I. Process flow:
(flow-chart image not reproduced)
II. Configuration table:
(configuration-table image not reproduced)
III. Deployment steps:
1. On host 179, disable SELinux.
Internet access goes through an nginx proxy, so the domain name below is the nginx host's domain; it must also be added to /etc/hosts.
[root@elk-01 ~]# hostnamectl set-hostname elk-01 --static (set the hostname)
[root@elk-01 ~]# vim /etc/yum.repos.d/CentOS-Base.repo (configure the yum repositories)

[base]
name=CentOS-$releasever
enabled=1
failovermethod=priority
baseurl=http://mirrors.yourdomain.com/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=http://mirrors.yourdomain.com/centos/RPM-GPG-KEY-CentOS-7

[updates]
name=CentOS-$releasever
enabled=1
failovermethod=priority
baseurl=http://mirrors.yourdomain.com/centos/$releasever/updates/$basearch/
gpgcheck=1
gpgkey=http://mirrors.yourdomain.com/centos/RPM-GPG-KEY-CentOS-7

[extras]
name=CentOS-$releasever
enabled=1
failovermethod=priority
baseurl=http://mirrors.yourdomain.com/centos/$releasever/extras/$basearch/
gpgcheck=1
gpgkey=http://mirrors.yourdomain.com/centos/RPM-GPG-KEY-CentOS-7

[root@01 ~]# vim /etc/hosts

127.0.0.1	localhost	localhost.localdomain	localhost4	localhost4.localdomain4
::1	localhost	localhost.localdomain	localhost6	localhost6.localdomain6
172.17.22.179 elk-01
172.17.22.176   mirrors.yourdomain.com

2. Open the firewall ports:
[root@elk-01 ~]# firewall-cmd --zone=public --add-port=9200/tcp --permanent
[root@elk-01 ~]# firewall-cmd --zone=public --add-port=9300/tcp --permanent
[root@elk-01 ~]# firewall-cmd --zone=public --add-port=5044/tcp --permanent
[root@elk-01 ~]# firewall-cmd --zone=public --add-port=5601/tcp --permanent
[root@elk-01 ~]# firewall-cmd --zone=public --add-port=9600/tcp --permanent
[root@elk-01 ~]# firewall-cmd --zone=public --add-port=5045/tcp --permanent
[root@elk-01 ~]# systemctl restart firewalld

3. Install OpenJDK and the ELK packages:
[root@elk-01 ~]# yum repolist (check that the yum repositories are reachable and list packages)
[root@elk-01 ~]# yum -y install java-1.8.0-openjdk* (install OpenJDK)
[root@elk-01 ~]# yum -y install elasticsearch-7.9.0-x86_64.rpm
[root@elk-01 ~]# yum -y install kibana-7.9.0-x86_64.rpm
[root@elk-01 ~]# yum -y install logstash-7.9.0.rpm

4. Edit the configuration files:
[root@elk-01 ~]# vim /etc/kibana/kibana.yml

line 2: server.port: 5601 (default)
line 7: server.host: "172.17.22.179" (this host's IP)
line 25: server.name: "elk-01" (this host's hostname)
line 28: elasticsearch.hosts: ["http://172.17.22.179:9200"] (IP and port of any one Elasticsearch server)
line 37: kibana.index: ".kibana" (name of the Kibana index stored in ES)
line 46: elasticsearch.username: "kibana" (user Kibana uses to read data from ES; it is set up later and must match)
line 47: elasticsearch.password: "123456" (password of that user, as set when ES was installed)
line 115: i18n.locale: "zh-CN" (show the UI in Chinese)
Append the following at the end of the file:
xpack.reporting.encryptionKey: "a_random_string"
xpack.security.encryptionKey: "something_at_least_32_characters"
Note: the configuration file differs between versions.

[root@elk-01 ~]# vim /etc/logstash/logstash.yml

line 19: node.name: elk-01
line 28: path.data: /data/logstash
line 67: pipeline.ordered: auto
line 73: path.config: /etc/logstash/conf.d
line 240: log.level: info
line 241: path.logs: /var/log/logstash
line 256: xpack.monitoring.enabled: true
line 257: xpack.monitoring.elasticsearch.username: logstash_system
line 258: xpack.monitoring.elasticsearch.password: "123456"
line 259: xpack.monitoring.elasticsearch.hosts: ["http://elk-01:9200"]

[root@elk-01 ~]# vim /etc/elasticsearch/elasticsearch.yml

line 17: cluster.name: elk
line 23: node.name: elk-01
line 33: path.data: /data/elk/data
line 37: path.logs: /var/log/elasticsearch
line 55: network.host: 172.17.22.179
line 59: http.port: 9200
line 68: discovery.seed_hosts: ["elk-01"]
line 72: cluster.initial_master_nodes: ["172.17.22.179"]
Append at the end of the file:
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/elastic-certificates.p12
xpack.monitoring.collection.enabled: true

[root@elk-01 ~]# vim /etc/elasticsearch/jvm.options
Change the following parameters:
-Xmx1g to -Xmx13g
-Xms1g to -Xms13g (depends on the memory size; half of physical RAM is enough)
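As an added check that is not part of the original post, the script below audits the kibana.yml and elasticsearch.yml settings from step 4 offline: it confirms X-Pack security and transport TLS are on, that Kibana's encryption keys meet the 32-character minimum the page's own placeholder spells out, and flags a plaintext elasticsearch.password, which step 6 later moves into the Kibana keystore. It assumes the flat `key: value` layout these files use, applies the 32-character bar to the reporting key as well (an assumption), and embeds constructed excerpts instead of reading the real files.

```python
# Added example (not part of the original post): an offline audit of the
# security-relevant settings this walkthrough writes into kibana.yml and
# elasticsearch.yml. The two file bodies below are constructed excerpts.

KIBANA_YML = """\
elasticsearch.hosts: ["http://172.17.22.179:9200"]
elasticsearch.username: "kibana"
elasticsearch.password: "123456"
xpack.reporting.encryptionKey: "a_random_string"
xpack.security.encryptionKey: "something_at_least_32_characters"
"""

ELASTICSEARCH_YML = """\
network.host: 172.17.22.179
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
"""

def parse_flat_yaml(text):
    """Parse the flat `key: value` lines these files use (no nesting needed);
    comments and blank lines are skipped and surrounding quotes stripped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("\"'")
    return settings

def audit(kibana_text, es_text, min_key_len=32):
    """Return a list of findings; an empty list means every check passed."""
    kb, es = parse_flat_yaml(kibana_text), parse_flat_yaml(es_text)
    findings = []
    if es.get("xpack.security.enabled") != "true":
        findings.append("elasticsearch.yml: xpack.security.enabled is not true")
    if es.get("xpack.security.transport.ssl.enabled") != "true":
        findings.append("elasticsearch.yml: transport TLS is not enabled")
    if es.get("xpack.security.transport.ssl.verification_mode", "") == "none":
        findings.append("elasticsearch.yml: transport certificate verification is off")
    # 32-character minimum from the page's placeholder; applied to both keys (assumption).
    for key in ("xpack.security.encryptionKey", "xpack.reporting.encryptionKey"):
        if len(kb.get(key, "")) < min_key_len:
            findings.append(f"kibana.yml: {key} missing or shorter than {min_key_len} chars")
    # Step 6 puts the Kibana credentials into kibana-keystore; a plaintext copy is readable on disk.
    if "elasticsearch.password" in kb:
        findings.append("kibana.yml: elasticsearch.password stored in plaintext")
    return findings
```

Against the page's own values the audit reports two findings: the reporting key is too short and the password is still in kibana.yml.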

5. Configure certificates. The following needs to be run on only one node; after the certificates are generated, copy them to the other nodes in the cluster.
[root@elk-01 ~]# /usr/share/elasticsearch/bin/elasticsearch-certutil ca
[root@elk-01 ~]# /usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
(Press Enter through all prompts of the two commands above. When they finish, two files are generated, elastic-certificates.p12 and elastic-stack-ca.p12, in the directory where the commands were run or in /usr/share/elasticsearch/.)

Move these two files to /etc/elasticsearch/:
[root@elk-01 ~]# mv /usr/share/elasticsearch/elastic-* /etc/elasticsearch/
[root@elk-01 ~]# chown -R elasticsearch:elasticsearch /etc/elasticsearch/
[root@elk-01 ~]# mkdir -p /data/elk/data
[root@elk-01 ~]# mkdir /data/logstash
[root@elk-01 ~]# chown -R logstash:logstash /data/logstash
[root@elk-01 ~]# chown -R elasticsearch:elasticsearch /data/elk/
[root@elk-01 ~]# systemctl start elasticsearch
[root@elk-01 ~]# systemctl status elasticsearch
If the service does not come up, check the error messages in the log: tail -100 /var/log/elasticsearch/elk.log

6. Set a password for each built-in user. Enter the same password for all of them; they are all needed later!
[root@elk-01 ~]# /usr/share/elasticsearch/bin/elasticsearch-setup-passwords interactive
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,logstash_system,beats_system,remote_monitoring_user.
You will be prompted to enter passwords as the process progresses.
Please confirm that you would like to continue [y/N]y
Enter password for [elastic]: 123456
Reenter password for [elastic]: 123456
Enter password for [apm_system]: 123456
Reenter password for [apm_system]: 123456
Enter password for [kibana]: 123456
Reenter password for [kibana]: 123456
Enter password for [logstash_system]: 123456
Reenter password for [logstash_system]: 123456
Enter password for [beats_system]: 123456
Reenter password for [beats_system]: 123456
Enter password for [remote_monitoring_user]: 123456
Reenter password for [remote_monitoring_user]:123456
The following output means the passwords were set successfully:
Changed password for user [apm_system]
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [beats_system]
Changed password for user [remote_monitoring_user]
Changed password for user [elastic]

[root@elk-01 ~]# /usr/share/kibana/bin/kibana-keystore --allow-root create
A Kibana keystore already exists. Overwrite? [y/N] y
Created Kibana keystore in /var/lib/kibana/kibana.keystore
[root@elk-01 ~]# /usr/share/kibana/bin/kibana-keystore --allow-root add elasticsearch.username
Enter value for elasticsearch.username: kibana
[root@elk-01 ~]# /usr/share/kibana/bin/kibana-keystore --allow-root add elasticsearch.password
Enter value for elasticsearch.password: ******
[root@elk-01 ~]# systemctl start kibana

[root@elk-01 ~]# vim /etc/logstash/conf.d/filebeats.conf

input {
  beats {
    port => 5044
    add_field => { OS_type => "linux" }
  }

  beats {
    port => 5045
    add_field => { OS_type => "windows" }
  }
}

output {
  if [OS_type] == "linux" {
    elasticsearch {
      hosts => ["elk-01:9200"]
      user => "elastic"
      password => "123456"
      manage_template => true
      index => "filebeat-7.9.0-%{+YYYY.MM.dd}"
    }
  }
  if [OS_type] == "windows" {
    elasticsearch {
      hosts => ["elk-01:9200"]
      user => "elastic"
      password => "123456"
      manage_template => true
      index => "winlogbeat-%{+YYYY.MM.dd}"
    }
  }
}

[root@elk-01 ~]# systemctl start logstash
7. Install Filebeat on the CentOS 7 server to be monitored
[root@agnode3 ~]# yum -y install filebeat-7.9.0-x86_64.rpm
[root@agnode3 ~]# vim /etc/filebeat/filebeat.yml

filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/*.log
    - /var/log/messages*
    - /var/log/secure*
    - /var/log/cron*
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false
setup.template.settings:
  index.number_of_shards: 3
fields:
  ip: 172.17.22.178
setup.kibana:
output.logstash:
  hosts: ["172.17.22.179:5044"]
  codec: json
processors:
  - drop_fields:
      fields: ["agent.ephemeral_id", "agent.hostname", "agent.id", "agent.type", "agent.version",
               "ecs.version", "event.code", "event.created", "event.kind", "event.provider",
               "host.architecture", "host.id", "host.name", "host.os.build", "host.os.family",
               "host.os.kernel", "host.os.platform", "host.os.version", "process.name", "user.domain",
               "winlog.activity_id", "winlog.api", "winlog.computer_name",
               "winlog.event_data.CallerProcessId", "winlog.event_data.SubjectDomainName",
               "winlog.event_data.SubjectLogonId", "winlog.event_data.SubjectUserName",
               "winlog.event_data.SubjectUserSid", "winlog.event_data.TargetDomainName",
               "winlog.event_data.TargetSid", "winlog.event_data.TargetUserName", "winlog.logon.id",
               "winlog.opcode", "winlog.process.pid", "winlog.process.thread.id",
               "winlog.provider_name", "winlog.record_id"]
      ignore_missing: false
logging.level: info
monitoring.enabled: false

[root@agnode3 ~]# systemctl start filebeat
[root@agnode3 ~]# systemctl status filebeat
[root@agnode3 ~]# systemctl enable filebeat

8. Install Winlogbeat on the Windows server
(1) Download the Winlogbeat zip package.
(2) Copy the downloaded zip package to C:\Program Files.
(3) Extract winlogbeat-7.9.0-windows-x86_64.zip.
(4) Rename the extracted folder to winlogbeat.
(5) Enter the winlogbeat folder and open winlogbeat.yml (the configuration file) with WordPad to edit its contents.
The correct contents are as follows:

setup.template.settings:
  index.number_of_shards: 3
fields:
  ip: 172.17.22.166
#output.elasticsearch:
  # Array of hosts to connect to.
  #hosts: ["localhost:9200"]
output.logstash:
  hosts: ["172.17.22.179:5045"]
logging.level: info

9. Start the service:
Step 1: open the service controller.
Step 2: click Local Server.
Step 3: search for winlog in the Services list.
Step 4: right-click the service found and click Start.
Note: the service can also be started from Task Manager.
