ELK
Posted 芒果牛奶
[client]
# Client side (every host that ships logs): edit the forwarder config. Keep a copy of the
# distro file first so the change can be rolled back (cp -a /etc/rsyslog.conf{,.orig}).
vi /etc/rsyslog.conf
<code>
# rsyslog configuration file managed by ansible
#### MODULES ####
# Local sources: the /dev/log socket, the systemd journal and kernel messages.
$ModLoad imuxsock
$ModLoad imjournal
$ModLoad imklog
#### GLOBAL DIRECTIVES ####
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat # Use default timestamp format
$WorkDirectory /var/lib/rsyslog # Where to place auxiliary files
$IncludeConfig /etc/rsyslog.d/*.conf # Include all config files in /etc/rsyslog.d/
# Same limit as on the collector, so long lines are truncated consistently on both ends.
$MaxMessageSize 128k
# Local messages arrive through imjournal; do not read the /dev/log socket as well.
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
#### RULES ####
# ### begin forwarding rule ###
# Disk-assisted queue so messages survive collector outages and restarts.  The
# $ActionQueue* settings apply to the next action defined, i.e. the '*.*' rule below.
$ActionQueueFileName fwdRule1 # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList # run asynchronously
$ActionResumeRetryCount -1 # infinite retries if host is down
# Forward everything to the collector ('@@' = TCP; a single '@' would be UDP).
# NOTE(review): this is cleartext TCP -- the authpriv/secure lines included in '*.*'
# cross the network readable and spoofable. TLS (omfwd with StreamDriver gtls and
# client certificates) is the fix; until then keep the collector's firewall rule and
# sender ACL scoped to 10.1.0.0/16.
*.* @@10.1.100.12:514
# ### end of the forwarding rule ###
</code>
# Restart the forwarder; 'status' should show it active with no connection errors
# (the disk-assisted queue buffers locally if the collector is not up yet).
systemctl restart rsyslog
systemctl status rsyslog
[server]
==rsyslog==
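# Directory the dynafile templates write into (rsyslog creates the per-day/per-host
# subdirectories itself).  It will hold the authpriv/secure logs of every client, so do
# not leave it world-readable (mkdir with the default umask would give 0755).
mkdir -p /var/log/LOGS
chmod 0750 /var/log/LOGS
# Allow 514/tcp only from the client subnet.  The rich rule must reach firewall-cmd as ONE
# argument: single-quote the whole rule and double-quote the values inside it (the
# original had stray backslashes before the single quotes, which split the rule into
# several words and made the command fail).
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.1.0.0/16" port port="514" protocol="tcp" accept'
# --permanent only writes the saved config; reload to make the rule active now.
firewall-cmd --reload
vi /etc/rsyslog.conf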
<code>
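# --- Central collector: receives from the clients and writes one file tree per host ---
# Must precede the input modules; longer messages are truncated.
$MaxMessageSize 128k
$ModLoad imuxsock.so
$ModLoad imklog.so
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# This host only collects; do not rate-limit its own local socket.
$SystemLogRateLimitInterval 0
$SystemLogRateLimitBurst 0
# Plain-TCP listener on 514/tcp.  Restrict senders inside rsyslog as well as in the
# firewall (the ACL has to be set before the listener is started) so a firewall mistake
# does not turn this host into an open log sink.
# NOTE(review): the transport is cleartext -- every client's authpriv/secure data crosses
# the network readable and spoofable; plan a move to imtcp with StreamDriver gtls and
# client certificates.
$ModLoad imtcp
$AllowedSender TCP, 127.0.0.1, 10.1.0.0/16
$InputTCPServerRun 514
# Site-specific noise: discard these lines before they reach the dynafiles.
:msg,contains,"GET /daemon.php?tableid" ~
:rawmsg,contains,"ASKMQ-WORKER 29" ~
# Standard System Services
# Dynamic file names.  %HOSTNAME% is taken from the remote message header, i.e. it is
# chosen by the sender.  'secpath-replace' rewrites any '/' in it to '_', so a hostile
# sender cannot steer the write outside its own host directory (the worst remaining
# value, a bare '..', still resolves below /var/log/LOGS).  Real hostnames never contain
# '/', so output for well-behaved clients is unchanged.
$template DYNmessages,"/var/log/LOGS/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME:::secpath-replace%/messages"
$template DYNsecure,"/var/log/LOGS/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME:::secpath-replace%/secure"
$template DYNmaillog,"/var/log/LOGS/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME:::secpath-replace%/maillog"
$template DYNcron,"/var/log/LOGS/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME:::secpath-replace%/cron"
$template DYNspooler,"/var/log/LOGS/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME:::secpath-replace%/spooler"
$template DYNboot,"/var/log/LOGS/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME:::secpath-replace%/boot.log"
$template DYNiptables,"/var/log/LOGS/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME:::secpath-replace%/iptables.log"
$template DYNaudit,"/var/log/LOGS/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME:::secpath-replace%/audit.log"
$template DYNapache-access,"/var/log/LOGS/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME:::secpath-replace%/apache-access.log"
$template DYNapache-error,"/var/log/LOGS/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME:::secpath-replace%/apache-error.log"
# Route by program, then by facility.  '&~' discards the message after the preceding
# action so it does not also land in 'messages'.  (The original lines carried stray
# backslashes before the quotes, which rsyslog does not accept.)
if $programname == 'apache-access' then ?DYNapache-access
&~
if $programname == 'apache-error' then ?DYNapache-error
&~
if $programname == 'audispd' then ?DYNaudit
&~
if $msg contains 'iptables:' then ?DYNiptables
&~
# Everything of severity info or higher that is not mail/authpriv/cron.
if $syslogseverity <= '6' and ( $syslogfacility-text != 'mail' and $syslogfacility-text != 'authpriv' and $syslogfacility-text != 'cron') then ?DYNmessages
if $syslogfacility-text == 'authpriv' then ?DYNsecure
# '-' = no fsync after each write; acceptable for mail volume.
if $syslogfacility-text == 'mail' then -?DYNmaillog
if $syslogfacility-text == 'cron' then ?DYNcron
if ( $syslogfacility-text == 'uucp' or $syslogfacility-text == 'news' ) and $syslogseverity-text == 'crit' then ?DYNspooler
if $syslogfacility-text == 'local7' then ?DYNboot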
</code>
# Syntax-check first (rsyslogd -N1): a bad rule here stops the collector while every
# client keeps queuing to it.
systemctl restart rsyslog
systemctl status rsyslog
# Per-host trees appear as /var/log/LOGS/<year>/<month>/<day>/<host>/ once messages arrive.
ll /var/log/LOGS
==logstash==
参考文档
https://www.elastic.co/cn/downloads/logstash
# Trust Elastic's package-signing key before adding the repo, so gpgcheck=1 can be enforced.
rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
vi /etc/yum.repos.d/logstash.repo
<code>
[logstash-7.x]
name=Elastic repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
# Keep signature verification on; the key was imported with 'rpm --import' above and
# yum can re-fetch it from gpgkey= if needed.
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
# autorefresh/type appear to be zypper-only keys (Elastic's shared repo snippet); yum ignores them.
autorefresh=1
type=rpm-md
</code>
# Installs Logstash together with its packaged systemd unit, which runs it as its own
# unprivileged account.
yum install logstash
# Prefer 'systemctl edit logstash' (an override drop-in) over editing the packaged unit:
# direct edits are silently lost on the next package upgrade, and 'systemctl edit'
# also runs daemon-reload for you.
vi /etc/systemd/system/logstash.service
<code>
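# Keep Logstash on the unprivileged account the package created.  The original step
# switched User/Group to root so the pipeline could read rsyslog's root-owned dynafiles
# under /var/log/LOGS; that hands root to every pipeline plugin and to any bug a hostile
# log line can trigger.  Give the data to a group instead: on the collector, add to
# /etc/rsyslog.conf (ahead of the $template lines, once the logstash group exists)
#   $DirGroup logstash
#   $DirCreateMode 0750
#   $FileGroup logstash
#   $FileCreateMode 0640
# then run  chgrp -R logstash /var/log/LOGS && chmod -R g+rX,o-rwx /var/log/LOGS
# and restart rsyslog.  If the unit must be changed at all, do it via 'systemctl edit logstash'.
User=logstash
Group=logstash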
</code>
# Logstash JVM heap settings.
vi /etc/logstash/jvm.options
<code>
# Xms represents the initial size of total heap space
# Xmx represents the maximum size of total heap space
# NOTE(review): Xms != Xmx lets the heap grow and shrink at runtime; Elastic's guidance
# is to set both equal (as the Elasticsearch settings below do) and size them to the host.
-Xms8g
-Xmx24g
</code>
# Logstash reads /etc/logstash/conf.d/*.conf at start-up, and the two pipeline files are
# only written below -- so at this point it has no pipeline.  After creating or changing
# them, test the config ( /usr/share/logstash/bin/logstash --path.settings /etc/logstash -t )
# and then run  systemctl restart logstash ; this page never restarts it otherwise.
systemctl start logstash
systemctl status logstash
vi /etc/logstash/conf.d/apache.conf
<code>
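input {
  # rsyslog dynafiles; '**' descends the YEAR/MONTH/DAY/HOSTNAME tree.
  file {
    type => "syslog"
    path => [
      "/var/log/LOGS/**/cron",
      "/var/log/LOGS/**/messages",
      "/var/log/LOGS/**/secure"
    ]
    start_position => "beginning"
    exclude => ["*.gz"]
  }
  file {
    type => "apache-access"
    path => [ "/var/log/LOGS/**/apache-access.log" ]
    start_position => "beginning"
    exclude => ["*.gz"]
  }
  file {
    type => "apache-error"
    path => [ "/var/log/LOGS/**/apache-error.log" ]
    start_position => "beginning"
    exclude => ["*.gz"]
  }
}
filter {
  if [type] == "apache-access" {
    # Syslog envelope, then the Apache combined line with the X-Forwarded-For header
    # and the load-balancer address in front of it.
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP} %{SYSLOGHOST:webserver} %{SYSLOGPROG}: %{HOSTNAME:host} \\"%{GREEDYDATA:X-Forwarded-For}\\" %{IPORHOST:HA_IP} \\[%{HTTPDATE:timestamp}\\] \\"(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})\\" %{NUMBER:response:int} (?:%{NUMBER:bytes:int}|-) \\"%{GREEDYDATA:referrer}\\" \\"%{GREEDYDATA:agent}\\""}
    }
    # Requests that did not come through the proxy carry "-" and are not kept.
    if [X-Forwarded-For] == "-" {
      drop {}
    }
    # Only discard the raw line once grok has actually parsed it.  The original removed
    # 'message' unconditionally, so a parse failure left an event with nothing to debug
    # the pattern from.
    if "_grokparsefailure" not in [tags] {
      mutate {
        remove_field => [ "message" ]
      }
    }
    mutate {
      split => { "X-Forwarded-For" => ", " }
    }
    # geoip takes the first array element, i.e. the left-most X-Forwarded-For address --
    # the one the client itself supplies -- so treat the resulting location as untrusted.
    geoip {
      source => "X-Forwarded-For"
    }
    # Month names are English; pin the locale so parsing does not depend on the host's LANG.
    date {
      match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
      locale => "en"
      remove_field => ["timestamp"]
    }
  }
  if [type] == "apache-error" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP} %{SYSLOGHOST:hostname} %{DATA}: \\[%{HTTPDERROR_DATE:timestamp}\\] \\[%{LOGLEVEL:loglevel}\\] (?:\\[client %{IPORHOST:clientip}\\] ){0,1}%{GREEDYDATA:error_message}"
      }
    }
    # HTTPDERROR_DATE looks like 'Wed Oct 11 14:32:52.123456 2000' (Apache 2.4 adds the
    # microseconds).  The original used the access-log format here, which can never
    # match, so every error event got _dateparsefailure and @timestamp = ingest time.
    date {
      match => [ "timestamp", "EEE MMM dd HH:mm:ss.SSSSSS yyyy", "EEE MMM dd HH:mm:ss yyyy" ]
      locale => "en"
    }
    # Align the field name with the access-log events.
    mutate {
      rename => ["hostname", "host"]
    }
  }
}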
</code>
# Second pipeline file.  With the default pipelines.yml every conf.d/*.conf is
# concatenated into one pipeline, so this output applies to all three inputs above.
vi /etc/logstash/conf.d/output.conf
<code>
output {
# Local Elasticsearch, no credentials: 7.10 runs with security disabled unless
# xpack.security is turned on, so keep 9200 on loopback -- nothing else stops another
# host from reading or deleting these indices.
elasticsearch {
hosts => ["127.0.0.1:9200"]
# One index per type and day, e.g. logstash-apache-access-2020.11.10.
index => "logstash-%{type}-%{+YYYY.MM.dd}"
# Re-push the bundled index template on every start (overwrites manual template edits).
template_overwrite => true
}
}
</code>
===elasticsearch===
参考: https://www.elastic.co/cn/downloads/elasticsearch
# Same Elastic signing key as before (re-importing is harmless); separate repo file for Elasticsearch.
rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
vi /etc/yum.repos.d/elasticsearch.repo
<code>
[elasticsearch]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
# Disabled by default: installs use --enablerepo=elasticsearch explicitly, so a routine
# 'yum update' cannot bump the Elasticsearch version behind your back.
enabled=0
autorefresh=1
type=rpm-md
</code>
# The repo is enabled=0, so it has to be switched on for this one install.
yum install --enablerepo=elasticsearch elasticsearch
vi /etc/elasticsearch/elasticsearch.yml
<code>
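cluster.name: gwj-elk
node.name: gwj-log
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
# Lock the heap in RAM; needs the memlock limits from limits.conf and the systemd drop-in.
bootstrap.memory_lock: true
# Bind to loopback only.  Logstash (output.conf -> 127.0.0.1:9200) and Kibana run on this
# host, and Elasticsearch 7.10 ships with security disabled: the original 0.0.0.0 exposed
# every index -- the clients' 'secure' logs included -- to anyone who could reach
# 10.1.100.12:9200, read/write, no password asked.  If remote access is really needed,
# enable xpack.security and TLS first, then widen this to the LAN address.
network.host: 127.0.0.1
http.port: 9200
cluster.initial_master_nodes: ["gwj-log"]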
</code>
# Elasticsearch JVM heap settings.
vi /etc/elasticsearch/jvm.options
<code>
# Xms represents the initial size of total heap space
# Xmx represents the maximum size of total heap space
# Equal Xms/Xmx, per Elastic's guidance, so the locked heap never has to resize.
-Xms4g
-Xmx4g
</code>
# PAM limits for the elasticsearch account (memlock is needed for bootstrap.memory_lock).
vi /etc/security/limits.conf
<code>
# Let the elasticsearch user lock the whole heap in RAM (bootstrap.memory_lock: true).
# These PAM limits do not apply to the systemd-started service, which gets the same
# through LimitMEMLOCK in its override below.
elasticsearch soft memlock unlimited
elasticsearch hard memlock unlimited
</code>
# Writes /etc/systemd/system/elasticsearch.service.d/override.conf and reloads systemd.
systemctl edit elasticsearch
<code>
[Service]
# systemd services do not read /etc/security/limits.conf; raise the memlock limit here
# so bootstrap.memory_lock: true can succeed.
LimitMEMLOCK=infinity
</code>
systemctl restart elasticsearch
systemctl status elasticsearch
# Check what 9200 is bound to; it should be the loopback address (or only the interfaces you intend).
netstat -tln
# No credentials are asked for: security is off unless xpack.security is enabled.
curl http://localhost:9200
<code>
{
"name" : "gwj-log",
"cluster_name" : "gwj-elk",
"cluster_uuid" : "8KPET2yDSCaQwfwncWSTQQ",
"version" : {
"number" : "7.10.0",
"build_flavor" : "default",
"build_type" : "rpm",
"build_hash" : "51e9d6f22758d0374a0f3f5c6e8f3a7997850f96",
"build_date" : "2020-11-09T21:30:33.964949Z",
"build_snapshot" : false,
"lucene_version" : "8.7.0",
"minimum_wire_compatibility_version" : "6.8.0",
"minimum_index_compatibility_version" : "6.0.0-beta1"
},
"tagline" : "You Know, for Search"
}
</code>
查看是否生成索引
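# Check that the logstash-* indices are being created.  Run this on the Elasticsearch
# host and query over loopback: the API is unauthenticated, so do not rely on it being
# reachable (or expose it) on the LAN address.
ls -lh /var/lib/elasticsearch/nodes/0/indices/
curl -s 'http://localhost:9200/_cat/indices?v'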
===kibana===
参考: https://www.elastic.co/guide/en/kibana/current/install.html
# Key already imported above; repeating is harmless.
rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
# Hand-written unit, created BEFORE 'yum install kibana'; compare it with whatever the
# package installs so the two do not silently diverge.
vi /etc/systemd/system/kibana.service
<code>
[Unit]
Description=Kibana
[Service]
Type=simple
# Unprivileged account; do not change this to root.
User=kibana
Group=kibana
# Load env vars from /etc/default/ and /etc/sysconfig/ if they exist.
# Prefixing the path with '-' makes it try to load, but if the file doesn't
# exist, it continues onward.
EnvironmentFile=-/etc/default/kibana
EnvironmentFile=-/etc/sysconfig/kibana
ExecStart=/usr/share/kibana/bin/kibana
Restart=on-failure
RestartSec=3
# Give up after 3 failed starts within 60 s.  Newer systemd expects these two keys in
# [Unit]; in [Service] they are accepted as legacy aliases.
StartLimitBurst=3
StartLimitInterval=60
WorkingDirectory=/
[Install]
WantedBy=multi-user.target
</code>
# No separate repo file for Kibana: it presumably resolves from the logstash-7.x repo
# above (same 7.x baseurl, enabled=1).
yum install kibana
systemctl restart kibana
systemctl status kibana
In Kibana: Management → Stack Management → Index Patterns → Create index pattern (for example `logstash-*`, with `@timestamp` as the time field).
Confirm the indices exist first, on the Elasticsearch host: curl 'http://localhost:9200/_cat/indices?v'