ELK

[root@elk-1 ~]# vi /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
172.128.11.10 elk-1
172.128.11.17 elk-2
172.128.11.11 elk-3

[root@elk-1 ~]# mv /etc/yum.repos.d/* /media/
[root@elk-1 ~]# mkdir  /opt/centos-2009
[root@elk-1 ~]# vi /etc/yum.repos.d/local.repo
[centos]
name=centos
baseurl=file:///opt/centos-2009
gpgcheck=0
enabled=1
[root@elk-1 ~]# mount CentOS-7-x86_64-DVD-2009.iso  /mnt/
mount: /dev/loop0 is write-protected, mounting read-only
[root@elk-1 ~]# cp -rvf /mnt/* /opt/centos-2009
[root@elk-1 ~]# umount /mnt/
[root@elk-1 ~]# yum install -y java-1.8.0-openjdk java-1.8.0-openjdk-devel

[root@elk-1 ~]# ll
total 27332
-rw-------. 1 root root     6880 Oct 30  2020 anaconda-ks.cfg
-rw-r--r--. 1 root root 27970243 Nov 27 02:52 elasticsearch-6.
0.0.rpm
-rw-------. 1 root root     6587 Oct 30  2020 original-ks.cfg
[root@elk-1 ~]# rpm -ivh elasticsearch-6.0.0.rpm 
warning: elasticsearch-6.0.0.rpm: Header V4 RSA/SHA512 Signature, key ID d88e42b4: NOKEY
Preparing...                          ################################# [100%]
Creating elasticsearch group... OK
Creating elasticsearch user... OK
Updating / installing...
   1:elasticsearch-0:6.0.0-1          ################################# [100%]
### NOT starting on installation, please execute the following statements to configure elasticsearch service to start automatically using systemd
 sudo systemctl daemon-reload
 sudo systemctl enable elasticsearch.service
### You can start elasticsearch service by executing
 sudo systemctl start elasticsearch.service

[root@elk-1 ~]# vi /etc/elasticsearch/elasticsearch.yml
cluster.name: ELK          //取消注释，配置elasticsearch集群名称
node.name: elk-1         //配置节点名，默认随机指定一个name列表中名字，该列表在Elasticserach的jar包中config文件夹里name.txt文件中
node.master: true        //添加指定该节点是否有资格被选举成为node
node.data: false      //添加指定该节点是否有资格被选举成为node，Elasticserach是默认集群中的第一台机器为master，如果这台机挂了就会重新选举master，其他两节点为false。
network.host: 172.128.11.10    //设置绑定的ip地址，可以是ipv4或ipv6的，默认为0.0.0.0。
http.port: 9200           //启动的Elasticserach对外访问的http端口，默认9200
discovery.zen.ping.unicast.hosts: ["elk-1","elk-2","elk-3"]   //设置集群中master节点的初始列表，可以通过这些节点来自动发现新加入集群的节点。

[root@elk-2 ~]# vi /etc/elasticsearch/elasticsearch.yml
cluster.name: ELK
node.name: elk-2
node.master: false
node.data: true
network.host: 172.128.11.17
http.port: 9200
discovery.zen.ping.unicast.hosts: ["elk-1","elk-2","elk-3"]

[root@elk-3 ~]# vi /etc/elasticsearch/elasticsearch.yml
cluster.name: ELK
node.name: elk-3
node.master: false
node.data: true
network.host: 172.128.11.11
http.port: 9200
discovery.zen.ping.unicast.hosts: ["elk-1","elk-2","elk-3"]

[root@elk-1 ~]# systemctl start elasticsearch
[root@elk-1 ~]# systemctl  enable elasticsearch
[root@elk-1 ~]# ps -ef |grep elasticsearch
elastic+ 15943     1 90 07:46 ?        00:00:11 /bin/java -Xms1g -Xmx1g -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -XX:+AlwaysPreTouch -server -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/var/lib/elasticsearch -Des.path.home=/usr/share/elasticsearch -Des.path.conf=/etc/elasticsearch -cp /usr/share/elasticsearch/lib/* org.elasticsearch.bootstrap.Elasticsearch -p /var/run/elasticsearch/elasticsearch.pid --quiet
root     16023 15676  0 07:47 pts/0    00:00:00 grep --color=auto elasticsearch
[root@elk-1 ~]# netstat -ntpl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address        Foreign Address    State       PID/Program name 
tcp        0      0 0.0.0.0:22           0.0.0.0:*          LISTEN      1268/sshd         
tcp        0      0 127.0.0.1:25         0.0.0.0:*          LISTEN      1139/master       
tcp        0      0 0.0.0.0:111          0.0.0.0:*          LISTEN      565/rpcbind       
tcp6       0      0 172.128.11.10:9300   :::*               LISTEN      15943/java       
tcp6       0      0 :::22                :::*               LISTEN      1268/sshd         
tcp6       0      0 ::1:25               :::*               LISTEN      1139/master       
tcp6       0      0 :::111               :::*               LISTEN      565/rpcbind       
tcp6       0      0 172.128.11.10:9200   :::*               LISTEN      15943/java

