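1. Install Elasticsearch
elasticsearch-6.1.2 installation
- Extract the archive and enter the directory
- Configuration file: elasticsearch.yml
- Set the IP address and port
- Create the runtime user elk
- Grant ownership: chown -R elk:elk /data1/elasticsearch-6.1.2
- Start as the elk user: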
cd /data1/elasticsearch-6.1.2/bin/
nohup ./elasticsearch &
2. Install Logstash
input {
  redis {
    data_type => "list"
    key => "220"
    host => "192.168.1.235"
    port => 6379
    password => "redis"
    db => 2
    threads => 1
  }
}
output {
  if [type] == "220messages" {
    elasticsearch {
      hosts => [ "192.168.1.235:9200"]
      index => "220messages"
    }
  }
  if [type] == "220ssh" {
    elasticsearch {
      hosts => [ "192.168.1.235:9200"]
      index => "220ssh"
    }
  }
  if [type] == "220tomcat" {
    elasticsearch {
      hosts => [ "192.168.1.235:9200"]
      index => "220tomcat"
    }
  }
  stdout {
    codec => rubydebug
  }
}
nohup /data1/elk/logstash-6.1.2/bin/logstash -f /data1/elk/logstash-6.1.2/config/test.conf &
3. Install Kibana
- Extract the archive and enter the directory kibana-6.1.2-linux-x86_64
- Edit the configuration file kibana.yml
* Port: server.port: 5601
* server.host: "0.0.0.0"
* elasticsearch.url: "http://192.168.1.235:9200"
cd /data1/elk/kibana-6.1.2-linux-x86_64/bin
nohup ./kibana &
4. Install Filebeat
- Extract the archive and enter the directory filebeat-6.1.2-linux-x86_64
- Configuration file:
filebeat.prospectors:
- input_type: log
  paths:
    - /data1/tomcat-9.0/logs/logback.log
  # Define additional fields
  fields:
    type: 220tomcat
  # Overwrite fields with the same name
  fields_under_root: true
  ## Note: fields and fields_under_root are at the same level
- input_type: log
  paths:
    - /var/log/messages
  fields:
    type: 220messages
  fields_under_root: true
- input_type: log
  paths:
    - /var/log/secure
  fields:
    type: 220ssh
  fields_under_root: true
# Output to redis
output.redis:
  hosts: ["192.168.1.235"]
  port: 6379
  password: "redis"
  db: 2
  timeout: 5
  key: "220"
nohup ./filebeat -c test.yml &
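The note that fields and fields_under_root must sit at the same level matters because the Logstash output above routes on the top-level [type] field. The following is an added example, not part of the original notes: a simplified model of Filebeat's field placement and of the Logstash conditionals, with hypothetical helper names (routes, build_event, target_index) and a constructed log line.

```python
import re

# The page's Logstash output section, condensed onto fewer lines.
LOGSTASH_OUTPUT = '''
output {
  if [type] == "220messages" { elasticsearch { hosts => ["192.168.1.235:9200"] index => "220messages" } }
  if [type] == "220ssh"      { elasticsearch { hosts => ["192.168.1.235:9200"] index => "220ssh" } }
  if [type] == "220tomcat"   { elasticsearch { hosts => ["192.168.1.235:9200"] index => "220tomcat" } }
  stdout { codec => rubydebug }
}
'''

# Constructed prospector settings, as they look once the YAML is parsed.
CORRECT = {"paths": ["/var/log/secure"],
           "fields": {"type": "220ssh"}, "fields_under_root": True}
# The mistake the note warns about: fields_under_root indented under fields.
NESTED = {"paths": ["/var/log/secure"],
          "fields": {"type": "220ssh", "fields_under_root": True}}

ROUTE_RE = re.compile(
    r'if\s+\[type\]\s*==\s*"([^"]+)"\s*\{\s*elasticsearch\s*\{.*?index\s*=>\s*"([^"]+)"',
    re.S)

def routes(conf):
    """Map each [type] value tested in the output section to its index."""
    return dict(ROUTE_RE.findall(conf))

def build_event(prospector, line):
    """Simplified model (an assumption) of where Filebeat puts custom fields."""
    event = {"message": line, "source": prospector["paths"][0]}
    custom = prospector.get("fields", {})
    if prospector.get("fields_under_root", False):
        event.update(custom)            # custom fields become top-level keys
    else:
        event["fields"] = dict(custom)  # default: grouped under "fields"
    return event

def target_index(event, table):
    """Index the event is written to, or None if only stdout receives it."""
    return table.get(event.get("type"))

if __name__ == "__main__":
    table = routes(LOGSTASH_OUTPUT)
    line = "sshd[1234]: Accepted password for elk from 192.168.1.10"  # constructed
    for name, cfg in (("correct", CORRECT), ("nested", NESTED)):
        print(name, "->", target_index(build_event(cfg, line), table))
```

With the nested layout the value ends up at fields.type, so none of the three conditionals match and the event reaches only the rubydebug stdout output.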
Install Redis