3.5 Install Kibana

```
[root@elk elk]# yum localinstall kibana-4.5.1-1.x86_64.rpm -y
[root@elk elk]# systemctl enable kibana
Created symlink from /etc/systemd/system/multi-user.target.wants/kibana.service to /usr/lib/systemd/system/kibana.service.
[root@elk elk]# systemctl start kibana
[root@elk elk]# systemctl status kibana
● kibana.service - no description given
   Loaded: loaded (/usr/lib/systemd/system/kibana.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2016-05-20 15:49:02 CST; 20s ago
 Main PID: 11260 (node)
   CGroup: /system.slice/kibana.service
           └─11260 /opt/kibana/bin/../node/bin/node /opt/kibana/bin/../src/cli

May 20 15:49:05 elk.test.com kibana[11260]: {"type":"log","@timestamp":"2016-05-20T07:49:05+00:00","tags":["status","plugin:elasticsearch...
May 20 15:49:05 elk.test.com kibana[11260]: {"type":"log","@timestamp":"2016-05-20T07:49:05+00:00","tags":["status","plugin:kbn_vi...lized"}
May 20 15:49:05 elk.test.com kibana[11260]: {"type":"log","@timestamp":"2016-05-20T07:49:05+00:00","tags":["status","plugin:markdo...lized"}
May 20 15:49:05 elk.test.com kibana[11260]: {"type":"log","@timestamp":"2016-05-20T07:49:05+00:00","tags":["status","plugin:metric...lized"}
May 20 15:49:05 elk.test.com kibana[11260]: {"type":"log","@timestamp":"2016-05-20T07:49:05+00:00","tags":["status","plugin:spyMod...lized"}
May 20 15:49:05 elk.test.com kibana[11260]: {"type":"log","@timestamp":"2016-05-20T07:49:05+00:00","tags":["status","plugin:status...lized"}
May 20 15:49:05 elk.test.com kibana[11260]: {"type":"log","@timestamp":"2016-05-20T07:49:05+00:00","tags":["status","plugin:table_...lized"}
May 20 15:49:05 elk.test.com kibana[11260]: {"type":"log","@timestamp":"2016-05-20T07:49:05+00:00","tags":["listening","info"],"pi...:5601"}
May 20 15:49:10 elk.test.com kibana[11260]: {"type":"log","@timestamp":"2016-05-20T07:49:10+00:00","tags":["status","plugin:elasticsearch...
May 20 15:49:14 elk.test.com kibana[11260]: {"type":"log","@timestamp":"2016-05-20T07:49:14+00:00","tags":["status","plugin:elasti...found"}
Hint: Some lines were ellipsized, use -l to show in full.
```

Check that the Kibana service is running (Kibana's default process name is node, and its port is 5601):

```
[root@elk elk]# netstat -nltp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      909/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1595/master
tcp        0      0 0.0.0.0:5601            0.0.0.0:*               LISTEN      11260/node
```

Modify the firewall to open tcp/5601 externally:

```
[root@elk elk]# firewall-cmd --permanent --add-port=5601/tcp
Success
[root@elk elk]# firewall-cmd --reload
success
[root@elk elk]# firewall-cmd --list-all
public (default, active)
  interfaces: eno16777984 eno33557248
  sources:
  services: dhcpv6-client ssh
  ports: 9200/tcp 9300/tcp 5601/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
```

Now open a browser and test access to the Kibana server at http://192.168.30.67:5601/ to confirm everything works (the screenshot is not included in this copy of the page).

Here we can also modify the firewall so that user connections to port 80 are forwarded to 5601, which lets users type the address without specifying a port:

```
[root@elk elk]# firewall-cmd --permanent --add-forward-port=port=80:proto=tcp:toport=5601
[root@elk elk]# firewall-cmd --reload
[root@elk elk]# firewall-cmd --list-all
public (default, active)
  interfaces: eno16777984 eno33557248
  sources:
  services: dhcpv6-client ssh
  ports: 9200/tcp 9300/tcp 5601/tcp
  masquerade: no
  forward-ports: port=80:proto=tcp:toport=5601:toaddr=
  icmp-blocks:
  rich rules:
```

3.6 Install Logstash and add its configuration file

```
[root@elk elk]# yum localinstall logstash-2.3.2-1.noarch.rpm -y
```

Generate the certificate:

```
[root@elk elk]# cd /etc/pki/tls/
[root@elk tls]# ls
cert.pem  certs  misc  openssl.cnf  private
[root@elk tls]# openssl req -subj '/CN=elk.test.com/' -x509 -days 3650 -batch -nodes -newkey rsa:2048 -keyout private/logstash-forwarder.key -out certs/logstash-forwarder.crt
Generating a 2048 bit RSA private key
...................................................................+++
......................................................+++
writing new private key to 'private/logstash-forwarder.key'
-----
```

Then create the Logstash configuration file, as follows:

[View Code] (collapsed block; the file contents were not captured in this copy of the page)

Start Logstash and check the port. In the configuration file we used port 5000:

```
[root@elk conf.d]# systemctl start logstash
[root@elk elk]# /sbin/chkconfig logstash on
[root@elk conf.d]# netstat -ntlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      909/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1595/master
tcp        0      0 0.0.0.0:5601            0.0.0.0:*               LISTEN      11260/node
tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN      618/rsyslogd
tcp6       0      0 :::5000                 :::*                    LISTEN      12819/java
tcp6       0      0 :::3306                 :::*                    LISTEN      1270/mysqld
tcp6       0      0 127.0.0.1:9200          :::*                    LISTEN      10430/java
tcp6       0      0 ::1:9200                :::*                    LISTEN      10430/java
tcp6       0      0 127.0.0.1:9300          :::*                    LISTEN      10430/java
tcp6       0      0 ::1:9300                :::*                    LISTEN      10430/java
tcp6       0      0 :::22                   :::*                    LISTEN      909/sshd
tcp6       0      0 ::1:25                  :::*                    LISTEN      1595/master
tcp6       0      0 :::514                  :::*                    LISTEN      618/rsyslogd
```

Modify the firewall to open port 5000 externally:

```
[root@elk ~]# firewall-cmd --permanent --add-port=5000/tcp
success
[root@elk ~]# firewall-cmd --reload
success
[root@elk ~]# firewall-cmd --list-all
public (default, active)
  interfaces: eno16777984 eno33557248
  sources:
  services: dhcpv6-client ssh
  ports: 9200/tcp 9300/tcp 5000/tcp 5601/tcp
  masquerade: no
  forward-ports: port=80:proto=tcp:toport=5601:toaddr=
  icmp-blocks:
  rich rules:
```

3.7 Modify the Elasticsearch configuration file

Look at the directory and create the folder es-01 (the name is not mandatory). logging.yml ships with the package; elasticsearch.yml is the file we create, with the contents shown below:

```
[root@elk ~]# cd /etc/elasticsearch/
[root@elk elasticsearch]# tree .
.
├── es-01
│   ├── elasticsearch.yml
│   └── logging.yml
└── scripts
[root@elk elasticsearch]# cat es-01/elasticsearch.yml
---
http:
  port: 9200
network:
  host: elk.test.com
node:
  name: elk.test.com
path:
  data: /etc/elasticsearch/data/es-01
```

3.8 Restart the elasticsearch and logstash services.

3.9 Copy the Filebeat package to the rsyslog and nginx clients

```
[root@elk elk]# scp filebeat-1.2.3-x86_64.rpm root@rsyslog.test.com:/root/elk
[root@elk elk]# scp filebeat-1.2.3-x86_64.rpm root@nginx.test.com:/root/elk
[root@elk elk]# scp /etc/pki/tls/certs/logstash-forwarder.crt rsyslog.test.com:/root/elk
[root@elk elk]# scp /etc/pki/tls/certs/logstash-forwarder.crt nginx.test.com:/root/elk
```

4. Deploying Filebeat on the clients

The Filebeat client is a lightweight tool that collects log data from files on a server and forwards it to a Logstash server for processing. The Filebeat client talks to the Logstash instance over the secure Beats protocol; the lumberjack protocol was designed for reliability and low latency. Filebeat uses the compute resources of the machine that hosts the source data, and the Beats input plugin keeps the resource demands on Logstash to a minimum.

4.1 (node1) Install Filebeat, copy the certificate, and create the log-collection configuration files

```
[root@rsyslog elk]# yum localinstall filebeat-1.2.3-x86_64.rpm -y
# copy the certificate into the designated directory on this host
[root@rsyslog elk]# cp logstash-forwarder.crt /etc/pki/tls/certs/.
[root@rsyslog elk]# cd /etc/filebeat/
[root@rsyslog filebeat]# tree .
.
├── conf.d
│   ├── authlogs.yml
│   └── syslogs.yml
├── filebeat.template.json
└── filebeat.yml

1 directory, 4 files
```

Three files are modified: filebeat.yml defines the connection to the Logstash server, and the two configuration files under conf.d define the custom logs to monitor. Their contents are as follows:

filebeat.yml
[View Code] (collapsed block; contents not captured in this copy of the page)

authlogs.yml & syslogs.yml
[View Code] (collapsed block; contents not captured in this copy of the page)

After editing, start the filebeat service:

```
[root@rsyslog filebeat]# service filebeat start
Starting filebeat:                                         [  OK  ]
[root@rsyslog filebeat]# chkconfig filebeat on
[root@rsyslog filebeat]# netstat -altp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 localhost:25151             *:*                         LISTEN      6230/python2
tcp        0      0 *:ssh                       *:*                         LISTEN      5509/sshd
tcp        0      0 localhost:ipp               *:*                         LISTEN      1053/cupsd
tcp        0      0 localhost:smtp              *:*                         LISTEN      1188/master
tcp        0      0 rsyslog.test.com:51155      elk.test.com:commplex-main  ESTABLISHED 7443/filebeat
tcp        0     52 rsyslog.test.com:ssh        192.168.30.65:10580         ESTABLISHED 7164/sshd
tcp        0      0 *:ssh                       *:*                         LISTEN      5509/sshd
tcp        0      0 localhost:ipp               *:*                         LISTEN      1053/cupsd
tcp        0      0 localhost:smtp              *:*                         LISTEN      1188/master
```

If it cannot connect or the state looks wrong, check the client's firewall.

4.2 (node2) Install Filebeat, copy the certificate, and create the log-collection configuration files

```
[root@nginx elk]# yum localinstall filebeat-1.2.3-x86_64.rpm -y
[root@nginx elk]# cp logstash-forwarder.crt /etc/pki/tls/certs/.
[root@nginx elk]# cd /etc/filebeat/
[root@nginx filebeat]# tree .
.
├── conf.d
│   ├── nginx.yml
│   └── syslogs.yml
├── filebeat.template.json
└── filebeat.yml

1 directory, 4 files
```

Modify filebeat.yml as follows:

[View Code] (collapsed block; contents not captured in this copy of the page)

syslogs.yml & nginx.yml
[View Code] (collapsed block; contents not captured in this copy of the page)

After editing, start the filebeat service and check the filebeat process:

```
[root@nginx filebeat]# service filebeat start
Starting filebeat:                                         [  OK  ]
[root@nginx filebeat]# chkconfig filebeat on
[root@nginx filebeat]# netstat -aulpt
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 *:ssh                       *:*                         LISTEN      1076/sshd
tcp        0      0 localhost:smtp              *:*                         LISTEN      1155/master
tcp        0      0 *:http                      *:*                         LISTEN      1446/nginx
tcp        0     52 nginx.test.com:ssh          192.168.30.65:11690         ESTABLISHED 1313/sshd
tcp        0      0 nginx.test.com:49500        elk.test.com:commplex-main  ESTABLISHED 1515/filebeat
tcp        0      0 nginx.test.com:ssh          192.168.30.65:6215          ESTABLISHED 1196/sshd
tcp        0      0 nginx.test.com:ssh          192.168.30.65:6216          ESTABLISHED 1200/sshd
tcp        0      0 *:ssh                       *:*                         LISTEN      1076/sshd
```

The output above shows that the client's filebeat process is already connected to the elk server. Next we verify the result.

5. Verification

Visit Kibana at http://192.168.30.67 and look at the system logs of the two machines: node1's logs, and node2's nginx access log (the screenshots are not included in this copy of the page).

Impressions

Before this I had studied rsyslog + LogAnalyzer; after learning ELK as well, I find it good both as an overall system and in day-to-day use, and it is updated quickly. I will keep studying and post follow-ups on methods for monitoring and filtering logs, on log analysis, and on an architecture that uses Kafka for storage.
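As a closing check for the whole procedure above, the script below audits the ELK host's listening sockets and its firewalld zone against what the post expects: Kibana's node process on 5601, Logstash's java process on 5000 (the `commplex-main` service name in the clients' netstat output is port 5000), and Elasticsearch on 9200 bound to loopback only, as the post's own `netstat -ntlp` listing shows before the `network.host` change in 3.7. This is an added example, not code from the original post or from the Elastic tools; the function names, the allowlist of firewall ports and the embedded sample text are this example's own assumptions, and the samples are constructed to mirror the post's listings. On a real host, feed it the live output of `netstat -ntlp` and `firewall-cmd --list-all` instead.

```shell
#!/bin/sh
# Added example: post-deployment audit of the ELK host's listeners and firewalld zone.
# Function names, the allowlist and the sample data are assumptions made for this
# example; they are not part of the original post.

# Constructed sample mirroring the post's `netstat -ntlp` listing on elk.test.com.
NETSTAT_SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 909/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1595/master
tcp 0 0 0.0.0.0:5601 0.0.0.0:* LISTEN 11260/node
tcp6 0 0 :::5000 :::* LISTEN 12819/java
tcp6 0 0 127.0.0.1:9200 :::* LISTEN 10430/java
tcp6 0 0 ::1:9200 :::* LISTEN 10430/java
tcp6 0 0 127.0.0.1:9300 :::* LISTEN 10430/java'

# Constructed sample mirroring the post's `firewall-cmd --list-all` output.
FIREWALL_SAMPLE='public (default, active)
  interfaces: eno16777984 eno33557248
  sources:
  services: dhcpv6-client ssh
  ports: 9200/tcp 9300/tcp 5000/tcp 5601/tcp
  masquerade: no
  forward-ports: port=80:proto=tcp:toport=5601:toaddr=
  icmp-blocks:
  rich rules:'

# listener_program PORT NETSTAT_TEXT
# Prints the program name (PID stripped) of the first LISTEN socket on PORT; returns 1 if none.
listener_program() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $6 == "LISTEN" && $4 ~ (":" p "$") { sub(/^[0-9]+\//, "", $7); print $7; found = 1; exit }
        END { exit found ? 0 : 1 }'
}

# loopback_only PORT NETSTAT_TEXT
# Returns 0 when PORT is listening and every such socket is bound to 127.0.0.1 or ::1.
loopback_only() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $6 == "LISTEN" && $4 ~ (":" p "$") {
            seen = 1
            if ($4 !~ /^(127\.0\.0\.1|::1):/) exposed = 1
        }
        END { exit (seen && !exposed) ? 0 : 1 }'
}

# unexpected_firewall_ports ALLOWLIST FIREWALL_TEXT
# Prints every entry of the zone's "ports:" line that is not in the space-separated ALLOWLIST.
unexpected_firewall_ports() {
    allow=" $1 "
    printf '%s\n' "$2" | awk '/^[[:space:]]*ports:/ { for (i = 2; i <= NF; i++) print $i }' |
    while read -r entry; do
        case "$allow" in
            *" $entry "*) ;;
            *) printf '%s\n' "$entry" ;;
        esac
    done
}

# audit_elk_host NETSTAT_TEXT FIREWALL_TEXT
# Prints one line per check and returns the number of problems found.
audit_elk_host() {
    problems=0
    # Services the post expects to be reachable from the network.
    for spec in 5601:node 5000:java; do
        port=${spec%%:*}
        want=${spec#*:}
        got=$(listener_program "$port" "$1") || got="(nothing)"
        if [ "$got" = "$want" ]; then
            echo "OK   port $port is served by $want"
        else
            echo "FAIL port $port: expected $want, found $got"
            problems=$((problems + 1))
        fi
    done
    # Elasticsearch should only be reachable locally; Kibana and Logstash talk to it on the host.
    if loopback_only 9200 "$1"; then
        echo "OK   elasticsearch 9200 is bound to loopback only"
    else
        echo "FAIL elasticsearch 9200 is reachable on a non-loopback address"
        problems=$((problems + 1))
    fi
    # Only the ports the clients and users actually need belong in the zone.
    for entry in $(unexpected_firewall_ports "5601/tcp 5000/tcp" "$2"); do
        echo "WARN firewalld opens $entry, which is not on the allowlist"
        problems=$((problems + 1))
    done
    return "$problems"
}

audit_elk_host "$NETSTAT_SAMPLE" "$FIREWALL_SAMPLE" || echo "audit found $? problem(s)"
```

With the constructed samples the audit passes the three listener checks and raises two warnings, because 9200/tcp and 9300/tcp are opened in firewalld although Elasticsearch in that listing binds only loopback. After the 3.7 change to `network.host: elk.test.com` and the restart in 3.8, rerun it against fresh output: `loopback_only 9200` will then fail, and the open 9200/tcp rule exposes the Elasticsearch HTTP API, which in this release has no authentication of its own, to every host the public zone admits.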