Centos7下使用ELK(Elasticsearch + Logstash + Kibana)搭建日誌集中分析平臺
阿新 • • 發佈:2018-11-15
Centos7下使用ELK(Elasticsearch + Logstash + Kibana)搭建日誌集中分析平臺
日誌監控和分析在保障業務穩定執行時,起到了很重要的作用,不過一般情況下日誌都分散在各個生產伺服器,且開發人員無法登陸生產伺服器,這時候就需要一個集中式的日誌收集裝置,對日誌中的關鍵字進行監控,觸發異常時進行報警,並且開發人員能夠檢視相關日誌。logstash+elasticsearch+kibana3就是實現這樣功能的一套系統,並且功能更強大。
Logstash:負責日誌的收集,處理和儲存
Elasticsearch:負責日誌檢索和分析
Kibana:負責日誌的視覺化
1、環境介紹
elkServer
IP:192.168.7.27
OS:Centos7.1
FQDN:elk.server.com
elkClient
IP:192.168.31.23
OS:Centos7.1
2、下載準備
官網下載最新的安裝包:https://www.elastic.co/downloads(目前有些版本的包可能下載不到了,請到該地址下載——連結:http://pan.baidu.com/s/1gfohO2Z 密碼:5s1f)
elasticsearch-1.7.3.noarch.rpm (server上安裝) kibana-4.1.2-linux-x64.tar.gz (server上安裝) logstash-1.5.4-1.noarch.rpm (server上安裝) logstash-forwarder-0.4.0-1.x86_64.rpm (client上安裝)
3、Server端安裝
3.1安裝jdk1.7
[[email protected] ~]# yum install java-1.7.0-openjdk Loaded plugins: fastestmirror, langpacks base | 3.6 kB 00:00:00 extras | 3.4 kB 00:00:00 updates | 3.4 kB 00:00:00 Loading mirror speeds from cached hostfile * base: mirrors.btte.net * extras: mirrors.163.com * updates: mirrors.163.com Package 1:java-1.7.0-openjdk-1.7.0.91-2.6.2.1.el7_1.x86_64 already installed and latest version Nothing to do
3.2安裝elasticsearch
[[email protected] elk]# yum localinstall elasticsearch-1.7.3.noarch.rpm (yum 本地安裝elasticsearch) Loaded plugins: fastestmirror, langpacks Examining elasticsearch-1.7.3.noarch.rpm: elasticsearch-1.7.3-1.noarch elasticsearch-1.7.3.noarch.rpm: does not update installed package. Nothing to do [[email protected] elk]# systemctl daemon-reload [[email protected] elk]# systemctl enable elasticsearch.service (設定開機自啟動) ln -s '/usr/lib/systemd/system/elasticsearch.service' '/etc/systemd/system/multi-user.target.wants/elasticsearch.service' [[email protected] elk]# systemctl start elasticsearch.service (開啟服務) [[email protected] elk]# systemctl status elasticsearch.service (檢視服務狀態) elasticsearch.service - Elasticsearch Loaded: loaded (/usr/lib/systemd/system/elasticsearch.service; enabled) Active: active (running) since Sun 2015-11-08 11:05:09 CST; 28s ago Docs: http://www.elastic.co Main PID: 15345 (java) CGroup: /system.slice/elasticsearch.service ?..15345 java -Xms256m -Xmx1g -Djava.awt.headless=true -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -XX:+Heap... Nov 08 11:05:09 localhost.localdomain systemd[1]: Started Elasticsearch. [[email protected] elk]# rpm -qc elasticsearch /etc/elasticsearch/elasticsearch.yml /etc/elasticsearch/logging.yml /etc/init.d/elasticsearch /etc/sysconfig/elasticsearch /usr/lib/sysctl.d/elasticsearch.conf /usr/lib/systemd/system/elasticsearch.service /usr/lib/tmpfiles.d/elasticsearch.conf [[email protected] elk]# netstat -nltp (檢視埠監聽狀況) Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 784/rpcbind tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1457/sshd tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 3213/cupsd tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2656/master tcp 0 0 127.0.0.1:6010 0.0.0.0:* LISTEN 14407/sshd: [email protected] tcp6 0 0 :::111 :::* LISTEN 784/rpcbind tcp6 0 0 :::9200 :::* LISTEN 15345/java tcp6 0 0 :::9300 :::* LISTEN 15345/java tcp6 0 0 :::22 :::* LISTEN 1457/sshd tcp6 0 0 ::1:631 :::* LISTEN 3213/cupsd tcp6 0 0 ::1:25 :::* LISTEN 2656/master tcp6 0 0 ::1:6010 :::* LISTEN 14407/sshd: [email protected] [[email protected] elk]# firewall-cmd --permanent --add-port={9200/tcp,9300/tcp} (防火牆新增兩個埠) success [[email protected] elk]# firewall-cmd --reload (過載防火牆) success [[email protected] elk]# firewall-cmd --list-all (檢視防火牆開發埠) public (default, active) interfaces: ens33 sources: services: dhcpv6-client ssh ports: 9200/tcp 9300/tcp masquerade: no forward-ports: icmp-blocks: rich rules:
