ELK日志分析系统在CentOS 7.3的部署安装(RPM)

96
辉耀辉耀
2017.05.12 18:44* 字数 287

环境
server1: elk.test.com CentOS 7.3 192.168.81.11
server2: nginx.test.com CentOS 6.5 192.168.81.12
server3: rsyslog.test.com CentOS 6.5 192.168.81.13

1.基础环境检查

配置本地hosts文件

[root@elk ~]# cat /etc/hosts
192.168.81.11 elk.test.com
192.168.81.12 nginx.test.com
192.168.81.13 rsyslog.test.com

下载软件包:

[root@elk ~]# cd /usr/local/src
[root@elk src]# wget -c https://download.elastic.co/elasticsearch/release/org/elasticsearch/distribution/rpm/elasticsearch/2.3.3/elasticsearch-2.3.3.rpm
[root@elk src]# wget -c https://download.elastic.co/logstash/logstash/packages/centos/logstash-2.3.2-1.noarch.rpm
[root@elk src]# wget https://download.elastic.co/kibana/kibana/kibana-4.5.1-1.x86_64.rpm
[root@elk src]# wget -c https://download.elastic.co/beats/filebeat/filebeat-1.2.3-x86_64.rpm
2.安装elasticsearch

安装JAVA环境(jdk版本1.8.0及以上)

[root@elk src]# yum install java-1.8.0-openjdk -y
[root@elk src]# java -version
openjdk version "1.8.0_121"
OpenJDK Runtime Environment (build 1.8.0_121-b13)
OpenJDK 64-Bit Server VM (build 25.121-b13, mixed mode)

安装elasticsearch

[root@elk src]# yum localinstall elasticsearch-2.3.3.rpm -y
[root@elk src]# systemctl daemon-reload
[root@elk src]# systemctl enable elasticsearch
Created symlink from /etc/systemd/system/multi-user.target.wants/elasticsearch.service to /usr/lib/systemd/system/elasticsearch.service.
[root@elk src]# systemctl start elasticsearch

检查服务状态

[root@elk src]# systemctl status elasticsearch
● elasticsearch.service - Elasticsearch
   Loaded: loaded (/usr/lib/systemd/system/elasticsearch.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2017-05-12 04:55:08 EDT; 8min ago
     Docs: http://www.elastic.co
  Process: 10661 ExecStartPre=/usr/share/elasticsearch/bin/elasticsearch-systemd-pre-exec (code=exited, status=0/SUCCESS)
 Main PID: 10663 (java)
   CGroup: /system.slice/elasticsearch.service
           └─10663 /bin/java -Xms256m -Xmx1g -Djava.awt.headless=true -XX:+UseParN...

May 12 04:55:09 elk.test.com elasticsearch[10663]: [2017-05-12 04:55:09,233][INFO...]
May 12 04:55:09 elk.test.com elasticsearch[10663]: [2017-05-12 04:55:09,233][WARN...]
May 12 04:55:10 elk.test.com elasticsearch[10663]: [2017-05-12 04:55:10,806][INFO...d
May 12 04:55:10 elk.test.com elasticsearch[10663]: [2017-05-12 04:55:10,806][INFO....
May 12 04:55:10 elk.test.com elasticsearch[10663]: [2017-05-12 04:55:10,920][INFO...}
May 12 04:55:10 elk.test.com elasticsearch[10663]: [2017-05-12 04:55:10,926][INFO...w
May 12 04:55:14 elk.test.com elasticsearch[10663]: [2017-05-12 04:55:14,010][INFO...)
May 12 04:55:14 elk.test.com elasticsearch[10663]: [2017-05-12 04:55:14,028][INFO...}
May 12 04:55:14 elk.test.com elasticsearch[10663]: [2017-05-12 04:55:14,028][INFO...d
May 12 04:55:14 elk.test.com elasticsearch[10663]: [2017-05-12 04:55:14,047][INFO...e
Hint: Some lines were ellipsized, use -l to show in full.
[root@elk src]# rpm -qc elasticsearch
/etc/elasticsearch/elasticsearch.yml
/etc/elasticsearch/logging.yml
/etc/init.d/elasticsearch
/etc/sysconfig/elasticsearch
/usr/lib/sysctl.d/elasticsearch.conf
/usr/lib/systemd/system/elasticsearch.service
/usr/lib/tmpfiles.d/elasticsearch.conf
[root@elk src]# netstat -nltp | grep java
tcp6       0      0 127.0.0.1:9200          :::*                    LISTEN      10663/java          
tcp6       0      0 ::1:9200                :::*                    LISTEN      10663/java          
tcp6       0      0 127.0.0.1:9300          :::*                    LISTEN      10663/java          
tcp6       0      0 ::1:9300                :::*                    LISTEN      10663/java

