目录
3、解压文件,下载elasticsearch、kibana、 logstash
ELK日志分析
1、下载lrzsc
[root@localhost ~]# hostnamectl set-hostname elk ##更改主机名
[root@localhost ~]# bash
[root@elk ~]# history yum isntall -y lrzsc
2、下载源包
https://www.elastic.co/downloads/past-releases/ ##下载网址
压缩成elfk.tar.gz压缩包,并加载到主机上
3、解压文件,下载elasticsearch、kibana、 logstash
[root@elk ~]# tar xf elfk.tar.gz
[root@elk ~]# cd /rpm
[root@elk ~]# ls
elasticsearch-7.1.1-x86_64.rpm filebeat-7.1.1-x86_64.rpm kibana-7.1.1-x86_64.rpm logstash-7.1.1.rpm
[root@elk ~]# yum localinstall elasticsearch-7.1.1-x86_64.rpm
[root@elk ~]# yum localinstall kibana-7.1.1-x86_64.rpm
[root@elk ~]# yum localinstall logstash-7.1.1.rpm
4、配置elasticsearch
[root@elk ~]# vim /etc/elasticsearch/elasticsearch.yml ##配置elasticsearch
找到Cluster定义
Elasticsearch 集群名称
node.name:elk 节点名称
找到 Memory
network:192.168.11.160 主机IP
http.port: 9200 HTTP端口
找到 Discovery
cluster.initial_master_nodes 集群初始主节点
[root@elk ~]# systemctl start elasticsearch.service ##启动程序
[root@elk kibana]# netstat -anptu | grep java ##查看程序
tcp6 0 0 192.168.11.160:9200 :::* LISTEN 48445/java
tcp6 0 0 192.168.11.160:9300 :::* LISTEN 48445/java
tcp6 0 0 192.168.11.160:9200 192.168.11.160:58732 ESTABLISHED 48445/java
tcp6 0 0 192.168.11.160:9200 192.168.11.160:58738 ESTABLISHED 48445/java
5、配种域名解析
[root@elk ~]# vim /etc/hosts ##配置域名解析
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.11.160 elk
6、配置kibana
[root@elk ~]# vim /etc/kibana/kibana.yml ##配置kibana
server.port:5601 打开服务器端口5601
server.host:192.168.11.160 服务器主机 (也可以为elk ,因为hosts已经配置)
sercer.name: elk 服务器名
elasticsearch.hosts: ["http://192.168.11.160:9200"] elasticsearch主机
kibana.index: ".kibana" kibana索引
i18n.locale: "zh-CN" 中文表达
[root@elk ~]# systemctl start kibana ##启动kibana
[root@elk ~]# netstat -anptu | grep 5601 ##查看kibana
tcp 0 0 192.168.11.160:5601 0.0.0.0:* LISTEN 57307/node
7、配置logstash
[root@elk ~]# cat /etc/logstash/logstash.yml ##查看logstash配置但不进行配置
[root@elk ~]# vim /etc/logstash/conf.d/pipline.conf ##创建pipline.conf配置文件进行如下配置
input { ## 使用 file 插件从文件中读取数据
file { ##指定要读取的日志文件路径
path => "/var/log/messages" ##设定首次运行时的起始读取位置
start_position => "beginning" ##设定首次运行时的起始读取位置
##"beginning" - 从头读取文件所有内容
}
}
output { ##输出部分:定义数据的去向
elasticsearch { ##使用 elasticsearch 插件将数据发送到 Elasticsearch
hosts => ["http://192.168.11.160:9200"] ##指定 Elasticsearch 集群的节点地址
##支持多个节点地址,实现高可用
index => "system-log-%{+YYYY.MM.dd}" ##定义索引名称模板,自动按日期创建索引
}
stdout { ##同时输出到标准输出(控制台)
codec => rubydebug ##指定输出格式为 rubydebug
##rubydebug 格式会将数据以易读的 JSON 格式打印
}
}
~
8、进行测试
对logstash测试
[root@elk ~]# logstash -e 'input{ stdin{} }output { stdout{} }'
[INFO ] 2025-07-16 21:21:29.007 [Api Webserver] agent - Successfully started Logstash API endpoint {:port=>9600}
1
/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/awesome_print-1.7.0/lib/awesome_print/formatters/base_formatter.rb:31: warning: constant ::Fixnum is deprecated
{
"message" => "1",
"@version" => "1",
"host" => "elk",
"@timestamp" => 2025-07-16T13:21:33.148Z
[root@elk conf.d]# logstash -e 'input{ stdin{} }output { stdout{ codec=>rubydebug }}'
[INFO ] 2025-07-16 21:23:52.835 [Api Webserver] agent - Successfully started Logstash API endpoint {:port=>9600}
1
/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/awesome_print-1.7.0/lib/awesome_print/formatters/base_formatter.rb:31: warning: constant ::Fixnum is deprecated
{
"@timestamp" => 2025-07-16T13:23:54.454Z,
"@version" => "1",
"host" => "elk",
"message" => "1"
}
[root@elk conf.d]# logstash -e 'input{ stdin{} }output { elasticsearch{ hosts=>["192.168.11.160:9200"]}}'
[INFO ] 2025-07-16 20:11:13.660 [Api Webserver] agent - Successfully started Logstash API endpoint {:port=>9600}
/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/awesome_print-1.7.0/lib/awesome_print/formatters/base_formatter.rb:31: warning: constant ::Fixnum is deprecated
{
"message" => "Jul 17 03:24:55 elk systemd[2400]: Starting Tracker metadata extractor...",
"@version" => "1",
"path" => "/var/log/messages",
"@timestamp" => 2025-07-16T12:11:15.233Z,
"host" => "elk"
}
...... ##不主动关闭一直刷新
对elasticsearch测试
[root@localhost ~]# curl 192.168.11.160:9200
{
"name" : "elk",
"cluster_name" : "my-application",
"cluster_uuid" : "WzA4MSNsRV6vMYSgX5EePw",
"version" : {
"number" : "7.1.1",
"build_flavor" : "default",
"build_type" : "rpm",
"build_hash" : "7a013de",
"build_date" : "2019-05-23T14:04:00.380842Z",
"build_snapshot" : false,
"lucene_version" : "8.0.0",
"minimum_wire_compatibility_version" : "6.8.0",
"minimum_index_compatibility_version" : "6.0.0-beta1"
},
"tagline" : "You Know, for Search"
}
对kibana测试
http://192.168.11.160:5601
在进行如下操作时,会出先system-log索引 如下图
[root@elk conf.d]# logstash -e 'input{ stdin{} }output { elasticsearch{ hosts=>["192.168.11.160:9200"]}}'
查看到如上界面,kibana配置成功