3.3安裝kibana
[[email protected] elk]# tar zxf kibana-4.1.2-linux-x64.tar.gz -C /usr/local/ (解壓縮安裝包到指定目錄中) [[email protected] elk]# cd /usr/local/ [[email protected] local]# ls bin etc games include kibana-4.1.2-linux-x64 lib lib64 libexec sbin share src [[email protected] local]# mv kibana-4.1.2-linux-x64/ kibana (重新命名) [[email protected] local]# cd kibana/ [[email protected] kibana]# ls bin config LICENSE.txt node plugins README.txt src [[email protected] kibana]# cd bin/ [[email protected] bin]# ls (執行./kibana即可開啟服務,但我們將其做到service) kibana kibana.bat [[email protected] bin]# cd /etc/systemd/system/ [[email protected] system]# vi kibana.service (編輯kibana服務) [Service] ExecStart=/usr/local/kibana/bin/kibana [Install] WantedBy=multi-user.target [[email protected] system]# systemctl enable kibana.service (設定開機自啟動) ln -s '/etc/systemd/system/kibana.service' '/etc/systemd/system/multi-user.target.wants/kibana.service' [[email protected] system]# systemctl start kibana.service (開啟服務) [[email protected] system]# systemctl status kibana.service (檢視服務執行狀態) kibana.service Loaded: loaded (/etc/systemd/system/kibana.service; enabled) Active: active (running) since Sun 2015-11-08 11:16:28 CST; 10s ago Main PID: 16131 (node) CGroup: /system.slice/kibana.service ?..16131 /usr/local/kibana/bin/../node/bin/node /usr/local/kibana/bin/../src/bin/kibana.js Nov 08 11:16:28 localhost.localdomain systemd[1]: Started kibana.service. Nov 08 11:16:34 localhost.localdomain kibana[16131]: {"name":"Kibana","hostname":"localhost.localdomain","pid":16131,"level":30,"msg":"No existing kibana index found","time":"20...43Z","v":0} Nov 08 11:16:34 localhost.localdomain kibana[16131]: {"name":"Kibana","hostname":"localhost.localdomain","pid":16131,"level":30,"msg":"Listening on 0.0.0.0:5601","time":"2015-11...93Z","v":0} Hint: Some lines were ellipsized, use -l to show in full. [[email protected] system]# netstat -nltp (檢視埠監聽狀態) Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:5601 0.0.0.0:* LISTEN 16131/node tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 784/rpcbind tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1457/sshd tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 3213/cupsd tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2656/master tcp 0 0 127.0.0.1:6010 0.0.0.0:* LISTEN 14407/sshd: [email protected] tcp6 0 0 :::111 :::* LISTEN 784/rpcbind tcp6 0 0 :::9200 :::* LISTEN 15345/java tcp6 0 0 :::9300 :::* LISTEN 15345/java tcp6 0 0 :::22 :::* LISTEN 1457/sshd tcp6 0 0 ::1:631 :::* LISTEN 3213/cupsd tcp6 0 0 ::1:25 :::* LISTEN 2656/master tcp6 0 0 ::1:6010 :::* LISTEN 14407/sshd: [email protected] [[email protected] system]# firewall-cmd --permanent --add-port=5601/tcp (防火牆開啟5601埠) success [[email protected] system]# firewall-cmd --reload (過載防火牆) success [[email protected] system]# firewall-cmd --list-all (檢視防火牆開放埠) public (default, active) interfaces: ens33 sources: services: dhcpv6-client ssh ports: 9200/tcp 9300/tcp 5601/tcp masquerade: no forward-ports: icmp-blocks: rich rules: [[email protected] system]# firewall-cmd --permanent --add-forward-port=port=80:proto=tcp:toport=5601 (為5601埠新增80埠的對映,這樣在瀏覽器中就可以不用輸入埠了) success [[email protected] system]# firewall-cmd --reload (過載防火牆) success [[email protected] system]# firewall-cmd --list-all (檢視防火牆開放埠) public (default, active) interfaces: ens33 sources: services: dhcpv6-client ssh ports: 9200/tcp 9300/tcp 5601/tcp masquerade: no forward-ports: port=80:proto=tcp:toport=5601:toaddr= icmp-blocks: rich rules:
