Complete guide to deploying an Elastic Stack 8.18 logging system on Ubuntu 20.04
I. Environment preparation
System requirements
- Ubuntu 20.04 LTS
- Hardware: 4 CPU cores / 8 GB RAM / 100 GB disk
- Network: outbound internet access (needed to pull packages and container images)
1. Basic environment setup
Install the SSH service first so the host can be managed remotely (run as root, or prefix each command with sudo):
# Refresh the package index
apt update
# Install the SSH server
apt install -y openssh-server
II. Installing Docker and 1Panel
1. Install Docker
The script below comes from a third-party mirror site (linuxmirrors.cn), not from Docker, and is piped straight into bash with root privileges. Download it and read it before running it on any host you care about:
# Install Docker with the helper script
bash <(curl -sSL https://linuxmirrors.cn/docker.sh)
2. Configure a Docker registry mirror (mainland China)
Steps:
- Edit the daemon configuration file:
sudo vim /etc/docker/daemon.json
- Write the following content. These mirrors are third-party proxies of Docker Hub that resolve tags on your behalf, so when the exact image matters, pull by digest (image@sha256:...) rather than by tag:
{
"registry-mirrors": [
"https://docker.1ms.run",
"https://docker.xuanyuan.me"
]
}
- Restart the Docker service:
sudo systemctl restart docker
3. Install the 1Panel control panel
The installer is saved to disk before it runs, so it can be inspected first; it installs the panel as root:
curl -sSL https://resource.fit2cloud.com/1panel/package/quick_start.sh -o quick_start.sh && sudo bash quick_start.sh
III. Elasticsearch deployment
1. Deploy through 1Panel
- Open the 1Panel console:
http://server-IP:9000
- Search for "Elasticsearch" in the app store and install it. Pick the 8.18 release so that the Kibana and Logstash images used below match it. Check the container name 1Panel assigned with docker ps; the commands below assume it is elasticsearch.
2. Generate an initial password
There is no password to look up: security is enabled by default in 8.x and the elastic password is set when the node first starts. The command below resets it to a new random value and prints that value once:
docker exec -it elasticsearch bin/elasticsearch-reset-password -u elastic
3. Set a password of your own (interactive)
# Enter the container
docker exec -it elasticsearch bash
# Reset the elastic password interactively (-i prompts for the new value).
# elasticsearch-setup-passwords is deprecated in 8.x and only works while the
# built-in users still have their bootstrap password, so it fails after step 2.
./bin/elasticsearch-reset-password -u elastic -i
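The two built-in accounts this guide relies on are elastic (administration) and kibana_system (Kibana's own connection to the cluster, needed in the next section). The script below is an added example, not part of the original page and not an Elastic tool: it resets both accounts in batch mode (-b lets elasticsearch-reset-password generate the value without prompting), parses the "New value:" line the tool prints, and stores the results in a root-only file instead of leaving them in terminal scrollback. The container name elasticsearch and the file path /root/.elk-credentials are assumptions and can be overridden through environment variables.

```bash
#!/usr/bin/env bash
# Added example: reset the built-in elastic and kibana_system passwords
# non-interactively and keep them in a mode-0600 file.
# Assumptions: the Elasticsearch container is named "elasticsearch" and the
# credentials file is /root/.elk-credentials (both overridable via env vars).
set -euo pipefail
umask 077   # every file this script creates is readable by its owner only

ES_CONTAINER="${ES_CONTAINER:-elasticsearch}"
CRED_FILE="${CRED_FILE:-/root/.elk-credentials}"

# Extract the password from elasticsearch-reset-password's output, whose
# last line has the form "New value: <password>".
parse_new_value() {
  sed -n 's/^New value: //p' | tail -n 1
}

# Reset one built-in user with -b (batch: auto-generate, no prompt) and
# print only the new password.
reset_user() {
  local user="$1"
  docker exec "$ES_CONTAINER" bin/elasticsearch-reset-password -u "$user" -b \
    | parse_new_value
}

# Write "user=password" to the credentials file, replacing any earlier
# entry for the same user, and keep the file at mode 0600.
save_credential() {
  local user="$1" password="$2" tmp="$CRED_FILE.tmp"
  touch "$CRED_FILE"
  grep -v "^${user}=" "$CRED_FILE" > "$tmp" || true
  printf '%s=%s\n' "$user" "$password" >> "$tmp"
  mv "$tmp" "$CRED_FILE"
  chmod 600 "$CRED_FILE"
}

# Read one password back, so later scripts can use the file instead of
# hard-coding the value in configuration.
load_credential() {
  sed -n "s/^$1=//p" "$CRED_FILE"
}

main() {
  local user pw
  for user in elastic kibana_system; do
    pw="$(reset_user "$user")"
    [ -n "$pw" ] || { echo "failed to reset $user" >&2; exit 1; }
    save_credential "$user" "$pw"
    echo "reset $user; password stored in $CRED_FILE"
  done
}

# Only touch the cluster when explicitly asked, so the functions can be sourced.
if [ "${1:-}" = "run" ]; then main; fi
```

Run it as root with `bash reset-builtin-users.sh run` (the file name is mine). The kibana_system value is what the Kibana setup screen asks for; the elastic value is what you log in to Kibana with.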
IV. Kibana deployment
1. Pull the image
Kibana must not be newer than the Elasticsearch it connects to; keep both on the same 8.18.x release.
docker pull docker.elastic.co/kibana/kibana:8.18.1
2. Run the container
# Reference the image by tag rather than by a local image ID, which differs from host to host.
# -d detaches the container; without it the process stays attached to this terminal.
docker run -d --name kibana -p 5601:5601 docker.elastic.co/kibana/kibana:8.18.1
- Open the Kibana console: `http://server-IP:5601`
- On the enrollment screen choose "Configure manually"
- Enter the Elasticsearch address, in the form http://elasticsearch-IP:9200
- Enter the kibana_system username and password (reset it the same way as elastic, with -u kibana_system; do not use the elastic account here)
- This setup writes kibana.yml inside the container, so it is lost if the container is deleted and recreated. Log in to the portal with the elastic user. Port 5601 is published on every interface of the host; restrict it with a firewall if the host is reachable from outside the management network.
V. Logstash deployment
1. Pull the image
docker pull docker.elastic.co/logstash/logstash:8.18.2
2. Create the configuration directory
The default configuration is copied out of the image so that the config and pipeline directories can be bind-mounted later. docker cp needs a container to copy from, so create one from the image first; it never has to be started:
mkdir -p /home/elk8.18.2/logstash
# Create a throwaway container and copy the default configuration out of it
docker create --name logstash-tmp docker.elastic.co/logstash/logstash:8.18.2
docker cp logstash-tmp:/usr/share/logstash/config /home/elk8.18.2/logstash/
docker cp logstash-tmp:/usr/share/logstash/pipeline /home/elk8.18.2/logstash/
docker rm logstash-tmp
3. Configure logstash.yml
Edit /home/elk8.18.2/logstash/config/logstash.yml. The password 123456 is the page's placeholder; a plaintext superuser password in a file bind-mounted from the host is the weakest point of this setup. Logstash resolves ${VAR} references in logstash.yml and in pipeline files from its keystore (bin/logstash-keystore add VAR) or from environment variables, so the value does not have to live in the file:
# 8.x name of the API listener setting (http.host is the deprecated alias).
# 0.0.0.0 is only required because port 9600 is published by Docker below;
# the API has no authentication unless api.auth.type: basic is configured.
api.http.host: "0.0.0.0"
xpack.monitoring.enabled: true
xpack.monitoring.elasticsearch.hosts: [ "http://192.168.197.130:9200" ]
xpack.monitoring.elasticsearch.username: "elastic"
xpack.monitoring.elasticsearch.password: "123456"
4. Configure the input and output pipeline
Edit /home/elk8.18.2/logstash/pipeline/logstash.conf:
input {
  beats {
    # Plaintext listener for Winlogbeat. Anyone who can reach this port can
    # inject events, so firewall it to the collectors or enable TLS on the input.
    port => 5044
  }
}
filter {
  # No date filter: Winlogbeat already sets @timestamp in ISO 8601 form. The
  # original pattern "yyyy-MM-dd HH:mm:ss Z" never matches that format, so every
  # event was tagged _dateparsefailure and the tag was then deleted by the mutate below.
  mutate {
    # Trim Beats metadata to keep documents small. Be aware of the cost:
    # "event" carries event.code and event.provider and "host" carries host.name,
    # the fields most Windows detection rules key on, and removing "tags" hides
    # filter failures. _index and _source are document metadata, not event
    # fields, so listing them did nothing and they are dropped from the list.
    remove_field => ["@version", "agent", "cloud", "host", "input", "log", "tags", "ecs", "event"]
  }
}
output {
  elasticsearch {
    hosts => ["http://192.168.197.130:9200"]
    # One index per day; whatever user writes here needs create/write privileges on server-*
    index => "server-%{+YYYY.MM.dd}"
    # Superuser credentials in a plain file on the host: prefer a dedicated
    # write-only user and a ${ES_PWD} reference resolved from the Logstash keystore.
    user => "elastic"
    password => "123456"
  }
}
5. Run the container
The original command mounted the config directory twice, mixed two different host paths, and referenced the image by a local ID; the mounts below use the directory created in step 2 and the image tag from step 1:
docker run -d --name logstash -p 9600:9600 -p 5044:5044 \
  -v /home/elk8.18.2/logstash/config:/usr/share/logstash/config \
  -v /home/elk8.18.2/logstash/pipeline:/usr/share/logstash/pipeline \
  docker.elastic.co/logstash/logstash:8.18.2
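Both the monitoring settings and the pipeline above authenticate as the elastic superuser, so a leaked logstash.yml is a leaked cluster. The script below is an added example (mine, not part of the original page or of Elastic's tooling): it calls the Elasticsearch security API to create a logstash_writer role that can only create and write the server-* indices, creates a logstash_internal user holding that role, and prints the keystore command and pipeline lines that replace the hard-coded credentials. The role privileges are the ones Elastic documents for a Logstash writer role; the role and user names, the ES_URL and ES_ADMIN_PASSWORD variables, and the password generator are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example: provision a least-privilege Logstash user instead of letting
# Logstash write as the elastic superuser.
# Assumptions: ES_URL points at the cluster, ES_ADMIN_PASSWORD holds the elastic
# password, and the names logstash_writer / logstash_internal are this example's.
set -euo pipefail

ES_URL="${ES_URL:-http://192.168.197.130:9200}"
INDEX_PATTERN="${INDEX_PATTERN:-server-*}"
WRITER_ROLE="logstash_writer"
WRITER_USER="logstash_internal"

# Single wrapper for every API call so the admin credential is used in one place.
# Usage: es_api METHOD PATH JSON_BODY
es_api() {
  curl -sS -u "elastic:${ES_ADMIN_PASSWORD}" -H 'Content-Type: application/json' \
    -X "$1" "${ES_URL}/$2" -d "$3"
}

# Role: enough to create the daily indices and write into them, nothing else.
# Cluster-level: monitor (health/version checks) plus manage_index_templates and
# manage_ilm so Logstash can manage its own templates and rollover. No read
# access to data, no user management.
role_body() {
  cat <<EOF
{
  "cluster": ["monitor", "manage_index_templates", "manage_ilm"],
  "indices": [
    {
      "names": ["${INDEX_PATTERN}"],
      "privileges": ["write", "create", "create_index", "manage", "manage_ilm"]
    }
  ]
}
EOF
}

user_body() {
  local password="$1"
  cat <<EOF
{ "password": "${password}", "roles": ["${WRITER_ROLE}"], "full_name": "Internal Logstash writer" }
EOF
}

# Create (or update) the role and the user. Succeeds only if both responses
# have the shape the security API returns on success.
provision_writer() {
  local password="$1" resp
  resp="$(es_api PUT "_security/role/${WRITER_ROLE}" "$(role_body)")"
  echo "$resp" | grep -q '"role":{"created":' \
    || { echo "role creation failed: $resp" >&2; return 1; }
  resp="$(es_api PUT "_security/user/${WRITER_USER}" "$(user_body "$password")")"
  echo "$resp" | grep -q '^{"created":' \
    || { echo "user creation failed: $resp" >&2; return 1; }
}

# 48 hex characters from the kernel CSPRNG; nothing is typed on a command line,
# so the value never lands in shell history.
generate_password() {
  od -An -N24 -tx1 /dev/urandom | tr -d ' \n'
}

main() {
  : "${ES_ADMIN_PASSWORD:?set ES_ADMIN_PASSWORD to the elastic password}"
  local pw
  pw="$(generate_password)"
  provision_writer "$pw"
  cat <<EOF
Created role ${WRITER_ROLE} and user ${WRITER_USER}.
Put the password in the Logstash keystore (the value is prompted for, not echoed):
  docker exec -it logstash bin/logstash-keystore create
  docker exec -it logstash bin/logstash-keystore add ES_PWD
then point the pipeline output at the new user:
  user => "${WRITER_USER}"
  password => "\${ES_PWD}"
EOF
  printf 'generated password (enter it at the keystore prompt): %s\n' "$pw"
}

if [ "${1:-}" = "run" ]; then main; fi
```

Run it with `ES_ADMIN_PASSWORD=... bash provision-logstash-writer.sh run` (the file name is mine). The keystore is created under the mounted config directory, so that directory must be writable by the container's logstash user; the keystore persists across container recreation because it sits on the host. The xpack.monitoring credentials in logstash.yml are a separate concern: Elastic ships a built-in logstash_system user for that, so the superuser is not needed there either.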
VI. Windows log collection
1. Download Winlogbeat
Official download page: https://www.elastic.co/cn/downloads/beats/winlogbeat
Pick the 8.18.x build. The 9.0.2 package used in the path below is a different major version from the Logstash 8.18.2 it ships to, which is outside Elastic's compatibility matrix; with the 8.18.x build the directory name changes accordingly. Verify the archive's SHA-512 checksum from the download page before extracting it.
2. Install the service (PowerShell, run as Administrator)
# Change to the extracted directory. The service is registered against this
# directory, so it must be the permanent location of the files.
cd D:\2渗透工具\winlogbeat-9.0.2-windows-x86_64\winlogbeat-9.0.2-windows-x86_64
# Run the installer script (the execution policy is lifted for this one invocation only)
PowerShell.exe -ExecutionPolicy Unrestricted -File .\install-service-winlogbeat.ps1
3. Configure winlogbeat.yml
Edit winlogbeat.yml in the directory the install script was run from; the service uses that directory as its home, and Elastic's own instructions place it at C:\Program Files\Winlogbeat\winlogbeat.yml. The default file ships with output.elasticsearch enabled and Winlogbeat accepts exactly one output, so comment that section out, then add:
output.logstash:
  hosts: ["192.168.197.130:5044"]
Validate before starting: `.\winlogbeat.exe test config -c .\winlogbeat.yml` checks the syntax and `.\winlogbeat.exe test output` confirms that port 5044 on the Logstash host is reachable. Events travel to Logstash unencrypted with this configuration; the beats input supports TLS if collectors sit on an untrusted network.
4. Start the service
# Start the service
Start-Service winlogbeat
# Check its status
Get-Service winlogbeat
VII. Verification and testing
- Elasticsearch: open http://server-IP:9200. With security enabled the request is rejected with 401 unless credentials are supplied (for example curl -u elastic http://server-IP:9200); a JSON document carrying the version number means the node is up.
- Kibana: open http://server-IP:5601 and log in as the elastic user.
- Log collection: in Kibana create a data view matching server-*, then open the "Discover" page and check that Windows events are arriving.
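A JSON reply from port 9200 only proves that the listener is up. The script below is an added example (not from the original page) that checks what actually matters after the steps above: cluster health, whether the server-* indices exist and contain documents, Kibana's overall status, and whether events have left the Logstash pipeline. It assumes the host 192.168.197.130 and ports used throughout the page, and the elastic password in ES_PASSWORD; the JSON responses in the comments are constructed from the documented shape of each API.

```bash
#!/usr/bin/env bash
# Added example: end-to-end health check for the stack built above.
# Assumptions: host 192.168.197.130 (from the page), ports 9200/5601/9600,
# the elastic password in ES_PASSWORD, and the index pattern server-*.
set -euo pipefail

HOST="${HOST:-192.168.197.130}"
ES_URL="${ES_URL:-http://${HOST}:9200}"
KIBANA_URL="${KIBANA_URL:-http://${HOST}:5601}"
LOGSTASH_URL="${LOGSTASH_URL:-http://${HOST}:9600}"
INDEX_PATTERN="${INDEX_PATTERN:-server-*}"

# Authenticated GET; every endpoint below needs credentials once security is on.
http_get() {
  curl -sS -u "elastic:${ES_PASSWORD}" "$1"
}

# Minimal extractors for the single-line JSON these APIs return.
# json_string JSON KEY -> value of "KEY":"value"; json_number JSON KEY -> value of "KEY":123
# (greedy match, so the last occurrence of KEY wins; each caller below has only one).
json_string() { printf '%s' "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"; }
json_number() { printf '%s' "$1" | sed -n "s/.*\"$2\":\([0-9][0-9]*\).*/\1/p"; }

# /_cluster/health -> {"cluster_name":"...","status":"green",...}. Yellow is normal on a
# single node (replicas cannot be allocated); red means primary shards are missing.
es_cluster_status() { json_string "$(http_get "${ES_URL}/_cluster/health")" status; }

# /server-*/_count -> {"count":N,...}; empty when the index does not exist yet.
es_doc_count() { json_number "$(http_get "${ES_URL}/${INDEX_PATTERN}/_count")" count; }

# /api/status -> {"status":{"overall":{"level":"available",...},...}}; the overall
# block is matched explicitly because plugin entries carry their own "level".
kibana_level() {
  http_get "${KIBANA_URL}/api/status" \
    | sed -n 's/.*"overall":{"level":"\([a-z]*\)".*/\1/p'
}

# /_node/stats/events -> {...,"events":{"in":N,"filtered":N,"out":N,...}}
logstash_events_out() { json_number "$(http_get "${LOGSTASH_URL}/_node/stats/events")" out; }

# Run every check; return non-zero if any of them fails, so the script can gate
# a deployment step or a cron alert.
run_checks() {
  local ok=0 status count level out
  status="$(es_cluster_status)"
  case "$status" in
    green|yellow) echo "elasticsearch: $status";;
    *) echo "elasticsearch: status '$status'" >&2; ok=1;;
  esac
  count="$(es_doc_count)"
  if [ "${count:-0}" -gt 0 ]; then echo "index ${INDEX_PATTERN}: $count docs"
  else echo "index ${INDEX_PATTERN}: no documents yet" >&2; ok=1; fi
  level="$(kibana_level)"
  if [ "$level" = "available" ]; then echo "kibana: available"
  else echo "kibana: '$level'" >&2; ok=1; fi
  out="$(logstash_events_out)"
  if [ "${out:-0}" -gt 0 ]; then echo "logstash: $out events out"
  else echo "logstash: no events have left the pipeline" >&2; ok=1; fi
  return "$ok"
}

if [ "${1:-}" = "run" ]; then
  : "${ES_PASSWORD:?set ES_PASSWORD to the elastic password}"
  run_checks
fi
```

Run it with `ES_PASSWORD=... bash check-stack.sh run` (file name mine). A failing Logstash count with a healthy Elasticsearch usually means Winlogbeat cannot reach port 5044 or its output is still pointed at Elasticsearch; a zero document count with events leaving Logstash points at the elasticsearch output's credentials or the index privileges of the user it writes as.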