[root@server1 ~]# cd elasticsearch-head-master/
[root@server1 elasticsearch-head-master]# ls
[root@server1 elasticsearch-head-master]# vim _site/app.js
http://172.25.52.1:9200
[root@server1 elasticsearch-head-master]# cnpm run start &
[1] 3526
[root@server1 elasticsearch-head-master]#
> elasticsearch-head@0.0.0 start /root/elasticsearch-head-master
> grunt server
(node:3552) ExperimentalWarning: The http2 module is an experimental API.
Running "connect:server" (connect) task
Waiting forever...
Started connect web server on http://localhost:9100
[root@server1 elasticsearch-head-master]# systemctl start elasticsearch.service
在前端查看:
2.安装与配置
[root@server4 ~]# rpm -ivh kibana-7.6.1-x86_64.rpm
[root@server4 ~]# vim /etc/kibana/kibana.yml
server.port: 5601
server.host: "172.25.52.4"
elasticsearch.hosts: ["http://172.25.52.1:9200"] ##第28行
kibana.index: ".kibana" ##第37行
i18n.locale: "zh-CN"
[root@server4 ~]# systemctl start kibana.service
[root@server4 ~]# netstat -antlp | grep :5601
配置文件的设置:
访问:http://172.25.52.4:5601/
添加数据Sample web logs:
查看仪表板:
二、kibana的使用在管理——索引模式——创建索引:
为已经创建的索引添加可视化:
选择指标:
可视化创建成功:
再次创建一个可视化(条形图)
进行压力测试:
[root@server1 elasticsearch-head-master]# yum install -y httpd-tools
[root@server1 elasticsearch-head-master]# ab -c1 -n500 http://172.25.52.4/index.html
[root@server2 ~]# yum install -y httpd-tools
[root@server2 ~]# ab -c1 -n500 http://172.25.52.4/index.html
创建仪表板,将想要看到的数据添加进去:
全屏模式:
head在server1中:
[root@server1 ~]# cd /usr/share/elasticsearch/
[root@server1 elasticsearch]# bin/elasticsearch-certutil ca ##生成CA(elastic-stack-ca.p12 含CA私钥,需妥善保管,不必分发到其他节点)
[root@server1 elasticsearch]# bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
[root@server1 elasticsearch]# ls
bin elastic-stack-ca.p12 lib modules plugins elastic-certificates.p12 jdk LICENSE.txt NOTICE.txt README.asciidoc
[root@server1 elasticsearch]# cp elastic-certificates.p12 /etc/elasticsearch
[root@server1 elasticsearch]# cd /etc/elasticsearch
[root@server1 elasticsearch]# ls
elastic-certificates.p12 elasticsearch.yml log4j2.properties roles.yml users_roles elasticsearch.keystore jvm.options role_mapping.yml users
[root@server1 elasticsearch]# chown elasticsearch elastic-certificates.p12
[root@server1 elasticsearch]# ll
[root@server1 elasticsearch]# vim /etc/elasticsearch/elasticsearch.yml
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/elastic-certificates.p12
[root@server1 elasticsearch]# scp -p elastic-certificates.p12 server2:/etc/elasticsearch/
[root@server1 elasticsearch]# scp -p elastic-certificates.p12 server3:/etc/elasticsearch/
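在server2和3中进行相同的配置(注意:以上配置只为节点间的 transport 通信启用了 TLS,HTTP 接口 9200 仍是明文 http,本文后面各组件发送的用户名和密码都未加密;非实验环境还应配置 xpack.security.http.ssl.*):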
[root@server2 elasticsearch]# cd /etc/elasticsearch/
[root@server2 elasticsearch]# ls
elastic-certificates.p12 elasticsearch.yml log4j2.properties roles.yml users_roles elasticsearch.keystore jvm.options role_mapping.yml users
[root@server2 elasticsearch]# chown elasticsearch elastic-certificates.p12 ##修改属主(让 elasticsearch 用户能读取证书)
[root@server2 ~]# vim /etc/elasticsearch/elasticsearch.yml
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/elastic-certificates.p12
[root@server2 elasticsearch]# systemctl restart elasticsearch.service
[root@server3 ~]# cd /etc/elasticsearch/
[root@server3 elasticsearch]# chown elasticsearch elastic-certificates.p12
[root@server3 elasticsearch]# vim /etc/elasticsearch/elasticsearch.yml
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/elastic-certificates.p12
[root@server3 elasticsearch]# systemctl restart elasticsearch.service
然后在server1中:
[root@server1 elasticsearch-head-master]# vim /etc/elasticsearch/elasticsearch.yml
http.cors.allow-headers: Authorization,X-Requested-With,Content-Length,Content-Type ##head
[root@server1 elasticsearch]# systemctl restart elasticsearch.service ##重启
测试:
在前端head访问:
http://172.25.52.4:9100/?auth_user=elastic&auth_password=westos
登录es需要在网址处加入用户和密码(注意:写在URL里的用户名和密码会留在浏览器历史记录、代理和服务器访问日志中,只适合实验环境):
http://172.25.52.4:5601/ ---->前端进不去(es 已启用安全验证,而 kibana 还没有配置访问 es 的用户和密码)
启用xpack安全验证
[root@server4 ~]# cd /etc/kibana/
[root@server4 kibana]# ls
apm.js kibana.yml
[root@server4 kibana]# vim kibana.yml
elasticsearch.username: "kibana"
elasticsearch.password: "westos" ##密码明文保存在配置文件中;也可以改用 kibana-keystore 保存 elasticsearch.password
[root@server4 kibana]# systemctl restart kibana.service
设置认证(前面用到的 elastic、kibana 等内置用户的密码 westos 应当是在这一步设置的,实际操作时要先完成这一步):
在server1中:
[root@server1 elasticsearch]# cd /usr/share/elasticsearch/
[root@server1 elasticsearch]# ls
bin elastic-stack-ca.p12 lib modules plugins elastic-certificates.p12 jdk LICENSE.txt NOTICE.txt README.asciidoc
[root@server1 elasticsearch]# cd bin/
[root@server1 bin]# ./elasticsearch-setup-passwords interactive ##设置es的密码
在浏览器访问 http://172.25.52.4:5601/
在真机中:
[westos@foundation52 file_recv]$ podman ps
[westos@foundation52 file_recv]$ podman ps -a
[westos@foundation52 file_recv]$ podman start cerebro ##开启cerebro
测试:
访问http://172.25.52.250:9000/
选择地址:
进入登陆页面————>输入用户及密码
登陆kibana http://172.25.52.4:5601/
使用metricbeat设置检测:
三、使用metricbeat检测节点
[root@server1 ~]# rpm -ivh metricbeat-7.6.1-x86_64.rpm
[root@server1 ~]# cd /etc/metricbeat/
[root@server1 metricbeat]# ls
fields.yml metricbeat.reference.yml metricbeat.yml modules.d
[root@server1 metricbeat]# cd modules.d/
[root@server1 modules.d]# ls
[root@server1 modules.d]# metricbeat modules enable elasticsearch-xpack ##直接修改文件名也可以
Enabled elasticsearch-xpack
[root@server1 modules.d]# ls ##查看是否修改成功
[root@server1 modules.d]# vim elasticsearch-xpack.yml
hosts: ["http://localhost:9200"]
username: "elastic" ##去掉注释,设置用户和密码
password: "westos"
xpack.enabled: true
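修改主配置文件(这里把超级用户 elastic 的密码明文写进了 metricbeat.yml;实际环境建议使用权限更小的专用用户,并通过 `metricbeat keystore add` 把密码存入 keystore 后在配置里用 ${变量名} 引用):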
[root@server1 metricbeat]# ls
fields.yml metricbeat.reference.yml metricbeat.yml modules.d
[root@server1 metricbeat]# vim metricbeat.yml
# Array of hosts to connect to.
hosts: ["172.25.52.1:9200"]
# Protocol - either `http` (default) or `https`.
#protocol: "https"
# Authentication credentials - either API key or username/password.
#api_key: "id:api_key"
username: "elastic"
password: "westos"
[root@server1 metricbeat]# systemctl start metricbeat.service
在kibana前端查看
同理,设置server2和3
[root@server1 modules.d]# cd
[root@server1 ~]# scp metricbeat-7.6.1-x86_64.rpm server2:
[root@server1 ~]# scp metricbeat-7.6.1-x86_64.rpm server3:
[root@server2 ~]# rpm -ivh metricbeat-7.6.1-x86_64.rpm
[root@server2 ~]# cd /etc/metricbeat/
[root@server2 metricbeat]# cd modules.d/
[root@server2 modules.d]# metricbeat modules enable elasticsearch-xpack
Enabled elasticsearch-xpack
[root@server2 modules.d]# vim elasticsearch-xpack.yml
[root@server2 modules.d]# cd ..
[root@server2 metricbeat]# vim metricbeat.yml
[root@server2 metricbeat]# systemctl start metricbeat.service
在server3中:
在前端查看:
四、设置filebeat
[root@server1 ~]# rpm -ivh filebeat-7.6.1-x86_64.rpm
[root@server1 ~]# cd /etc/filebeat/
[root@server1 filebeat]# cd modules.d/
[root@server1 modules.d]# filebeat modules enable elasticsearch
Enabled elasticsearch
[root@server1 modules.d]# vim elasticsearch.yml
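# Filebeat "elasticsearch" module configuration (modules.d/elasticsearch.yml).
# All five filesets below are enabled and read from /var/log/elasticsearch;
# the account Filebeat runs as needs read access to those files.
# The nesting is restored here: the fileset keys belong under the module
# entry, and each var.paths list belongs under its fileset.
- module: elasticsearch
  # Server log
  server:
    enabled: true
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    var.paths:
      - /var/log/elasticsearch/*.log          # Plain text logs
      - /var/log/elasticsearch/*_server.json  # JSON logs

  # Garbage-collection log
  gc:
    enabled: true
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    var.paths:
      - /var/log/elasticsearch/gc.log.[0-9]*
      - /var/log/elasticsearch/gc.log

  # Audit log
  # NOTE(review): presumably these files exist only when Elasticsearch audit
  # logging is turned on (xpack.security.audit.enabled) - confirm before
  # relying on this fileset for security events.
  audit:
    enabled: true
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    var.paths:
      - /var/log/elasticsearch/*_access.log  # Plain text logs
      - /var/log/elasticsearch/*_audit.json  # JSON logs

  # Search and indexing slow logs
  slowlog:
    enabled: true
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    var.paths:
      - /var/log/elasticsearch/*_index_search_slowlog.log     # Plain text logs
      - /var/log/elasticsearch/*_index_indexing_slowlog.log   # Plain text logs
      - /var/log/elasticsearch/*_index_search_slowlog.json    # JSON logs
      - /var/log/elasticsearch/*_index_indexing_slowlog.json  # JSON logs

  # Deprecation log
  deprecation:
    enabled: true
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    var.paths:
      - /var/log/elasticsearch/*_deprecation.log   # Plain text logs
      - /var/log/elasticsearch/*_deprecation.json  # JSON logs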
[root@server1 modules.d]# cd ..
[root@server1 filebeat]# ls
fields.yml filebeat.reference.yml filebeat.yml modules.d
[root@server1 filebeat]# vim filebeat.yml
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["172.25.52.1:9200"]
  # Protocol - either `http` (default) or `https`.
  #protocol: "https"
  # Authentication credentials - either API key or username/password.
  #api_key: "id:api_key"
  username: "elastic"
  password: "westos" ##明文的超级用户密码;实际环境建议换成权限更小的专用用户,并用 `filebeat keystore add` 保存密码
[root@server1 filebeat]# systemctl start filebeat.service
在前端查看日志:
搜索:host.name:server1