3.4安裝logstash
[[email protected] system]# cd /home/elk/ [[email protected] elk]# ls elasticsearch-1.7.3.noarch.rpm kibana-4.1.2-linux-x64.tar.gz logstash-1.5.4-1.noarch.rpm logstash-forwarder-0.4.0-1.x86_64.rpm [[email protected] elk]# yum localinstall logstash-1.5.4-1.noarch.rpm (yum本地安裝logstash) Loaded plugins: fastestmirror, langpacks Examining logstash-1.5.4-1.noarch.rpm: 1:logstash-1.5.4-1.noarch Marking logstash-1.5.4-1.noarch.rpm to be installed Resolving Dependencies --> Running transaction check ---> Package logstash.noarch 1:1.5.4-1 will be installed --> Finished Dependency Resolution base/7/x86_64 | 3.6 kB 00:00:00 extras/7/x86_64 | 3.4 kB 00:00:00 extras/7/x86_64/primary_db | 116 kB 00:00:00 updates/7/x86_64 | 3.4 kB 00:00:00 updates/7/x86_64/primary_db | 4.7 MB 00:00:03 Dependencies Resolved =============================================================================================================================================================================================== Package Arch Version Repository Size =============================================================================================================================================================================================== Installing: logstash noarch 1:1.5.4-1 /logstash-1.5.4-1.noarch 136 M Transaction Summary =============================================================================================================================================================================================== Install 1 Package Total size: 136 M Installed size: 136 M Is this ok [y/d/N]: y Downloading packages: Running transaction check Running transaction test Transaction test succeeded Running transaction Installing : 1:logstash-1.5.4-1.noarch 1/1 Verifying : 1:logstash-1.5.4-1.noarch 1/1 Installed: logstash.noarch 1:1.5.4-1 Complete! [[email protected] tls]# hostname -f (檢視當前FQDN,FQDN設定參見http://www.cnblogs.com/zhenyuyaodidiao/p/4947930.html) elk.server.com [[email protected] ~]# cd /etc/pki/tls/ (進入到/etc/pki/tls/資料夾) [[email protected] tls]# ls cert.pem certs misc openssl.cnf private (以下生成openssl key用於客戶端上傳日誌檔案用,在客戶端配置時會用到) [[email protected] tls]# openssl req -subj '/CN=elk.server.com/' -x509 -days 3650 -batch -nodes -newkey rsa:2048 -keyout private/logstash-forwarder.key -out certs/logstash-forwarder.crt Generating a 2048 bit RSA private key ..............+++ .............+++ writing new private key to 'private/logstash-forwarder.key' ----- [[email protected] tls]# ls cert.pem certs misc openssl.cnf private [[email protected] tls]# cd private/ [[email protected] private]# ll total 4 -rw-r--r--. 1 root root 1704 Nov 8 17:20 logstash-forwarder.key [[email protected] private]# cd ../certs/ [[email protected] certs]# ll total 16 lrwxrwxrwx. 1 root root 49 Apr 14 2015 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem lrwxrwxrwx. 