https://blog.51cto.com/zero01/2079879
https://blog.51cto.com/zero01/2082794
1. Install Elasticsearch:
rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
vim /etc/yum.repos.d/elastic.repo # add the following content
[elasticsearch-6.x]
name=Elasticsearch repository for 6.x packages
baseurl=https://artifacts.elastic.co/packages/6.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
yum install -y elasticsearch
Or:
wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-6.0.0.rpm
rpm -ivh elasticsearch-6.0.0.rpm
Start:
systemctl start elasticsearch.service
2. Install Kibana
yum -y install kibana
Or
wget https://artifacts.elastic.co/downloads/kibana/kibana-6.0.0-x86_64.rpm
rpm -ivh kibana-6.0.0-x86_64.rpm
Configure Kibana:
vim /etc/kibana/kibana.yml
Start
systemctl start kibana
3. Install Logstash
yum install -y logstash
Or
wget https://artifacts.elastic.co/downloads/logstash/logstash-6.0.0.rpm
rpm -ivh logstash-6.0.0.rpm
Configure
vim /etc/logstash/conf.d/syslog.conf
Check the configuration file
./logstash --path.settings /etc/logstash/ -f /etc/logstash/conf.d/syslog.conf --config.test_and_exit
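- --path.settings specifies the directory that holds Logstash's settings files
- -f specifies the path of the configuration file to be checked
- --config.test_and_exit tells Logstash to exit once the check is done; without it, Logstash would start running directly
Start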
systemctl start logstash
(sudo /usr/share/logstash/bin/system-install /etc/logstash/startup.options systemd)
If startup fails:
chown logstash /var/log/logstash/logstash-plain.log
Logstash configuration
input { # define the log sources
  # syslog {
  #   type => "system-syslog" # define the type
  #   port => 10514 # define the listening port
  # }
  http {
    type => "http-log" # define the type
    host => "0.0.0.0" # listen on all interfaces
    port => 8010
    ssl => false # TLS disabled; requests arrive in plaintext
    additional_codecs => {"application/x-www-form-urlencoded" => "json"}
    codec => plain { charset => "GB2312" }
  }
}
filter {
  urldecode { field => "message" }
  mutate { remove_field => ["headers"] }
  kv { source => "message" field_split => "&?" }
}
output { # define the log outputs
  # if [type] == "http-log" {
  #   elasticsearch {
  #     hosts => ["192.168.123.194:9200"] # IP of the ES server
  #     index => "http-log-%{+YYYY.MM}" # define the index
  #   }
  stdout {
    codec => rubydebug # print to the terminal
  }
  # }
  # if [type] == "system-syslog" {
  #   elasticsearch {
  #     hosts => ["192.168.123.194:9200"] # IP of the ES server
  #     index => "system-syslog-%{+YYYY.MM}" # define the index
  #   }
  # }
}
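The filter section above runs urldecode before kv, so a value that contains an encoded "&" or "=" is decoded first and then split into extra fields. The following added example (not part of the original notes and not Logstash's own code) is a simplified Python model of those two filters that compares this order with splitting first and decoding afterwards; the function names and the sample body are constructed for illustration.

```python
from urllib.parse import unquote


def kv(message, field_split="&?", value_split="="):
    """Simplified model of the kv filter: split on any field_split character,
    keep tokens shaped key=value, collect repeated keys into a list."""
    fields, token = {}, ""
    for ch in message + field_split[0]:  # trailing delimiter flushes the last token
        if ch not in field_split:
            token += ch
            continue
        key, sep, value = token.partition(value_split)
        token = ""
        if not (sep and key and value):
            continue  # tokens that are not key=value are ignored
        if key in fields:
            prev = fields[key]
            fields[key] = (prev if isinstance(prev, list) else [prev]) + [value]
        else:
            fields[key] = value
    return fields


def page_order(message):
    """Order used in the configuration above: urldecode, then kv."""
    return kv(unquote(message))


def split_first(message):
    """Alternative order: kv on the raw message, then decode keys and values."""
    out = {}
    for key, value in kv(message).items():
        decoded = [unquote(v) for v in value] if isinstance(value, list) else unquote(value)
        out[unquote(key)] = decoded
    return out


# Constructed sample body: the "comment" value carries an encoded "&" and "=".
SAMPLE = "user=alice&comment=fish%26chips%3Dgood&action=login"

if __name__ == "__main__":
    print("urldecode -> kv:", page_order(SAMPLE))   # extra field "chips" appears
    print("kv -> urldecode:", split_first(SAMPLE))  # "comment" stays one value
```

With the order from the notes, field names in the resulting event can come from inside a client-supplied value, which matters when dashboards or alerts key on those fields.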