Elk 搭建记录

下载rpm安装包

wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.7.0-x86_64.rpm
wget https://artifacts.elastic.co/downloads/kibana/kibana-7.7.0-x86_64.rpm
wget https://artifacts.elastic.co/downloads/logstash/logstash-7.7.0.rpm
wget https://artifacts.elastic.co/GPG-KEY-elasticsearch
wget https://mirrors.tuna.tsinghua.edu.cn/AdoptOpenJDK/11/jdk/x64/linux/OpenJDK11U-jdk_x64_linux_hotspot_11.0.10_9.tar.gz

安装java (logstash必须是java9以上版本)

tar xvf OpenJDK11U-jdk_x64_linux_hotspot_11.0.10_9.tar.gz
mv jdk-11.0.10+9 /usr/local/java
vi /etc/profile.d/java.sh
  export JAVA_HOME=/usr/local/java
  export JRE_HOME=$JAVA_HOME/jre
  export CLASSPATH=.:$JAVA_HOME/lib:$JRE_HOME/lib
  export PATH=$JAVA_HOME/bin:$PATH
source /etc/profile.d/java.sh
java -version

安装Elasticsearch

rpm --import GPG-KEY-elasticsearch
rpm -ivh elasticsearch-7.7.0-x86_64.rpm
#修改配置文件
vim /etc/elasticsearch/elasticsearch.yml
node.name: node-1
network.host: 0.0.0.0
cluster.initial_master_nodes: ["node-1"]
#加载服务并启动
systemctl daemon-reload
systemctl enable elasticsearch
systemctl start elasticsearch
systemctl status elasticsearch

安装Kibana

rpm -ivh kibana-7.7.0-x86_64.rpm
#修改配置文件
vim /etc/kibana/kibana.yml
server.port: 5601
server.host: "0.0.0.0"
elasticsearch.hosts: ["http://localhost:9200"]
i18n.locale: "zh-CN"
#加载服务并启动
systemctl daemon-reload
systemctl enable kibana
systemctl start kibana
systemctl status kibana

安装Logstash

rpm --import GPG-KEY-elasticsearch
rpm -ivh logstash-7.7.0.rpm

Ruby语法报错,这个不影响

创建配置文件测试

vim /etc/logstash/conf.d/test_log.conf

input {
    file {
        path => ["/var/log/test.log"]
        #监听文件的起始位置，默认是end
        start_position => "beginning"
    }
 }

filter {
        grok {
                match => { "message" => "%{COMBINEDAPACHELOG}" }
        }
}

output {
        elasticsearch {
                hosts => ["127.0.0.1:9200"]
                index => "test-log"
        }
}

#测试
/usr/share/logstash/bin/logstash -t -f /etc/logstash/conf.d/test_log.conf 
#启动
/usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/*.conf &
#停止
ps -ef  | grep  logstash
kill -TERM  pid