ELK setup
All ELK components use version 5.0.

1. ELK depends on a Java environment, so install the JDK first. Note that ELK 5.0 requires JDK 1.8 or later.
2. Install Elasticsearch
yum -y install elasticsearch-5.0.1.rpm
mkdir -pv /elk/{data,logs} // create the directories for ES data and logs
chown -R elasticsearch.elasticsearch /elk/* // set owner and group
Edit the ES configuration file:
vim /etc/elasticsearch/elasticsearch.yml
cluster.name: my-application
node.name: node-1
path.data: /elk/data
path.logs: /elk/logs
network.host: 0.0.0.0
http.port: 9200
Caveat: network.host: 0.0.0.0 binds every interface, and Elasticsearch 5.0 without X-Pack has no authentication at all, so anyone who can reach 9200 can read, write or delete every index. Outside a throwaway lab, bind to an internal address (or 127.0.0.1 when Kibana and Logstash run on the same host) and firewall 9200/9300. Binding to anything other than loopback also switches on the bootstrap checks handled in the next two steps.
Raise the process limit
vim /etc/security/limits.d/90-nproc.conf
Change the value on the * line (soft nproc) to 2048. Elasticsearch 5.x enforces this minimum as one of its bootstrap checks once network.host is not a loopback address; if it still refuses to start, the log under /elk/logs names the check that failed.
Adjust the JVM heap
vim /etc/elasticsearch/jvm.options
-Xms512m
-Xmx512m
Size these to the memory actually available, keeping -Xms and -Xmx equal and no larger than half of physical RAM. Then start Elasticsearch and check that ports 9200 (HTTP) and 9300 (transport) are listening.
[Screenshot: https://s1.运维网.com/wyfs02/M00/8F/61/wKioL1jcsYyiRdrHAAAsFzGsM9o977.png-wh_500x0-wm_3-wmp_4-s_330089564.png]
3. Install Kibana
# yum -y install kibana-5.0.1-x86_64.rpm
Edit the Kibana configuration file:
# vim /etc/kibana/kibana.yml
server.port: 5601
server.host: "0.0.0.0"
elasticsearch.url: "http://localhost:9200"
kibana.index: ".kibana"
Start Kibana and check that port 5601 is listening. The same exposure caveat applies here: Kibana 5.0 has no login of its own, so a 0.0.0.0 bind hands the Elasticsearch data to anyone who can reach 5601. Restrict server.host or put Kibana behind a reverse proxy that authenticates.
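Before exposing either service it is worth checking the bind settings mechanically rather than by eye. The following Python audit is an added example for this write-up, not code from the page or from Elastic. It parses the flat key: value layout of the elasticsearch.yml and kibana.yml shown above (a few lines of parsing, so PyYAML is not required; nested YAML is out of scope), flags a network.host or server.host that is not loopback, and uses the page's own settings as constructed input next to a loopback-bound variant. Treating every non-loopback address as exposed is a deliberate choice for this single-host setup.

```python
"""Audit the Elasticsearch 5.x and Kibana 5.x settings shown above for network
exposure.  Added example for this write-up, not code from the page or from
Elastic.  Assumption: the flat `key: value` layout used above (no nesting),
so a few lines of parsing replace PyYAML."""
import ipaddress

# Constructed inputs: the page's own settings, and a loopback-bound variant.
ES_YML_PAGE = """
cluster.name: my-application
node.name: node-1
path.data: /elk/data
path.logs: /elk/logs
network.host: 0.0.0.0
http.port: 9200
"""
KIBANA_YML_PAGE = """
server.port: 5601
server.host: "0.0.0.0"
elasticsearch.url: "http://localhost:9200"
kibana.index: ".kibana"
"""
ES_YML_LOCAL = ES_YML_PAGE.replace("0.0.0.0", "127.0.0.1")
KIBANA_YML_LOCAL = KIBANA_YML_PAGE.replace("0.0.0.0", "127.0.0.1")


def parse_flat_yaml(text):
    """Return {key: value} for top-level `key: value` lines.  Comments and
    blank lines are skipped and surrounding quotes are stripped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip('"').strip("'")
    return settings


def is_loopback(host):
    """True when a bind address stays on the local host: 127.x, ::1,
    'localhost', or Elasticsearch's _local_ placeholder.  Hostnames and other
    placeholders such as _site_ are treated as exposed."""
    if host in ("localhost", "_local_"):
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def audit(es_yml, kibana_yml):
    """Return a list of findings; an empty list means nothing is exposed."""
    es = parse_flat_yaml(es_yml)
    kb = parse_flat_yaml(kibana_yml)
    findings = []

    es_host = es.get("network.host", "_local_")  # ES 5 default is loopback
    if not is_loopback(es_host):
        findings.append(
            "elasticsearch.yml: network.host=%s is not loopback; ES 5.x without "
            "X-Pack has no authentication, so %s/tcp (HTTP) and 9300/tcp "
            "(transport) are open to anyone who can reach them"
            % (es_host, es.get("http.port", "9200")))

    kb_host = kb.get("server.host", "localhost")  # Kibana 5 default
    if not is_loopback(kb_host):
        findings.append(
            "kibana.yml: server.host=%s exposes %s/tcp; Kibana 5.x has no "
            "login, so front it with an authenticating reverse proxy"
            % (kb_host, kb.get("server.port", "5601")))

    es_url = kb.get("elasticsearch.url", "")
    if es_url.startswith("http://") and not any(
            h in es_url for h in ("localhost", "127.0.0.1")):
        findings.append(
            "kibana.yml: elasticsearch.url=%s talks plaintext HTTP to a remote "
            "Elasticsearch" % es_url)
    return findings


if __name__ == "__main__":
    for name, es_text, kb_text in (("page", ES_YML_PAGE, KIBANA_YML_PAGE),
                                   ("loopback", ES_YML_LOCAL, KIBANA_YML_LOCAL)):
        print(name, audit(es_text, kb_text) or ["no exposure found"])
```

Run against the settings from this page it reports two findings (Elasticsearch and Kibana both on 0.0.0.0); the loopback variant reports none.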
4. Install Logstash
# yum -y install logstash-5.0.1.rpm
Write a first test pipeline:
# cat /etc/logstash/conf.d/test.conf
input {
  stdin {}
}
output {
  stdout {
    codec => "rubydebug"
  }
}
Test it:
# /usr/share/logstash/bin/logstash -t -f /etc/logstash/conf.d/test.conf
-t: validate the configuration file and exit without starting the pipeline
-f: the configuration file to load
WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults
Could not find log4j2 configuration at path /usr/share/logstash/config/log4j2.properties. Using default config which logs to console
Configuration OK
14:08:51.310 INFO  logstash.runner - Using config.test_and_exit mode. Config Validation Result: OK. Exiting Logstash
The two warnings appear because Logstash looks for its settings under /usr/share/logstash/config, which the RPM does not create (logstash.yml and log4j2.properties live in /etc/logstash).
Fix: point it there with a symlink (or pass --path.settings /etc/logstash on every invocation)
# ln -sv /etc/logstash /usr/share/logstash/config
[Screenshot: https://s1.运维网.com/wyfs02/M02/8F/64/wKiom1jctbXy25nNAABJlGNlS5c751.png-wh_500x0-wm_3-wmp_4-s_3982408019.png]
Now change the pipeline so that it reads from Redis and writes to Elasticsearch:
# cat /etc/logstash/conf.d/test.conf
input {
  redis {
    host => "192.168.0.224"
    port => 6379
    key => "syslog"
    type => "message1"
    data_type => "list"
  }
}
output {
  stdout {
    codec => "rubydebug"
  }
  elasticsearch {
    hosts => ["localhost:9200"]
  }
}

5. Compile and install Redis
Install gcc first
# yum -y install gcc
# tar xf redis-3.0.7.tar.gz -C /app/tools/
# cd /app/tools/redis-3.0.7/
# make
Start redis-server
# /app/tools/redis-3.0.7/src/redis-server &
Check that port 6379 is listening.
Caveat: started like this, with no redis.conf, Redis 3.0.7 listens on every interface with no password (protected mode only arrived in Redis 3.2), so any host that can reach 6379 can read or drain the log queue or write arbitrary keys. For anything beyond a lab, start it with a config that sets bind to an internal address and requirepass, and pass the same password as password: in Filebeat's output.redis section and password => in the Logstash redis input.

6. Install Filebeat
# yum -y install filebeat-5.0.1-x86_64.rpm
# vim /etc/filebeat/filebeat.yml
paths:
  #- /var/log/*.log
  - /var/log/messages
output.redis:
  hosts: ["192.168.0.224"]   # Redis address
  port: 6379                 # Redis port
  key: "syslog"              # Redis list key; must match key => "syslog" in the Logstash redis input

7. Test
# service filebeat start
Open redis-cli and check that events are being pushed onto the list
# /app/tools/redis-3.0.7/src/redis-cli
127.0.0.1:6379> llen syslog
(integer) 1255
Start Logstash
# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/test.conf
If the pipeline configuration has a problem, look at the Logstash log
# tail /var/log/logstash/logstash-plain.log
Once the configuration is correct, the syslog list in Redis drains as Logstash consumes it
# /app/tools/redis-3.0.7/src/redis-cli
127.0.0.1:6379> llen syslog
(integer) 0
127.0.0.1:6379>
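To see what actually travels through that chain, the following Python script is an added example for this write-up, not Filebeat, Logstash or Elastic code. It builds Filebeat 5.x-style events for a few constructed /var/log/messages lines, pushes them onto an in-memory stand-in for the Redis syslog list (RPUSH on the Filebeat side, LPOP on the Logstash side, which is what data_type => "list" does), tags them with the type from the redis input, parses the syslog header with a regex standing in for a grok filter that the page's pipeline does not yet have, and assembles the _bulk body the elasticsearch output would send. The event field names and the _grokparsefailure tag follow Filebeat 5.x and Logstash conventions but are assumptions here, not taken from the page.

```python
"""Walk /var/log/messages lines through the Filebeat -> Redis -> Logstash ->
Elasticsearch path configured above, offline.  Added example for this
write-up, not Elastic's code.  Assumptions: Filebeat 5.x event layout, an
in-memory list standing in for the Redis `syslog` key, and a regex standing in
for a syslog grok filter the page's pipeline does not have."""
import json
import re
from collections import deque
from datetime import datetime, timezone

# Constructed sample lines in the rsyslog format found in /var/log/messages.
SAMPLE_LINES = [
    "Mar 29 14:08:51 node-1 sshd[2134]: Accepted publickey for root from 192.168.0.10 port 50122 ssh2",
    "Mar 29 14:08:52 node-1 systemd: Started Session 12 of user root.",
    "garbage line that is not syslog at all",
]

# Equivalent of grok's SYSLOGLINE header: timestamp, host, program[pid]: msg
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<program>[^\[:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$")


def filebeat_event(line, source="/var/log/messages", hostname="node-1", offset=0):
    """Shape of the JSON document Filebeat 5.x pushes per line (assumed)."""
    return {
        "@timestamp": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z"),
        "beat": {"hostname": hostname, "name": hostname, "version": "5.0.1"},
        "input_type": "log",
        "source": source,
        "offset": offset,
        "type": "log",
        "message": line,
    }


class RedisListStandIn:
    """Minimal in-memory stand-in for the Redis list both ends share."""
    def __init__(self):
        self.lists = {}

    def rpush(self, key, value):
        self.lists.setdefault(key, deque()).append(value)
        return len(self.lists[key])

    def lpop(self, key):
        q = self.lists.get(key)
        return q.popleft() if q else None

    def llen(self, key):
        return len(self.lists.get(key, ()))


def ship(redis, key, lines):
    """Filebeat side: serialise each event and RPUSH it onto `key`."""
    for offset, line in enumerate(lines):
        redis.rpush(key, json.dumps(filebeat_event(line, offset=offset)))
    return redis.llen(key)


def logstash_consume(redis, key, type_tag="message1"):
    """Logstash side: pop until the list is empty, set the input's type,
    parse the syslog header, and tag lines that do not parse the way a
    failed grok does."""
    docs = []
    while True:
        raw = redis.lpop(key)
        if raw is None:
            break
        event = json.loads(raw)
        event["type"] = type_tag
        m = SYSLOG_RE.match(event["message"])
        if m:
            event.update({k: v for k, v in m.groupdict().items() if v is not None})
            if "pid" in event:
                event["pid"] = int(event["pid"])
        else:
            event["tags"] = ["_grokparsefailure"]
        docs.append(event)
    return docs


def bulk_body(docs, index="logstash-test"):
    """NDJSON body for the _bulk API: one action line plus one document line
    per event, with the event's type used as the document type (Logstash 5 default)."""
    lines = []
    for d in docs:
        lines.append(json.dumps({"index": {"_index": index, "_type": d["type"]}}))
        lines.append(json.dumps(d))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    store = RedisListStandIn()
    print("queued:", ship(store, "syslog", SAMPLE_LINES))
    indexed = logstash_consume(store, "syslog")
    print("left in redis:", store.llen("syslog"))
    print(bulk_body(indexed))
```

Running it shows the list draining to 0 just as llen syslog did above, and the third, non-syslog line reaching the bulk body with a _grokparsefailure tag, which is the thing to watch for once a real grok filter is added to the pipeline.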
[Screenshot: https://s5.运维网.com/wyfs02/M01/8F/64/wKiom1jcvUqyZa17AAFbywCCeFs696.png-wh_500x0-wm_3-wmp_4-s_3579001558.png]
[Screenshot: https://s2.运维网.com/wyfs02/M01/8F/64/wKiom1jcvd7xJXUMAAEvLkHXJRg257.png-wh_500x0-wm_3-wmp_4-s_758095090.png]
With that, the ELK + Redis + Filebeat setup is complete.