Centos7 之安装Logstash ELK stack 日志管理系统

2022-06-18 15:22:02 浏览数 (2)

一、介绍

The Elastic Stack - 它不是一个软件,而是Elasticsearch,Logstash,Kibana 开源软件的集合,对外是作为一个日志管理系统的开源方案。它可以从任何来源,任何格式进行日志搜索,分析获取数据,并实时进行展示。像盾牌(安全),监护者(警报)和Marvel(监测)一样为你的产品提供更多的可能。

Elasticsearch:搜索,提供分布式全文搜索引擎

Logstash: 日志收集,管理,存储

Kibana :日志的过滤web 展示

Filebeat:监控日志文件、转发

二、测试环境规划图

环境:ip、主机名按照如上规划,系统已经 update. 所有主机时间一致。防火墙测试环境已关闭。下面是这次elk学习的部署安装

目的:通过elk 主机收集监控主要server的系统日志、以及线上应用服务日志。

三、Elasticsearch Logstash Kibana的安装(在 elk.test.com 上进行操作)

3.1.基础环境检查

代码语言:javascript复制
[root@elk ~]# hostname
elk.test.com
[root@elk ~]# cat /etc/hosts
192.168.0.2   elk.test.com
192.168.0.3   rsyslog.test.com
192.168.0.4   nginx.test.com

3.2.软件包

代码语言:javascript复制
[root@elk ~]# cd elk/
[root@elk elk]# wget -c https://download.elastic.co/elasticsearch/release/org/elasticsearch/distribution/rpm/elasticsearch/2.3.3/elasticsearch-2.3.3.rpm
[root@elk elk]# wget -c https://download.elastic.co/logstash/logstash/packages/centos/logstash-2.3.2-1.noarch.rpm
[root@elk elk]# wget https://download.elastic.co/kibana/kibana/kibana-4.5.1-1.x86_64.rpm
[root@elk elk]# wget -c https://download.elastic.co/beats/filebeat/filebeat-1.2.3-x86_64.rpm

3.3.检查

代码语言:javascript复制
[root@elk elk]# ls
elasticsearch-2.3.3.rpm  filebeat-1.2.3-x86_64.rpm  kibana-4.5.1-1.x86_64.rpm  logstash-2.3.2-1.noarch.rpm

服务器只需要安装e、l、k, 客户端只需要安装filebeat。

3.4.安装elasticsearch,先安装jdk,elk server 需要java 开发环境支持,由于客户端上使用的是filebeat软件,它不依赖java环境,所以不需要安装。

代码语言:javascript复制
[root@elk elk]# yum install java-1.8.0-openjdk -y

安装es

代码语言:javascript复制
[root@elk elk]# yum localinstall elasticsearch-2.3.3.rpm -y

重新载入 systemd,扫描新的或有变动的单元;启动并加入开机自启动

代码语言:javascript复制
[root@elk elk]# systemctl daemon-reload
[root@elk elk]# systemctl enable elasticsearch
[root@elk elk]# systemctl start elasticsearch
[root@elk elk]# systemctl status elasticsearch

检查服务

代码语言:javascript复制
[root@elk elk]# rpm -qc elasticsearch
/etc/elasticsearch/elasticsearch.yml
/etc/elasticsearch/logging.yml
/etc/init.d/elasticsearch
/etc/sysconfig/elasticsearch
/usr/lib/sysctl.d/elasticsearch.conf
/usr/lib/systemd/system/elasticsearch.service
/usr/lib/tmpfiles.d/elasticsearch.conf
[root@elk elk]# netstat -nltp | grep java
tcp6       0      0 127.0.0.1:9200          :::*                    LISTEN      10430/java
tcp6       0      0 ::1:9200                :::*                    LISTEN      10430/java
tcp6       0      0 127.0.0.1:9300          :::*                    LISTEN      10430/java
tcp6       0      0 ::1:9300                :::*                    LISTEN      10430/java

修改防火墙,将9200、9300 端口对外开放

代码语言:javascript复制
[root@elk elk]# firewall-cmd --permanent --add-port={9200/tcp,9300/tcp}
[root@elk elk]# firewall-cmd --reload
[root@elk elk]# firewall-cmd  --list-all

