# kibana-6.2.4 (a single node is enough)
Unpack it, install it and rename the directory.
```shell
cd kibana/
vim config/kibana.yml
```
```yaml
# Enable the default port 5601; if 5601 is already taken, 5602 or any other free port will do
server.port: 5601
# Put your own hostname here (use straight quotes)
server.host: "hostname"
# Points at the IP address of the elasticsearch service ("ip" is a placeholder, as elsewhere on this page)
elasticsearch.url: "http://ip:9200"
kibana.index: ".kibana"
```
Start it:
```shell
/usr/local/kibana/bin/kibana &
```
Test it by opening ip:5601.
# logstash-6.2.4
This one has to be installed on the server where your logs live.
Unpack it, install it and rename it into its directory.
`vim config/*-logst.conf` creates a new config file; the name is up to you.
```
input {
  file {
    path => "/usr/local/*.log"       # your log path
    start_position => "beginning"    # the value has to be a quoted string
    ignore_older => 0
    sincedb_path => "/dev/null"      # no read-position bookkeeping: the file is re-read from the start on every run
  }
}
filter {
  grok {
    # Access-log pattern. The timestamp capture is the field the date filter below parses.
    match => { "message" => "%{IPORHOST:clientip} - %{USER:auth} \[%{HTTPDATE:timestamp}\] \"(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})\" %{NUMBER:response} (?:%{NUMBER:bytes}|-)" }
  }
  date {
    # "+0800" is matched literally, so only logs written in that offset will parse; use "Z" to accept any offset
    match => [ "timestamp", "dd/MMM/YYYY:HH:mm:ss +0800" ]
  }
}
output {
  elasticsearch { hosts => ["ip:9200"] index => "logs-%{+YYYY.MM.dd}" }
  stdout {}
}
```
That config only covers a single project; if you have several, use the following as a reference:
```
input {
  file {
    path => "/var/log/messages"
    type => "system"
    start_position => "beginning"
  }
  file {
    path => "/var/log/elasticsearch/chuck-clueser.log"
    type => "es-error"
    start_position => "beginning"
    codec => multiline {
      pattern => "^\["
      negate => true
      what => "previous"
    }
  }
}
output {
  if [type] == "system" {
    elasticsearch {
      hosts => ["192.168.56.11:9200"]
      index => "system-%{+YYYY.MM.dd}"
    }
  }
  if [type] == "es-error" {
    elasticsearch {
      hosts => ["192.168.56.11:9200"]
      index => "es-error-%{+YYYY.MM.dd}"
    }
  }
}
```
Then start it:
```shell
/usr/local/logstash/bin/logstash -f /usr/local/logstash/config/*-logst.conf
```
Then go to Kibana and check whether data is arriving! You have to create the index pattern first!
Installed this way, the ELK head plugin and Kibana have essentially no security measures at all; put them behind an nginx reverse proxy that restricts access by IP, or use them only on the internal network.
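As an added example (not part of the original post), here is an nginx server block that implements the IP restriction suggested above. It assumes Kibana has been bound to loopback (`server.host: "127.0.0.1"` in kibana.yml) so it is reachable only through the proxy; the server_name and the allowed subnet are placeholders.

```nginx
# Added example: nginx reverse proxy in front of Kibana with an IP allowlist.
# Assumptions: Kibana listens on 127.0.0.1:5601 only, and the trusted admin
# network is 192.168.56.0/24 (placeholder, replace with your own range).
server {
    listen 80;
    server_name kibana.example.com;   # placeholder

    location / {
        # Only the listed ranges may reach Kibana; every other client gets 403.
        allow 192.168.56.0/24;
        allow 127.0.0.1;
        deny  all;

        proxy_pass http://127.0.0.1:5601;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

The same allow/deny block can front the head plugin, and Elasticsearch's own port 9200 should likewise stay unreachable from outside the internal network.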