Installing an ELK cluster with rpm

1. Install JDK 11

wget https://download.java.net/java/GA/jdk11/13/GPL/openjdk-11.0.1_linux-x64_bin.tar.gz
mkdir -p /usr/local/jdk
tar -xzvf openjdk-11.0.1_linux-x64_bin.tar.gz -C /usr/local/jdk
Configure the environment variables:
vi /etc/profile
JAVA_HOME=/usr/local/jdk/jdk-11.0.1
CLASSPATH=$JAVA_HOME/lib/
PATH=$PATH:$JAVA_HOME/bin
export PATH JAVA_HOME CLASSPATH
Apply them and verify:
source /etc/profile
java -version

2. Download ELK

wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.10.0-x86_64.rpm
wget https://artifacts.elastic.co/downloads/kibana/kibana-7.10.0-x86_64.rpm
wget https://artifacts.elastic.co/downloads/logstash/logstash-7.10.0.rpm

3. Install the packages

rpm -ivh elasticsearch-7.10.0-x86_64.rpm
rpm -ivh kibana-7.10.0-x86_64.rpm
rpm -ivh logstash-7.10.0.rpm

4. Edit the Elasticsearch configuration file

vi /etc/elasticsearch/elasticsearch.yml


5. Edit the Kibana configuration file

vi /etc/kibana/kibana.yml
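Added example, not part of the original page: a shell script that renders a minimal elasticsearch.yml and kibana.yml for a three-node cluster, since the page does not show what goes into the two files. The cluster name soc, the node names es-node-1 to es-node-3 and the addresses 10.0.0.11 to 10.0.0.13 are assumptions. On a real node, point the output at /etc/elasticsearch and /etc/kibana; the functions below take the output directory as a parameter so the demo stays out of /etc.

```shell
#!/bin/sh
# Added example, not from the original page: render a minimal elasticsearch.yml and
# kibana.yml for a three-node cluster. The cluster name, node names and the
# 10.0.0.x addresses are assumptions; replace them with your own hosts.

ES_CLUSTER=soc
ES_SEEDS='10.0.0.11, 10.0.0.12, 10.0.0.13'
ES_MASTERS='es-node-1, es-node-2, es-node-3'
ES_HTTP_HOSTS='"http://10.0.0.11:9200", "http://10.0.0.12:9200", "http://10.0.0.13:9200"'

# render_es_yml NODE_NAME BIND_ADDR -> prints the elasticsearch.yml for one node
render_es_yml() {
    cat <<EOF
cluster.name: $ES_CLUSTER
node.name: $1
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
# Bind to the node's own address, not 0.0.0.0: the REST port has no
# authentication until xpack.security is enabled (step 7).
network.host: $2
http.port: 9200
transport.port: 9300
# seed_hosts is how the nodes find each other; initial_master_nodes is read
# only when the cluster is bootstrapped for the first time.
discovery.seed_hosts: [$ES_SEEDS]
cluster.initial_master_nodes: [$ES_MASTERS]
EOF
}

# render_kibana_yml BIND_ADDR -> prints a kibana.yml that talks to all three nodes
render_kibana_yml() {
    cat <<EOF
server.port: 5601
server.host: "$1"
server.name: kibana
elasticsearch.hosts: [$ES_HTTP_HOSTS]
EOF
}

# yml_get FILE KEY -> prints the value of a top-level "key: value" line
yml_get() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape the dots in the key
    sed -n -E "s/^$key:[[:space:]]*//p" "$1" | head -n 1
}

# write_node_configs NODE_NAME BIND_ADDR OUTDIR -> writes both files under OUTDIR
# (use /etc/elasticsearch and /etc/kibana on the real host)
write_node_configs() {
    mkdir -p "$3"
    render_es_yml "$1" "$2" > "$3/elasticsearch.yml"
    render_kibana_yml "$2" > "$3/kibana.yml"
}
```

Run write_node_configs once per node with that node's name and address; only node.name and network.host differ between the three files. The cluster.initial_master_nodes line can be removed after the cluster has formed once.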

6. Start the ELK services

systemctl start elasticsearch
systemctl enable elasticsearch
systemctl start kibana
systemctl enable kibana

7. Enable username/password authentication

Add the following settings to elasticsearch.yml:
http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-headers: Authorization
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
systemctl restart elasticsearch
/usr/share/elasticsearch/bin/elasticsearch-setup-passwords interactive
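Added example, not from the original page: a shell audit for the settings listed in step 7. It writes two constructed sample files, weak.yml with the settings exactly as listed above and hardened.yml with a constructed hardened variant (the certificate paths are placeholders), and counts the findings in each. The checks only use settings that exist in Elasticsearch 7.x: xpack.security.transport.ssl.keystore.path, xpack.security.transport.ssl.certificate, xpack.security.transport.ssl.verification_mode and xpack.security.http.ssl.enabled.

```shell
#!/bin/sh
# Added example, not from the original page: audit an elasticsearch.yml for the
# weak spots in the step 7 settings. Sample files and certificate paths are constructed.

# has_line FILE ERE -> true if some line of FILE matches the extended regex
has_line() { grep -Eq "$2" "$1"; }

# audit_es_yml FILE -> one finding per line on stderr, the finding count on stdout
audit_es_yml() {
    f=$1
    n=0
    if ! has_line "$f" '^[[:space:]]*xpack\.security\.enabled:[[:space:]]*true'; then
        echo "FINDING: xpack.security.enabled is not true; REST and transport have no authentication" >&2
        n=$((n + 1))
    fi
    if has_line "$f" '^[[:space:]]*http\.cors\.allow-origin:.*\*'; then
        echo "FINDING: http.cors.allow-origin is a wildcard; restrict it to the Kibana origin" >&2
        n=$((n + 1))
    fi
    if has_line "$f" '^[[:space:]]*xpack\.security\.transport\.ssl\.enabled:[[:space:]]*true' &&
       ! has_line "$f" '^[[:space:]]*xpack\.security\.transport\.ssl\.(keystore\.path|certificate):'; then
        echo "FINDING: transport SSL is enabled but no keystore or certificate is configured" >&2
        n=$((n + 1))
    fi
    if ! has_line "$f" '^[[:space:]]*xpack\.security\.http\.ssl\.enabled:[[:space:]]*true'; then
        echo "FINDING: HTTP TLS is off; the passwords from elasticsearch-setup-passwords cross the network in clear text" >&2
        n=$((n + 1))
    fi
    echo "$n"
}

# write_samples DIR -> DIR/weak.yml (the step 7 settings as listed) and
# DIR/hardened.yml (constructed; certs/*.p12 are placeholder paths)
write_samples() {
    mkdir -p "$1"
    cat > "$1/weak.yml" <<'EOF'
http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-headers: Authorization
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
EOF
    cat > "$1/hardened.yml" <<'EOF'
http.cors.enabled: true
http.cors.allow-origin: "https://kibana.example.internal:5601"
http.cors.allow-headers: Authorization
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12
EOF
}
```

Run audit_es_yml against /etc/elasticsearch/elasticsearch.yml before the restart. The settings as listed in step 7 produce three findings: the wildcard CORS origin lets any web origin issue cross-origin requests to port 9200 from the browser of anyone who can reach it, transport SSL cannot come up without a keystore or certificate on every node, and without HTTP TLS the passwords set up with elasticsearch-setup-passwords are sent in the clear.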

8. Start Logstash

/usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/waf.conf --path.data=/tmp/waf.conf
Giving each instance its own --path.data lets several configuration files run at the same time.

9. Logstash parsing rules

Debug the rules with the Kibana Dev Tools (Grok Debugger).
Pattern reference:
https://github.com/elastic/logstash/blob/v1.4.2/patterns/grok-patterns
Commonly used patterns:
NOTSPACE: matches a run of characters without whitespace
QS: matches a double-quoted string
GREEDYDATA: matches the rest of the line
Sample pipeline configs (soc.conf, logstash1.conf): https://www.showdoc.com.cn/server/api/attachment/visitfile/sign/b03749de86ea3a42e4dc484e20455323
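Added example, not from the original page: the three patterns above written into a grok filter for an assumed waf.conf, plus the equivalent POSIX ERE so a log line can be checked with sed and grep before a pipeline restart. The field names (ts, client, request, action, detail) and the sample WAF line are constructed; in the ERE the timestamp and IP fields are simplified to NOTSPACE, and the QS equivalent strips the surrounding quotes, whereas grok's QS keeps them in the field value.

```shell
#!/bin/sh
# Added example, not from the original page: NOTSPACE, QS and GREEDYDATA as a grok
# filter and as the equivalent ERE. Field names and the sample line are constructed.

# logstash_filter -> prints the filter stanza assumed for /etc/logstash/conf.d/waf.conf
logstash_filter() {
    cat <<'EOF'
filter {
  grok {
    match => { "message" => "%{TIMESTAMP_ISO8601:ts} %{IP:client} %{QS:request} %{NOTSPACE:action} %{GREEDYDATA:detail}" }
  }
}
EOF
}

# The same pattern as ERE, one capture group per field:
#   NOTSPACE -> [^[:space:]]+    QS -> "([^"]*)"    GREEDYDATA -> .*
# (ts and client are simplified to NOTSPACE here.)
WAF_RE='^([^[:space:]]+) ([^[:space:]]+) "([^"]*)" ([^[:space:]]+) (.*)$'

# Constructed sample line in the assumed WAF format
SAMPLE_LINE='2020-11-20T10:15:32Z 198.51.100.23 "GET /index.php HTTP/1.1" blocked rule=rate-limit country=XX'

# grok_matches LINE -> true when the whole line matches (a line that fails here
# would come out of Logstash tagged _grokparsefailure)
grok_matches() {
    printf '%s\n' "$1" | grep -Eq "$WAF_RE"
}

# grok_field LINE FIELD -> prints the field's value; exit 1 if the line does not
# match, exit 2 for an unknown field name
grok_field() {
    case $2 in
        ts) g=1 ;;
        client) g=2 ;;
        request) g=3 ;;
        action) g=4 ;;
        detail) g=5 ;;
        *) return 2 ;;
    esac
    grok_matches "$1" || return 1
    printf '%s\n' "$1" | sed -n -E "s/$WAF_RE/\\$g/p"
}
```

Use grok_matches over a few hundred lines of the real log (for example with a while-read loop) to see how many would fail the pattern before committing it to the pipeline; a single unquoted request field is enough to make the whole line fall through to GREEDYDATA-free _grokparsefailure handling.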

10. Kibana configuration

1. Add an index pattern.
2. Explore the data in Discover.