
ELK日誌分析平臺部署實錄


[root@king01 ~]# rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch

[root@king01 ~]# vim /etc/yum.repos.d/elasticsearch.repo

[elasticsearch-5.x]

name=Elasticsearch repository for 5.x packages

baseurl=https://artifacts.elastic.co/packages/5.x/yum

# Signature checking against the key imported with `rpm --import` above; keep this at 1
# so yum rejects any package whose signature does not verify.
gpgcheck=1

gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch

enabled=1

autorefresh=1

type=rpm-md


[root@king01 ~]# cd /usr/local/src

[root@king01 src]# tar zxvf jdk-8u161-linux-x64.tar.gz

[root@king01 src]# mv jdk1.8.0_161 /usr/local


[root@king01 src]# vi /etc/profile

# JDK environment appended to /etc/profile, so it applies system-wide.
export JAVA_HOME=/usr/local/jdk1.8.0_161
export JAVA_BIN="$JAVA_HOME/bin"
# Appended, not prepended, so the JDK does not shadow tools already on PATH.
export PATH="$PATH:$JAVA_BIN"
export CLASSPATH="$JAVA_HOME/lib/dt.jar:$JAVA_HOME/lib/tools.jar"
# NOTE(review): this replaces any LD_LIBRARY_PATH already set instead of appending to it,
# and is unrelated to the JDK (presumably for APR) — confirm it belongs here.
export LD_LIBRARY_PATH=/usr/local/apr/lib


[root@king01 ~]# java -version

java version "1.8.0_161"

Java(TM) SE Runtime Environment (build 1.8.0_161-b12)

Java HotSpot(TM) 64-Bit Server VM (build 25.161-b12, mixed mode)


[root@king01 ~]# yum install -y elasticsearch

[root@king01 ~]# mkdir /usr/local/es-data

[root@king01 ~]# chown -R elasticsearch:elasticsearch /usr/local/es-data

[root@king01 ~]# mkdir -p /var/log/elasticsearch/

[root@king01 ~]# chown -R elasticsearch:elasticsearch /var/log/elasticsearch/


[root@king01 ~]# vim /etc/elasticsearch/elasticsearch.yml

cluster.name: elk-cluster

node.name: king01

# Data directory created and chown'd to the elasticsearch user above.
path.data: /usr/local/es-data

path.logs: /var/log/elasticsearch/

# Heap locking only succeeds once the memlock limits in limits.conf below are unlimited.
bootstrap.memory_lock: true

# Turns off Elasticsearch's system call filter (seccomp on Linux), one of its hardening
# layers. NOTE(review): keep this false only where the kernel genuinely lacks support;
# otherwise re-enable it.
bootstrap.system_call_filter: false

# Binds the node to its LAN address, so the HTTP API on 9200 is reachable from other hosts.
# Nothing in this file configures authentication or TLS; restrict access with a firewall or
# an authenticating proxy rather than relying on the bind address alone.
network.host: 192.168.1.201

http.port: 9200

# Single-node cluster: only this host is listed for discovery.
discovery.zen.ping.unicast.hosts: ["king01"]

# CORS with allow-origin "*" lets a web page from any origin call this API from a browser
# that can reach the host; given the unauthenticated bind above, restrict it to the origin
# that actually needs it instead of the wildcard.
http.cors.enabled: true

http.cors.allow-origin: "*"


[root@king01 ~]# vi /etc/security/limits.conf

# Limits raised for Elasticsearch; the "*" domain applies them to every account on the host.
# NOTE(review): scoping these lines to the elasticsearch user instead of "*" avoids handing
# unlimited memlock to every other account.
* soft nofile 65536

* hard nofile 131072

* soft nproc 2048

* hard nproc 4096

# Unlimited memlock is what lets bootstrap.memory_lock: true (elasticsearch.yml above) succeed.
* soft memlock unlimited

* hard memlock unlimited


[root@king01 ~]# vim /etc/security/limits.d/90-nproc.conf

# Distro drop-in read after limits.conf, so this is the nproc value that wins for
# non-root users — verify the effective value with `ulimit -u` as the elasticsearch user.
* soft nproc 2048

root soft nproc unlimited


[root@king01 ~]# /etc/init.d/elasticsearch start

[root@king01 ~]# /etc/init.d/elasticsearch status

elasticsearch (pid 18338) is running...


[root@king01 ~]# cat /var/log/elasticsearch/elk-cluster.log

[root@king01 ~]# curl http://192.168.1.201:9200/

{

"name" : "king01",

"cluster_name" : "elk-cluster",

"cluster_uuid" : "oGuBJsi3SZyYnCT4PvuNgA",

"version" : {

"number" : "5.6.8",

"build_hash" : "688ecce",

"build_date" : "2018-02-16T16:46:30.010Z",

"build_snapshot" : false,

"lucene_version" : "6.6.1"

},

"tagline" : "You Know, for Search"

}


[root@king01 ~]# yum install -y logstash

[root@king01 ~]# ln -s /usr/share/logstash/bin/logstash /bin/

[root@king01 ~]# mkdir -p /usr/share/logstash/config/

[root@king01 ~]# chown -R logstash:logstash /usr/share/logstash/config/

[root@king01 ~]# ln -s /etc/logstash/* /usr/share/logstash/config

[root@king01 ~]# vim /etc/logstash/conf.d/elk.conf

input {

# The syslog input on 514 listens on both TCP and UDP on every address (see the netstat
# output below) and nothing here restricts who may send, so any host that can reach the
# port can write entries into the syslog-* index. NOTE(review): bind it with `host =>`
# and/or firewall the port to the forwarding hosts. 514 is a privileged port, which is
# why logstash is started as root below.
syslog {

port => "514"

}

}

output {

elasticsearch {

# Plain http to the node; no credentials or TLS are configured in this file.
hosts => ["192.168.1.201:9200"]

# One index per day, named from the event timestamp.
index => "syslog-%{+YYYY.MM.dd}"

}

}


[root@king01 ~]# logstash -f /etc/logstash/conf.d/elk.conf&

[root@king01 ~]# cat /var/log/logstash/logstash-plain.log


[root@king01 ~]# netstat -tunlp | grep 514

tcp 0 0 :::514 :::* LISTEN 18713/java

udp 0 0 :::514 :::* 18713/java



[root@king01 ~]# yum install -y kibana

[root@king01 ~]# vim /etc/kibana/kibana.yml

server.port: 5601

# "0.0.0.0" listens on every interface, and this file sets no authentication or TLS, so
# anyone who can reach 5601 effectively gets the access to the cluster that Kibana has.
# NOTE(review): bind to an internal address or front it with an authenticating reverse proxy.
server.host: "0.0.0.0"

# Plain http to the node configured in elasticsearch.yml above.
elasticsearch.url: "http://192.168.1.201:9200"


[root@king01 ~]# /etc/init.d/kibana start

kibana started

[root@king01 ~]# /etc/init.d/kibana status

kibana is running

[root@king01 ~]# netstat -tunlp | grep 5601


[root@king02 ~]# vi /etc/rsyslog.conf

# Forward every facility/priority to the Logstash syslog input. A single "@" is UDP
# (matching the udp 514 listener shown above): unencrypted and unacknowledged, so entries
# can be lost or spoofed in transit; "@@" selects TCP when delivery matters.
*.* @192.168.1.201:514


[root@king02 ~]# vi /etc/bashrc

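# Log each interactive command (taken from `history 1`) through logger, so it rides the
# rsyslog forward configured above. The command text is user-typed, so treat these entries
# as untrusted input downstream, and a user can simply unset PROMPT_COMMAND in their own
# shell — this is an aid, not a tamper-resistant audit trail.
# `read -r` keeps backslashes; every expansion is quoted so commands or paths containing
# spaces, globs or a leading "-" are logged verbatim instead of being split or expanded.
export PROMPT_COMMAND='{ msg=$(history 1 | { read -r x y; printf "%s" "$y"; }); logger "[euid=$(whoami)]:$(who am i):[$(pwd)]$msg"; }'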


[root@king02 ~]# service rsyslog restart