开放firewalld端口

[root@elk src]# firewall-cmd --zone=public --add-port=80/tcp --permanent
success
[root@elk src]# firewall-cmd --permanent --add-port={9200/tcp,9300/tcp}
success
[root@elk src]# firewall-cmd --reload
success
[root@elk src]# firewall-cmd  --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources: 
  services: dhcpv6-client ssh
  ports: 9200/tcp 80/tcp 9300/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  sourceports: 
  icmp-blocks: 
  rich rules:
3.安装kibana
[root@elk src]#  yum localinstall kibana-4.5.1-1.x86_64.rpm -y
[root@elk src]# systemctl enable kibana
Created symlink from /etc/systemd/system/multi-user.target.wants/kibana.service to /usr/lib/systemd/system/kibana.service.
[root@elk src]# systemctl start kibana
[root@elk src]# systemctl status kibana
● kibana.service - no description given
   Loaded: loaded (/usr/lib/systemd/system/kibana.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2017-05-12 05:16:28 EDT; 5min ago
 Main PID: 10978 (node)
   CGroup: /system.slice/kibana.service
           └─10978 /opt/kibana/bin/../node/bin/node /opt/kibana/bin/../src/cli

May 12 05:16:29 elk.test.com kibana[10978]: {"type":"log","@timestamp":"2017-05-12...
May 12 05:16:29 elk.test.com kibana[10978]: {"type":"log","@timestamp":"2017-05-..."}
May 12 05:16:29 elk.test.com kibana[10978]: {"type":"log","@timestamp":"2017-05-..."}
May 12 05:16:29 elk.test.com kibana[10978]: {"type":"log","@timestamp":"2017-05-..."}
May 12 05:16:29 elk.test.com kibana[10978]: {"type":"log","@timestamp":"2017-05-..."}
May 12 05:16:29 elk.test.com kibana[10978]: {"type":"log","@timestamp":"2017-05-..."}
May 12 05:16:29 elk.test.com kibana[10978]: {"type":"log","@timestamp":"2017-05-..."}
May 12 05:16:29 elk.test.com kibana[10978]: {"type":"log","@timestamp":"2017-05-..."}
May 12 05:16:35 elk.test.com kibana[10978]: {"type":"log","@timestamp":"2017-05-12...
May 12 05:16:38 elk.test.com kibana[10978]: {"type":"log","@timestamp":"2017-05-..."}
Hint: Some lines were ellipsized, use -l to show in full.

开放防火墙端口

[root@elk src]# firewall-cmd --permanent --add-port=5601/tcp
success
[root@elk src]# firewall-cmd --reload
success
[root@elk src]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources: 
  services: dhcpv6-client ssh
  ports: 9200/tcp 3306/tcp 80/tcp 9300/tcp 5601/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  sourceports: 
  icmp-blocks: 
  rich rules:
访问elkIP:5601验证kibana安装

做端口转发,将对端口80的访问转发到5601上(方便访问,非必须)

[root@elk src]# firewall-cmd --permanent --add-forward-port=port=80:proto=tcp:toport=5601
success
[root@elk src]# firewall-cmd --reload
success
4.安装logstash,添加配置文件
[root@elk src]# yum localinstall logstash-2.3.2-1.noarch.rpm -y

生成证书

[root@elk tls]# openssl req -subj '/CN=elk.test.com/' -x509 -days 3650 -batch -nodes -newkey rsa:2048 -keyout private/logstash-forwarder.key -out certs/logstash-forwarder.crt
Generating a 2048 bit RSA private key
.........+++
.+++
writing new private key to 'private/logstash-forwarder.key'
-----

创建logstash的配置文件

[root@elk tls]# vim /etc/logstash/conf.d/01-logstash-initial.conf
input {
  beats {
    port => 5000
    type => "logs"
    ssl => true
    ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
    ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
  }
}

filter {
  if [type] == "syslog-beat" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    geoip {
      source => "clientip"
    }
    syslog_pri {}
    date {
      match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}

output {
  elasticsearch { }
  stdout { codec => rubydebug }
}

启动logstash检查端口

[root@elk tls]# systemctl start logstash
[root@elk tls]# /sbin/chkconfig logstash on
[root@elk tls]# netstat -ntlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1761/sshd           
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      3306/master         
tcp        0      0 0.0.0.0:5601            0.0.0.0:*               LISTEN      10978/node          
tcp        0      0 127.0.0.1:9000          0.0.0.0:*               LISTEN      3491/php-fpm: maste 
tcp6       0      0 127.0.0.1:9200          :::*                    LISTEN      10663/java          
tcp6       0      0 ::1:9200                :::*                    LISTEN      10663/java          
tcp6       0      0 127.0.0.1:9300          :::*                    LISTEN      10663/java          
tcp6       0      0 ::1:9300                :::*                    LISTEN      10663/java          
tcp6       0      0 :::22                   :::*                    LISTEN      1761/sshd           
tcp6       0      0 ::1:25                  :::*                    LISTEN      3306/master         
tcp6       0      0 :::5000                 :::*                    LISTEN      11110/java          
tcp6       0      0 :::3306                 :::*                    LISTEN      2135/mysqld

