Install Logstash
https://www.elastic.co/guide/en/logstash/current/index.html
Create logstash.repo
$ sudo vim /etc/yum.repos.d/logstash.repo
[logstash-2.2]
name=logstash repository for 2.2 packages
baseurl=http://packages.elasticsearch.org/logstash/2.2/centos
gpgcheck=1
gpgkey=http://packages.elasticsearch.org/GPG-KEY-elasticsearch
enabled=1
Install Logstash with yum install
$ sudo yum -y install logstash
Notes:
1. Logstash is installed under /opt/logstash by default.
2. The default Logstash configuration files, as listed by rpm -qc logstash:
/etc/init.d/logstash
/etc/logrotate.d/logstash
/etc/sysconfig/logstash
Generate the SSL certificate
Generate from an IP address
Edit /etc/pki/tls/openssl.cnf, find the [ v3_ca ] section and set subjectAltName to IP:<IP address of the ELK host>.
$ sudo vim /etc/pki/tls/openssl.cnf
The contents are as follows:
[ v3_ca ]
subjectAltName = IP: 192.168.0.228
Switch to the /etc/pki/tls directory and generate the certificate
$ cd /etc/pki/tls
$ sudo openssl req -config /etc/pki/tls/openssl.cnf -x509 -days 3650 -batch -nodes -newkey rsa:2048 -keyout private/logstash-forwarder.key -out certs/logstash-forwarder.crt
Generate from a domain name
$ cd /etc/pki/tls
$ sudo openssl req -subj '/CN=www.elk.com/' -x509 -days 3650 -batch -nodes -newkey rsa:2048 -keyout private/logstash-forwarder.key -out certs/logstash-forwarder.crt
Logstash configuration
All of the configuration below lives in /etc/logstash/conf.d.
2.6.4.1. Input
Create a beats input
$ sudo vim /etc/logstash/conf.d/02-beats-input.conf
input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
    ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
  }
}
This uses the beats input, listening on port 5044 with the certificate generated earlier.
Filter
Create a filter for syslog
$ sudo vim /etc/logstash/conf.d/10-syslog-filter.conf
filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    syslog_pri { }
    date {
      match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}
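To see what this filter block actually does to an event before wiring it into Logstash, here is an added example (not part of the original page) that replays the same logic in plain Python over a few constructed syslog lines. The regex approximates the grok pattern above (SYSLOGTIMESTAMP, SYSLOGHOST, DATA, POSINT, GREEDYDATA), the facility and severity tables mirror the defaults of the syslog_pri filter, and the timestamp handling mirrors the two patterns given to the date filter. The sample events, host names and the year 2016 are assumptions constructed for this example.

```python
"""Replay 10-syslog-filter.conf in plain Python on constructed syslog lines.

Added example, not part of the original page. The regex approximates the
grok pattern in the filter; the label tables mirror the syslog_pri filter's
defaults; the date handling mirrors the date filter's two patterns.
"""
import re
from datetime import datetime

# %{SYSLOGTIMESTAMP} %{SYSLOGHOST} %{DATA}(?:\[%{POSINT}\])?: %{GREEDYDATA}
SYSLOG_RE = re.compile(
    r"^(?P<syslog_timestamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "  # SYSLOGTIMESTAMP
    r"(?P<syslog_hostname>\S+) "                                          # SYSLOGHOST (simplified)
    r"(?P<syslog_program>.*?)"                                            # DATA (non-greedy)
    r"(?:\[(?P<syslog_pid>[1-9]\d*)\])?: "                                # optional [POSINT]
    r"(?P<syslog_message>.*)$"                                            # GREEDYDATA
)

# Label tables as used by syslog_pri (facility = pri // 8, severity = pri % 8).
FACILITY = ["kernel", "user-level", "mail", "daemon", "security/authorization", "syslogd",
            "line printer", "network news", "uucp", "clock", "security/authorization",
            "ftp", "ntp", "log audit", "log alert", "clock"] + [f"local{i}" for i in range(8)]
SEVERITY = ["emergency", "alert", "critical", "error", "warning", "notice",
            "informational", "debug"]


def parse_syslog_time(ts: str, year: int) -> datetime:
    """date filter: "MMM d HH:mm:ss" or "MMM dd HH:mm:ss".

    strptime's %d accepts one or two digits, so collapsing the padding spaces
    covers both Joda patterns. Syslog carries no year; Logstash assumes the
    current one, which the caller passes in here (2016 is a constructed value).
    """
    return datetime.strptime(re.sub(r" +", " ", ts), "%b %d %H:%M:%S").replace(year=year)


def syslog_pri(event: dict) -> None:
    """syslog_pri { }: decode PRI; with no syslog_pri field it defaults to 13
    (user.notice), which is the case here because the grok pattern captures no <PRI>."""
    pri = int(event.get("syslog_pri", 13))
    event["syslog_facility_code"], event["syslog_severity_code"] = divmod(pri, 8)
    event["syslog_facility"] = FACILITY[event["syslog_facility_code"]]
    event["syslog_severity"] = SEVERITY[event["syslog_severity_code"]]


def apply_filter(event: dict, year: int = 2016) -> dict:
    """Run the whole filter block over one event (modifies and returns it)."""
    if event.get("type") != "syslog":          # if [type] == "syslog"
        return event
    m = SYSLOG_RE.match(event["message"])
    if m is None:                              # grok: no match -> tag only, no add_field
        event.setdefault("tags", []).append("_grokparsefailure")
        return event
    event.update({k: v for k, v in m.groupdict().items() if v is not None})
    event["received_at"] = event["@timestamp"]  # add_field, before date rewrites @timestamp
    event["received_from"] = event["host"]
    syslog_pri(event)
    event["@timestamp"] = parse_syslog_time(event["syslog_timestamp"], year)
    return event


# Constructed sample events, shaped like what the beats input delivers.
SAMPLE_EVENTS = [
    {"type": "syslog", "host": "web01", "@timestamp": "2016-02-10T12:35:00.000Z",
     "message": "Feb 10 12:34:56 web01 sshd[1234]: Accepted publickey for deploy from 10.0.0.5 port 51234 ssh2"},
    {"type": "syslog", "host": "db01", "@timestamp": "2016-02-03T08:01:05.000Z",
     "message": "Feb  3 08:01:02 db01 CRON: (root) CMD (run-parts /etc/cron.hourly)"},
    {"type": "syslog", "host": "db01", "@timestamp": "2016-02-03T08:01:05.000Z",
     "message": "not a syslog line at all"},
    {"type": "nginx-access", "host": "web01", "@timestamp": "2016-02-10T12:35:00.000Z",
     "message": "10.0.0.5 - - [10/Feb/2016:12:34:56 +0000] \"GET / HTTP/1.1\" 200 612"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        out = apply_filter(dict(ev))
        print(out.get("syslog_program"), out.get("syslog_pid"), out.get("syslog_severity"),
              out.get("tags"), out["@timestamp"])
```

Two details the replay makes visible: a line that fails the grok match gets the _grokparsefailure tag and none of the add_field values, so searching for that tag in Kibana is the quickest way to spot log formats the filter does not handle; and because the pattern captures no PRI, every event reports facility user-level and severity notice, so do not build alerts on those two fields with this filter as written.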
Output
Send the beats input to Elasticsearch
$ sudo vim /etc/logstash/conf.d/30-elasticsearch-output.conf
output {
  elasticsearch {
    hosts => ["192.168.0.228:9200"]
    sniffing => true
    manage_template => false
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }
}
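The index and document_type values above are Logstash field references, and which index a given event lands in is not always obvious, particularly around midnight. The following is an added example (not part of the original page) implementing just enough of the %{...} syntax to show the result: %{[a][b]} is a nested field lookup and %{+YYYY.MM.dd} formats the event's @timestamp in UTC, which is why an event stamped 20:00 in UTC-8 goes into the next day's index. The sample events, beat names and timestamps are constructed for this example.

```python
"""Render index and document_type from 30-elasticsearch-output.conf.

Added example, not part of the original page. Implements only the parts of
Logstash's %{...} field-reference syntax that the output above uses.
"""
import re
from datetime import datetime, timezone

INDEX_TEMPLATE = "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
TYPE_TEMPLATE = "%{[@metadata][type]}"

# Only the Joda tokens used on this page are mapped to strftime.
JODA_TO_STRFTIME = {"YYYY": "%Y", "MM": "%m", "dd": "%d"}


def make_event(beat: str, beat_type: str, ts_iso: str) -> dict:
    """Build a minimal event the way the beats input would deliver it (constructed)."""
    return {"@timestamp": datetime.fromisoformat(ts_iso),
            "@metadata": {"beat": beat, "type": beat_type}}


def lookup(event: dict, ref: str):
    """[@metadata][beat] -> event["@metadata"]["beat"]; a bare name is top-level."""
    keys = re.findall(r"\[([^\]]+)\]", ref) or [ref]
    value = event
    for key in keys:
        value = value[key]
    return value


def render(template: str, event: dict) -> str:
    """Expand every %{...} in the template against the event."""
    def substitute(m):
        body = m.group(1)
        if body.startswith("+"):  # date pattern: always the UTC view of @timestamp
            fmt = body[1:]
            for joda, py in JODA_TO_STRFTIME.items():
                fmt = fmt.replace(joda, py)
            return event["@timestamp"].astimezone(timezone.utc).strftime(fmt)
        return str(lookup(event, body))
    return re.sub(r"%\{([^}]+)\}", substitute, template)


def route(event: dict) -> dict:
    """What the elasticsearch output sends for this event: its index and type.
    @metadata is never shipped to Elasticsearch, so these references add no
    fields to the stored document."""
    return {"index": render(INDEX_TEMPLATE, event), "type": render(TYPE_TEMPLATE, event)}


if __name__ == "__main__":
    for ts in ("2016-02-10T23:30:00+00:00", "2016-02-10T20:00:00-08:00"):
        print(ts, "->", route(make_event("filebeat", "log", ts)))
```

The daily index names this produces are exactly what the [filebeat-]YYYY.MM.DD index pattern loaded into Kibana later on the page matches, so a mismatch between the two (a different beat name or date format) shows up in Kibana as an empty index pattern.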
Check that the configuration is correct
$ sudo service logstash configtest
If it prints Configuration OK, there are no syntax errors.
Start Logstash and enable it to start at boot
$ sudo systemctl restart logstash
$ sudo chkconfig logstash on
Install the Kibana dashboards
$ curl -L -O http://download.elastic.co/beats/dashboards/beats-dashboards-1.2.2.zip
$ unzip beats-dashboards-1.2.2.zip
$ cd beats-dashboards-1.2.2/
Edit load.sh and set ELASTICSEARCH to the Elasticsearch address:
$ vim ./load.sh
ELASTICSEARCH=http://192.168.0.228:9200
$ ./load.sh
After it finishes, the following index patterns are created:
[packetbeat-]YYYY.MM.DD
[topbeat-]YYYY.MM.DD
[filebeat-]YYYY.MM.DD
[winlogbeat-]YYYY.MM.DD
When using Kibana, select the filebeat index pattern.