Security Operations Notes


Installing an ELK cluster with rpm

<h4>1. Install JDK 11</h4>
<pre><code>wget https://download.java.net/java/GA/jdk11/13/GPL/openjdk-11.0.1_linux-x64_bin.tar.gz
mkdir -p /usr/local/jdk
tar -xzvf openjdk-11.0.1_linux-x64_bin.tar.gz -C /usr/local/jdk</code></pre>
<p>Configure the environment variables:</p>
<pre><code>vi /etc/profile
JAVA_HOME=/usr/local/jdk/jdk-11.0.1
CLASSPATH=$JAVA_HOME/lib/
PATH=$PATH:$JAVA_HOME/bin
export PATH JAVA_HOME CLASSPATH</code></pre>
<p>Apply the environment variables and verify the installation:</p>
<pre><code>source /etc/profile
java -version</code></pre>
<h4>2. Download ELK</h4>
<pre><code>wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.10.0-x86_64.rpm
wget https://artifacts.elastic.co/downloads/kibana/kibana-7.10.0-x86_64.rpm
wget https://artifacts.elastic.co/downloads/logstash/logstash-7.10.0.rpm</code></pre>
<h4>3. Install</h4>
<pre><code>rpm -ivh elasticsearch-7.10.0-x86_64.rpm
rpm -ivh kibana-7.10.0-x86_64.rpm
rpm -ivh logstash-7.10.0.rpm</code></pre>
<h4>4. Edit the Elasticsearch configuration file</h4>
<pre><code>vi /etc/elasticsearch/elasticsearch.yml</code></pre>
<p><img src="https://www.showdoc.com.cn/server/api/attachment/visitfile/sign/f25ef03a211f1583091019aa2a89a59b" alt="elasticsearch.yml settings (screenshot 1)" /> <img src="https://www.showdoc.com.cn/server/api/attachment/visitfile/sign/948dbe293bb0bc4cab71656ab93e8717" alt="elasticsearch.yml settings (screenshot 2)" /> <img src="https://www.showdoc.com.cn/server/api/attachment/visitfile/sign/5c7bbaa7b471ae25fd9163f1b993af4e" alt="elasticsearch.yml settings (screenshot 3)" /></p>
<h4>5. Edit the Kibana configuration file</h4>
<pre><code>vi /etc/kibana/kibana.yml</code></pre>
<p><img src="https://www.showdoc.com.cn/server/api/attachment/visitfile/sign/638fe1b96352cf92d785a87cba12fa2a" alt="kibana.yml settings (screenshot 1)" /> <img src="https://www.showdoc.com.cn/server/api/attachment/visitfile/sign/6e3a431f03c9c0855b5537242b114126" alt="kibana.yml settings (screenshot 2)" /></p>
<h4>6. Start the ELK services</h4>
<pre><code>systemctl start elasticsearch
systemctl enable elasticsearch
systemctl start kibana
systemctl enable kibana</code></pre>
<h4>7. Enable username/password authentication</h4>
<p>Add the following settings to <code>elasticsearch.yml</code>:</p>
<pre><code>http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-headers: Authorization
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true</code></pre>
<p>Then restart Elasticsearch and set the passwords of the built-in users interactively:</p>
<pre><code>systemctl restart elasticsearch
/usr/share/elasticsearch/bin/elasticsearch-setup-passwords interactive</code></pre>
<h4>8. Start Logstash</h4>
<pre><code>/usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/waf.conf --path.data=/tmp/waf.conf</code></pre>
<p>Giving each instance its own <code>--path.data</code> directory allows several configuration files to run at the same time.</p>
<h4>9. Logstash parsing rules</h4>
<p>Rules are debugged with the Grok Debugger in Kibana's Dev Tools. The pattern definitions can be looked up at <a href="https://github.com/elastic/logstash/blob/v1.4.2/patterns/grok-patterns">https://github.com/elastic/logstash/blob/v1.4.2/patterns/grok-patterns</a>.</p>
<p>Commonly used patterns:</p>
<ul>
<li><code>NOTSPACE</code>: matches a field that contains no whitespace</li>
<li><code>QS</code>: matches the content of a double-quoted string</li>
<li><code>GREEDYDATA</code>: matches everything that remains</li>
</ul>
<p>Example configurations: <a href="https://www.showdoc.com.cn/server/api/attachment/visitfile/sign/e29e6b8f29572d7bc5c45aed3ba59513" title="logstash1.conf">logstash1.conf</a>, <a href="https://www.showdoc.com.cn/server/api/attachment/visitfile/sign/b03749de86ea3a42e4dc484e20455323" title="soc.conf">soc.conf</a></p>
<p><img src="https://www.showdoc.com.cn/server/api/attachment/visitfile/sign/80915448807ac4f87516107f88597a54" alt="Logstash grok rule example" /></p>
<h4>10. Kibana configuration</h4>
<p>1. Create the index pattern. 2. Visualize the data in Discover.</p>
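The settings added in step 7 turn authentication on but also open CORS to every origin while allowing the Authorization header, and they enable transport TLS without showing where the node certificate is configured. As an added example (not part of the original notes), the following Python script audits such a file: it reads the flat <code>key: value</code> lines of <code>elasticsearch.yml</code>, flags a wildcard <code>http.cors.allow-origin</code>, an Authorization header allowed cross-origin together with that wildcard, security left disabled, and transport SSL enabled with no <code>keystore.path</code> or <code>key</code> configured. The hardened variant, the Kibana origin and the keystore file name in it are assumptions for illustration.

```python
# Added example: audit of the security-relevant settings in elasticsearch.yml.
# Only flat "dotted.key: value" lines are handled; nested YAML is out of scope.

# Constructed copy of the settings listed in step 7 of the notes.
WEAK_YML = """\
http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-headers: Authorization
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
"""

# Hardened variant. The Kibana origin and the keystore file name are
# hypothetical placeholders, not values from the notes.
HARDENED_YML = """\
http.cors.enabled: true
http.cors.allow-origin: "https://kibana.example.internal:5601"
http.cors.allow-headers: Authorization
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
"""

# Literal wildcard, or the regex form Elasticsearch accepts for allow-origin.
WILDCARD_ORIGINS = {"*", "/.*/"}


def parse_flat_yaml(text):
    """Read 'key: value' lines into a dict, skipping blanks and comments and
    stripping surrounding quotes from values."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        value = value.split(" #", 1)[0].strip()  # drop a trailing comment
        settings[key.strip()] = value.strip('"').strip("'")
    return settings


def audit_elasticsearch_yml(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    s = parse_flat_yaml(text)
    findings = []

    def enabled(key):
        return s.get(key, "false").lower() == "true"

    if not enabled("xpack.security.enabled"):
        findings.append("xpack.security.enabled is not true: the REST API answers unauthenticated requests")

    if enabled("http.cors.enabled"):
        origin = s.get("http.cors.allow-origin", "")
        headers = {h.strip().lower() for h in s.get("http.cors.allow-headers", "").split(",")}
        if origin in WILDCARD_ORIGINS:
            findings.append("http.cors.allow-origin admits every origin: restrict it to the Kibana URL")
            if "authorization" in headers:
                findings.append("Authorization is an allowed CORS header while the origin is a wildcard")

    if enabled("xpack.security.transport.ssl.enabled"):
        has_key = (s.get("xpack.security.transport.ssl.keystore.path")
                   or s.get("xpack.security.transport.ssl.key"))
        if not has_key:
            findings.append("transport SSL is enabled but no keystore.path or key is configured for the node")

    return findings


if __name__ == "__main__":
    for label, yml in (("step 7 config", WEAK_YML), ("hardened", HARDENED_YML)):
        print(f"{label}: {audit_elasticsearch_yml(yml) or ['no findings']}")
```

Run it against a copy of the real file (`audit_elasticsearch_yml(open('/etc/elasticsearch/elasticsearch.yml').read())`) after step 7 and before exposing port 9200; the step 7 settings produce three findings, the hardened variant none.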
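To make the three grok patterns named in step 9 concrete, here is an added Python example (not code from the notes or from Logstash) that expands <code>%{PATTERN:field}</code> expressions into named regex groups and runs them over a constructed WAF-style log line. The pattern bodies are simplified regex equivalents of the Logstash definitions, the <code>IP</code> pattern is added for the client address, and the sample line, rule id and message are placeholders.

```python
import re

# Simplified regex equivalents of the grok patterns named in step 9, plus IP
# for the client address. Logstash's real QS pattern also accepts single quotes
# and backticks; this version handles double-quoted strings with backslash
# escapes, which covers typical web/WAF access logs.
PATTERNS = {
    "IP": r"(?:\d{1,3}\.){3}\d{1,3}",
    "NOTSPACE": r"\S+",
    "QS": r'"(?:\\.|[^"\\])*"',
    "GREEDYDATA": r".*",
}

# Constructed sample log line (not taken from any real system) and the grok
# expression that parses it. The rule id and message are placeholders.
SAMPLE_LINE = ('203.0.113.7 - - "GET /login?user=admin HTTP/1.1" 403 '
               'rule=EXAMPLE-001 msg="blocked by example rule"')
WAF_EXPR = ("%{IP:client} %{NOTSPACE:ident} %{NOTSPACE:user} %{QS:request} "
            "%{NOTSPACE:status} %{GREEDYDATA:details}")


def compile_grok(expr):
    """Expand every %{PATTERN:field} in a grok expression into a named regex
    group. Literal text between patterns is regex, exactly as in grok.
    An unknown pattern name raises KeyError rather than silently matching
    nothing."""
    def expand(m):
        name, _, field = m.group(1).partition(":")
        body = PATTERNS[name]
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return re.compile(re.sub(r"%\{([^}]+)\}", expand, expr))


def grok_match(expr, line):
    """Return the captured fields as a dict, or None when the line does not match."""
    m = compile_grok(expr).match(line)
    return m.groupdict() if m else None


def strip_quotes(fields):
    """QS captures include the surrounding quotes; drop them so the request
    field is indexed without them."""
    return {k: (v[1:-1] if len(v) >= 2 and v[0] == v[-1] == '"' else v)
            for k, v in fields.items()}


if __name__ == "__main__":
    parsed = grok_match(WAF_EXPR, SAMPLE_LINE)
    print(strip_quotes(parsed))
```

The order of the patterns matters the same way it does in Logstash: <code>GREEDYDATA</code> belongs last, because placed earlier it would swallow the fields that follow it, and <code>NOTSPACE</code> is the right choice for fixed-width tokens such as the status code because it stops at the next blank.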