部署Kibana

[root@elk-1 ~]# rpm -ivh kibana-6.0.0-x86_64.rpm 
warning: kibana-6.0.0-x86_64.rpm: Header V4 RSA/SHA512 Signature, key ID d88e42b4: NOKEY
Preparing...                          ################################# [100%]
Updating / installing...
   1:kibana-6.0.0-1                   ################################# [100%]

[root@elk-1 ~]# cat /etc/kibana/kibana.yml |grep -v ^#
server.port: 5601       
server.host: 172.128.11.10   
elasticsearch.url: "http://172.128.11.10:9200"

[root@elk-1 ~]# systemctl  start kibana
[root@elk-1 ~]# systemctl  enable  kibana
Created symlink from /etc/systemd/system/multi-user.target.wants/kibana.service to /etc/systemd/system/kibana.service.
[root@elk-1 ~]# ps -ef |grep kibana
kibana   16141     1  9 08:26 ?        00:00:03 /usr/share/kibana/bin/../node/bin/node --no-warnings /usr/share/kibana/bin/../src/cli -c /etc/kibana/kibana.yml
root     16192 15676  0 08:27 pts/0    00:00:00 grep --color=auto kibana
[root@elk-1 ~]# netstat  -ntpl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address        Foreign Address   State       PID/Program name   
tcp        0      0 0.0.0.0:22           0.0.0.0:*         LISTEN      1268/sshd         
tcp        0      0 127.0.0.1:25         0.0.0.0:*         LISTEN      1139/master       
tcp        0      0 172.128.11.10:5601   0.0.0.0:*         LISTEN      16141/node         
tcp        0      0 0.0.0.0:111          0.0.0.0:*         LISTEN      565/rpcbind       
tcp6       0      0 172.128.11.10:9300   :::*              LISTEN      15943/java         
tcp6       0      0 :::22                :::*              LISTEN      1268/sshd         
tcp6       0      0 ::1:25               :::*              LISTEN      1139/master       
tcp6       0      0 :::111               :::*              LISTEN      565/rpcbind       
tcp6       0      0 172.128.11.10:9200   :::*              LISTEN      15943/java 

部署Logstash

[root@elk-2 ~]# rpm -ivh logstash-6.0.0.rpm 
warning: logstash-6.0.0.rpm: Header V4 RSA/SHA512 Signature, key ID d88e42b4: NOKEY
Preparing...                          ################################# [100%]
Updating / installing...
   1:logstash-1:6.0.0-1               ################################# [100%]
Using provided startup.options file: /etc/logstash/startup.options
Successfully created system startup script for Logstash

[root@elk-2 ~]# vi /etc/logstash/logstash.yml
http.host: "XXXXXXXX"  //第二台主机IP

[root@elk-2 ~]# vi /etc/logstash/conf.d/syslog.conf
input {
    file {
        path => "/var/log/messages"
        type => "systemlog"
        start_position => "beginning"
        stat_interval => "3"
    }
}
output {
    if [type] == "systemlog" {
        elasticsearch {
            hosts => ["172.128.11.10:9200"]   
 #这里的地址为第一台主机地址
            index => "system-log-%{+YYYY.MM.dd}"
        }
    }
}

[root@elk-2 ~]# chmod  644 /var/log/messages    //给这个文件赋权限，如果不给权限，则无法读取日志
[root@elk-2 ~]# ln -s /usr/share/logstash/bin/logstash /usr/bin
[root@elk-2 ~]# logstash --path.settings /etc/logstash/ -f /etc/logstash/conf.d/syslog.conf --config.test_and_exit
Sending Logstash's logs to /var/log/logstash which is now configured via log4j2.properties
Configuration OK      //结果显示OK则证明没问题

