0x01. Download & install
cd /app/elk
wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.6.2-x86_64.rpm
wget https://artifacts.elastic.co/downloads/logstash/logstash-7.6.2.rpm
wget https://artifacts.elastic.co/downloads/kibana/kibana-7.6.2-x86_64.rpm
Install with rpm:
[root@m elk]# rpm -ivh elasticsearch-7.6.2-x86_64.rpm
warning: elasticsearch-7.6.2-x86_64.rpm: Header V4 RSA/SHA512 Signature, key ID d88e42b4: NOKEY
Preparing... ################################# [100%]
Creating elasticsearch group... OK
Creating elasticsearch user... OK
Updating / installing...
1:elasticsearch-0:7.6.2-1 ################################# [100%]
### NOT starting on installation, please execute the following statements to configure elasticsearch service to start automatically using systemd
sudo systemctl daemon-reload
sudo systemctl enable elasticsearch.service
### You can start elasticsearch service by executing
sudo systemctl start elasticsearch.service
future versions of Elasticsearch will require Java 11; your Java version from [/usr/java/jdk1.8.0_191-amd64/jre] does not meet this requirement
Created elasticsearch keystore in /etc/elasticsearch
[root@m elk]# rpm -ivh kibana-7.6.2-x86_64.rpm
warning: kibana-7.6.2-x86_64.rpm: Header V4 RSA/SHA512 Signature, key ID d88e42b4: NOKEY
Preparing... ################################# [100%]
Updating / installing...
1:kibana-7.6.2-1 ################################# [100%]
[root@m elk]# rpm -ivh logstash-7.6.2.rpm
warning: logstash-7.6.2.rpm: Header V4 RSA/SHA512 Signature, key ID d88e42b4: NOKEY
Preparing... ################################# [100%]
Updating / installing...
1:logstash-1:7.6.2-1 ################################# [100%]
Using provided startup.options file: /etc/logstash/startup.options
/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/pleaserun-0.0.30/lib/pleaserun/platform/base.rb:112: warning: constant ::Fixnum is deprecated
Successfully created system startup script for Logstash
0x02 Start elasticsearch
Edit the config file: vim /etc/elasticsearch/elasticsearch.yml
Enable remote access and set the data storage location:
## custom data directory
path.data: /app/elk/elasticsearch/data
path.logs: /app/elk/elasticsearch/log
## remote access
network.host: 127.0.0.1
http.host: 0.0.0.0
## enable CORS
http.cors.enabled: true
http.cors.allow-origin: "*"
## start
systemctl start elasticsearch.service
Run curl http://localhost:9200/ from the command line to verify that the service started.
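The settings above bind the REST port to every interface and allow any browser origin; as an added check that is not part of the original post, this POSIX shell script (the function names are my own) reads an elasticsearch.yml and flags those two exposures, assuming a flat one-key-per-line 7.x config like the one shown.

```shell
#!/bin/sh
# Added example (not from the original post): audit an elasticsearch.yml for the
# exposure created by the settings above. Assumes a flat "key: value" 7.x config.

# es_setting FILE KEY: print KEY's value with trailing comment and quotes stripped.
es_setting() {
  sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" \
    | sed 's/[[:space:]]*#.*$//; s/^"\(.*\)"$/\1/' | tail -n 1
}

# audit_es_config FILE: print one finding per line (nothing if clean); always returns 0.
audit_es_config() {
  http_host=$(es_setting "$1" http.host)
  net_host=$(es_setting "$1" network.host)
  security=$(es_setting "$1" xpack.security.enabled)
  # http.host overrides network.host for the REST port, so it decides who reaches 9200.
  bind=${http_host:-$net_host}
  case "$bind" in
    ""|127.0.0.1|localhost|_local_) ;;  # loopback only: fine
    *) [ "$security" = "true" ] || \
         echo "REST API bound to $bind while xpack.security.enabled is not true: unauthenticated access from the network" ;;
  esac
  if [ "$(es_setting "$1" http.cors.enabled)" = "true" ] && \
     [ "$(es_setting "$1" http.cors.allow-origin)" = "*" ]; then
    echo "CORS allow-origin is \"*\": any web page a browser visits can query the node"
  fi
  return 0
}

# Constructed samples: the tutorial's settings, then a hardened variant.
demo() {
  tutorial=$(mktemp); hardened=$(mktemp)
  printf '%s\n' 'network.host: 127.0.0.1' 'http.host: 0.0.0.0' \
    'http.cors.enabled: true' 'http.cors.allow-origin: "*"' > "$tutorial"
  printf '%s\n' 'network.host: 127.0.0.1' 'http.host: 0.0.0.0' \
    'xpack.security.enabled: true' 'http.cors.enabled: false' > "$hardened"
  echo "== tutorial config =="; audit_es_config "$tutorial"
  echo "== hardened config =="; audit_es_config "$hardened"
  rm -f "$tutorial" "$hardened"
}
demo
```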
0x03 Start kibana
- Config file:
/etc/kibana/kibana.yml
- Startup binary:
/usr/share/kibana/bin/kibana
## config file: point it at the ES instance
vim /etc/kibana/kibana.yml
## IP to listen on for external access
server.host: "0.0.0.0"
## enable the elasticsearch.hosts setting:
elasticsearch.hosts: ["http://localhost:9200"]
## create a separate user
useradd elk
## start
su elk
nohup /usr/share/kibana/bin/kibana &
Once it is up, open:
http://your-ip:5601
0x04 Start logstash
- Startup binary:
/usr/share/logstash/bin/logstash
- Config directory:
/etc/logstash/conf.d
Create logstash.conf by hand in that directory with the following content, which reads events from standard input:
input { stdin { } }
output {
elasticsearch { hosts => ["localhost:9200"] }
stdout { codec => rubydebug }
}
Start:
/usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/logstash.conf
Now type some text directly below the startup output and logstash immediately echoes the processed event:
Logstash also starts a service on port 9600:
curl http://localhost:9600
0x05 First Kibana configuration
From here, click around the icons until the screen below appears:
That completes the most basic configuration; a later article will cover the setup for ingesting log files.