一、前期准备
1、日志采集过程2、服务内容表3、防火墙配置4、配置主机名hosts文件5、设置3台主机互相ssh不需要密码6、配置系统参数(每台服务器都要配置)
(1)修改句柄限制值(2)修改max_map_count值(3)修改时区并设置自动同步阿里云的时间 7、关闭SELIunx 二、安装ELK
1、Elasticsearch安装2、生成ES集群之间证书,用于配置安全认证使用
(1) 创建证书(192.168.4.2、192.168.4.3都创建) 3、修改配置文件4、修改systemctl启动文件5、启动Elasticsearch6、初始化Elasticsearch内部用户密码 三、安装Kibana (192.168.4.2)四、安装redis(192.168.4.4)
1、编辑配置文件修改bind绑定地址和设置密码2、配置系统参数防止redis报错3、启动redis 五、安装logstash(192.168.4.4)
1、编辑logstash配置文件2、日志过滤配置-示例(192.168.4.4 /etc/logstash/conf.d)3、启动logstash 六、客户端采集日志程序filebeat
1、安装filebeat2、编辑配置文件3、启动filebeat 七、日志查看
一、前期准备 1、日志采集过程 2、服务内容表| 系统发行版 | IP地址 | 主机名 | CPU | 内存 | 硬盘 | 使用组件 |
|---|---|---|---|---|---|---|
| CentOS7.9 | 192.168.4.2 | elk-node1-Kibana | 4H | 8G | 50G/2TB(NFS挂载) | ES集群node1、Kibana |
| CentOS7.9 | 192.168.4.3 | elk-node2-Filebeat | 4H | 8G | 50G/2TB(NFS挂载) | ES集群node2 、Filebeat |
| CentOS7.9 | 192.168.4.4 | Redis-Logstash | 4H | 8G | 50G/2TB(NFS挂载) | Logstash,Redis |
# 每台服务器添加各个组件节点的IP地址到信任区防止发生数据无法同步和不能访问的情况 firewall-cmd --permanent --zone=trusted --add-source=192.168.4.0/24 firewall-cmd --reload4、配置主机名hosts文件
#每台服务器都执行
vim /etc/hosts
# 以下为文件的全部内容,主要添加后3行
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.4.2 elk-node1-Kibana
192.168.4.3 elk-node2-Filebeat
192.168.4.4 Redis-Logstash
5、设置3台主机互相ssh不需要密码
ssh-keygen # 每台服务器都执行,如果你有更好的办法也可以 Generating public/private rsa key pair. Enter file in which to save the key (/root/.ssh/id_rsa): #此处回车即可 Created directory '/root/.ssh'. Enter passphrase (empty for no passphrase): #此处回车即可 Enter same passphrase again: #此处回车即可 Your identification has been saved in /root/.ssh/id_rsa. Your public key has been saved in /root/.ssh/id_rsa.pub. The key fingerprint is: SHA256:**************************** root@redis-logstash The key's randomart image is: +---[RSA 2048]----+ | o . . . | |. o o . . . . | |o . + = . . | |..+ . . * . . | | oo. SB o | | o E =+O. | | . oO=oo . | | =+++o.+ | | .o=.+=+. | +----[SHA256]-----+
# 在 [root@redis-logstash] 操作 # 将三台服务器的id_rsa.pub里面的内容追加到/root/.ssh/authorized_keys文件内 cat /root/.ssh/id_rsa.pub # 查看一下,先找一台机器追加,然后拷贝到其他两台服务器 # 拷贝文件到redis-logstash [root@redis-logstash opm]# scp /root/.ssh/authorized_keys root@elk-node2-filebeat:/root/.ssh/ The authenticity of host 'elk-node2-filebeat (192.168.4.3)' can't be established. ECDSA key fingerprint is SHA256:2xlcRYVVf+AkmhA66j++glMgV0NP3kCaFcWbCc6ljeE. ECDSA key fingerprint is MD5:39:7f:7c:8e:64:6c:8e:8a:ba:38:6c:84:60:ed:32:c2. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added 'elk-node2-filebeat,192.168.4.3' (ECDSA) to the list of known hosts. root@elk-node2-filebeat's password: authorized_keys 100% 1209 524.4KB/s 00:00 [root@redis-logstash opm]# scp /root/.ssh/authorized_keys root@elk-node1-kibana:/root/.ssh/ The authenticity of host 'elk-node1-kibana (192.168.4.2)' can't be established. ECDSA key fingerprint is SHA256:2xlcRYVVf+AkmhA66j++glMgV0NP3kCaFcWbCc6ljeE. ECDSA key fingerprint is MD5:39:7f:7c:8e:64:6c:8e:8a:ba:38:6c:84:60:ed:32:c2. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added 'elk-node1-kibana,192.168.4.2' (ECDSA) to the list of known hosts. root@elk-node1-kibana's password: authorized_keys 100% 1209 487.1KB/s 00:006、配置系统参数(每台服务器都要配置) (1)修改句柄限制值
vim /etc/security/limits.conf # 文件末尾以下内容 * soft nproc 65535 * hard nproc 65535 * soft nofile 65535 * hard nofile 65535 * soft memlock unlimited * hard memlock unlimited(2)修改max_map_count值
sysctl -w vm.max_map_count=655360 echo 'vm.max_map_count=655360' >> /etc/sysctl.conf sysctl -p(3)修改时区并设置自动同步阿里云的时间
tzselect Please identify a location so that time zone rules can be set correctly. Please select a continent or ocean. 1) Africa 2) Americas 3) Antarctica 4) Arctic Ocean 5) Asia 6) Atlantic Ocean 7) Australia 8) Europe 9) Indian Ocean 10) Pacific Ocean 11) none - I want to specify the time zone using the Posix TZ format. #? 5 Please select a country. 1) Afghanistan 18) Israel 35) Palestine 2) Armenia 19) Japan 36) Philippines 3) Azerbaijan 20) Jordan 37) Qatar 4) Bahrain 21) Kazakhstan 38) Russia 5) Bangladesh 22) Korea (North) 39) Saudi Arabia 6) Bhutan 23) Korea (South) 40) Singapore 7) Brunei 24) Kuwait 41) Sri Lanka 8) Cambodia 25) Kyrgyzstan 42) Syria 9) China 26) Laos 43) Taiwan 10) Cyprus 27) Lebanon 44) Tajikistan 11) East Timor 28) Macau 45) Thailand 12) Georgia 29) Malaysia 46) Turkmenistan 13) Hong Kong 30) Mongolia 47) United Arab Emirates 14) India 31) Myanmar (Burma) 48) Uzbekistan 15) Indonesia 32) Nepal 49) Vietnam 16) Iran 33) Oman 50) Yemen 17) Iraq 34) Pakistan #? 9 Please select one of the following time zone regions. 1) Beijing Time 2) Xinjiang Time #? 1 The following information has been given: China Beijing Time Therefore TZ='Asia/Shanghai' will be used. Local time is now: Fri Feb 18 13:32:35 CST 2022. Universal Time is now: Fri Feb 18 05:32:35 UTC 2022. Is the above information OK? 1) Yes 2) No #? 1 # 删除原时间配置文件 rm -f /etc/localtime # 做软连接到时间配置文件 ln -s /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
# 设置定时任务 yum install ntpdate -y crontab -e # 添加以下内容 */5 * * * * /sbin/ntpdate ntp.aliyun.com # 保存退出后重启crond服务 systemctl restart crond7、关闭SELIunx
临时关闭 setenforce 0
永久关闭sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
重启系统
cd /opt wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.10.2-x86_64.rpm rpm -ivh elasticsearch-7.10.2-x86_64.rpm2、生成ES集群之间证书,用于配置安全认证使用 (1) 创建证书(192.168.4.2、192.168.4.3都创建)
创建保存证书的文件夹
mkdir /etc/elasticsearch/cert.d
生成证书文件
cd /usr/share/elasticsearch/bin/
elasticsearch-certutil cert -out /etc/elasticsearch/cert.d/elastic-certificates.p12 -pass ""
拷贝证书到其他集群节点
scp elastic-certificates.p12 root@elk-node2-Filebeat:/etc/elasticsearch/cert.d