1 root root 55 Apr 14 2015 ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt -rw-r--r--. 1 root root 1107 Nov 8 17:20 logstash-forwarder.crt -rwxr-xr-x. 1 root root 610 Mar 24 2015 make-dummy-cert -rw-r--r--. 1 root root 2388 Mar 24 2015 Makefile -rwxr-xr-x. 1 root root 829 Mar 24 2015 renew-dummy-cert [[email protected] ~]# cd /etc/logstash/conf.d/ [[email protected] conf.d]# vi 01-logstash-initial.conf (編輯logstash配置檔案) input { lumberjack { port => 5000 type => "logs" ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt" ssl_key => "/etc/pki/tls/private/logstash-forwarder.key" } } filter { if [type] == "syslog" { grok { match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" } add_field => [ "received_at", "%{@timestamp}" ] add_field => [ "received_from", "%{host}" ] } syslog_pri { } date { match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ] } } } output { elasticsearch { host => localhost } stdout { codec => rubydebug } } [[email protected] conf.d]# systemctl enable logstash (設定開機自啟動) logstash.service is not a native service, redirecting to /sbin/chkconfig. Executing /sbin/chkconfig logstash on The unit files have no [Install] section. They are not meant to be enabled using systemctl. Possible reasons for having this kind of units are: 1) A unit may be statically enabled by being symlinked from another unit's .wants/ or .requires/ directory. 2) A unit's purpose may be to act as a helper for some other unit which has a requirement dependency on it. 3) A unit may be started when needed via activation (socket, path, timer, D-Bus, udev, scripted systemctl call, ...). [[email protected] conf.d]# systemctl start logstash.service (開啟logstash服務) [[email protected] conf.d]# systemctl status logstash.service (檢視服務執行狀態) logstash.service - LSB: Starts Logstash as a daemon. Loaded: loaded (/etc/rc.d/init.d/logstash) Active: active (running) since Sun 2015-11-08 17:28:34 CST; 14s ago Process: 20799 ExecStart=/etc/rc.d/init.d/logstash start (code=exited, status=0/SUCCESS) CGroup: /system.slice/logstash.service ?..20805 java -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -Djava.awt.headless=true -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -Djava.io.tmpdir=/var/lib... Nov 08 17:28:34 elk logstash[20799]: logstash started. Nov 08 17:28:34 elk systemd[1]: Started LSB: Starts Logstash as a daemon.. [[email protected] conf.d]# netstat -nltp (檢視端口占用) Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:5601 0.0.0.0:* LISTEN 16131/node tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 784/rpcbind tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1457/sshd tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 3213/cupsd tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2656/master tcp 0 0 127.0.0.1:6010 0.0.0.0:* LISTEN 14407/sshd: [email protected] tcp 0 0 127.0.0.1:6012 0.0.0.0:* LISTEN 17715/sshd: [email protected] tcp6 0 0 :::5000 :::* LISTEN 20805/java tcp6 0 0 :::111 :::* LISTEN 784/rpcbind tcp6 0 0 :::9200 :::* LISTEN 15345/java tcp6 0 0 :::9300 :::* LISTEN 15345/java tcp6 0 0 :::9301 :::* LISTEN 20805/java tcp6 0 0 :::22 :::* LISTEN 1457/sshd tcp6 0 0 ::1:631 :::* LISTEN 3213/cupsd tcp6 0 0 ::1:25 :::* LISTEN 2656/master tcp6 0 0 ::1:6010 :::* LISTEN 14407/sshd: [email protected] tcp6 0 0 ::1:6012 :::* LISTEN 17715/sshd: [email protected] [[email protected] conf.d]# cd /var/log/logstash/ [[email