
Linux--ELK日志分析

作者:互联网

                                                    (实验准备: 1号机#node1, 2号机#node2, 3号机#apachect, ELK软件包, yum软件包; 1、2号机内存4G)

1号机#

#vim /etc/sysconfig/network-scripts/ifcfg-ens33

BOOTPROTO=static

IPADDR=192.168.1.1                                                         (ESC:wq)保存退出

#ifdown ens33;ifup ens33

#getenforce (显示为disabled)

#systemctl stop firewalld                                  (实验环境临时关闭防火墙; 非实验环境应保留防火墙, 只放行 9200/9100/5601 端口)
 

#mount /dev/cdrom /mnt

#cd /etc/yum.repos.d/

#ls     (默认将第一个备份为Centos-Base.repo.bak)

#mv Centos-Base.repo  Centos-Base.repo.bak

#vim Centos-Base.repo

【a】

  baseurl=file:///mnt

gpgcheck=0                                                (ESC:wq)保存退出    //本地光盘源关闭签名校验; 使用网络源时应保持 gpgcheck=1

#yum clean all (清除缓存)
 

2号机#

#vim /etc/sysconfig/network-scripts/ifcfg-ens33

BOOTPROTO=static

IPADDR=192.168.1.2                                                   (ESC:wq)保存退出

#ifdown ens33;ifup ens33

#getenforce (显示为disabled)

#systemctl stop firewalld
 

#mount /dev/cdrom /mnt

#cd /etc/yum.repos.d/

#ls     (默认将第一个备份为Centos-Base.repo.bak)

#mv Centos-Base.repo  Centos-Base.repo.bak

#vim Centos-Base.repo

【a】

  baseurl=file:///mnt

gpgcheck=0                                                (ESC:wq)保存退出

#yum clean all (清除缓存)

3号机#

#vim /etc/sysconfig/network-scripts/ifcfg-ens33

BOOTPROTO=static

IPADDR=192.168.1.3                                                   (ESC:wq)保存退出

#ifdown ens33;ifup ens33

#getenforce (显示为disabled)

#systemctl stop firewalld
 

#mount /dev/cdrom /mnt

#cd /etc/yum.repos.d/

#ls     (默认将第一个备份为Centos-Base.repo.bak)

#mv Centos-Base.repo  Centos-Base.repo.bak

#vim Centos-Base.repo

【a】

  baseurl=file:///mnt

gpgcheck=0                                                (ESC:wq)保存退出

#yum clean all (清除缓存)

1号机#

#hostname    node1                                          (仅当前运行生效, 重启后失效)

#bash

#vim   /etc/hosts

192.168.1.1          node1

192.168.1.2          node2                                                                        (esc:wq)

2号机#

#hostname    node2         

#bash

#vim   /etc/hosts

192.168.1.1          node1

192.168.1.2          node2                                                                        (esc:wq)

#ping   node1                     //必须通

#ping   node2                     //必须通

1号机#

#java   -version

将elk软件包复制到桌面,安装elasticsearch

#rpm   -ivh   elasticsearch-5.5.0.rpm

#systemctl daemon-reload
#systemctl enable elasticsearch

2号机#

#java   -version

将elk软件包复制到桌面,安装elasticsearch

#rpm   -ivh   elasticsearch-5.5.0.rpm

#systemctl daemon-reload
#systemctl enable elasticsearch

1号机#

#vim   /etc/elasticsearch/elasticsearch.yml

17行:cluster.name: my-elk-cluster
23行:node.name: node1
33行:path.data: /data/elk_data
37行:path.logs: /var/log/elasticsearch
43行:bootstrap.memory_lock: false
55行:network.host: 0.0.0.0                //监听所有网卡; 本文未配置任何认证, 仅适用于隔离的实验网络, 否则应只绑定内网地址(如192.168.1.1)
59行:http.port: 9200
68行:discovery.zen.ping.unicast.hosts: ["node1","node2"]
保存退出

#cd /etc/elasticsearch/

#scp  elasticsearch.yml    root@node2:/etc/elasticsearch/

password: 123456                          //node2 的 root 密码(示例值)

2号机#

#vim /etc/elasticsearch/elasticsearch.yml

23行:node.name: node2                                         (esc:wq)

1号机#

#cd

#mkdir -p /data/elk_data
#chown elasticsearch:elasticsearch /data/elk_data

#systemctl start elasticsearch 

#netstat -anput | grep 9200

2号机#

#mkdir -p /data/elk_data
#chown elasticsearch:elasticsearch /data/elk_data

#systemctl start elasticsearch 

#netstat -anput | grep 9200

1号机# 

在浏览页查看群集状态
http://192.168.1.1:9200
http://192.168.1.1:9200/_cluster/health?pretty                  //查看集群健康状态, status 为 green 表示健康
http://192.168.1.1:9200/_cluster/state?pretty                 //查看群集状态 

#复制elk软件包内容到/usr/src

#cd /usr/src
#tar xf node-v8.2.1.tar.gz
#cd /usr/src/node-v8.2.1
#./configure && make && make install

#cd /usr/src
#tar xf phantomjs-2.1.1-linux-x86_64.tar.bz2
#cd phantomjs-2.1.1-linux-x86_64/bin
#cp phantomjs /usr/local/bin

#cd /usr/src
#tar xf elasticsearch-head.tar.gz
#cd elasticsearch-head
#npm install

修改elasticsearch主配置文件
#vim /etc/elasticsearch/elasticsearch.yml
添加:
http.cors.enabled: true
http.cors.allow-origin: "*"               //允许任意来源跨域访问; 实验外应限定为 head 页面的来源, 如 "http://192.168.1.1:9100"
保存退出

#systemctl restart elasticsearch

启动head服务
#cd /usr/src/elasticsearch-head
#npm run start &

#netstat -anput | grep 9100

#netstat -anput | grep 9200

在浏览页查看群集状态
http://192.168.1.1:9100                     (出现node1,node2)

#cd 

#添加索引
#curl -XPUT 'localhost:9200/index-demo/test/1?pretty&pretty' -H 'Content-Type: application/json' -d '{"user":"zhangsan","mesg":"hello world"}'

刷新浏览页查看群集状态
http://192.168.1.1:9100                     (出现node1,node2)

#rpm  -ivh logstash-5.5.1.rpm

#systemctl start logstash
#ln -s /usr/share/logstash/bin/logstash /usr/local/bin/
#logstash -e 'input { stdin{} } output { stdout{} }'
#logstash -e 'input { stdin{} } output { stdout{ codec=>rubydebug } }'
#logstash -e 'input { stdin{} } output { elasticsearch { hosts=>["192.168.1.1:9200"] } }'
#chmod o+r /var/log/messages              //使系统日志对所有用户可读; 更严格的做法是只授权 logstash 用户, 如 setfacl -m u:logstash:r /var/log/messages
#vim  /etc/logstash/conf.d/system.conf
添加:
input {
        # Read the system log, tagging each event with type "system";
        # start_position => "beginning" makes existing content get read
        # rather than only new lines (presumably only on the first run).
        file {
                path => "/var/log/messages"
                type => "system"
                start_position => "beginning"
        }
}
output {
        # Send to the node1 Elasticsearch endpoint; the index name carries
        # the event date, so one index is created per day.
        elasticsearch {
                hosts => ["192.168.1.1:9200"]
                index => "system-%{+YYYY.MM.dd}"
        }
}
保存退出    
#systemctl restart logstash

刷新浏览页查看群集状态
http://192.168.1.1:9100                     (出现node1,node2)

#cd /usr/local/src/

#rpm -ivh  kibana-5.5.1-x86_64.rpm

#systemctl enable kibana

#vim /etc/kibana/kibana.yml
修改:
2行:server.port: 5601
7行:server.host: "0.0.0.0"                //监听所有网卡; 本文未配置认证, 仅限实验网络
21行:elasticsearch.url: "http://192.168.1.1:9200"
30行:kibana.index: ".kibana"
保存退出
#systemctl start kibana

刷新浏览页查看群集状态
http://192.168.1.1:5601                    

3号机#

安装httpd,并启动
#yum -y install httpd
#systemctl start httpd

#java -version
复制elk软件包里的logstash到/usr/src,安装
#cd /usr/src
#rpm -ivh logstash-5.5.1.rpm 
#systemctl daemon-reload
#systemctl enable logstash

#cd /etc/logstash/conf.d/

#touch apache_log.conf

#vim apache_log.conf

添加:
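input {
        # Apache access and error logs on this host; the type field set here
        # selects the destination index in the output section below.
        file {
                path => "/etc/httpd/logs/access_log"
                type => "access"
                start_position => "beginning"
        }
        file {
                path => "/etc/httpd/logs/error_log"
                type => "error"
                start_position => "beginning"
        }
}
output {
        # One daily index per log type on the node1 Elasticsearch endpoint.
        if [type] == "access" {
                elasticsearch {
                        hosts => ["192.168.1.1:9200"]
                        index => "apache_access-%{+YYYY.MM.dd}"
                }
        }
        if [type] == "error" {
                elasticsearch {
                        hosts => ["192.168.1.1:9200"]
                        # Fixed: the error branch previously reused the
                        # "apache_access-..." name, so error events were
                        # written into the access index.
                        index => "apache_error-%{+YYYY.MM.dd}"
                }
        }
}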

保存退出

#/usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/apache_log.conf 

1号机#

刷新浏览页查看群集状态
http://192.168.1.1:9200  

http://192.168.1.1:5601

 

 

 

 

 


标签:ELK,1.1,192.168,etc,systemctl,elasticsearch,Linux,日志,号机
来源: https://blog.csdn.net/weixin_45986422/article/details/104141653