配置证书文件权限-注意,所有集群节点在拷贝完证书后都要执行一遍
chown -Rf elasticsearch:elasticsearch /etc/elasticsearch/cert.d/
查看完整配置:grep -Ev "#|^$" /etc/elasticsearch/jvm.options
# -----只是修改了这两行------ -Xms4g -Xmx4g # ------------------------
查看完整配置:grep -Ev "#|^$" /etc/elasticsearch/elasticsearch.yml
# 按照以下内容修改 bootstrap.memory_lock: true cluster.name: my-application # 每台服务器的配置都注意 elk-node1-Kibana elk-node2-filebeat node.name: elk-node1-Kibana # -------此处路径我是挂载的NFS卷,根据实际情况修改路径-------------- # 路径名称注意 elk-node1-Kibana elk-node2-filebeat path.data: /data/elk_node1/elasticsearch/data path.logs: /data/elk_node1/elasticsearch/log #------------------------------------------------------------ cluster.name: my-application node.name: node-1 network.host: 192.168.4.2 http.port: 9200 node.master: true node.data: true discovery.seed_hosts: ["192.168.4.2", "192.168.4.3"] cluster.initial_master_nodes: ["192.168.4.2:9300", "192.168.4.3:9300"] #http.cors.enabled: true #http.cors.allow-origin: "*" # 下方配置文件是后添加的请复制粘贴就好 # ----------------------------------- xpack ------------------------------------ xpack.security.enabled: true xpack.license.self_generated.type: basic xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate # 确认号证书的路径在 二、安装ELK-第二小节的路径 xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/cert.d/elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/cert.d/elastic-certificates.p124、修改systemctl启动文件
执行systemctl edit elasticsearch命令
进到一个界面,添加以下2行
[Service]
LimitMEMLOCK=infinity
然后保存退出,运行systemctl daemon-reload
所有节点启动成功后进行第6步骤
systemctl start elasticsearch
cd /usr/share/elasticsearch/bin/
./elasticsearch-setup-passwords auto
... # 以下内容很机密请保存好 Changed password for user apm_system PASSWORD apm_system = xxxxxxxxxxxxxxxxxxxx Changed password for user kibana_system PASSWORD kibana_system = xxxxxxxxxxxxxxxxxxxx Changed password for user kibana PASSWORD kibana = xxxxxxxxxxxxxxxxxxxx Changed password for user logstash_system PASSWORD logstash_system = xxxxxxxxxxxxxxxxxxxx Changed password for user beats_system PASSWORD beats_system = xxxxxxxxxxxxxxxxxxxx Changed password for user remote_monitoring_user PASSWORD remote_monitoring_user = xxxxxxxxxxxxxxxxxxxx Changed password for user elastic PASSWORD elastic = xxxxxxxxxxxxxxxxxxxx三、安装Kibana (192.168.4.2)
cd /opt wget https://artifacts.elastic.co/downloads/kibana/kibana-7.10.2-x86_64.rpm rpm -ivh kibana-7.10.2-x86_64.rpm
编辑kibana配置文件
vim /etc/kibana/kibana.yml
# 绑定地址,0.0.0.0代表允许所有IP访问 server.host: "0.0.0.0" # 集群访问地址根据实际情况配置 elasticsearch.hosts: ["http://192.168.4.2:9200", "http://192.168.4.3:9200"] # 设置kibana中文访问 i18n.locale: "zh-CN" # ES提供的用户名密码 elasticsearch.username: "kibana_system" elasticsearch.password: ""
启动kibana
systemctl start kibana
访问 http://192.168.4.2:5601 查看是否正常
yum install -y redis
1、编辑配置文件修改bind绑定地址和设置密码vim /etc/redis.conf 配置完成自己验证
