave es-01]# vim elasticsearch.yml
http:
  port: 9200
network:
  host: elk.test.com
node:
  name: elk.test.com
path:
  data: /etc/elasticsearch/data/es-01
6) Restart the elasticsearch and logstash services.
[root@slave ~]# systemctl stop elasticsearch
[root@slave ~]# systemctl start elasticsearch
[root@slave es-01]# systemctl stop logstash
[root@slave es-01]# systemctl start logstash
4. Install Kibana
1) Download the Kibana RPM:
[root@slave local]# wget https://artifacts.elastic.co/downloads/kibana/kibana-5.4.0-x86_64.rpm
2) [root@slave local]# yum localinstall kibana-5.4.0-x86_64.rpm -y
3) [root@slave local]# systemctl enable kibana
Created symlink from /etc/systemd/system/multi-user.target.wants/kibana.service to /etc/systemd/system/kibana.service.
4) [root@slave local]# systemctl start kibana
[root@slave local]# systemctl status kibana
Check that the Kibana service is running (Kibana's default process name is node, listening on port 5601):
5) [root@slave local]# netstat -lnpt
Modify the firewall to open tcp/5601 externally:
[root@slave local]# firewall-cmd --permanent --add-port=5601/tcp
FirewallD is not running ## if the firewall is not running, this step can be skipped
[root@elk elk]# firewall-cmd --reload
success
[root@elk elk]# firewall-cmd --list-all
[root@slave local]# vim /etc/kibana/kibana.yml ## edit the configuration file
Access http://192.168.3.194:5601 from a browser
5. Deploy Filebeat on the client
The Filebeat client is a lightweight tool that collects log sources from files on the server and forwards those logs to the Logstash server for processing. The Filebeat client uses the secure Beats protocol to communicate with the Logstash instance. The lumberjack protocol is designed for reliability and low latency. Filebeat uses the compute resources of the machine hosting the source data, and the Beats input plugin minimises the resource demands placed on Logstash.
1) [root@master local]# wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-5.4.0-x86_64.rpm
[root@master local]# yum localinstall filebeat-5.4.0-x86_64.rpm
[root@master certs]# scp root@192.168.3.194:/etc/pki/tls/certs/logstash-forwarder.crt /etc/pki/tls/certs/ ## copy the certificate logstash-forwarder.crt from the ELK node to the client
[root@master filebeat]# cd /etc/filebeat/
[root@master filebeat]# tree
.
├── filebeat.full.yml
├── filebeat.template-es2x.json
├── filebeat.template-es6x.json
├── filebeat.template.json
└── filebeat.yml
0 directories, 5 files
2) Three files are modified: filebeat.yml defines the connection to the Logstash server, and the two configuration files under the conf.d directory define the logs to monitor. Their contents are as follows:
filebeat.yml
[root@master filebeat]# mkdir conf.d
[root@master filebeat]# vim conf.d/authlogs.yml
filebeat:
  prospectors:
    - paths:
        - /var/log/secure
      encoding: plain
      fields_under_root: false
      input_type: log
      ignore_older: 24h
      document_type: syslog-beat
      scan_frequency: 10s
      harvester_buffer_size: 16384
      tail_files: false
      force_close_files: false
      backoff: 1s
      max_backoff: 1s
      backoff_factor: 2
      partial_line_waiting: 5s
      max_bytes: 10485760
[root@master filebeat]# vim conf.d/syslogs.yml
filebeat:
  prospectors:
    - paths:
        - /var/log/messages
      encoding: plain
      fields_under_root: false
      input_type: log
      ignore_older: 24h
      document_type: syslog-beat
      scan_frequency: 10s
      harvester_buffer_size: 16384
      tail_files: false
      force_close_files: false
      backoff: 1s
      max_backoff: 1s
      backoff_factor: 2
      partial_line_waiting: 5s
      max_bytes: 10485760
After the changes are done, start the Filebeat service.
Import the dashboards