或者

iptables -A INPUT -p tcp --dport 9200 -j ACCEPT
iptables -A INPUT -p tcp --dport 9300 -j ACCEPT
service iptables save
systemctl restart iptables.service

3.5 安装kibana

代码语言:javascript复制
[root@elk elk]# yum localinstall kibana-4.5.1-1.x86_64.rpm –y
[root@elk elk]# systemctl enable kibana
[root@elk elk]# systemctl start kibana
[root@elk elk]# systemctl status kibana

检查kibana服务运行(Kibana默认 进程名:node ,端口5601)

代码语言:javascript复制
[root@elk elk]# netstat -nltp|grep 5601
tcp        0      0 0.0.0.0:5601            0.0.0.0:*               LISTEN      3969/node 

修改防火墙,对外开放tcp/5601

代码语言:javascript复制
iptables -A INPUT -p tcp --dport 5601 -j ACCEPT

service iptables save
systemctl restart iptables.service

这时,我们可以打开浏览器,测试访问一下kibana服务器http://192.168.0.2:5601/,确认没有问题,如下图:

3.6 安装logstash,以及添加配置文件

代码语言:javascript复制
[root@elk elk]# yum localinstall logstash-2.3.2-1.noarch.rpm -y

生成证书

代码语言:javascript复制
[root@elk elk]# cd /etc/pki/tls/
[root@elk tls]# ls
cert.pem  certs  misc  openssl.cnf  private
[root@elk tls]# openssl req -subj '/CN=elk.test.com/' -x509 -days 3650 -batch -nodes -newkey rsa:2048 -keyout private/logstash-forwarder.key -out certs/logstash-forwarder.crt

之后创建logstash 的配置文件。如下:

代码语言:javascript复制
[root@elk ~]# cat /etc/logstash/conf.d/01-logstash-initial.conf
input {
  beats {
    port => 5000
    type => "logs"
    ssl => true
    ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
    ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
  }
}

filter {
  if [type] == "syslog-beat" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:[%{POSINT:syslog_pid}])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    geoip {
      source => "clientip"
    }
    syslog_pri {}
    date {
      match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}

output {
  elasticsearch { }
  stdout { codec => rubydebug }
}

启动logstash,并检查端口,配置文件里,我们写的是5000端口

代码语言:javascript复制
[root@elk conf.d]# systemctl start logstash
[root@elk elk]# /sbin/chkconfig logstash on
[root@elk conf.d]# netstat -ntlp |grep 5000
tcp6       0      0 :::5000                 :::*                    LISTEN      4250/java   

修改防火墙,将5000端口对外开放。

代码语言:javascript复制
iptables -A INPUT -p tcp --dport 5000 -j ACCEPT

service iptables save
systemctl restart iptables.service

3.7 修改elasticsearch 配置文件

查看目录,创建文件夹es-01(名字不是必须的),logging.yml是自带的,elasticsearch.yml是创建的文件,内如见下:

代码语言:javascript复制
[root@elk ~]# cd /etc/elasticsearch/
[root@elk ~]# mkdir es-01

[root@elk elasticsearch]# tree
.
├── es-01
│   ├── elasticsearch.yml
│   └── logging.yml
└── scripts

[root@elk elasticsearch]# cat es-01/elasticsearch.yml 
----
http:
  port: 9200
network:
  host: elk.test.com
node:
  name: elk.test.com
path:
  data: /etc/elasticsearch/data/es-01

3.8 重启elasticsearch、logstash服务。

代码语言:javascript复制
# systemctl restart elasticsearch
# systemctl restart logstash

3.9 将 fiebeat安装包拷贝到 rsyslog、nginx 客户端上

代码语言:javascript复制
[root@elk elk]# scp filebeat-1.2.3-x86_64.rpm root@rsyslog.test.com:/root/elk
[root@elk elk]# scp filebeat-1.2.3-x86_64.rpm root@nginx.test.com:/root/elk
[root@elk elk]# scp /etc/pki/tls/certs/logstash-forwarder.crt rsyslog.test.com:/root/elk
[root@elk elk]# scp /etc/pki/tls/certs/logstash-forwarder.crt nginx.test.com:/root/elk