protected] logstash]# ls (日誌檔案) logstash.err logstash.log logstash.stdout [[email protected] logstash]# firewall-cmd --permanent --add-port=5000/tcp (防火牆開放5000埠) success [[email protected] logstash]# firewall-cmd --reload (過載防火牆) success [[email protected] logstash]# firewall-cmd --list-all (檢視埠開放情況) public (default, active) interfaces: ens33 sources: services: dhcpv6-client ssh ports: 9200/tcp 9300/tcp 5000/tcp 5601/tcp masquerade: no forward-ports: port=80:proto=tcp:toport=5601:toaddr= icmp-blocks: rich rules:
4、Client端安裝
[[email protected] elk]# vi /etc/hosts (編輯hosts檔案) 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 192.168.7.27 elk.server.com [[email protected] elk]# service network restart Restarting network (via systemctl): [ OK ] [[email protected] elk]# ping elk.server.com (測試連線) PING elk.server.com (192.168.7.27) 56(84) bytes of data. 64 bytes from elk.server.com (192.168.7.27): icmp_seq=1 ttl=63 time=0.754 ms 64 bytes from elk.server.com (192.168.7.27): icmp_seq=2 ttl=63 time=0.477 ms ^C --- elk.server.com ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 1000ms rtt min/avg/max/mdev = 0.477/0.615/0.754/0.140 ms [[email protected] laizy]# mkdir elk [[email protected] laizy]# cd elk/ [[email protected] elk]# ls [[email protected] elk]# scp [email protected]:/home/elk/logstash-forwarder-0.4.0-1.x86_64.rpm . (拷貝logstash-forwarder到本地) The authenticity of host '192.168.7.27 (192.168.7.27)' can't be established. ECDSA key fingerprint is 49:b9:53:89:55:f2:93:87:9b:81:bb:23:a5:24:f1:f9. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '192.168.7.27' (ECDSA) to the list of known hosts. [email protected]'s password: logstash-forwarder-0.4.0-1.x86_64.rpm 100% 1692KB 1.7MB/s 00:00 [[email protected] elk]# ls logstash-forwarder-0.4.0-1.x86_64.rpm [[email protected] elk]# scp [email protected]:/etc/pki/tls/certs/logstash-forwarder.crt . (拷貝Server端的key到本地) [email protected]'s password: logstash-forwarder.crt 100% 1107 1.1KB/s 00:00 [[email protected] elk]# ll total 1700 -rw-r--r--. 1 root root 1732758 Nov 8 17:36 logstash-forwarder-0.4.0-1.x86_64.rpm -rw-r--r--. 1 root root 1107 Nov 8 17:37 logstash-forwarder.crt [[email protected] elk]# cp logstash-forwarder.crt /etc/pki/tls/certs/ (將key拷貝到/etc/pki/tls/certs/下) [[email protected] elk]# cd /etc/pki/tls/certs/ [[email protected] certs]# ls ca-bundle.crt ca-bundle.trust.crt logstash-forwarder.crt make-dummy-cert Makefile renew-dummy-cert [[email protected] certs]# cd /home/laizy/elk/ [[email protected] elk]# ls logstash-forwarder-0.4.0-1.x86_64.rpm logstash-forwarder.crt [[email protected] elk]# yum localinstall logstash-forwarder-0.4.0-1.x86_64.rpm (yum本地安裝logstash-forwarder) Loaded plugins: fastestmirror, langpacks Examining logstash-forwarder-0.4.0-1.x86_64.rpm: logstash-forwarder-0.4.0-1.x86_64 Marking logstash-forwarder-0.4.0-1.x86_64.rpm to be installed Resolving Dependencies --> Running transaction check ---> Package logstash-forwarder.x86_64 0:0.4.0-1 will be installed --> Finished Dependency Resolution base/7/x86_64 | 3.6 kB 00:00:00 extras/7/x86_64 | 3.4 kB 00:00:00 updates/7/x86_64 | 3.4 kB 00:00:00 Dependencies Resolved =============================================================================================================================================================================================== Package Arch Version Repository Size =============================================================================================================================================================================================== Installing: logstash-forwarder x86_64 0.4.0-1 /logstash-forwarder-0.4.0-1.x86_64 5.7 M Transaction Summary =============================================================================================================================================================================================== Install 1 Package Total size: 5.7 M Installed size: 5.7 M Is this ok [y/d/N]: y Downloading packages: Running transaction check Running transaction test Transaction test succeeded Running transaction Installing : logstash-forwarder-0.4.0-1.x86_64 1/1 Logs for logstash-forwarder will be in /var/log/logstash-forwarder/ Verifying : logstash-forwarder-0.4.0-1.x86_64 1/1 Installed: logstash-forwarder.x86_64 0:0.4.0-1 Complete! [[email protected] elk]# systemctl enable logstash-forwarder (設定開機自啟動) logstash-forwarder.service is not a native service, redirecting to /sbin/chkconfig. Executing /sbin/chkconfig logstash-forwarder on The unit files have no [Install] section. They are not meant to be enabled using systemctl. Possible reasons for having this kind of units are: 1) A unit may be statically enabled by being symlinked from another unit's .wants/ or .requires/ directory. 2) A unit's purpose may be to act as a helper for some other unit which has a requirement dependency on it. 3) A unit may be started when needed via activation (socket, path, timer, D-Bus, udev, scripted systemctl call, ...). [[email protected] elk]# systemctl start logstash-forwarder.service (開啟服務) [[email protected] elk]# cd /var/log/logstash-forwarder/ (日誌目錄) [[email protected] logstash-forwarder]# ls logstash-forwarder.err logstash-forwarder.log [[email protected] elk]# vi /etc/logstash-forwarder.conf (編輯配置檔案) { "network": { "servers": [ "elk.server.com:5000" ], "ssl ca": "/etc/pki/tls/certs/logstash-forwarder.crt", "timeout": 15 }, "files": [ { "paths": [ "/var/log/messages", "/var/log/secure" ], "fields": { "type": "syslog" } } ] } [[email protected] elk]# systemctl restart logstash-forwarder.service (重啟服務) [[email protected] elk]# systemctl status logstash-forwarder.service (檢視服務執行狀態) logstash-forwarder.service - LSB: no description given Loaded: loaded (/etc/rc.d/init.d/logstash-forwarder) Active: active (running) since Sun 2015-11-08 18:30:51 CST; 18s ago Process: 10788 ExecStop=/etc/rc.d/init.d/logstash-forwarder stop (code=exited, status=0/SUCCESS) Process: 10794 ExecStart=/etc/rc.d/init.d/logstash-forwarder start (code=exited, status=0/SUCCESS) CGroup: /system.slice/logstash-forwarder.service ?..10798 /opt/logstash-forwarder/bin/logstash-forwarder -config /etc/logstash-forwarder.conf Nov 08 18:30:51 localhost.localdomain systemd[1]: Starting LSB: no description given... Nov 08 18:30:51 localhost.localdomain /etc/init.d/logstash-forwarder[10799]: logstash-forwarder started Nov 08 18:30:51 localhost.localdomain logstash-forwarder[10794]: logstash-forwarder started Nov 08 18:30:51 localhost.localdomain systemd[1]: Started LSB: no description given.
5、介面驗證
首先在client中手動增加一條日誌:
[[email protected] elk]# logger zhenyuLogtest
介面登入 http://192.168.7.27/ ,做如下操作
從圖中可以看到,手動新增的日誌已經在介面中被搜尋到了。
本文主要參考了國外一個搭建ELK的視訊,操作的很詳細,附上視訊的下載連結,僅供參考。
連結:http://pan.baidu.com/s/1jGuBWCQ 密碼:h0pq