環境:centos6.8
準備好ELK三個安裝包,到官網下
1、安裝elasticsearch
這裏安裝1.8版本的
2、安裝elasticsearch
下載安裝包(tar)https://www.elastic.co/downloads/elasticsearch
直接解壓到/usr/local下面
tar -xzf elasticsearch-5.2.0.tar.gz -C /usr/local/
這個版本的elasticsearch跟之前的啓動方式不一樣了,因爲新版的是不允許使用root用戶啓動了得
我們先新建一個用戶elk
useradd elk
然後授權
chown -R elk:elk /usr/local/elasticsearch-5.2.0/
最後切換到elk用戶啓動
nohup /usr/local/elasticsearch-5.2.0/bin/elasticsearch &
最後檢查啓動狀態,如圖所示就對了
[root@nginx ~]# curl 127.0.0.1:9200
3、安裝logstash
解壓
# tar -xzf logstash-5.2.0.tar.gz -C /usr/local/
編輯配置文件
# cat /usr/local/logstash-5.2.0/config/nginx.yml
input {
beats { #監聽在5043端口接收來自filebeat的日誌
port => "5043"
}
}
filter {
grok {
match => { "message" => "%{COMBINEDAPACHELOG}"} #過濾規則
}
geoip {
source => "clientip" #過濾規則獲取IP
}
}
output {
elasticsearch { hosts => ["localhost:9200"] }
stdout { codec => rubydebug }
}啓動
nohup /usr/local/logstash-5.2.0/bin/logstash -f /usr/local/logstash-5.2.0/config/nginx.yml &
4、安裝filebeat
在客戶端安裝filebeat,用於推送日誌
# tar -xzf filebeat-5.2.0-linux-x86_64.tar.gz -C /usr/local/
新建推送配置
vim /usr/local/filebeat-5.2.0-linux-x86_64/ipaper.yml
filebeat.prospectors: - input_type: log paths: - /data/wwwlogs/test1.log #指定推送日誌文件 - /data/wwwlogs/test2.log output.logstash: hosts: ["192.168.0.54:5043"] #指定接收logstash
啓動filebeat
# nohup /usr/local/filebeat-5.2.0-linux-x86_64/filebeat -e -c /usr/local/filebeat-5.2.0-linux-x86_64/ipaper.yml -d "publish" &
[root@ND31 ~]# tail -20 nohup.out
"input_type": "log",
"message": "119.147.33.18 - - [13/Feb/2017:02:20:17 +0800] \"GET /29204.htm HTTP/1.1\" 200 14344 \"http://epaper.oeeee.com/epaper/M/html/2016-12/06/content_101411.htm\" \"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)\"",
"offset": 44870189,
"source": "/data/wwwlogs/test.log",
"type": "log"
}
2017/02/13 09:39:44.899627 client.go:184: DBG Publish: {
"@timestamp": "2017-02-13T09:39:32.116Z",
"beat": {
"hostname": "ND31",
"name": "ND31",
"version": "5.2.0"
},
"input_type": "log",
"message": "101.28.166.129 - - [13/Feb/2017:10:51:03 +0800] \"GET /guide.png?v=2 HTTP/1.1\" 200 63133 \"https://ipaper.oeeee.com/ipaper/A/html/2017-02/12/content_6417.htm?from=timeline\u0026isappinstalled=0\u0026wxuid=oq7TJv8NgymKH25j6gniiaODPvfM\u0026wxsalt=731af7\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_2 like Mac OS X) AppleWebKit/602.3.12 (KHTML, like Gecko) Mobile/14C92 MicroMessenger/6.5.4 NetType/WIFI Language/zh_CN\"",
"offset": 56286590,
"source": "/data/wwwlogs/test.log",
"type": "log"
}
2017/02/13 09:39:44.899691 output.go:109: DBG output worker: publish 2048 events狀態正常
5、安裝kibana
解壓kibana
elk]# tar -xzf kibana-5.2.0-linux-x86_64.tar.gz -C /usr/local/
修改監聽地址,不然只能本機訪問
]# vim /usr/local/kibana-5.2.0-linux-x86_64/config/kibana.ym
server.host: "0.0.0.0"
啓動
# /usr/local/kibana-5.2.0-linux-x86_64/bin/kibana &
最後訪問測試,正常
IP訪問分佈地圖