[root@elk-2 ~]# systemctl start logstash

[root@elk-2 ~]# ps -ef |grep logstash
logstash 17891     1 99 09:06 ?        00:00:18 /bin/java -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -XX:+DisableExplicitGC -Djava.awt.headless=true -Dfile.encoding=UTF-8 -XX:+HeapDumpOnOutOfMemoryError -Xmx1g -Xms256m -Xss2048k -Djffi.boot.library.path=/usr/share/logstash/vendor/jruby/lib/jni -Xbootclasspath/a:/usr/share/logstash/vendor/jruby/lib/jruby.jar -classpath : -Djruby.home=/usr/share/logstash/vendor/jruby -Djruby.lib=/usr/share/logstash/vendor/jruby/lib -Djruby.script=jruby -Djruby.shell=/bin/sh org.jruby.Main /usr/share/logstash/lib/bootstrap/environment.rb logstash/runner.rb --path.settings /etc/logstash
root     17927 15677  0 09:06 pts/0    00:00:00 grep --color=auto logstash
[root@elk-2 ~]# netstat -lnpt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address        Foreign Address     State       PID/Program name 
tcp        0      0 0.0.0.0:22           0.0.0.0:*           LISTEN      1273/sshd       
tcp        0      0 127.0.0.1:25         0.0.0.0:*           LISTEN      1084/master     
tcp        0      0 0.0.0.0:111          0.0.0.0:*           LISTEN      580/rpcbind     
tcp6       0      0 172.128.11.17:9200   :::*                LISTEN      15918/java       
tcp6       0      0 172.128.11.17:9300   :::*                LISTEN      15918/java       
tcp6       0      0 :::22                :::*                LISTEN      1273/sshd       
tcp6       0      0 ::1:25               :::*                LISTEN      1084/master     
tcp6       0      0 :::111               :::*                LISTEN      580/rpcbind 

[root@elk-2 ~]# ll /var/lib/logstash/
total 0
drwxr-xr-x. 2 root root 6 Feb 10 09:00 dead_letter_queue
drwxr-xr-x. 2 root root 6 Feb 10 09:00 queue
[root@elk-2 ~]# chown -R logstash /var/lib/logstash/
[root@elk-2 ~]# ll /var/lib/logstash/
total 0
drwxr-xr-x. 2 logstash root 6 Feb 10 09:00 dead_letter_queue
drwxr-xr-x. 2 logstash root 6 Feb 10 09:00 queue
[root@elk-2 ~]# systemctl restart logstash
[root@elk-2 ~]# netstat -lnpt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address        Foreign Address    State       PID/Program nam   
tcp        0      0 0.0.0.0:22           0.0.0.0:*          LISTEN      1273/sshd         
tcp        0      0 127.0.0.1:25         0.0.0.0:*          LISTEN      1084/master       
tcp        0      0 0.0.0.0:111          0.0.0.0:*          LISTEN      580/rpcbind       
tcp6       0      0 172.128.11.17:9200   :::*               LISTEN      15918/java       
tcp6       0      0 172.128.11.17:9300   :::*               LISTEN      15918/java       
tcp6       0      0 :::22                :::*               LISTEN      1273/sshd         
tcp6       0      0 ::1:25               :::*               LISTEN      1084/master       
tcp6       0      0 172.128.11.17:9600   :::*               LISTEN      18724/java       
tcp6       0      0 :::111               :::*               LISTEN      580/rpcbind

启动完毕后，让syslog产生日志，用第三台主机登录elk-2机器，登录后退出。

 [root@elk-3 ~]# ssh elk-2
 The authenticity of host 'elk-2 (172.128.11.17)' can't be established.
 ECDSA key fingerprint is SHA256:nJT1L6Cz5MvNxC/ib2Rk+WN6Q/a3E3yi/67VwVOjt5k.
 ECDSA key fingerprint is MD5:10:0c:b0:88:e6:03:76:cb:53:0b:ea:97:5e:b7:8f:10.
 Are you sure you want to continue connecting (yes/no)? yes
 Warning: Permanently added 'elk-2,172.128.11.17' (ECDSA) to the list of known hosts.
 root@elk-2's password:  //输入密码Abc@1234
 Last login: Thu Feb 10 01:34:28 2022 from 192.168.0.112
 [root@elk-2 ~]# 
 [root@elk-2 ~]# logout
 Connection to elk-2 closed.

[root@elk-1 ~]# curl '172.128.11.17:9200/_cat/indices?v'
health status index                 uuid                   pri rep docs.count docs.deleted store.size pri.store.size
green  open   system-log-2022.02.10 E6kpwHcdRmy8iO42S3zlTg   5   1      20933            0      7.9mb          3.9mb
green  open   .kibana               OdfKD6JFTx-pPwfJNZtpLA   1   1          1            0      7.3kb          3.6kb

（2）Web页面配置

浏览器访问172.128.11.10:5601，到kibana上配置，索引的目录为:system-log-2022.02.10，修改完成后点击“Create”按钮