修改防火墙,开放5000端口

[root@elk src]# firewall-cmd --permanent --add-port=5000/tcp
success
[root@elk src]# firewall-cmd --reload
success
5.修改elasticsearch配置文件
[root@elk elasticsearch]# mkdir es-01
[root@elk elasticsearch]# mv elasticsearch.yml es-01/
[root@elk elasticsearch]# mv logging.yml es-01/
[root@elk elasticsearch]# tree
.
├── es-01
│   ├── elasticsearch.yml
│   └── logging.yml
└── scripts

2 directories, 2 files

[root@elk elasticsearch]# cat es-01/elasticsearch.yml
http:
  port: 9200
network:
  host: elk.test.com
node:
  name: elk.test.com
path:
  data: /etc/elasticsearch/data/es-01

重启elasticsearch和logstash服务

[root@elk elasticsearch]# systemctl restart elasticsearch
[root@elk elasticsearch]# systemctl restart logstash
6.将fiebeat安装包拷贝到rsyslog、nginx客户端上
[root@elk elk]# scp filebeat-1.2.3-x86_64.rpm root@rsyslog.test.com:/root/elk
[root@elk elk]# scp filebeat-1.2.3-x86_64.rpm root@nginx.test.com:/root/elk
[root@elk elk]# scp /etc/pki/tls/certs/logstash-forwarder.crt rsyslog.test.com:/root/elk
[root@elk elk]# scp /etc/pki/tls/certs/logstash-forwarder.crt nginx.test.com:/root/elk
7.在rsyslog上安装filebeat
[root@rsyslog src]# yum localinstall filebeat-1.2.3-x86_64.rpm -y
[root@rsyslog src]# cp logstash-forwarder.crt /etc/pki/tls/certs/.
[root@rsyslog src]# cd /etc/filebeat/
[root@rsyslog filebeat]# tree
.
├── conf.d
│   ├── authlogs.yml
│   └── syslogs.yml
├── filebeat.template.json
└── filebeat.yml
[root@rsyslog filebeat]# vim filebeat.yml
filebeat:
  spool_size: 1024
  idle_timeout: 5s
  registry_file: .filebeat
  config_dir: /etc/filebeat/conf.d
output:
  logstash:
    hosts:
    - elk.test.com:5000
    tls:
      certificate_authorities: ["/etc/pki/tls/certs/logstash-forwarder.crt"]
    enabled: true
shipper: {}
logging: {}
runoptions: {}
[root@rsyslog filebeat]# vim conf.d/authlogs.yml
filebeat:
  prospectors:
    - paths:
      - /var/log/secure
      encoding: plain
      fields_under_root: false
      input_type: log
      ignore_older: 24h
      document_type: syslog-beat
      scan_frequency: 10s
      harvester_buffer_size: 16384
      tail_files: false
      force_close_files: false
      backoff: 1s
      max_backoff: 1s
      backoff_factor: 2
      partial_line_waiting: 5s
      max_bytes: 10485760
[root@rsyslog filebeat]# vim conf.d/syslogs.yml
filebeat:
  prospectors:
    - paths:
      - /var/log/messages
      encoding: plain
      fields_under_root: false
      input_type: log
      ignore_older: 24h
      document_type: syslog-beat
      scan_frequency: 10s
      harvester_buffer_size: 16384
      tail_files: false
      force_close_files: false
      backoff: 1s
      max_backoff: 1s
      backoff_factor: 2
      partial_line_waiting: 5s
      max_bytes: 10485760
8.修改完成,启动filebeat服务(时间要一致,否则报X509错误)
[root@rsyslog filebeat]# service filebeat start
Starting filebeat:                                         [确定]
[root@rsyslog filebeat]# chkconfig filebeat on
9.安装Nginx在nginx上安装filebeat,拷贝证书,创建收集日志配置文件
[root@nginx ~]# yum -y install nginx-1.8.0-1.el6.ngx.x86_64.rpm
[root@nginx ~]# service nginx start
Starting nginx:                                            [  OK  ]

[root@nginx src]# yum localinstall filebeat-1.2.3-x86_64.rpm -y
[root@nginx src]# cp logstash-forwarder.crt /etc/pki/tls/certs/.
[root@nginx src]# cd /etc/filebeat/
....
....
(配置同上7、8)
10.这时filebeat进程已经和elk服务器连接了,浏览器访问elkIP验证
创建
检查所有日志
检查nginx服务器的日志
ELK
Web note ad 1