Elasticsearch+Logstash+Filebeat+Kibana部署【7.1.1版本】
目录
一、准备阶段
二、实验阶段
1.配置kibana主机
2.配置elasticsearch主机
3.配置logstash主机
4.配置/etc/filebeat/filebeat.yml
三、验证
1.开启Filebeat
2.在logstash查看
3.浏览器访问kibana
一、准备阶段
1.准备四台主机kibana、es、logstash、filebeat
2.在四台主机分别安装kibana、elasticsearch、logstash、filebeat
3.在elasticsearch、logstash两台主机安装java
4.在filebeat主机安装nginx
二、实验阶段
1.配置kibana主机
(1)修改kibana主机的hosts文件
vim /etc/hosts
(2)修改/etc/kibana/kibana.yml文件
- 开启端口和定义服务监听地址
- 开启节点
- 定义 Elasticsearch 节点地址
- 开启并定义 Kibana 系统数据的存储索引名称
- 修改kibana语言
2.配置elasticsearch主机
(1)修改elasticsearch主机的hosts文件
vim /etc/hosts
(2)修改/etc/elasticsearch/elasticsearch.yml文件
- 开启集群名称和节点配置
- 开启监听
- 开启候选节点名称
(3)启动elasticsearch
3.配置logstash主机
(1)修改logstash主机的hosts文件
vim /etc/hosts
(2)将 Logstash 的可执行文件路径映射到系统的通用可执行目录中
ln -s /usr/share/logstash/bin/logstash /usr/local/bin/
(3)在/etc/logstash/conf.d/下随机 vim 一个 后缀.conf的文件(名称任意起)
- 配置该文件
input {
file {
path => "/var/log/messages"
start_position => "beginning"
}
beats {
port => 5044
}
}
filter {
if [host][name] {
mutate { add_field => { "hostname" => "%{[host][name]}" } }
}
else if [agent][hostname] {
mutate { add_field => { "hostname" => "%{[agent][hostname]}" } }
}
else {
mutate { add_field => { "hostname" => "%{host}" } }
}
}
output {
if [hostname] == "logstash" {
elasticsearch {
hosts => ["192.168.33.134:9200"]
index => "system-log-%{+YYYY.MM.dd}"
}
}
else if [hostname] == "filebeat" {
elasticsearch {
hosts => ["192.168.33.134:9200"]
index => "filebeat-log-%{+YYYY.MM.dd}"
}
}
stdout {
codec => rubydebug
}
}
4.配置/etc/filebeat/filebeat.yml
- 开启日志
- 关闭elasticsearch
- 开启logstash
三、验证
1.开启Filebeat
systemctl start filebeat
2.在logstash查看
logstash -f /etc/logstash/conf.d/sys.conf
3.浏览器访问kibana
四、添加收集nginx的日志
1.修改Filebeat主机的/etc/filebeat/filebeat.yml文件
- 添加nginx日志
2.重启filebeat,开启nginx
3.修改logstash主机/etc/logstash/conf.d/pipline.conf文件
input {
file {
path => "/var/log/messages"
start_position => "beginning"
}
beats {
port => 5044
}
}
filter {
if [host][name] {
mutate { add_field => { "hostname" => "%{[host][name]}" } }
}
else if [agent][hostname] {
mutate { add_field => { "hostname" => "%{[agent][hostname]}" } }
}
else {
mutate { add_field => { "hostname" => "%{host}" } }
}
}
output {
if [hostname] == "logstash" {
elasticsearch {
hosts => ["192.168.33.134:9200"]
index => "system-log-%{+YYYY.MM.dd}"
}
}
else if [hostname] == "web1" {
if "system" == [tags] {
elasticsearch {
hosts => ["192.168.33.134:9200"]
index => "web1-log-%{+YYYY.MM.dd}"
}
}
if "nginx-access" in [tags] {
elasticsearch {
hosts => ["192.168.33.134:9200"]
index => "web1-nginx-access-log-%{+YYYY.MM.dd}"
}
}
if "nginx-error" in [tags] {
elasticsearch {
hosts => ["192.168.33.134:9200"]
index => "web1-nginx-error-log-%{+YYYY.MM.dd}"
}
}
}
stdout {
codec => rubydebug
}
}
4.收集日志
logstash -f /etc/logstash/conf.d/pipline.conf
5.浏览器访问kibana
