Installing an ELK cluster from RPM packages
<h4>1. Install JDK 11</h4>
<pre><code>wget <a href="https://download.java.net/java/GA/jdk11/13/GPL/openjdk-11.0.1_linux-x64_bin.tar.gz">https://download.java.net/java/GA/jdk11/13/GPL/openjdk-11.0.1_linux-x64_bin.tar.gz</a>
mkdir -p /usr/local/jdk
# extract the archive just downloaded (it unpacks to jdk-11.0.1/) into /usr/local/jdk
tar -xzvf openjdk-11.0.1_linux-x64_bin.tar.gz -C /usr/local/jdk</code></pre>
<p>Configure the environment variables:</p>
<pre><code>vi /etc/profile
JAVA_HOME=/usr/local/jdk/jdk-11.0.1
CLASSPATH=$JAVA_HOME/lib/
PATH=$PATH:$JAVA_HOME/bin
export PATH JAVA_HOME CLASSPATH</code></pre>
<p>Apply the environment variables and verify the installation:</p>
<pre><code>source /etc/profile
java -version</code></pre>
<h4>2. Download ELK</h4>
<pre><code>wget <a href="https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.10.0-x86_64.rpm">https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.10.0-x86_64.rpm</a>
wget <a href="https://artifacts.elastic.co/downloads/kibana/kibana-7.10.0-x86_64.rpm">https://artifacts.elastic.co/downloads/kibana/kibana-7.10.0-x86_64.rpm</a>
wget <a href="https://artifacts.elastic.co/downloads/logstash/logstash-7.10.0.rpm">https://artifacts.elastic.co/downloads/logstash/logstash-7.10.0.rpm</a></code></pre>
<h4>3. Install</h4>
<pre><code>rpm -ivh elasticsearch-7.10.0-x86_64.rpm
rpm -ivh kibana-7.10.0-x86_64.rpm
rpm -ivh logstash-7.10.0.rpm</code></pre>
<h4>4. Edit the Elasticsearch configuration file</h4>
<pre><code>vi /etc/elasticsearch/elasticsearch.yml</code></pre>
<p><img src="https://www.showdoc.com.cn/server/api/attachment/visitfile/sign/f25ef03a211f1583091019aa2a89a59b" alt="" />
<img src="https://www.showdoc.com.cn/server/api/attachment/visitfile/sign/948dbe293bb0bc4cab71656ab93e8717" alt="" />
<img src="https://www.showdoc.com.cn/server/api/attachment/visitfile/sign/5c7bbaa7b471ae25fd9163f1b993af4e" alt="" /></p>
<h4>5. Edit the Kibana configuration file</h4>
<pre><code>vi /etc/kibana/kibana.yml</code></pre>
<p><img src="https://www.showdoc.com.cn/server/api/attachment/visitfile/sign/638fe1b96352cf92d785a87cba12fa2a" alt="" />
<img src="https://www.showdoc.com.cn/server/api/attachment/visitfile/sign/6e3a431f03c9c0855b5537242b114126" alt="" /></p>
<h4>6. Start the ELK services</h4>
<pre><code>systemctl start elasticsearch
systemctl enable elasticsearch
systemctl start kibana
systemctl enable kibana</code></pre>
<h4>7. Enable username/password authentication</h4>
<p>Add the following settings to elasticsearch.yml:</p>
<pre><code>http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-headers: Authorization
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true</code></pre>
<p>Restart Elasticsearch and set the passwords of the built-in users interactively:</p>
<pre><code>systemctl restart elasticsearch
/usr/share/elasticsearch/bin/elasticsearch-setup-passwords interactive</code></pre>
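Two of the settings above deserve a check before the restart: transport TLS that is switched on without a keystore or key/certificate stops the node from starting, and a CORS origin of <code>"*"</code> is wider than a Kibana-only deployment needs (Kibana talks to Elasticsearch server-side, so it does not need CORS at all). The following script is an added example, not code from the original page or from Elastic; it assumes flat <code>key: value</code> lines as shown above, and both sample configurations it contains are constructed, not copied from a real host.

```python
"""Added example (not from the original page): a pre-restart check for the
settings that step 7 adds to /etc/elasticsearch/elasticsearch.yml.
Assumes flat 'key: value' lines as shown on the page; the two samples below
are constructed, not copied from a real host."""

# Constructed sample: exactly the five settings the page tells you to add.
PAGE_SETTINGS = """\
http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-headers: Authorization
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
"""

# Constructed hardened variant (assumed values): CORS off because Kibana talks
# to Elasticsearch server-side, and a transport keystore so the node can
# actually start with transport TLS on (certs/elastic-certificates.p12 is the
# default name produced by elasticsearch-certutil; path assumed here).
HARDENED_SETTINGS = """\
http.cors.enabled: false
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
"""


def parse_flat_yaml(text):
    """Return {key: value} for top-level 'key: value' lines; comments and
    surrounding quotes are stripped. Nested YAML is out of scope here."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def audit_security_settings(settings):
    """Return a list of findings; an empty list means the file is safe to restart with."""
    findings = []
    if settings.get("xpack.security.enabled") != "true":
        findings.append("xpack.security.enabled is not true: the HTTP API accepts unauthenticated requests")
    if settings.get("xpack.security.transport.ssl.enabled") == "true":
        has_key = settings.get("xpack.security.transport.ssl.keystore.path") or (
            settings.get("xpack.security.transport.ssl.key")
            and settings.get("xpack.security.transport.ssl.certificate"))
        if not has_key:
            findings.append("transport SSL is enabled but no keystore.path (or key + certificate) "
                            "is set: the node will refuse to start")
    if settings.get("http.cors.enabled") == "true" and settings.get("http.cors.allow-origin") == "*":
        findings.append("http.cors.allow-origin is '*': any web origin may issue browser-side requests "
                        "to the API; restrict it to the origins that need direct access, or disable "
                        "CORS if only Kibana uses the cluster")
    return findings


def audit_text(text):
    """Convenience wrapper: parse then audit a configuration file's text."""
    return audit_security_settings(parse_flat_yaml(text))


if __name__ == "__main__":
    for label, text in (("page", PAGE_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        print(label, audit_text(text) or "OK")
```

Run it against a real file with <code>audit_text(open("/etc/elasticsearch/elasticsearch.yml").read())</code>; the page's settings as written produce two findings, the hardened variant none.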
<h4>8. Start Logstash</h4>
<pre><code>/usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/waf.conf --path.data=/tmp/waf.conf</code></pre>
<p>Passing a separate --path.data lets several configuration files run at the same time: each Logstash instance needs its own data directory, otherwise the second one refuses to start because the directory is already locked.</p>
<h4>9. Logstash parsing rules</h4>
<p>Debug rules with Kibana's Dev Tools. Pattern reference:
<a href="https://github.com/elastic/logstash/blob/v1.4.2/patterns/grok-patterns">https://github.com/elastic/logstash/blob/v1.4.2/patterns/grok-patterns</a>
Common patterns:
NOTSPACE: matches a field that contains no whitespace
QS: matches the content inside double quotes
GREEDYDATA: matches all remaining content
Sample configurations: <a href="https://www.showdoc.com.cn/server/api/attachment/visitfile/sign/e29e6b8f29572d7bc5c45aed3ba59513">logstash1.conf</a>, <a href="https://www.showdoc.com.cn/server/api/attachment/visitfile/sign/b03749de86ea3a42e4dc484e20455323">soc.conf</a></p>
<p><img src="https://www.showdoc.com.cn/server/api/attachment/visitfile/sign/80915448807ac4f87516107f88597a54" alt="" /></p>
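To see what NOTSPACE, QS and GREEDYDATA actually capture before pasting an expression into the Kibana debugger, the following added example (not code from the original page or from the Logstash project) expands grok-style <code>%{PATTERN:field}</code> references into a Python regex. The pattern bodies are simplified from the shipped grok-patterns file; note that QS captures the quotes along with the content, which is why Logstash configurations often strip them afterwards. The WAF-style log line and the field names are constructed for illustration.

```python
"""Added example (not from the original page): a small grok-style matcher that
expands the patterns the page names (NOTSPACE, QS, GREEDYDATA) plus a few base
ones into a Python regex. Pattern bodies are simplified versions of the
shipped grok-patterns file; the log line and field names are constructed."""
import re

PATTERNS = {
    "NOTSPACE": r"\S+",                 # one run of non-whitespace characters
    "QS": r'"(?:[^"\\]|\\.)*"',         # a double-quoted string, quotes included
    "GREEDYDATA": r".*",                # everything that is left
    "IP": r"(?:\d{1,3}\.){3}\d{1,3}",
    "NUMBER": r"-?\d+(?:\.\d+)?",
}

_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")   # %{PATTERN} or %{PATTERN:field}


def grok_to_regex(expr):
    """Expand %{NAME:field} references; the rest of expr is ordinary regex,
    so literal brackets are written as \\[ and \\] just as in grok."""
    def expand(m):
        body = PATTERNS[m.group(1)]
        return f"(?P<{m.group(2)}>{body})" if m.group(2) else f"(?:{body})"
    return "^" + _REF.sub(expand, expr) + "$"


def grok_match(expr, line):
    """Return the captured fields as a dict, or None when the line does not match."""
    m = re.match(grok_to_regex(expr), line)
    return m.groupdict() if m else None


# Constructed WAF-style line and a matching expression (field names assumed).
SAMPLE_LINE = ('10.0.0.5 - - [05/Dec/2020:10:15:32 +0800] '
               '"GET /index.php?id=1 HTTP/1.1" 403 "waf-block" client rate limit exceeded')
WAF_EXPR = (r'%{IP:client} - - \[%{NOTSPACE:date} %{NOTSPACE:tz}\] '
            r'%{QS:request} %{NUMBER:status} %{QS:action} %{GREEDYDATA:msg}')


def parse_sample():
    """Apply WAF_EXPR to SAMPLE_LINE and return the field dict."""
    return grok_match(WAF_EXPR, SAMPLE_LINE)


if __name__ == "__main__":
    for key, value in parse_sample().items():
        print(f"{key:8} = {value}")
    # GREEDYDATA placed early swallows as much as it can and only backtracks
    # as far as the patterns after it force it to: head = "a b", tail = "c".
    print(grok_match(r"%{GREEDYDATA:head} %{NOTSPACE:tail}", "a b c"))
```

The second call at the bottom shows the usual GREEDYDATA pitfall: put it last, as in WAF_EXPR, unless a fixed delimiter follows it, otherwise it absorbs fields you meant to capture separately. A line that does not fit the expression returns None, which is what a <code>_grokparsefailure</code> tag signals in Logstash.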
<h4>10. Kibana configuration</h4>
<p>1. Add the index pattern
2. Visualize the data in Discover.</p>