目录:
1、所需安装包
2、预环境
3、安装elasticsearch
4、安装elasticsearch-head
5、安装logstash
6、安装kibana
7、分析apache日志(access和error)
1、所需安装包
elasticsearch-5.5.3.rpm elk-head-5.tar.gz kibana-5.5.3-x86_64.rpm logstash-5.5.3.rpm node-v8.9.4.tar.gz phantomjs-2.1.1-linux-x86_64.tar.bz2
2、预环境配置
配置ip地址 elk-node1:10.0.0.133 elk-node2:10.0.0.135 编辑hosts文件 10.0.0.133 elk-node1 10.0.0.135 elk-node2 安装java yum -y install java java -version openjdk version "1.8.0_102" OpenJDK Runtime Environment (build 1.8.0_102-b14) OpenJDK 64-Bit Server VM (build 25.102-b14, mixed mode)
3、安装elasticsearch
elk-node1上: 安装elasticsearch rpm -ivh elasticsearch-5.5.3.rpm 编辑/etc/elasticsearch/elasticsearch.conf cluster.name: my-elk-cluster 集群名字 node.name: elk-node1 节点名字 path.data: /data/elk_data 数据存放路径 path.logs: /var/log/elasticsearch/ 日志存放路径 bootstrap.memory_lock: false 不在启动的时候锁定内存 network.host: 0.0.0.0 提供服务绑定的 IP 地址,0.0.0.0 代表所有地址 http.port: 9200 侦听端口为 9200 discovery.zen.ping.unicast.hosts: ["elk-node1", "elk-node2"] 集群发现通过单播实现 创建elasticsearch的data数据目录 mkdir -p /data/elk_data chown elasticsearch:elasticsearch /data/elk_data/ systemctl enable elasticsearch systemctl start elasticsearch elk-node2上: 安装elasticsearch rpm -ivh elasticsearch-5.5.3.rpm 编辑/etc/elasticsearch/elasticsearch.conf cluster.name: my-elk-cluster node.name: elk-node2 #注意,这里也是两个节点配置唯一不一样的地方 path.data: /data/elk_data path.logs: /var/log/elasticsearch/ bootstrap.memory_lock: false network.host: 0.0.0.0 http.port: 9200 discovery.zen.ping.unicast.hosts: ["elk-node1", "elk-node2"] 创建elasticsearch的data数据目录 mkdir -p /data/elk_data chown elasticsearch:elasticsearch /data/elk_data/ systemctl enable elasticsearch systemctl start elasticsearch
查看是否成功
ss -lnpt |grep 9200 systemctl status elasticsearch
验证
登录10.0.0.133:9200/_cluster/health?pretty
(你的集群的node数应当是2,status应当是green,也就是健康)
4、安装elasticsearch-head插件,在其中一台node安装即可。本次安装在了elk-node1上。
安装node tar zxvf node-v8.2.1.tar.gz cd node-v8.2.1/ ./configure && make && make install 安装phantomjs tar jxvf phantomjs-2.1.1-linux-x86_64.tar.bz2 cd phantomjs-2.1.1-linux-x86_64/bin/ cp phantomjs /usr/local/bin/ 安装docker,在docker跑elasticsearch-head 安装docker yum -y install docker systemctl start docker systemctl enable docker #注意安装docker时,如果直接yum安装无法启动,可先更新内核 使用docker运行elasticsearch-head docker load < elk-head-5.tar.gz docker run -d -p 9100:9100 mobz/elasticsearch-head:5 配置elasticsearch 编辑/etc/elasticsearch/elasticsearch.conf http.cors.enabled: true 开启跨域访问支持,默认为 false http.cors.allow-origin: "*" 跨域访问允许的域名地址 重启elasticsearch systemctl restart elasticsearch
验证
登录10.0.0.133:9100
会出现如上的界面,在连接那里,将http://localhost:9200改为http://10.0.0.133:9200,可以看到集群状态,应当为绿色。
创建测试索引
curl -XPUT 'localhost:9200/index-demo/test/1?pretty&pretty' -H 'Content-Type: application/json' -d '{ "user": "zhangsan","mesg":"hello world" }'
刷新10.0.0.133:9200
###注意,这里其实你应当只能看到红框内的索引,其他的索引与这次测试无关
5、安装配置logstash(你要采集哪里的日志,就装在哪里)
注意:logstash需要java支持,所以你要装logstash需要先执行yum -y install java,由于elk-node1已经安装则不需再次安装java
在elk-node1上,分析其系统志
安装
rpm -ivh logstash-5.5.3.rpm
通过logstash采集日志
chmod a+r /var/log/messages
编辑/etc/logstash/conf.d/system.conf
input {
file {
path => "/var/log/messages"
type => "system"
start_position => "beginning"
}
}
output {
elasticsearch {
hosts => ["10.0.0.133:9200"]
index => "system-%{+YYYY.MM.dd}"
}
}
起服务
systemctl enable logstash
systemctl start logstash
验证:登录10.0.0.133:9100,刷新,查看是否有定义的system索引
6、安装kibana
安装 rpm -ivh kibana-5.5.3-x86_64.rpm 编辑/etc/kibana/kibana.yml server.port: 5601 server.host: "0.0.0.0" elasticsearch.url: "http://10.0.0.133:9200" kibana.index: ".kibana" 起服务 systemctl start kibana systemctl enable kibana
验证:登录10.0.0.133:5601
添加索引显示图形分析
7、分析apache日志(access和error)
安装apache
yum -y install httpd
systemctl enable httpd
systemctl satrt httpd
安装logstash
yum -y install java
rpm -ivh logstash-5.5.3.rpm
编辑配置/etc/logstash/conf.d/apache_log.conf
input {
file {
path => "/etc/httpd/logs/access_log"
type => "access"
start_position => "beginning"
}
file {
path => "/etc/httpd/logs/error_log"
type => "error"
start_position => "beginning"
}
}
output {
if [type] == "access" {
elasticsearch {
hosts => ["10.0.0.133:9200"]
index => "apache_access-%{+YYYY.MM.dd}"
}
}
if [type] == "error" {
elasticsearch {
hosts => ["10.0.0.133:9200"]
index => "apache_error-%{+YYYY.MM.dd}"
}
}
}
起服务
systemctl enable logstash
systemctl start logstash
验证