# 根据实际情况修改配置 bind 192.168.4.4 ... logfile /data/redis-logstash/redis.log ... requirepass <自己设置的密码> ...2、配置系统参数防止redis报错
echo "echo never > /sys/kernel/mm/transparent_hugepage/enabled" >> /etc/rc.local chmod +x /etc/rc.d/rc.local # 一般新安装的redis会根这3个相关报错,不信自己测试 echo never > /sys/kernel/mm/transparent_hugepage/enabled echo "vm.overcommit_memory = 1" >> /etc/sysctl.conf echo "net.core.somaxconn= 1024" >> /etc/sysctl.conf sysctl -p3、启动redis
启动redis服务:systemctl start redis
开机自启动: systemctl enable redis
cd /opt wget https://artifacts.elastic.co/downloads/logstash/logstash-7.10.2-x86_64.rpm rpm -ivh logstash-7.10.2-x86_64.rpm1、编辑logstash配置文件
查看完整配置:grep -Ev "#|^$" /etc/logstash/jvm.options
# 只修改了2行 -Xms4g -Xmx4g # 其他配置不变
查看完整配置:grep -Ev "#|^$" /etc/logstash/logstash.yml
path.data: /data/redis-logstash/logstash/data pipeline.ordered: auto log.level: debug path.logs: /data/redis-logstash/logstash/log xpack.monitoring.enabled: true xpack.monitoring.elasticsearch.username: logstash_system xpack.monitoring.elasticsearch.password:2、日志过滤配置-示例(192.168.4.4 /etc/logstash/conf.d)# es集群访问地址 xpack.monitoring.elasticsearch.hosts: ["http://192.168.4.2:9200", "http://192.168.4.3:9200"]
# 日志来源从redis取日志
input {
redis {
host => "127.0.0.1"
port => "6379"
batch_count => 1
data_type => "list"
db => 0
password => "*******"
key => "rename-fs-log"
}
}
# 过滤到host和agent字段
filter {
mutate {
remove_field => ["host", "agent"]
}
}
# 日志采集到es
output {
elasticsearch {
hosts => ["192.168.4.2:9200", "192.168.4.3:9200"]
user => "elastic"
password => "*******"
index => "%{[@metadata][beat]}-%{[@metadata][version]}-fs-log"
}
}
3、启动logstash
启动logstash服务:systemctl start logstash
logstash开机自启动:systemctl enable logstash
将日志文件采集到redis队列,再由logstash采集到ES数据库
1、安装filebeatcd /opt # ----根据实际系统发行版本下载不同的包---- # redhat发行系列 wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.10.2-x86_64.rpm # Ubuntu发行系列 wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.10.2-amd64.deb # ----------------------------------- # centos7 安装-其他系统发行版本自测 rpm -ivh filebeat-7.10.2-x86_64.rpm # ubuntu16 安装-其他系统发行版本自测 dpkg -i filebeat-7.10.2-amd64.deb2、编辑配置文件
filebeat.inputs:
- type: log
enabled: true
# 需要采集的日志路径可用*.log
paths:
- /usr/local/freeswitch/log/freeswitch.log
# 对接redis配置
output.redis:
hosts: ["1.1.1.1:6899"]
password: ""
key: "rename-fs-log"
db: 0
timeout: 5
# 以下内容是默认的没有调整过
processors:
- add_host_metadata:
when.not.contains.tags: forwarded
- add_cloud_metadata: ~
- add_docker_metadata: ~
- add_kubernetes_metadata: ~
logging.level: debug
logging.to_files: true
logging.files:
path: /var/log/filebeat
name: filebeat
keepfiles: 7
permissions: 0644
3、启动filebeat
启动服务:systemctl start filebeat
开机自启:systemctl enable filebeat
访问:http://kibana.woziji.xyz:5601
如果有数据第一次访问会让添加索引,具体的自己研究吧,只是提供了安装过程,如果安装过程中有问题可以联系下发留言,或者联系本人QQ:4-9-5-8-4-3-2-3-6不长在线
