ELK collecting network device logs

ELK versions: elasticsearch-5.2.2, kibana-5.2.2, logstash-2.4.1, plus the default plugins.

Deployment environment: a single server, not configured as a cluster.

One, download from the official site: https://www.elastic.co/downloads

Two, Elasticsearch installation

1. ELK needs a JDK, so if none is installed, first install JDK 1.8 or later

[root@ELK-1 ~]# rpm -ivh jdk-8u121-linux-x64.rpm

2. Download and install Elasticsearch

[root@ELK-1 ~]# rpm -ivh elasticsearch-5.2.2.rpm

3. Edit the configuration file; the main items to change are the following

[root@ELK-1 ~]# vi /etc/elasticsearch/elasticsearch.yml

path.data: /data/elasticsearch              # data storage directory
path.logs: /data/elasticsearch/log          # elasticsearch log path
network.host: 10.10.10.1                    # the host IP to bind
http.port: 9200                             # REST API port
bootstrap.memory_lock: false                # do not lock memory
bootstrap.system_call_filter: false         # not in the default file, must be added by hand

4. Create the configured folders before starting

[root@ELK-1 ~]# mkdir -pv /data/elasticsearch/log

5. Change the owner of the folders

[root@ELK-1 ~]# grep elasticsearch /etc/passwd        # the elasticsearch user is created automatically at installation
[root@ELK-1 ~]# chown -R elasticsearch /data/         # elasticsearch must be started as this user, otherwise it errors

6. Modify the kernel and user-limit parameters, otherwise startup will error

[root@ELK-1 ~]# vim /etc/security/limits.conf         # append the following lines at the end of the file:
# the domain column "*" (all users) is assumed here; it did not survive the original post's formatting
* soft core unlimited
* hard core unlimited
* soft nofile 65536
* hard nofile 131072
* soft nproc 2048
* hard nproc 4096

[root@ELK-1 ~]# vim /etc/sysctl.conf                  # add the following at the bottom:
vm.max_map_count=655360

[root@ELK-1 ~]# vi /etc/security/limits.d/90-nproc.conf
Find the following line:

* soft nproc 1024
and change it to
* soft nproc 2048

[root@ELK-1 ~]# sysctl -p

7. Start elasticsearch

[root@ELK-1 ~]# service elasticsearch start

Three, Kibana installation

1. Download and install Kibana

[root@ELK-1 ~]# rpm -ivh kibana-5.2.2-x86_64.rpm

2. Edit the configuration file; the main changes are as follows

[root@ELK-1 ~]# vi /opt/kibana/config/kibana.yml

server.port: 5601
server.host: "10.10.10.10"
elasticsearch.url: "http://10.10.10.10:9200"
kibana.index: ".kibana"

3. Start it and check whether the installation succeeded

[root@ELK-1 ~]# service kibana start

[root@ELK-1 ~]# netstat -ntlp | grep 5601             # check whether port 5601 is listening
Without X-Pack, neither Elasticsearch 5.2 nor Kibana 5.2 enforces authentication, so restrict access to ports 9200 and 5601 to the management network with the host firewall.

Four, Logstash installation

1. Download and install Logstash

[root@ELK-1 ~]# rpm -ivh logstash-2.4.1.noarch.rpm
# Default installation location: /opt/logstash

2. Create the configuration file
# Configuration file location: /etc/logstash/conf.d

The logstash syslog configuration is as follows:

[root@ELK-1 ~]# cd /etc/logstash/conf.d

[root@ELK-1 ~]# vi syslog.conf
Add the following:
input {
  syslog {
    port => "514"
  }
}
output {
  elasticsearch {
    hosts => ["10.10.10.10:9200"]
    index => "logstash_syslog-%{+YYYY.MM.dd}"
  }
}

3. Start logstash

[root@ELK-1 ~]# service rsyslog stop                  # stop the system's own syslog service first, otherwise it occupies port 514

[root@ELK-1 ~]# nohup /opt/logstash/bin/logstash -f syslog.conf &
# "&" puts the process in the background; the syslog input listens on TCP and UDP 514, and binding a port below 1024 needs root.
# The input accepts unauthenticated messages, so allow only the network devices' addresses to reach 514 through the firewall.

# Finally, under Management in Kibana add an index pattern logstash_syslog-* and the data can be used
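As an added illustration (not code from the original post), the following Python decodes a constructed RFC 3164 line the way the Logstash syslog input above does (PRI into facility/severity, then host, program, pid and message) and derives the daily index name the elasticsearch output writes to. The sample line, the assumed year 2017 and UTC are constructed assumptions; the label tables follow the plugin's defaults.

```python
import re
from datetime import datetime, timezone

# Label tables in the order the Logstash syslog input uses for facility_label / severity_label
FACILITY_LABELS = [
    "kernel", "user-level", "mail", "system", "security/authorization", "syslogd",
    "line printer", "network news", "UUCP", "clock", "security/authorization", "FTP",
    "NTP", "log audit", "log alert", "clock", "local0", "local1", "local2", "local3",
    "local4", "local5", "local6", "local7",
]
SEVERITY_LABELS = ["Emergency", "Alert", "Critical", "Error", "Warning", "Notice",
                   "Informational", "Debug"]

# <PRI>TIMESTAMP HOST PROGRAM[PID]: MESSAGE   (RFC 3164 framing, as most network devices send it)
_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$"
)

def parse_syslog(line, year=2017):
    """Return the fields the syslog input would add for one RFC 3164 line."""
    m = _SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not an RFC 3164 syslog line: %r" % line)
    pri = int(m["pri"])
    if pri > 191:                                   # 23 facilities * 8 + 7 is the maximum PRI
        raise ValueError("PRI out of range: %d" % pri)
    facility, severity = divmod(pri, 8)             # PRI = facility * 8 + severity
    # RFC 3164 timestamps carry no year and no zone: assume the given year and UTC
    ts = datetime.strptime("%d %s" % (year, m["ts"]), "%Y %b %d %H:%M:%S")
    ts = ts.replace(tzinfo=timezone.utc)
    return {
        "priority": pri,
        "facility": facility, "facility_label": FACILITY_LABELS[facility],
        "severity": severity, "severity_label": SEVERITY_LABELS[severity],
        "timestamp": ts, "logsource": m["host"], "program": m["prog"],
        "pid": int(m["pid"]) if m["pid"] else None, "message": m["msg"],
    }

def index_name(ts, prefix="logstash_syslog-"):
    """Index the output above writes to: %{+YYYY.MM.dd} is the event's UTC date."""
    return prefix + ts.astimezone(timezone.utc).strftime("%Y.%m.%d")

# Constructed sample line (not captured from a real device): facility 4 (auth), severity 6 (info)
SAMPLE = "<38>Mar 15 14:05:09 core-sw01 sshd[1042]: Failed password for admin from 10.10.10.77 port 51822 ssh2"

if __name__ == "__main__":
    ev = parse_syslog(SAMPLE)
    print(ev["facility_label"], ev["severity_label"], ev["logsource"], ev["program"], ev["pid"])
    print(index_name(ev["timestamp"]))              # logstash_syslog-2017.03.15
```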

Five, Kibana web management interface configuration

1. Open http://10.10.10.10:5601/

2. Start using it


Origin: www.cnblogs.com/vincent-liang/p/12244392.html