Environment: set the related kernel parameter and install the Java package.
[root@gz3_elk_001 /]# cat /etc/redhat-release
CentOS Linux release 7.7.1908 (Core)
[root@gz3_elk_001 /]# yum -y install java
[root@gz3_elk_001 /]# echo "vm.max_map_count=262144" >> /etc/sysctl.conf
[root@gz3_elk_001 /]# sysctl -p
Packages are used here for convenience, so that no service start-up script has to be written by hand; with a source installation you would instead set the service up under the corresponding directory and user.
Download the packages:
[root@gz3_elk_001 /]# cd /usr/local/src
[root@gz3_elk_001 /]# wget https://artifacts.elastic.co/downloads/kibana/kibana-7.4.2-x86_64.rpm
[root@gz3_elk_001 /]# wget https://artifacts.elastic.co/downloads/logstash/logstash-7.4.2.rpm
[root@gz3_elk_001 /]# wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.4.2-x86_64.rpm
Install the packages and enable the services at boot
[root@gz3_elk_001 /]# cd /usr/local/src
[root@gz3_elk_001 /]# rpm -ivh elasticsearch-7.4.2-x86_64.rpm
[root@gz3_elk_001 /]# yum -y install logstash-7.4.2.rpm
[root@gz3_elk_001 /]# rpm -ivh kibana-7.4.2-x86_64.rpm
[root@gz3_elk_001 /]# systemctl enable elasticsearch.service kibana.service logstash.service
First, configure Elasticsearch
Generate the transport certificate and key
[root@gz3_elk_001 /]# cd /usr/share/elasticsearch/bin/
[root@gz3_elk_001 /]# ./elasticsearch-certutil cert -out /etc/elasticsearch/elastic-certificates.p12 -pass ""
Pitfall: the certificate file is created as root, so its ownership must be changed. Since it was generated with an empty password (-pass ""), file ownership and permissions are its only protection.
[root@gz3_elk_001 /]# chown elasticsearch:elasticsearch /etc/elasticsearch/elastic-certificates.p12
Change the configuration (back up elasticsearch.yml first; note that the cp below is run before the cd into /etc/elasticsearch, so do the cd first or use absolute paths).
[root@gz3_elk_001 /]# cp elasticsearch.yml elasticsearch.ymlback
[root@gz3_elk_001 /]# cd /etc/elasticsearch
[root@gz3_elk_001 /]# cat elasticsearch.yml|grep -v "#"
cluster.name: elk
node.name: node-1
node.master: true
node.data: true
path.data: /data/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 192.168.3.44
http.port: 9200
discovery.seed_hosts: ["192.168.3.44"]
cluster.initial_master_nodes: ["192.168.3.44"]
Another pitfall: the data directory must be owned by the elasticsearch user
[root@gz3_elk_001 /]# chown elasticsearch:elasticsearch /data/elasticsearch
Test startup
[root@gz3_elk_001 /]# systemctl restart elasticsearch.service
[root@gz3_elk_001 /]# systemctl status elasticsearch.service
If startup fails, check the logs under /var/log/elasticsearch/.
Security matters, so enable X-Pack security: edit elasticsearch.yml to turn it on. The settings below enable authentication and TLS on the transport (node-to-node) layer only; the HTTP layer stays plain http:// in this setup, so the Kibana and Logstash credentials travel unencrypted unless HTTP TLS is enabled as well.
[root@gz3_elk_001 /]# cat /etc/elasticsearch/elasticsearch.yml|grep -v "#"
cluster.name: elk
node.name: node-1
node.master: true
node.data: true
path.data: /data/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 192.168.3.44
http.port: 9200
discovery.seed_hosts: ["192.168.3.44"]
cluster.initial_master_nodes: ["192.168.3.44"]
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/elastic-certificates.p12
Restart with `systemctl restart elasticsearch.service`, then generate the passwords for the built-in users
[root@gz3_elk_001 /]# cd /usr/share/elasticsearch/bin/
[root@gz3_elk_001 /]# ./elasticsearch-setup-passwords auto
Changed password for user apm_system
PASSWORD apm_system = hyyhuxxx
Changed password for user kibana
PASSWORD kibana = HbwFY0xxx
Changed password for user logstash_system
PASSWORD logstash_system = nvrxxx
Changed password for user beats_system
PASSWORD beats_system = VvAhnxxx
Changed password for user remote_monitoring_user
PASSWORD remote_monitoring_user = yGNFRTxxx
Changed password for user elastic
PASSWORD elastic = czF01xx
Keep the passwords above; they are needed later.
Second, configure Kibana
[root@gz3_elk_001 /]# cd /etc/kibana/
[root@gz3_elk_001 /]# cp kibana.yml kibana.ymlback
[root@gz3_elk_001 /]# cat kibana.yml |grep -v "#"|grep -v "^$"
server.port: 5601
server.host: "192.168.3.44"
elasticsearch.hosts: ["http://192.168.3.44:9200"]
elasticsearch.username: "kibana"
elasticsearch.password: "kOHyFxxxx"
i18n.locale: "zh-CN"
i18n.locale: "zh-CN" switches the interface to Chinese, which many users find friendlier. Note that kibana.yml now holds the kibana user's password in clear text, so keep the file's read permissions restricted.
Third, configure Logstash
[root@gz3_elk_001 /]# cd /etc/logstash/
[root@gz3_elk_001 /]# cp logstash.yml logstash.ymlback
[root@gz3_elk_001 /]# cd /etc/logstash/conf.d
cat nginx_access.conf
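# Logstash pipeline: receive nginx access logs from Beats on port 5044,
# parse each line with grok, and index the events into Elasticsearch as
# nginx-access-YYYY.MM.dd.
input {
  beats {
    type => "nginx_access"
    port => 5044
  }
}
filter {
  if [type] == "nginx_access" {
    grok {
      # Assumes a custom nginx log_format: the combined format followed by a
      # trailing quoted X-Forwarded-For field — confirm against nginx.conf.
      match => { "message" => "%{IP:remote_ip} - %{DATA:user_name} \[%{HTTPDATE:time}\] \"%{WORD:method} %{DATA:url} HTTP/%{NUMBER:http_version:float}\" %{NUMBER:response_code:int} %{NUMBER:body_sent:int} \"%{DATA:referrer}\" \"%{DATA:agent}\" \"%{DATA:x_forwarded_for}\"" }
      # Drop the raw line once it has been parsed (only happens on a grok match).
      remove_field => "message"
    }
    date {
      # HTTPDATE looks like 27/Nov/2019:14:59:29 +0800, so the parse pattern
      # must be the Apache/nginx form. The earlier "yyyy-MM-dd HH:mm:ss,SSS"
      # never matched, which tags events _dateparsefailure and leaves
      # @timestamp at the time the event was received rather than logged.
      match => ["time", "dd/MMM/yyyy:HH:mm:ss Z"]
      target => "@timestamp"
    }
  }
}
output {
  if [type] == "nginx_access" {
    elasticsearch {
      hosts => ["http://192.168.3.44:9200"]
      index => "nginx-access-%{+YYYY.MM.dd}"
      # The elastic superuser is used here. A dedicated user with write
      # privileges on nginx-access-* would be the least-privilege choice, and
      # the password could live in the Logstash keystore instead of this file.
      # As written, the pipeline file holds the password in clear text, so
      # keep its read permissions restricted.
      user => "elastic"
      password => "czF01xx"
    }
  }
}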
The logstash_system account was tried here first, but indexing did not succeed: that built-in user is meant for Logstash's own monitoring data, not for writing indices.
The elastic superuser works because it has every privilege; a dedicated user with write privileges on the nginx-access-* indices would be the least-privilege option.
Verify that the configuration is correct
[root@gz3_elk_001 /]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/nginx_access.conf -t
Thread.exclusive is deprecated, use Thread::Mutex
WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults
Could not find log4j2 configuration at path /usr/share/logstash/config/log4j2.properties. Using default config which logs errors to the console
[WARN ] 2019-11-27 14:59:29.515 [LogStash::Runner] multilocal - Ignoring the 'pipelines.yml' file because modules or command line options are specified
[INFO ] 2019-11-27 14:59:31.841 [LogStash::Runner] Reflections - Reflections took 56 ms to scan 1 urls, producing 20 keys and 40 values
Configuration OK
[INFO ] 2019-11-27 14:59:32.487 [LogStash::Runner] runner - Using config.test_and_exit mode. Config Validation Result: OK. Exiting Logstash
The line "Configuration OK" confirms that the pipeline configuration is valid.
[root@gz3_elk_001 /]# systemctl status logstash.service
● logstash.service - logstash
Loaded: loaded (/etc/systemd/system/logstash.service; enabled; vendor preset: disabled)
Active: active (running) since 三 2019-11-27 16:12:15 CST; 2min 11s ago
With the server side configured, you can now log in to Kibana using the elastic account and its password.