
20170603 ELK installation (rpm package install)

Posted: 2017-06-13 16:38:46

Tags: elk installation

ELK installation

Environment setup:

(a) Turn off firewalld:

systemctl stop firewalldService.service        # stop firewalld
systemctl disable firewalld.service     # keep firewalld from starting at boot
firewall-cmd --state                    # show the firewall state (prints "not running" once stopped, "running" when on)

(b) iptables firewall (iptables is already installed here; configure it as follows):

vi /etc/sysconfig/iptables              # edit the firewall rules file

1. elasticsearch

1) Install the JDK

yum install java-1.8.0-openjdk -y
java -version            # check the version

2) Download the rpm

wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-5.4.0.rpm
wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-5.4.1.rpm

3) yum localinstall elasticsearch-5.4.0.rpm

4) Enable the service and check its status

sudo systemctl daemon-reload      # use sudo if you lack permission to reload the unit files
sudo systemctl enable elasticsearch.service
sudo systemctl status elasticsearch.service

Checking the status shows a failure: the service does not come up. It was a problem with the node environment, so delete all the previous files and do a fresh install:

[root@slave local]# find / -name "elasticsearch" -exec  rm -rf {} \;
rpm -qa |grep elasticsearch
rpm -e --nodeps elasticsearch-5.4.0-1

5) After reinstalling, the status check now shows the service running.

6) Check the port

[root@dev tmp]# lsof -i:9200
COMMAND  PID          USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
java    3994 elasticsearch  112u  IPv6  54287      0t0  TCP localhost:wap-wsp (LISTEN)
java    3994 elasticsearch  113u  IPv6  54288      0t0  TCP localhost:wap-wsp (LISTEN)

The port is not listening on IPv4.

According to the official documentation, elasticsearch listens on localhost by default, so edit the config file and change 127.0.0.1 to this host's IP:

[root@dev elasticsearch]# vim elasticsearch.yml
network.host: 10.0.2.15

Check it with curl:

[root@dev elasticsearch]# curl 10.0.2.15:9200
{
  "name" : "Bulldozer",
  "cluster_name" : "elasticsearch",
  "version" : {
    "number" : "2.2.1",
    "build_hash" : "d045fc29d1932bce18b2e65ab8b297fbf6cd41a1",
    "build_timestamp" : "2016-03-09T09:38:54Z",
    "build_snapshot" : false,
    "lucene_version" : "5.4.1"
  },
  "tagline" : "You Know, for Search"
}

Opening http://10.0.2.15:9200/ in a browser returns the same JSON.


7) After changing the IP and port, the page opens in the browser.

Common Elasticsearch problems:

http://www.mamicode.com/info-detail-1663378.html
http://www.bubuko.com/infodetail-1898143.html
http://blog.csdn.net/weini1111/article/details/60468068

[root@slave ~]# vim /etc/security/limits.conf
* soft nofile 65536
* hard nofile 131072
* soft nproc 2048
* hard nproc 4096

soft nofile: maximum number of open file descriptors (soft limit); the * means the limit applies to every user
hard nofile: maximum number of open file descriptors (hard limit)
soft nproc: maximum number of processes per user (soft limit)
hard nproc: maximum number of processes per user (hard limit)

[root@slave ~]# vim /etc/elasticsearch/jvm.options      # configure according to the system's actual memory
[root@slave ~]# vim /etc/sysctl.conf

2. elasticsearch-head

1) Install node.js

Notes on setting up a Node.js environment on CentOS 7:
http://www.cnblogs.com/charles-dxb/p/5170209.html

Installing the NPM package manager on Linux:
http://www.cnblogs.com/lovelylife/p/3503980.html

[root@slave local]# curl --silent --location https://rpm.nodesource.com/setup_4.x | bash -
[root@slave local]# yum install -y nodejs

2) Install phantomjs

[root@slave src]# wget https://bbuseruploads.s3.amazonaws.com/fd96ed93-2b32-46a7-9d2b-ecbc0988516a/downloads/396e7977-71fd-4592-8723-495ca4cfa7cc/phantomjs-2.1.1-linux-x86_64.tar.bz2?Signature=35G3OMsJ6wyIIBjYhDIa5zG%2FGxE%3D&Expires=1496287129&AWSAccessKeyId=AKIAIWZLQBE7J6CD7UJA&versionId=null&response-content-disposition=attachment%3B%20filename%3D%22phantomjs-2.1.1-linux-x86_64.tar.bz2%22

[root@slave src]# tar -jxvf phantomjs-2.1.1-linux-x86_64.tar.bz2 -C /usr/local/
tar (child): bzip2:无法 exec: 没有那个文件或目录
tar (child): Error is not recoverable: exiting now
tar: Child returned status 2
tar: Error is not recoverable: exiting now

bzip2 is missing:

yum install -y bzip2

[root@slave src]# vim /etc/profile
export PATH=/usr/local/phantomjs-2.1.1-linux-x86_64/bin:$PATH     # append at the end of the file
[root@slave src]# source /etc/profile

3) Download and install elasticsearch-head

[root@slave src]# yum install -y git
[root@slave src]# git clone git://github.com/mobz/elasticsearch-head.git
[root@slave elasticsearch-head]# npm install
npm WARN package.json elasticsearch-head@0.0.0 license should be a valid SPDX license expression
[root@slave elasticsearch-head]# npm run start

> elasticsearch-head@0.0.0 start /usr/local/src/elasticsearch-head
> grunt server

Running "connect:server" (connect) task
Waiting forever...
Started connect web server on http://localhost:9100
^C
[root@slave elasticsearch-head]# npm run start

> elasticsearch-head@0.0.0 start /usr/local/src/elasticsearch-head
> grunt server

Running "connect:server" (connect) task
Waiting forever...
Started connect web server on http://localhost:9100

3. Logstash deployment and configuration

1) [root@slave local]# wget https://artifacts.elastic.co/downloads/logstash/logstash-5.4.0.rpm
https://artifacts.elastic.co/downloads/logstash/logstash-5.4.1.rpm

[root@slave local]# yum localinstall logstash-5.4.0.rpm

Generate an SSL certificate

Because Filebeat will be used to ship logs from the client servers to the ELK server, we need to create an SSL certificate and key pair. Filebeat uses the certificate to verify the identity of the ELK server. Create the directories that will hold the certificate and private key with the following command:

Generate the SSL certificate and private key in the appropriate location (/etc/pki/tls/ …) with the following command (substitute the ELK server's FQDN):

2) [root@slave local]# cd /etc/pki/tls/
[root@slave tls]# openssl req -subj '/CN=ELK_server_fqdn/' -x509 -days 3650 -batch -nodes -newkey rsa:2048 -keyout private/logstash-forwarder.key -out certs/logstash-forwarder.crt

3) Then create the Logstash configuration file, as follows:

[root@slave tls]# vim /etc/logstash/conf.d/01-logstash-initial.conf

input {
  beats {
    port => 5000
    type => "logs"      # only applied to events that arrive without a type; Filebeat's document_type wins
    ssl => true
    ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
    ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
  }
}

filter {
  if [type] == "syslog-beat" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      # both fields in a single add_field setting, so neither entry overrides the other
      add_field => { "received_at" => "%{@timestamp}" "received_from" => "%{host}" }
    }
    geoip {
      source => "clientip"   # syslog events carry no clientip field, so this only tags _geoip_lookup_failure unless one is added upstream
    }
    syslog_pri {}
    date {
      match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}

output {
  elasticsearch { }      # defaults to localhost:9200; set hosts => [...] if network.host was changed to another address
  stdout { codec => rubydebug }
}
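As an added example (not part of the original post), the following Python script re-implements the grok pattern from the filter above as a regular expression and runs it, together with the two date formats the date filter accepts, over constructed /var/log/secure lines, so you can see which fields Logstash will index and which lines would be tagged _grokparsefailure. The year and the sample lines are assumptions.

```python
import re
from datetime import datetime

# Python equivalent of the page's grok pattern (added example, not from the post).
# SYSLOGTIMESTAMP -> "Jun  3 10:15:01", SYSLOGHOST -> hostname or IP, DATA -> lazy,
# POSINT -> the optional [pid], GREEDYDATA -> the rest of the line.
SYSLOG_RE = re.compile(
    r"^(?P<syslog_timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<syslog_hostname>[\w.-]+) "
    r"(?P<syslog_program>[^\[:]+?)(?:\[(?P<syslog_pid>\d+)\])?: "
    r"(?P<syslog_message>.*)$"
)

def parse_syslog_line(line, year=2017):
    """Return the fields the grok + date filters would add, or None when grok
    would fail and Logstash would tag the event with _grokparsefailure."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    fields = {k: v for k, v in m.groupdict().items() if v is not None}
    # The date filter accepts "MMM d HH:mm:ss" and "MMM dd HH:mm:ss"; syslog
    # timestamps carry no year, so one is assumed (2017 here, the post's date).
    ts = " ".join(fields["syslog_timestamp"].split())  # "Jun  3" -> "Jun 3"
    fields["@timestamp"] = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
    return fields

# Constructed sample lines in the format sshd and sudo write to /var/log/secure,
# plus one line that does not match the pattern at all.
SAMPLE_LINES = [
    "Jun  3 10:15:01 slave sshd[2451]: Failed password for invalid user admin "
    "from 203.0.113.7 port 51022 ssh2",
    "Jun 13 16:38:46 slave sudo:    root : TTY=pts/0 ; PWD=/usr/local ; "
    "USER=root ; COMMAND=/bin/systemctl start logstash",
    "this line does not look like syslog at all",
]

def parse_all(lines=SAMPLE_LINES):
    """Parse every line; entries are None where grok would have failed."""
    return [parse_syslog_line(line) for line in lines]

if __name__ == "__main__":
    for parsed in parse_all():
        print(parsed)
```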

4) Start Logstash and check the port; the config file uses port 5000.

[root@slave logstash]# systemctl enable logstash
[root@slave logstash]# systemctl start logstash
[root@slave logstash]# systemctl status logstash

See the config file for the detailed settings.

5) Edit the elasticsearch configuration

Look at the directory and create a folder es-01 (the name is not mandatory). logging.yml ships with the package; elasticsearch.yml is the file we create, with the contents shown below:

[root@slave logstash]# cd /etc/elasticsearch/
[root@slave elasticsearch]# tree
.
├── elasticsearch.yml
├── jvm.options
├── log4j2.properties
└── scripts

1 directory, 3 files
[root@slave elasticsearch]# ll
总用量 16
-rw-rw----. 1 root elasticsearch 2923 6月   1 19:12 elasticsearch.yml
-rw-rw----. 1 root elasticsearch 3117 4月  29 01:45 jvm.options
-rw-rw----. 1 root elasticsearch 4456 4月  29 01:45 log4j2.properties
drwxr-x---. 2 root elasticsearch    6 4月  29 01:45 scripts
[root@slave elasticsearch]# mkdir es-01      # create a folder
[root@slave elasticsearch]# cd es-01/
[root@slave es-01]# vim elasticsearch.yml
http:
  port: 9200
network:
  host: elk.test.com
node:
  name: elk.test.com
path:
  data: /etc/elasticsearch/data/es-01

6) Restart the elasticsearch and logstash services.

[root@slave ~]# systemctl stop elasticsearch
[root@slave ~]# systemctl start elasticsearch
[root@slave es-01]# systemctl stop logstash
[root@slave es-01]# systemctl start logstash

4. Install Kibana

1) [root@slave local]# wget https://artifacts.elastic.co/downloads/kibana/kibana-5.4.0-x86_64.rpm
2) [root@slave local]# yum localinstall kibana-5.4.0-x86_64.rpm -y
3) [root@slave local]# systemctl enable kibana
Created symlink from /etc/systemd/system/multi-user.target.wants/kibana.service to /etc/systemd/system/kibana.service.
4) [root@slave local]# systemctl start kibana
[root@slave local]# systemctl status kibana

Check that the Kibana service is running (Kibana's default process name is node, port 5601).

5) [root@slave local]# netstat -lnpt

Adjust the firewall to open tcp/5601 externally:

[root@slave local]# firewall-cmd --permanent --add-port=5601/tcp
FirewallD is not running       # if the firewall is not running this can be skipped

[root@elk elk]# firewall-cmd --reload
success
[root@elk elk]# firewall-cmd --list-all

[root@slave local]# vim /etc/kibana/kibana.yml   # edit the config file

Browse to http://192.168.3.194:5601

5. Deploy Filebeat on the client

The Filebeat client is a lightweight tool that collects logs from files on a server and forwards them to the Logstash server for processing. The Filebeat client talks to the Logstash instance over the secure Beats protocol; the lumberjack protocol is designed for reliability and low latency. Filebeat uses the compute resources of the machine hosting the source data, and the Beats input plugin keeps the resource demand on Logstash to a minimum.

1) [root@master local]# wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-5.4.0-x86_64.rpm
[root@master local]# yum localinstall filebeat-5.4.0-x86_64.rpm
[root@master certs]# scp root@192.168.3.194:/etc/pki/tls/certs/logstash-forwarder.crt /etc/pki/tls/certs/     # copy the certificate logstash-forwarder.crt from the ELK node to the client

[root@master filebeat]# cd /etc/filebeat/
[root@master filebeat]# tree
.
├── filebeat.full.yml
├── filebeat.template-es2x.json
├── filebeat.template-es6x.json
├── filebeat.template.json
└── filebeat.yml

0 directories, 5 files

2) Three files are modified. filebeat.yml defines the connection to the Logstash server; the two config files under the conf.d directory define which logs to monitor. Their contents are shown below:

filebeat.yml

[root@master filebeat]# mkdir conf.d
[root@master filebeat]# vim conf.d/authlogs.yml
filebeat:
  prospectors:
    - paths:
      - /var/log/secure
      encoding: plain
      fields_under_root: false
      input_type: log
      ignore_older: 24h
      document_type: syslog-beat
      scan_frequency: 10s
      harvester_buffer_size: 16384
      tail_files: false
      force_close_files: false
      backoff: 1s
      max_backoff: 1s
      backoff_factor: 2
      partial_line_waiting: 5s
      max_bytes: 10485760

[root@master filebeat]# vim conf.d/syslogs.yml
filebeat:
  prospectors:
    - paths:
      - /var/log/messages
      encoding: plain
      fields_under_root: false
      input_type: log
      ignore_older: 24h
      document_type: syslog-beat
      scan_frequency: 10s
      harvester_buffer_size: 16384
      tail_files: false
      force_close_files: false
      backoff: 1s
      max_backoff: 1s
      backoff_factor: 2
      partial_line_waiting: 5s
      max_bytes: 10485760

After editing, start the filebeat service.

Load the dashboards


Original article: http://9940459.blog.51cto.com/9930459/1934942
