1.安装java环境
yum -y install java-1.8.0-openjdk
2.安装elasticsearch(9200,9300端口)
下载软件
wget https://download.elastic.co/elasticsearch/elasticsearch/elasticsearch-1.7.0.tar.gz
解压
tar zxvf elasticsearch-1.7.0.tar.gz
复制到/usr/local下
mv elasticsearch-1.7.0 /usr/local/elasticsearch
进入配置文件目录并备份原配置文件
cd /usr/local/elasticsearch/config
cp elasticsearch.yml elasticsearch.yml.bak
编辑修改配置文件
vim elasticsearch.yml
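# Elasticsearch 1.7 node settings for /usr/local/elasticsearch/config/elasticsearch.yml.
# The inline notes of the original were moved into YAML comments: a value such as
# `1(分片副本)` is read as a string rather than the integer 1, and `true (内存)` is not a
# boolean, so those two lines would not be read as intended at startup.
cluster.name: elasticsearch
node.name: elk
node.master: true              # master-eligible
node.data: true                # also holds shards
index.number_of_shards: 5
index.number_of_replicas: 1    # replica shards (分片副本)
path.data: /usr/local/elasticsearch/data
path.conf: /usr/local/elasticsearch/config
path.work: /usr/local/elasticsearch/work
path.plugins: /usr/local/elasticsearch/plugins
path.logs: /usr/local/elasticsearch/logs
bootstrap.mlockall: true       # lock the heap in memory (内存); only takes effect if the memlock ulimit allows it
# NOTE(review): no network.host / bind setting is given here, and the rest of this guide
# reaches the node at a public address (124.250.244.12:9200) with no authentication
# configured anywhere in the setup. Restrict 9200/9300 with a firewall or bind the node
# to an internal interface before exposing it.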
启动elasticsearch
/usr/local/elasticsearch/bin/elasticsearch -d
检查node是否启动（下面通过公网地址 124.250.244.12 访问 9200；该配置没有任何认证，应先用防火墙把 9200/9300 限制为仅对可信网络开放）
curl http://124.250.244.12:9200
下载安装启动脚本
wget https://codeload.github.com/elastic/elasticsearch-servicewrapper/zip/master
unzip master
mv elasticsearch-servicewrapper-master/service/ /usr/local/elasticsearch/bin/
cd /usr/local/elasticsearch/bin/service
./elasticsearch install
用脚本启动elasticsearch
/etc/init.d/elasticsearch restart
安装elasticsearch插件
/usr/local/elasticsearch/bin/plugin -i elasticsearch/marvel/latest
/usr/local/elasticsearch/bin/plugin -i mobz/elasticsearch-head
3.下载安装logstash(syslog端口:514)
wget https://download.elastic.co/logstash/logstash/logstash-1.5.3.tar.gz
解压并复制到/usr/local下
tar zxvf logstash-1.5.3.tar.gz
mv logstash-1.5.3 /usr/local/logstash
测试logstash
/usr/local/logstash/bin/logstash -e 'input { stdin{} } output { stdout{codec => rubydebug} }'
编辑logstash配置文件
vim /etc/logstash.conf
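input {
  # Syslog over TCP and UDP on the classic port. 514 is a privileged port, so the
  # Logstash process must be able to bind it (CAP_NET_BIND_SERVICE or root; this guide
  # presumably runs it as root).
  tcp {
    port => 514
    type => syslog
  }
  udp {
    port => 514
    type => syslog
  }
}
filter {
  if [type] == "syslog" {
    grok {
      # The pattern must stay on one line: a line break inside the quoted string becomes
      # part of the regex and no real syslog line would match. The pid appears as a
      # literal "[pid]", so the brackets are backslash-escaped (the original "/[" was
      # garbled and would not compile as intended).
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{IPORHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    date {
      # Syslog timestamps carry no year or zone; the parsed value becomes @timestamp.
      match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}
output {
  elasticsearch {
    # Unauthenticated, unencrypted HTTP to a public address; see the note in
    # elasticsearch.yml about restricting who can reach 9200.
    host => ["124.250.244.12"]
    # Joda "DD" is day-of-year; "dd" is the day of month expected for daily indices.
    # The Kibana index pattern rsyslog-* used later in this guide still matches.
    index => "rsyslog-%{+YYYY.MM.dd}"
  }
  # Every event is also echoed to stdout; when started with `nohup ... &` as in this
  # guide, that accumulates in nohup.out without bound. Remove for production use.
  stdout { codec => rubydebug }
}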
用配置文件后台启动logstash
nohup /usr/local/logstash/bin/logstash -f /etc/logstash.conf &
4.安装kibana(5601端口)
wget https://download.elastic.co/kibana/kibana/kibana-4.1.1-linux-x64.tar.gz
解压并复制到/usr/local下
tar zxvf kibana-4.1.1-linux-x64.tar.gz
mv kibana-4.1.1-linux-x64 /usr/local/kibana
修改配置文件
cd /usr/local/kibana/config/
vim kibana.yml
elasticsearch_url: "http://124.250.244.12:9200"
启动kibana
nohup /usr/local/kibana/bin/kibana &
在 Kibana 的 Settings 页面中添加索引模式 rsyslog-*