Notes: collecting Windows server logs with ELK
1. Software versions
  1. jdk-8u211-linux-x64.rpm
  2. elasticsearch-6.8.1.rpm
  3. logstash-6.8.1.rpm
  4. kibana-6.8.1-x86_64.rpm
  5. winlogbeat-6.8.4-windows-x86_64  (installed and configured on the Windows server)
Note: elasticsearch runs as a cluster. Host 1: 192.168.1.102, host 2: 192.168.1.104
    logstash and kibana are installed on host 1
2. Installing the software
  2.1 Host 1 and host 2: install jdk-8u211-linux-x64.rpm and elasticsearch-6.8.1.rpm, then configure elasticsearch
   Note: elasticsearch depends on a JDK, so install jdk-8u211-linux-x64.rpm first
    yum -y localinstall  jdk-8u211-linux-x64.rpm
    yum -y localinstall  elasticsearch-6.8.1.rpm
  Create the data and log directories and fix their ownership
  [root@linux-elk1 ~]# mkdir -p /elk/{data,logs}
  [root@linux-elk1 ~]# chown elasticsearch.elasticsearch /elk/ -R
  Adjust the memory limits. Memory locking has to be configured and needs more than 2g of RAM; otherwise elasticsearch will fail to start.
  [root@linux-elk1 ~]# vim /usr/lib/systemd/system/elasticsearch.service
  Add the following line under [Service]
  LimitMEMLOCK=infinity
  [root@linux-elk1 ~]# vim /etc/elasticsearch/jvm.options
  -Xms2g
  -Xmx2g # minimum and maximum heap size
Edit the config file: vim /etc/l
  [root@logsystem src]# grep -v "^#" /etc/l
  cluster.name: my-log
  node.name: node-1
  path.data: /elk/data
  path.logs: /elk/logs
  network.host: 192.168.1.102
  http.port: 9200
  discovery.zen.ping.unicast.hosts: ["192.168.1.102","192.168.1.104"]
  (This is host 1's file; on host 2 use a different node.name and its own address in network.host, with the same cluster.name so the two nodes join one cluster.)
  Enable at boot and start
  systemctl enable elasticsearch.service
  systemctl daemon-reload
  systemctl start elasticsearch.service
  Check the status
  systemctl status elasticsearch.service
  Once it is running, check the listening ports
  ss -tnl
  Cluster status: green, red, yellow
  Green means everything is fine (the cluster is fully functional)
  Yellow means all data is available but some replicas have not been allocated yet (the cluster is fully functional)
  Red means some data is unavailable
  Even when a cluster is red it is still partially functional (it keeps serving search requests from the shards that are available), but you should fix it as soon as possible because data is missing.
  Restful API:
  Four categories of API
  1. Check the health of the cluster, nodes, indices, etc. and fetch their status
  2. Manage the cluster, nodes, indices and metadata
  3. Perform CRUD operations
  4. Perform advanced operations such as paging and filtering
  ES access port: 9200/tcp
  Syntax:
  curl -X<VERB> '<PROTOCOL>://host:port/<PATH>?QUERY_STRING/' -d '<BODY>'
  [root@logsystem ~]# curl -X GET '192.168.1.102:9200/_cluster/state/version?pretty'
  {
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "qKuBK9TlQ3G-Rj6IFAXzTQ",
  "version" : 16,
  "state_uuid" : "SzhdF4PvRIGFbwlI_PD_cg"
  }
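The cluster states above are what an operator wants to watch continuously. The following is an added example (not part of the original notes) that queries the `_cluster/health` endpoint of the REST API with the host and port from these notes and turns the answer into a monitoring verdict. The expected node count of 2 follows the two-host cluster described here; the sample responses are constructed and use the field names the real endpoint returns.

```python
# Added example (not from the original notes): turn /_cluster/health into a
# monitoring verdict. Host/port and the two-node expectation come from the
# notes above; the sample documents below are constructed.
import json
import urllib.request

EXPECTED_NODES = 2  # the notes build a two-node cluster (192.168.1.102 and .104)

# Exit codes in the usual Nagios convention: 0 OK, 1 WARNING, 2 CRITICAL.
STATUS_CODES = {"green": 0, "yellow": 1, "red": 2}


def fetch_health(host="192.168.1.102", port=9200, timeout=5):
    """GET /_cluster/health and return the parsed JSON document."""
    url = f"http://{host}:{port}/_cluster/health"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def classify_health(doc, expected_nodes=EXPECTED_NODES):
    """Map a _cluster/health document to (exit_code, message).

    Yellow on its own is only a warning (replicas unassigned), but if nodes
    are missing as well the cluster has lost a member, and the next failure
    would turn it red, so that case is reported as critical.
    """
    status = doc.get("status", "red")
    code = STATUS_CODES.get(status, 2)   # unknown status is treated as red
    nodes = doc.get("number_of_nodes", 0)
    unassigned = doc.get("unassigned_shards", 0)
    parts = [f"cluster={doc.get('cluster_name')}", f"status={status}",
             f"nodes={nodes}/{expected_nodes}", f"unassigned_shards={unassigned}"]
    if nodes < expected_nodes:
        code = max(code, 2)
        parts.append("missing nodes")
    if doc.get("timed_out"):
        code = max(code, 1)
        parts.append("request timed out")
    return code, " ".join(parts)


# Constructed sample responses (field names follow the real API).
SAMPLE_GREEN = {"cluster_name": "my-log", "status": "green", "timed_out": False,
                "number_of_nodes": 2, "unassigned_shards": 0}
SAMPLE_DEGRADED = {"cluster_name": "my-log", "status": "yellow", "timed_out": False,
                   "number_of_nodes": 1, "unassigned_shards": 5}

if __name__ == "__main__":
    import sys
    try:
        doc = fetch_health()
    except OSError as exc:          # connection refused, timeout, DNS failure
        print(f"CRITICAL: cannot reach cluster: {exc}")
        sys.exit(2)
    code, msg = classify_health(doc)
    print(msg)
    sys.exit(code)
```

Run it from a cron job or a monitoring agent; the exit code alone is enough for most schedulers, and the message records the node count so that a yellow cluster caused by a node dropping out is not mistaken for one that is merely waiting for replicas to allocate.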
  2.2 Host 1: install logstash-6.8.1.rpm and configure it
   yum -y localinstall  logstash-6.8.1.rpm
  [root@logsystem ~]# cd /etc/logstash/conf/
  f 
  input {
    beats {
      add_field => {"myid" => "windows_log"}
      port => 5044
    }
    beats {
      add_field => {"myid" => "nginx_log"}
      port => 5400
    }
    stdin {}
  }
  output {
    if [myid] == "windows_log" {
      elasticsearch {
        hosts => "192.168.1.102:9200"
        index => "%{type}-%{+YYYY-MM-dd}"
      }
    }
    if [myid] == "nginx_log" {
      elasticsearch {
        hosts => "192.168.1.102:9200"
        index => "nginx_pj_log-%{+YYYY-MM-dd}"
      }
    }
    stdout { codec => rubydebug }
  }
  Start logstash:
    [root@logsystem src]# nohup logstash -f /etc/logstash/conf.d/f & 
  Test the config file for syntax errors (-t validates the config and exits without starting the pipeline):
  [root@logsystem ~]# logstash -t -f /etc/logstash/f
  Data types
  Array: [item1,item2,...]
  Boolean: true,false
  Bytes:
  Codec: codec (encoder/decoder)
  Hash: key=>value
  Number:
  Password:
  Path: filesystem path
  String: string
  Field reference: [] (for example [myid])
  Conditionals: == ,!=,<,>, in ,not in ,and,or ....
  Common input plugins
  input plugins:
  File: reads an event stream from the specified file, one event per line.
  It uses FileWatch (written in Ruby) to watch the file for changes; .sincedb keeps the file position information in a small database.
  Look up the available grok patterns:
  [root@logsystem logstash]# rpm -ql logstash |grep "patterns"
Verify that the elasticsearch service has received data:
  2.3 Host 1: install and configure kibana
  Configuration
  [root@logsystem src]# vim /etc/l
  server.port: 5601 # listening port
  server.host: "192.168.1.102" # listening address
  elasticsearch.hosts: ["192.168.1.102:9200"] # elasticsearch server address
  i18n.locale: "zh-CN" # switch the UI to Chinese
  [root@logsystem src]# systemctl start kibana
  [root@logsystem src]# systemctl enable kibana
Check the service
  2.4 Install winlogbeat-6.8.4-windows-x86_64 on the server whose logs are to be collected
  Extract it to C:\Program Files
  Rename the folder to winlogbeat
  Open Windows PowerShell as administrator
  Run the following commands to install the service
  PS C:\Users\Administrator> cd 'C:\Program Files\Winlogbeat'
  PS C:\Program Files\Winlogbeat> .\install-service-winlogbeat.ps1
  If the script cannot be installed, run the following commands to relax the script execution policy; press Y to confirm after entering each command
  PS C:\Program Files\Winlogbeat> set-executionpolicy remotesigned
  PS C:\Program Files\Winlogbeat> set-executionpolicy Bypass
  winlogbeat.event_logs:
    - name: Application # application event log
      ignore_older: 8h # skip events older than 8 hours; useful on the first start so the whole history is not shipped
      provider: # only ship events from the listed sources (providers)
        - Application Error
        - Application Hang
        - Windows Error Reporting
    - name: Security # security log
      ignore_older: 8h
      event_id: 4624, 4625, 4700-4800, -4735 # only events whose ID matches are sent; a leading - excludes an ID
    - name: System # system log
      ignore_older: 8h
  Check the config syntax
  .\ test config -c .\l -e
  Start winlogbeat
  C:\Program Files\Winlogbeat> Start-Service winlogbeat
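The event_id and ignore_older settings in the Security entry above decide which security events ever leave the host, so it is worth checking what a rule keeps before rolling it out. The following is an added example, not part of the original notes and not Winlogbeat's own code: a small Python evaluator for those two filters. It assumes the semantics I read from the Winlogbeat documentation (single IDs and lo-hi ranges are included, a leading "-" excludes an ID, and a list made only of exclusions keeps everything else) and only understands single-unit durations such as 8h; the sample events are constructed.

```python
# Added example (not from the original notes, not Winlogbeat code): evaluate
# the event_id and ignore_older filters of one winlogbeat.event_logs entry
# against constructed sample events. Semantics assumed from the Winlogbeat
# docs: includes are single IDs or ranges, "-ID" excludes, and an
# exclusion-only list keeps everything else.
from datetime import datetime, timedelta, timezone


def parse_event_id(spec):
    """Return (includes, excludes): a list of (lo, hi) ranges and a set of IDs."""
    includes, excludes = [], set()
    for token in (t.strip() for t in spec.split(",")):
        if not token:
            continue
        if token.startswith("-"):
            excludes.add(int(token[1:]))
        elif "-" in token:
            lo, hi = (int(x) for x in token.split("-", 1))
            includes.append((lo, hi))
        else:
            eid = int(token)
            includes.append((eid, eid))
    return includes, excludes


def event_id_matches(spec, event_id):
    includes, excludes = parse_event_id(spec)
    if event_id in excludes:
        return False
    if not includes:            # exclusion-only list: everything else passes
        return True
    return any(lo <= event_id <= hi for lo, hi in includes)


def parse_duration(text):
    """Parse single-unit durations such as 8h, 30m or 90s (assumption: no 1h30m)."""
    units = {"h": 3600, "m": 60, "s": 1}
    return timedelta(seconds=float(text[:-1]) * units[text[-1]])


def is_too_old(event_time, ignore_older, now):
    return now - event_time > parse_duration(ignore_older)


def filter_events(events, spec, ignore_older, now):
    """Return the IDs of the (event_id, timestamp) pairs the entry would ship."""
    kept = []
    for eid, ts in events:
        if is_too_old(ts, ignore_older, now):
            continue
        if event_id_matches(spec, eid):
            kept.append(eid)
    return kept


SECURITY_SPEC = "4624, 4625, 4700-4800, -4735"   # the notes' Security log entry
NOW = datetime(2019, 9, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [            # constructed: (event_id, timestamp)
    (4624, NOW - timedelta(minutes=5)),    # successful logon, recent: kept
    (4625, NOW - timedelta(hours=9)),      # failed logon, older than 8h: dropped
    (4735, NOW - timedelta(minutes=1)),    # inside 4700-4800 but excluded: dropped
    (4720, NOW - timedelta(hours=1)),      # user account created, in range: kept
    (4688, NOW - timedelta(minutes=2)),    # process creation, not listed: dropped
]

if __name__ == "__main__":
    print(filter_events(SAMPLE_EVENTS, SECURITY_SPEC, "8h", NOW))
```

The sample shows the two ways an event silently disappears: 4625 is in the list but falls outside the 8-hour window after a long outage, and 4688 is never shipped because the list names only the IDs it includes. If process-creation events are wanted in the SIEM they have to be added to event_id explicitly.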
  Winlogbeat basic configuration (only one output may be enabled at a time; comment out the one you are not using)
  1. Send logs to logstash
  output.logstash:
    # The Logstash hosts
    hosts: ["10.10.10.10:5044"]
  2. Send logs to elasticsearch
  output.elasticsearch:
    hosts: ["10.10.10.10:9200"]
    template.name: "winlogbeat"
    template.path: "plate.json"
    template.overwrite: false
Pitfall 1: plugin directory
Error:
org.elasticsearch.bootstrap.StartupException: java.lang.IllegalArgumentException: Property [elasticsearch.version] is missing for plugin [head]
        at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:125) ~[elasticsearch-5.2.2.jar:5.2.2]
        at org.elasticsearch.ute(Elasticsearch.java:112) ~[elasticsearch-5.2.2.jar:5.2.2]
        at org.elasticsearch.ute(SettingCommand.java:54) ~[elasticsearch-5.2.2.jar:5.2.2]
        at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:122) ~[elasticsearch-5.2.2.jar:5.2.2]
        at org.elasticsearch.cli.Command.main(Command.java:88) ~[elasticsearch-5.2.2.jar:5.2.2]
        at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:89) ~[elasticsearch-5.2.2.jar:5.2.2]
        at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:82) ~[elasticsearch-5.2.2.jar:5.2.2]
Cause: newer elasticsearch versions do not allow site plugins such as bigdesk or head to be placed under /usr/share/elasticsearch/plugins. Every directory there is treated as a plugin and must carry a descriptor with an elasticsearch.version entry, which these plugins lack, so the node refuses to start.
Solution: move those plugins to another directory
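Because this failure only shows up when the service refuses to start, it is cheaper to catch it beforehand. The following is an added example (not from the original notes) that walks the plugins directory named above and reports every entry Elasticsearch would reject: directories with no plugin-descriptor.properties at all (the head case in the trace) and descriptors whose elasticsearch.version does not match the running 6.8.1. The descriptor file name and the elasticsearch.version key are the plugin descriptor's own; the sample plugin tree the script builds for demonstration is constructed.

```python
# Added example (not from the original notes): pre-start check for the plugin
# directory pitfall. Path and version are taken from the notes; the sample
# tree built by build_sample_plugins_dir() is constructed for demonstration.
import os
import sys
import tempfile

DEFAULT_PLUGINS_DIR = "/usr/share/elasticsearch/plugins"
DESCRIPTOR = "plugin-descriptor.properties"


def read_properties(path):
    """Minimal Java .properties reader: key=value lines, '#' comments."""
    props = {}
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def check_plugins(plugins_dir=DEFAULT_PLUGINS_DIR, es_version="6.8.1"):
    """Return a list of (plugin_name, problem) for entries ES would reject.

    An empty list means every directory looks like a loadable plugin.
    """
    problems = []
    if not os.path.isdir(plugins_dir):
        return problems
    for name in sorted(os.listdir(plugins_dir)):
        plugin_dir = os.path.join(plugins_dir, name)
        if not os.path.isdir(plugin_dir):
            continue   # stray files are not plugins; ignored by this check
        descriptor = os.path.join(plugin_dir, DESCRIPTOR)
        if not os.path.isfile(descriptor):
            problems.append((name, f"no {DESCRIPTOR}; move it out of {plugins_dir}"))
            continue
        version = read_properties(descriptor).get("elasticsearch.version")
        if not version:
            problems.append((name, "Property [elasticsearch.version] is missing"))
        elif version != es_version:
            problems.append((name, f"built for {version}, running {es_version}"))
    return problems


def build_sample_plugins_dir():
    """Construct a throwaway plugins tree: one good plugin, one site plugin
    without a descriptor (like head) and one built for an older release."""
    root = tempfile.mkdtemp(prefix="es-plugins-")
    os.makedirs(os.path.join(root, "analysis-icu"))
    with open(os.path.join(root, "analysis-icu", DESCRIPTOR), "w") as fh:
        fh.write("# constructed descriptor\nname=analysis-icu\nelasticsearch.version=6.8.1\n")
    os.makedirs(os.path.join(root, "head"))            # no descriptor at all
    os.makedirs(os.path.join(root, "old-plugin"))
    with open(os.path.join(root, "old-plugin", DESCRIPTOR), "w") as fh:
        fh.write("elasticsearch.version=5.2.2\n")
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_PLUGINS_DIR
    found = check_plugins(target)
    for plugin, problem in found:
        print(f"{plugin}: {problem}")
    sys.exit(1 if found else 0)
```

Run it as a pre-start step (for example from a deployment script) against the real directory; it exits non-zero when anything would prevent the node from starting, so the plugin can be moved out before the restart rather than after the outage.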
