使用Elasticsearch + Logstash + Kibana搭建日志集中分析(3)

cd /etc/pki/tls
sudo openssl req -subj '/CN=<^>logstash_server_fqdn/' -x509 -days 3650 -batch -nodes -newkey rsa:2048 -keyout private/logstash-forwarder.key -out certs/logstash-forwarder.crt

Logstash安装： Logstash Forwarder（客户端）：

安装Logstash Forwarder
wget https://download.elastic.co/logstash-forwarder/binaries/logstash-forwarder-0.4.0-1.x86_64.rpm
yum localinstall logstash-forwarder-0.4.0-1.x86_64.rpm

#查看logstash-forwarder的配置文件位置
rpm -qc logstash-forwarder
/etc/logstash-forwarder.conf

#备份配置文件
cp /etc/logstash-forwarder.conf /etc/logstash-forwarder.conf.save

#编辑 /etc/logstash-forwarder.conf，需要根据实际情况进行修改

vim /etc/logstash-forwarder.conf
{
  "network": {
    "servers": [ "这里写服务器的ip:5000" ],

"ssl ca": "/etc/pki/tls/certs/logstash-forwarder.crt",

"timeout": 15
  },

"files": [
    {
      "paths": [
        "/var/log/messages",
        "/var/log/secure"
      ],

"fields": { "type": "syslog" }
    }
  ]
}

Logstash Server（服务端）：

#下载rpm包
wget https://download.elastic.co/logstash/logstash/packages/centos/logstash-1.5.4-1.noarch.rpm
#安装
yum localinstall logstash-1.5.4-1.noarch.rpm
#创建一个01-logstash-initial.conf文件
vim /etc/logstash/conf.d/01-logstash-initial.conf
input {
  lumberjack {
    port => 5000
    type => "logs"
    ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
    ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
  }
}

filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:[%{POSINT:syslog_pid}])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    syslog_pri { }
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}

output {
  elasticsearch { host => localhost }
  stdout { codec => rubydebug }
}

#启动logstash服务
service logstash start
service logstash status

#访问Kibana，Time-field name 选择 @timestamp 要在下一步操作 Nginx 日志配置之后访问 不然会没有数据不能创建
:5601/

#增加节点和客户端配置一样，注意同步证书(可以通过SSH的方式同步)
/etc/pki/tls/certs/logstash-forwarder.crt

配置Nginx日志：

#修改客户端配置
vim /etc/logstash-forwarder.conf

{
  "network": {
    "servers": [ "自己服务器的ip地址:5000" ],

"ssl ca": "/etc/pki/tls/certs/logstash-forwarder.crt",

"timeout": 15
  },