四、客户端部署filebeat(在rsyslog、nginx客户端上操作)

filebeat客户端是一个轻量级的,从服务器上的文件收集日志资源的工具,这些日志转发到处理到Logstash服务器上。该Filebeat客户端使用安全的Beats协议与Logstash实例通信。lumberjack协议被设计为可靠性和低延迟。Filebeat使用托管源数据的计算机的计算资源,并且Beats输入插件尽量减少对Logstash的资源需求。

4.1.(node1)安装filebeat,拷贝证书,创建收集日志配置文件

代码语言:javascript复制
[root@rsyslog elk]# yum localinstall filebeat-1.2.3-x86_64.rpm -y
#拷贝证书到本机指定目录中
[root@rsyslog elk]# cp logstash-forwarder.crt /etc/pki/tls/certs/.
[root@rsyslog elk]# cd /etc/filebeat/
[root@rsyslog filebeat]# tree
.
├── conf.d
│   ├── authlogs.yml
│   └── syslogs.yml
├── filebeat.template.json
└── filebeat.yml
directory, 4 files

修改的文件有3个,filebeat.yml,是定义连接logstash 服务器的配置。conf.d目录下的2个配置文件是自定义监控日志的,下面看下各自的内容:

filebeat.yml

代码语言:javascript复制
[root@rsyslog filebeat]# cat filebeat.yml 
filebeat:
  spool_size: 1024
  idle_timeout: 5s
  registry_file: .filebeat
  config_dir: /etc/filebeat/conf.d
output:
  logstash:
    hosts:
    - elk.test.com:5000
    tls:
      certificate_authorities: ["/etc/pki/tls/certs/logstash-forwarder.crt"]
    enabled: true
shipper: {}
logging: {}
runoptions: {}

authlogs.yml & syslogs.yml

代码语言:javascript复制
[root@rsyslog filebeat]# cat conf.d/authlogs.yml 
filebeat:
  prospectors:
    - paths:
      - /var/log/secure
      encoding: plain
      fields_under_root: false
      input_type: log
      ignore_older: 24h
      document_type: syslog-beat
      scan_frequency: 10s
      harvester_buffer_size: 16384
      tail_files: false
      force_close_files: false
      backoff: 1s
      max_backoff: 1s
      backoff_factor: 2
      partial_line_waiting: 5s
      max_bytes: 10485760

[root@rsyslog filebeat]# cat conf.d/syslogs.yml                     
filebeat:
  prospectors:
    - paths:
      - /var/log/messages
      encoding: plain
      fields_under_root: false
      input_type: log
      ignore_older: 24h
      document_type: syslog-beat
      scan_frequency: 10s
      harvester_buffer_size: 16384
      tail_files: false
      force_close_files: false
      backoff: 1s
      max_backoff: 1s
      backoff_factor: 2
      partial_line_waiting: 5s
      max_bytes: 10485760

修改完成后,启动filebeat服务

代码语言:javascript复制
[root@rsyslog filebeat]# service filebeat start
Starting filebeat:                                         [  OK  ]
[root@rsyslog filebeat]# chkconfig filebeat on

systemctl enable filebeat

[root@rsyslog filebeat]# netstat -altp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name   
tcp        0      0 localhost:25151             *:*                         LISTEN      6230/python2        
tcp        0      0 *:ssh                       *:*                         LISTEN      5509/sshd           
tcp        0      0 localhost:ipp               *:*                         LISTEN      1053/cupsd          
tcp        0      0 localhost:smtp              *:*                         LISTEN      1188/master         
tcp        0      0 rsyslog.test.com:51155      elk.test.com:commplex-main  ESTABLISHED 7443/filebeat       
tcp        0     52 rsyslog.test.com:ssh        192.168.30.65:10580         ESTABLISHED 7164/sshd           
tcp        0      0 *:ssh                       *:*                         LISTEN      5509/sshd           
tcp        0      0 localhost:ipp               *:*                         LISTEN      1053/cupsd          
tcp        0      0 localhost:smtp              *:*                         LISTEN      1188/master

