ELFK service setup
2022-06-24 04:54:00 【Extraordinary】
Server planning
| Server host11 | Server host12 | Server host13 |
|---|---|---|
| elasticsearch(master,data,client) | elasticsearch(master,data,client) | elasticsearch(master,data,client) |
| kibana | | |
| logstash | logstash | logstash |
| filebeat | filebeat | filebeat |
Run the following commands on all three servers to disable SELinux:

```bash
setenforce 0
sed -i -e 's/^SELINUX=.*$/SELINUX=disabled/g' /etc/selinux/config
```

Install Java on all three servers:

```bash
yum install -y java
```

Install the elasticsearch rpm package on all three servers:

```bash
yum install -y https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-6.3.2.rpm
```

Modify the elasticsearch configuration file on all three servers:

```bash
cat << EOF > /etc/elasticsearch/elasticsearch.yml
cluster.name: DemoESCluster
# Note: node.name must be set differently on each node
node.name: demo-es-node-1
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 0.0.0.0
http.port: 9200
discovery.zen.ping.unicast.hosts: ["10.211.55.11", "10.211.55.12", "10.211.55.13"]
discovery.zen.minimum_master_nodes: 2
gateway.recover_after_nodes: 2
EOF
```

Start elasticsearch on all three servers:

```bash
systemctl daemon-reload
systemctl enable elasticsearch
systemctl start elasticsearch
```

Check the list of nodes in the cluster from any server:

```bash
yum install -y jq
curl --silent -XGET 'http://localhost:9200/_cluster/state?pretty' | jq '.nodes'
```

The output of the command above shows the cluster information, and the nodes field contains the details of each node. With that, a basic elasticsearch cluster is deployed.
Install Kibana
Next we install Kibana to help manage Elasticsearch visually. Install kibana on host12:

```bash
yum install -y https://artifacts.elastic.co/downloads/kibana/kibana-6.3.2-x86_64.rpm
```

Modify the kibana configuration file:

```bash
cat << EOF > /etc/kibana/kibana.yml
server.port: 5601
server.host: "0.0.0.0"
elasticsearch.url: "http://localhost:9200"
EOF
```

Note that elasticsearch.url here points to the local ES instance, which is in fact a single point of failure. The official advice is to deploy an Elasticsearch coordinating only node on the same machine and configure the address of that coordinating node here.
Start kibana:

```bash
systemctl daemon-reload
systemctl enable kibana
systemctl start kibana
```

Configuring authentication requires a license upgrade. I use it on the intranet, so this configuration is not required. If you need to configure access authentication, please refer to here.
You can also enable SSL; refer to here to configure it.
To avoid a single point of failure, multiple kibana instances can be deployed, with nginx acting as a reverse proxy in front of them to provide load-balanced access to the kibana service.
Install Logstash
Install logstash on each server:

```bash
yum install -y https://artifacts.elastic.co/downloads/logstash/logstash-6.3.2.rpm
```

Modify the logstash configuration files:

```bash
cat << EOF > /etc/logstash/logstash.yml
path.data: /var/lib/logstash
path.logs: /var/log/logstash
xpack.monitoring.enabled: true
xpack.monitoring.elasticsearch.url: ["http://10.211.55.11:9200", "http://10.211.55.12:9200", "http://10.211.55.13:9200"]
EOF

cat << EOF > /etc/logstash/conf.d/beat-elasticsearch.conf
input {
  beats {
    port => 5044
    ssl => false
  }
}
filter {
}
output {
  elasticsearch {
    hosts => ["10.211.55.11:9200","10.211.55.12:9200","10.211.55.13:9200"]
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }
}
EOF
```

To parse out meaningful fields, some filters can be enabled. The list of available filters is here.
Start logstash:

```bash
systemctl daemon-reload
systemctl enable logstash
systemctl start logstash
```
Install Filebeat
Install filebeat on each server:

```bash
yum install -y https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-6.3.2-x86_64.rpm
```

Modify the filebeat configuration file on each server:

```bash
# Write appropriate inputs rules here according to the paths of the logs being collected
# 'EOF' is quoted so the shell writes ${path.config} literally instead of trying to expand it
cat << 'EOF' > /etc/filebeat/filebeat.yml
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/*.log
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false
output.logstash:
  hosts: ["10.211.55.11:5044", "10.211.55.12:5044", "10.211.55.13:5044"]
  ssl.enabled: false
  index: 'var_log'
EOF
```

filebeat has many configuration file options. A complete reference can be found here.
Start filebeat on each server:

```bash
systemctl daemon-reload
systemctl enable filebeat
systemctl start filebeat
```
Other security settings
To keep data secure, SSL encryption can be enabled for the communication between filebeat and logstash, filebeat and elasticsearch, logstash and elasticsearch, kibana and elasticsearch, and for kibana itself. Enabling it comes down to configuring an SSL certificate in the configuration file. This is fairly simple, so I won't go into it here.
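For the filebeat to logstash link in that list, this is what the TLS settings look like in place of `ssl => false` and `ssl.enabled: false`. It is an added example, not part of the original post; the `/etc/pki/elfk` certificate paths, the private CA and the `write_beats_tls_conf` helper are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): TLS with client certificates
# between filebeat and logstash.
# Assumed, not from the page: a private CA and per-host certificates under
# /etc/pki/elfk. The logstash certificate needs an IP SAN for each address in
# "hosts" (filebeat connects by IP), and ssl_key must be a PKCS#8 key.
write_beats_tls_conf() {
  root="$1"            # output prefix: render to a scratch dir, review, then copy to /
  pki="/etc/pki/elfk"  # hypothetical certificate directory
  mkdir -p "$root/etc/logstash/conf.d" "$root/etc/filebeat"

  # logstash: serve TLS on 5044 and reject shippers without a CA-signed cert
  cat << EOF > "$root/etc/logstash/conf.d/beat-elasticsearch.conf"
input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate => "$pki/logstash.crt"
    ssl_key => "$pki/logstash.pkcs8.key"
    ssl_certificate_authorities => ["$pki/ca.crt"]
    ssl_verify_mode => "force_peer"
  }
}
output {
  elasticsearch {
    hosts => ["10.211.55.11:9200","10.211.55.12:9200","10.211.55.13:9200"]
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
  }
}
EOF

  # filebeat: verify logstash against the CA and present a client certificate
  cat << EOF > "$root/etc/filebeat/filebeat.yml"
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/*.log
output.logstash:
  hosts: ["10.211.55.11:5044", "10.211.55.12:5044", "10.211.55.13:5044"]
  ssl.enabled: true
  ssl.certificate_authorities: ["$pki/ca.crt"]
  ssl.certificate: "$pki/filebeat.crt"
  ssl.key: "$pki/filebeat.key"
  index: 'var_log'
EOF
}

out=$(mktemp -d) && write_beats_tls_conf "$out" && echo "rendered under $out"
```

The output block here still reaches elasticsearch over plain HTTP; that hop is configured separately.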
kibana login authentication requires a license upgrade, which is unpleasant. If cost is a consideration, it is better to handle it with HTTP Basic authentication on a front-end nginx.
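A front-end nginx that does both jobs mentioned in this post, HTTP Basic authentication and load balancing across several kibana instances, could be configured as below. This is an added example, not part of the original post; the second kibana instance on 10.211.55.11, the server name, the certificate and htpasswd paths and the `write_kibana_proxy_conf` helper are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): nginx in front of Kibana with
# HTTP Basic authentication, load-balancing over several Kibana instances.
# Assumed, not from the page: nginx is installed, Kibana also runs on
# 10.211.55.11, and the server name, certificate and htpasswd paths below.
write_kibana_proxy_conf() {
  root="$1"   # output prefix: render to a scratch dir, review, then copy to /
  mkdir -p "$root/etc/nginx/conf.d"
  # Quoted 'EOF' so that nginx variables such as $host are written literally.
  cat << 'EOF' > "$root/etc/nginx/conf.d/kibana.conf"
upstream kibana_backend {
    server 10.211.55.11:5601;
    server 10.211.55.12:5601;
}
server {
    # TLS on the listener, so Basic credentials are not sent in clear text
    listen 443 ssl;
    server_name kibana.example.internal;
    ssl_certificate     /etc/pki/elfk/kibana-proxy.crt;
    ssl_certificate_key /etc/pki/elfk/kibana-proxy.key;

    # Every request must carry credentials listed in the htpasswd file.
    auth_basic           "Kibana";
    auth_basic_user_file /etc/nginx/kibana.htpasswd;

    location / {
        proxy_pass http://kibana_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
EOF
}

# Create the password file with htpasswd from the httpd-tools package:
#   htpasswd -c /etc/nginx/kibana.htpasswd <user>
# The proxy is the only gate, so ports 5601 and 9200 on the three hosts must
# accept connections from the proxy and cluster members only; with
# server.host and network.host set to 0.0.0.0 a client can otherwise bypass it.
out=$(mktemp -d) && write_kibana_proxy_conf "$out" && echo "rendered under $out"
```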
Testing the deployment
At this point a fairly complete ELFK log collection system is set up. Open http://192.168.10.2:5601/ in a browser; after some simple setup in the kibana interface you can view the collected logs:
Add index entries