准备三台虚拟机
elk-node01、elk-node02、elk-node03
三台机器都是 CentOS 7.6 ,内存 >=3G 1 、设置主机名和 hosts 解析[root@elk-node01 ~]# tail -3 /etc/hosts 192.168.163.143 elk-node01 192.168.163.147 elk-node02 192.168.163.146 elk-node032 、时间同步 3 、部署 jdk
三台机器都部署jdk,建议内存3G以上
[root@elk-node01 ~]# rpm -ivh jdk-8u144-linux-x64.rpm [root@elk-node01 ~]# java -version java version "1.8.0_144" Java(TM) SE Runtime Environment (build 1.8.0_144-b01) Java HotSpot(TM) 64-Bit Server VM (build 25.144-b01, mixed mode)
部署ElasticSearch集群环境
[root@elk-node01 ~]# cat /etc/yum.repos.d/elk.repo [elk] name=elk 7.x baseurl=https://mirrors.tuna.tsinghua.edu.cn/elasticstack/yum/elastic-7.x/ gpgcheck=0
或者离线包安装
[root@elk-node01 ~]# yum install -y elasticsearch-7.2.0
配置Elasticsearch集群
elk-node01 节点的配置[root@elk-node01 ~]# cp /etc/elasticsearch/elasticsearch.yml{,.bak}
[root@elk-node01 ~]# grep '^[a-Z]' /etc/elasticsearch/elasticsearch.yml
cluster.name: my-elk
node.name: elk-node01
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 192.168.163.143
http.port: 9200
discovery.seed_hosts: ["elk-node01", "elk-node02", "elk-node03"] cluster.initial_master_nodes: ["elk-node01"]
# 主节点相关配置 加在最后
node.master: true
node.data: false
node.ingest: false
node.ml: false
cluster.remote.connect: false
安装head插件
[root@elk-node01 ~]# yum install -y nodejs npm
下载head插件
cd /var/lib/elasticsearch/ wget https://github.com/mobz/elasticsearch-head/archive/master.zip #解压 yum install unzip unzip master.zip (3)安装依赖包 yum install openssl bzip2 unzip -y 下载运行head必要的文件(放置在文件夹/tmp下) cd /tmp wget https://npm.taobao.org/mirrors/phantomjs/phantomjs-2.1.1-linux-x86_64.tar.bz2
用以下命令把下载到的包添加到npm cache目录中 npm cache add phantomjs cd elasticsearch-head-master/ npm install -g cnpm --registry=https://registry.npm.taobao.org # 安装依赖 cnpm install
修改配置文件
vim Gruntfile.js
#找到并修改
options: {
port: 9100,
base: '.',
keepalive: true,
hostname: '*'
}
修改
elasticsearch-head
默认连接地址,将
localhost
改为本机
IP
# vim _site/app.js
this.base_uri = this.config.base_uri || this.prefs.get("app-base_uri") || "http:192.168.163.143:9200";
修改elasticSearch配置文件并启动ElasticSearch
//追加下列两行实现跨域访问 http.cors.enabled: true http.cors.allow-origin: "*"
[root@elk-node01 ~]systemctl restart elasticsearch 启动插件: # cd /var/lib/elasticsearch/elasticsearch-head-master/ # nohup ./node_modules/grunt/bin/grunt server &访问 IP:9100 就能看到我们集群信息
filebeat收集nginx的json格式日志
1、filebeat配置
[root@node3 filebeat]# cat /etc/filebeat/nginx.yml
filebeat.inputs:
- type: log
enabled: true
json.keys_under_root: true
json.overwrite_keys: true
paths:
- /var/log/nginx/access.log
fields:
log_topics: nginx
output.logstash:
hosts: ["127.0.0.1:10001"]
nginx配置(修改日志格式)
logstash配置
[root@node3 conf.d]# cat nginx.conf
input {
beats {
port=>10001
}
}
output {
if [fields][log_topics]=="nginx"{
elasticsearch {
hosts=>["192.168.163.143:9200"]
index=>"nginx-%{+YYYY.MM.dd}"
}
}
}
[root@localhost conf.d]# logstash -f nginx.conf [root@localhost filebeat]# filebeat -e -c nginx_json.yml
