Shulou(Shulou.com)06/02 Report--

Environment and related kernel, install java package.

[root@gz3_elk_001 /] # cat / etc/redhat-release CentOS Linux release 7.7.1908 (Core) [root@gz3_elk_001 /] # yum-y install Java [root @ gz3_elk_001 /] # echo "vm.max_map_count=262144" > > / etc/sysctl.conf [root@gz3_elk_001 /] # sysctl-p

There is no source code installation here, it is convenient to start the service without writing.

If you install it with source code, you can change the service to the corresponding directory with the user.

download

[root@gz3_elk_001 /] # cd / usr/local/ src [root @ gz3_elk_001 /] # wget https://artifacts.elastic.co/downloads/kibana/kibana-7.4.2-x86_64.rpm[root@gz3_elk_001 /] # wget https://artifacts.elastic.co/downloads/logstash/logstash-7.4.2.rpm[root@gz3_elk_001 /] # wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.4.2-x86_64.rpm

Install and set up the boot service

[root@gz3_elk_001 /] # cd / usr/local/ src [root @ gz3_elk_001 /] # rpm-ivh elasticsearch-7.4.2-x86_64.rpm [root@gz3_elk_001 /] # yum-y install logstash- 7.4.2.rpm [root @ gz3_elk_001 /] # rpm-ivh kibana-7.4.2-x86_64.rpm [root@gz3_elk_001 /] # systemctl enable elasticsearch.service kibana.service logstash.service

First, configure elasticsearch

Generate key

[root@gz3_elk_001 /] # cd / usr/share/elasticsearch/bin/ [root @ gz3_elk_001 /] #. / elasticsearch-certutil cert-out / etc/elasticsearch/elastic-certificates.p12-pass ""

There is a pit here, so you have to modify the file permissions.

[root@gz3_elk_001 /] # chown elasticsearch:elasticsearch / etc/elasticsearch/elastic-certificates.p12

Modify configuration

[root@gz3_elk_001 /] # cp elasticsearch.yml ElasticSearch.ymlback [root @ gz3_elk_001 /] # cd / etc/ ElasticSearcher [root @ gz3_elk_001 /] # cat elasticsearch.yml | grep-v "#" cluster.name: elknode.name: truenode.data: truepath.data: / data/elasticsearchpath.logs: / var/log/elasticsearchnetwork.host: 192.168.3.44http.port: 9200discovery.seed_hosts: ["192.168.3.44 "] cluster.initial_master_nodes: [" 192.168.3.44 "]

There is another pit here, and the permissions have to be modified.

[root@gz3_elk_001 /] # chown elasticsearch:elasticsearch / data/elasticsearch

Test start

[root@gz3_elk_001 /] # systemctl restart ElasticSearch.service [root @ gz3_elk_001 /] # systemctl status elasticsearch.service

If there is a startup error, check the log under / var/log/elasticsearch/.

Because the system emphasizes security, it is necessary to configure xpack, modify elasticsearch.yml configuration, and enable xpack.

[root@gz3_elk_001 /] # cat / etc/elasticsearch/elasticsearch.yml | grep-v "#" cluster.name: elknode.name: node-1node.master: truenode.data: truepath.data: / data/elasticsearchpath.logs: / var/log/elasticsearchnetwork.host: 192.168.3.44http.port: 9200discovery.seed_hosts: ["192.168.3.44"] cluster.initial_master_nodes: ["192.168.3.44"] xpack.security.enabled: truexpack .security.transport.ssl.enabled: truexpack.security.transport.ssl.verification_mode: certificatexpack.security.transport.ssl.keystore.path: / etc/elasticsearch/elastic-certificates.p12xpack.security.transport.ssl.truststore.path: / etc/elasticsearch/elastic-certificates.p12

Restart systemctl restart elasticsearch.service and generate the default password

[root@gz3_elk_001 /] # cd / usr/share/elasticsearch/bin/ [root @ gz3_elk_001 /] #. / elasticsearch-setup-passwords autoChanged password for user apm_systemPASSWORD apm_system = hyyhuxxxChanged password for user kibanaPASSWORD kibana = HbwFY0xxxChanged password for user logstash_systemPASSWORD logstash_system = nvrxxxChanged password for user beats_systemPASSWORD beats_system = VvAhnxxxChanged password for user remote_monitoring_userPASSWORD remote_monitoring_user = yGNFRTxxxChanged password for user elasticPASSWORD elastic = czF01xx

Remember the above information and use it later.

Second, configure kibana

[root@gz3_elk_001 /] # cd / etc/kibana/ [root @ gz3_elk_001 /] # cp kibana.yml kibana.ymlback[ root @ gz3_elk_001 /] # cat kibana.yml | grep-v "#" | grep-v "^ $" server.port: 5601server.host: "192.168.3.44" elasticsearch.hosts: ["root" kibana "elasticsearch.password:" kOHyFxxxx "i18n.locale:" zh-CN "

I18n.locale: "zh-CN" means in Chinese, and the interface is friendly.

three。 Configure logstash

[root@gz3_elk_001 /] # cd / etc/logstash/ [root @ gz3_elk_001 /] # logstash.ymlback [root @ gz3_elk_001 /] # cd / etc/logstash/conf.dcat nginx_access.confinput {beats {type = > "nginx_access" port = > 5044}} filter {if [type] = = "nginx_access" {match = > {"message" = > "% {IP:remote_ip}" -% {DATA:user_name}\ [% {HTTPDATE:time}\]\ "% {WORD:method}% {DATA:url} HTTP/% {NUMBER:http_version:float}\"% {NUMBER:response_code:int}% {NUMBER:body_sent:int}\ "% {DATA:referrer}\"% {DATA:agent}\ "% {DATA:x_forwarded_for}\"} remove_field = > "message"} date {match = > ["time" "yyyy-MM-dd HH:mm:ss,SSS"] target = > "@ timestamp"}} output {if [type] = "nginx_access" {elasticsearch {hosts = > ["http://192.168.3.44:9200"] index = >" nginx-access-% {+ YYYY.MM.dd} "user = >" elastic "password = >" czF01xx "}

The account password of logstash_system was used here, but it was not successful.

You can only use the most privileged elastic account.

Verify that the configuration is correct

[root@gz3_elk_001 /] # / usr/share/logstash/bin/logstash-f / etc/logstash/conf.d/nginx_access.conf-tThread.exclusive is deprecated, use Thread::MutexWARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or / etc/logstash. You can specify the path using-- path.settings. Continuing using the defaultsCould not find log4j2 configuration at path / usr/share/logstash/config/log4j2.properties. Using default config which logs errors to the console [WARN] 2019-11-27 14 LogStash::Runner 59 multilocal-Ignoring the 'pipelines.yml' file because modules or command line options are specified [INFO] 2019-11-27 14 14 multilocal 31.841 [LogStash::Runner] Reflections-Reflections took 56 ms to scan 1 urls, producing 20 keys and 40 values Configuration OK [INFO] 2019-11-27 1459 multilocal 32.487 [LogStash::Runner] runner-Using config.test_and_exit mode. Config Validation Result: OK. Exiting Logstash

When Configuration OK appears, it means configuring Ok.

[root@gz3_elk_001 /] # systemctl status logstash.service ● logstash.service-logstash Loaded: loaded (/ etc/systemd/system/logstash.service; enabled; vendor preset: disabled) Active: active (running) since three 2019-11-27 16:12:15 CST; 2min 11s ago

The configuration on the main server is ready. You can log in to kibana at this time.

Log in using the elastic account password.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.