[root@node3 filebeat]# netstat -altp 
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN      3098/sshd           
tcp        0      0 localhost:smtp          0.0.0.0:*               LISTEN      3314/master         
tcp        0     52 rsyslog.test.com:ssh    192.168.1.251:60090     ESTABLISHED 4144/sshd: root@pts 
tcp        0      0 rsyslog.test.com:49826  elk.test.:commplex-main ESTABLISHED 4345/filebeat       
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN      3098/sshd           
tcp6       0      0 localhost:smtp          [::]:*                  LISTEN      3314/master  

如果连接不上,状态不正常的话,检查下客户端的防火墙。

4.2. (node2)安装filebeat,拷贝证书,创建收集日志配置文件

代码语言:javascript复制
[root@nginx elk]# yum localinstall filebeat-1.2.3-x86_64.rpm -y
[root@nginx elk]# cp logstash-forwarder.crt /etc/pki/tls/certs/.
[root@nginx elk]# cd /etc/filebeat/
[root@nginx filebeat]# tree
.
├── conf.d
│   ├── nginx.yml
│   └── syslogs.yml
├── filebeat.template.json
└── filebeat.yml
directory, 4 files

修改filebeat.yml 内容如下:

代码语言:javascript复制
[root@rsyslog filebeat]# cat c
filebeat:
  spool_size: 1024
  idle_timeout: 5s
  registry_file: .filebeat
  config_dir: /etc/filebeat/conf.d
output:
  logstash:
    hosts:
    - elk.test.com:5000
    tls:
      certificate_authorities: ["/etc/pki/tls/certs/logstash-forwarder.crt"]
    enabled: true
shipper: {}
logging: {}
runoptions: {}

syslogs.yml & nginx.yml

代码语言:javascript复制
[root@nginx filebeat]# cat conf.d/syslogs.yml 
filebeat:
  prospectors:
    - paths:
      - /var/log/messages
      encoding: plain
      fields_under_root: false
      input_type: log
      ignore_older: 24h
      document_type: syslog-beat
      scan_frequency: 10s
      harvester_buffer_size: 16384
      tail_files: false
      force_close_files: false
      backoff: 1s
      max_backoff: 1s
      backoff_factor: 2
      partial_line_waiting: 5s
      max_bytes: 10485760

[root@nginx filebeat]# cat conf.d/nginx.yml 
filebeat:
  prospectors:
    - paths:
      - /var/log/nginx/access.log
      encoding: plain
      fields_under_root: false
      input_type: log
      ignore_older: 24h
      document_type: syslog-beat
      scan_frequency: 10s
      harvester_buffer_size: 16384
      tail_files: false
      force_close_files: false
      backoff: 1s
      max_backoff: 1s
      backoff_factor: 2
      partial_line_waiting: 5s
      max_bytes: 10485760

修改完成后,启动filebeat服务,并检查filebeat进程

代码语言:javascript复制
[root@nginx filebeat]# systemctl restart filebeat
Starting filebeat:                                         [  OK  ]
[root@nginx filebeat]# systemctl enable filebeat

[root@nginx filebeat]# netstat -aulpt
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name   
tcp        0      0 *:ssh                       *:*                         LISTEN      1076/sshd           
tcp        0      0 localhost:smtp              *:*                         LISTEN      1155/master         
tcp        0      0 *:http                      *:*                         LISTEN      1446/nginx          
tcp        0     52 nginx.test.com:ssh          192.168.30.65:11690         ESTABLISHED 1313/sshd           
tcp        0      0 nginx.test.com:49500        elk.test.com:commplex-main  ESTABLISHED 1515/filebeat       
tcp        0      0 nginx.test.com:ssh          192.168.30.65:6215          ESTABLISHED 1196/sshd           
tcp        0      0 nginx.test.com:ssh          192.168.30.65:6216          ESTABLISHED 1200/sshd           
tcp        0      0 *:ssh                       *:*                         LISTEN      1076/sshd

通过上面可以看出,客户端filebeat进程已经和 elk 服务器连接了。下面去验证。

五、验证,访问kibana http://192.168.0.2:5601

参考: Centos7 之安装Logstash ELK stack 日志管理系统

0 人点赞