Building and maintaining an ELK 5.6 log monitoring system on Ubuntu 16.04

1. Installing and configuring Elasticsearch

1.1 Installing Elasticsearch

Install the Java JDK:

	sudo apt-get update

	sudo apt-get install openjdk-8-jdk

Edit /etc/profile and append the Java environment variable at the end of the file (JAVA_HOME must point at the JDK root, not at its jre/bin subdirectory):

	export JAVA_HOME="/usr/lib/jvm/java-8-openjdk-amd64"

Download and install the public signing key:

	wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -

Install the apt-transport-https package so that packages can be fetched from the HTTPS deb repository:

	sudo apt-get install apt-transport-https

Add the Elasticsearch deb repository to the apt sources:

	echo "deb https://artifacts.elastic.co/packages/5.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-5.x.list

Download and install Elasticsearch:

	sudo apt-get update && sudo apt-get install elasticsearch

1.2 Elasticsearch autostart and service control

Autostart:

	sudo systemctl daemon-reload   # reload the unit files after any change to them

	sudo systemctl enable elasticsearch.service   # start at boot

Service control:

	sudo systemctl start elasticsearch.service   # start the service

	sudo systemctl stop elasticsearch.service   # stop the service

	sudo systemctl restart elasticsearch.service   # restart the service

Official documentation: https://www.elastic.co/guide/en/elasticsearch/reference/5.6/deb.html

2. Installing and configuring Kibana

2.1 Installing Kibana

Add the Kibana deb repository to the apt sources (this is the same 5.x repository as in 1.1; if the line is already present, skip this step, since tee -a would append a duplicate entry):

	echo "deb https://artifacts.elastic.co/packages/5.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-5.x.list

Download and install Kibana:

	sudo apt-get update && sudo apt-get install kibana

2.2 Kibana autostart and service control

Identical to Elasticsearch; just replace the service name with kibana.service.

Official documentation: https://www.elastic.co/guide/en/kibana/5.6/deb.html

3. Installing and configuring Logstash

3.1 Installing Logstash

Add the Logstash deb repository to the apt sources (again the same 5.x repository as in 1.1; skip if the line is already present):

	echo "deb https://artifacts.elastic.co/packages/5.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-5.x.list

Download and install Logstash:

	sudo apt-get update && sudo apt-get install logstash

Logstash configuration file

Go to /etc/logstash/conf.d and create logstash-configure.conf; the following configuration can be used as a reference:

input {
        beats {
                port => 5000
                ssl => true
                ssl_certificate_authorities => ["/etc/pki/tls/elk-logstash-ssl/filebeat.crt"]
                ssl_certificate => "/etc/pki/tls/elk-logstash-ssl/logstash-forwarder.crt"
                ssl_key => "/etc/pki/tls/elk-logstash-ssl/logstash-forwarder.key"
                ssl_verify_mode => "force_peer"
                tls_min_version => 1.2
         }

        file {
                type => "stellar_server"
                path => ["/usr/ELK/logdata/stellar_server_log"]
                codec => json {
                        charset => "UTF-8"
                }
        }
        file {
                type => "LED_control"
                path => ["/usr/ELK/logdata/LED_control_log"]
        }
        file {
                type => "stariver_api"
                path => ["/usr/ELK/logdata/stariver_api_log"]
                codec => json {
                        charset => "UTF-8"
                }
        }
        file {
                type => "stellar_alexa"
                path => ["/usr/stellar_alexa_log"]
        }

        file {
                type => "test_LED_control"
                path => ["/usr/ELK/logdata/test202.11.4.67"]
        }


}


filter{

        if [type] == "stariver_api" {
                date {
                        match => ["time", "ISO8601", "UNIX"]
                        target => "@timestamp"
                        locale => "cn"
                }

        }

        else if [type] == "stellar_alexa" {
                grok {
                        match => {"message" => "%{DATESTAMP:time} %{DATA:uuid} %{DATA:build_id} %{USERNAME:amazon_id} %{WORD:ctrl_name} %{DATA:ctrl_value} %{WORD:online_or_not} %{WORD:done_or_error} %{BASE10NUM:time_cost}"}
                }
                 mutate {
                        convert => ["time_cost", "float"]
                }
                date {
                        match => ["time", "yy-MM-dd HH:mm:ss", "UNIX"]
                        target => "@timestamp"
                        locale => "cn"
                }
        }


        else if [type] == "stellar_server" {
                date {
                        match => ["time", "yyyy-MM-dd HH:mm:ss", "UNIX"]
                        target => "@timestamp"
                        locale => "cn"
                }

        }

        else if [type] == "LED_control" {
                grok {
                        match => {"message" => "%{DATESTAMP:time}\s+%{WORD:degree}:\s+%{GREEDYDATA:information}"}
                }
                date {
                        match => ["time", "yy-MM-dd HH:mm:ss.SSSSSS", "UNIX"]
                        target => "@timestamp"
                        locale => "cn"
                }
        }


}

output {
        elasticsearch {
                hosts => [ "127.0.0.1:9200" ]
                index => "test_system_log"
                # Search Guard demo credentials (see section 6); change them in sg_internal_users.yml
                user => "logstash"
                password => "logstash"
                ssl => true
                ssl_certificate_verification => true
                truststore => "/usr/share/logstash/cert/truststore.jks"
                truststore_password => "changeit"
        }

        # stdout {
        #
        #       codec => rubydebug
        # }
}

Generating the SSL certificate

(1) Generate the SSL certificate for an IP address:

	sudo vim /etc/ssl/openssl.cnf

In the [ v3_ca ] section add (or modify) the line subjectAltName = IP: ELK_server_IP, replacing ELK_server_IP with the ELK server's IP address. Then run the following (the private/ and certs/ paths are relative to the current directory, e.g. /etc/ssl):

	sudo openssl req -config /etc/ssl/openssl.cnf -x509 -days 3650 -batch \
	-nodes -newkey rsa:2048 -keyout private/logstash-forwarder.key -out \
	certs/logstash-forwarder.crt

(2) Generate the SSL certificate for a domain name:

	sudo openssl req -subj '/CN=ELK_server_domain/' -x509 -days 3650 \
	-batch -nodes -newkey rsa:2048 -keyout private/logstash-forwarder.key \
	-out certs/logstash-forwarder.crt

Replace ELK_server_domain with the domain name.

Once generated, copy logstash-forwarder.crt to every server that will ship logs to ELK.

3.2 Logstash autostart and service control

Identical to Elasticsearch; just replace the service name with logstash.service.

Official documentation: https://www.elastic.co/guide/en/logstash/5.6/installing-logstash.html

Note: software installed from deb packages ends up in the following locations

a. Downloaded packages: /var/cache/apt/archives

b. Default installation directory: /usr/share

c. Executables: /usr/bin

d. Configuration files: /etc

e. Library (lib) files: /usr/lib

4. Migrating Elasticsearch data

ElasticDump can migrate both the data and the mappings of an ES index.

Official site: https://github.com/taskrabbit/elasticsearch-dump

4.1 Installing Elasticdump

Install npm

	sudo apt-get install npm

Install Elasticdump

	sudo npm install -g elasticdump

4.2 Basic Elasticdump usage

	elasticdump \
	--input=http://production.es.com:9200/my_index \
	--output=http://staging.es.com:9200/my_index \
	--type=mapping

Replace my_index with the index name, currently test_system_log.

This step transfers the mappings and completes quickly.

	elasticdump \
	--input=http://production.es.com:9200/my_index \
	--output=http://staging.es.com:9200/my_index \
	--type=data

Replace my_index with the index name, currently test_system_log.

This step transfers the data; the time it takes depends on the data volume and the available bandwidth.

5. Secure HTTPS access to Kibana

Use Let's Encrypt to obtain the HTTPS certificate and configure it in kibana.yml.

5.1 Installing certbot

	sudo apt-get update

	sudo apt-get install software-properties-common

	sudo add-apt-repository ppa:certbot/certbot

	sudo apt-get update

	sudo apt-get install certbot

5.2 Obtaining the certificate

	sudo certbot certonly --webroot -w /etc/letsencrypt/live/elk.sansi.io -d elk.sansi.io

The -w argument is the webroot directory from which certbot serves the validation challenge (the certificates themselves are written under /etc/letsencrypt/live/), and -d is the domain name.

/etc/letsencrypt/live/elk.sansi.io will then contain four files:

privkey.pem: the private key

fullchain.pem: the certificate together with its CA chain

chain.pem: for use by nginx (not needed here)

cert.pem (not recommended)

The certificate can be renewed with certbot renew.

Because of the directory permissions, Kibana cannot read /etc/letsencrypt/live/elk.sansi.io/.

The certificates are therefore copied to /usr/share/kibana/certs. These steps have been written into a script, /root/renew-kibana-certs.sh:

	certbot renew
	cp -f /etc/letsencrypt/live/elk.sansi.io/fullchain.pem /usr/share/kibana/certs
	cp -f /etc/letsencrypt/live/elk.sansi.io/privkey.pem /usr/share/kibana/certs

It is run from crontab every 3 hours (the certificate is valid for 90 days; the script exists so that renewal is never forgotten).
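A fuller version of that renewal script, as an added example (not the gist author's script): it copies the files only when their content changed, keeps the private key readable by its owner only, and restarts Kibana, which loads the certificate files at startup. It assumes the same paths as above and that Kibana runs as the kibana user.

```shell
#!/bin/sh
# renew-kibana-certs.sh, added example (not the gist author's script): renews
# with certbot, installs the files for Kibana only when they changed, keeps
# the key owner-readable, and restarts Kibana, which reads certs at startup.
set -eu

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/elk.sansi.io}"
KIBANA_CERT_DIR="${KIBANA_CERT_DIR:-/usr/share/kibana/certs}"

# copy_if_changed SRC DST OWNER: returns 0 if DST was updated, 1 if it was
# already identical. Writes to a temp file and renames so a half-written
# key is never visible to Kibana.
copy_if_changed() {
    src="$1"; dst="$2"; owner="$3"
    if [ -f "$dst" ] && cmp -s "$src" "$dst"; then
        return 1
    fi
    tmp="$dst.tmp.$$"
    cp "$src" "$tmp"
    chmod 0600 "$tmp"
    chown "$owner" "$tmp" 2>/dev/null || true   # only root can change the owner
    mv -f "$tmp" "$dst"
    return 0
}

# sync_kibana_certs LIVE DEST OWNER: installs fullchain.pem and privkey.pem;
# returns 0 when at least one file changed (Kibana must restart), else 1.
sync_kibana_certs() {
    live="$1"; dest="$2"; owner="$3"
    mkdir -p "$dest"
    changed=1
    for f in fullchain.pem privkey.pem; do
        if copy_if_changed "$live/$f" "$dest/$f" "$owner"; then
            changed=0
        fi
    done
    return $changed
}

# The renewal itself only runs when explicitly requested, e.g. from cron:
#   0 */3 * * * RENEW_KIBANA_CERTS_RUN=1 /root/renew-kibana-certs.sh
if [ "${RENEW_KIBANA_CERTS_RUN:-0}" = "1" ]; then
    certbot renew --quiet
    if sync_kibana_certs "$LIVE_DIR" "$KIBANA_CERT_DIR" kibana; then
        systemctl restart kibana.service
    fi
fi
```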

5.3 kibana.yml configuration

Add the following keys to /etc/kibana/kibana.yml to enable the certificate:

	server.ssl.enabled: true

	server.ssl.certificate: /usr/share/kibana/certs/fullchain.pem

	server.ssl.key: /usr/share/kibana/certs/privkey.pem

6. Installing and configuring Search Guard

Official documentation (v5): http://docs.search-guard.com/v5/index

6.1 Installing Search Guard for Elasticsearch

Stop the Elasticsearch process

	service elasticsearch stop

Go to the Elasticsearch directory

	cd /usr/share/elasticsearch

Run the install command:

	bin/elasticsearch-plugin install -b com.floragunn:search-guard-5:6.5.0-18

This uses the installed Elasticsearch 5.6.5 as the example; each Elasticsearch version requires a matching Search Guard version, see: https://github.com/floragunncom/search-guard/wiki

Go to the tools directory

	cd /usr/share/elasticsearch/plugins/search-guard-5/tools

Run the configuration script

	./install_demo_configuration.sh

If it is not executable:

	chmod +x install_demo_configuration.sh

When it finishes, three files are created under /etc/elasticsearch:

truststore.jks: the CA certificate

keystore.jks: the private key

kirk.jks: the admin certificate used to run the configuration tool

The default password for both the truststore and the keystore is changeit;

it can be changed by adding the following keys to elasticsearch.yml:

	searchguard.ssl.transport.keystore_password

	searchguard.ssl.transport.truststore_password

Start the Elasticsearch service

	service elasticsearch start

Go to the tools directory

	cd /usr/share/elasticsearch/plugins/search-guard-5/tools

Run the demo script

	./sgadmin_demo.sh

If it is not executable, first run

	chmod +x sgadmin_demo.sh

Once it finishes, the basic configuration has been loaded.

Note: Search Guard configuration is hot-reloadable, i.e. there is no need to stop Elasticsearch: after editing the configuration files under /usr/share/elasticsearch/plugins/search-guard-5/sgconfig, simply run /usr/share/elasticsearch/plugins/search-guard-5/tools/sgadmin_demo.sh again.

Test after installation

	curl --insecure -u admin:admin 'https://localhost:9200/_searchguard/authinfo?pretty'

If the admin user's information is returned as JSON, the installation and configuration succeeded.

6.2 Elasticsearch Search Guard configuration notes

All configuration files are under /usr/share/elasticsearch/plugins/search-guard-5/sgconfig, six files in total:

elasticsearch.yml.example: an example elasticsearch.yml, not needed

sg_config.yml: installation configuration (no changes needed)

sg_roles_mapping.yml: defines which role group each user belongs to

sg_roles.yml: defines the permissions each role group has

sg_action_groups.yml: defines the named permission groups and what they contain

sg_internal_users.yml: defines users and their (hashed) passwords

Password hashes can be generated with tools/hash.sh:

	./hash.sh -p <plaintext password>

6.3 Installing and configuring Search Guard for Kibana

Stop the Kibana service

	service kibana stop

Go to the Kibana directory

	cd /usr/share/kibana

Run the plugin installer

	bin/kibana-plugin install file:///path/to/search-guard-kibana-plugin-version.zip

Plugin downloads (6.x versions are hosted on the official site, 5.x versions on GitHub):

https://github.com/floragunncom/search-guard-kibana-plugin/releases

Add the username and password to /etc/kibana/kibana.yml:

	elasticsearch.username: "kibanaserver"

	elasticsearch.password: "kibanaserver"

This username and password are the Search Guard demo defaults, used for communication between Kibana and Elasticsearch; they can (and, before the cluster is exposed, should) be changed in sgconfig/sg_internal_users.yml.

Since Elasticsearch now has SSL enabled, change the target URL:

	elasticsearch.url: "https://localhost:9200"

Without CA verification:

	elasticsearch.ssl.verificationMode: none

With CA verification (Kibana 5.6 accepts none, certificate or full here; "true" is not a valid value):

	elasticsearch.ssl.verificationMode: full

	elasticsearch.ssl.ca: "/path/to/your/root-ca.pem"

Start the Kibana service to complete the configuration

	service kibana start

6.4 Logstash Search Guard configuration notes

Logstash needs no plugin; just add the following fields to /etc/logstash/conf.d/first-piple.conf (logstash is the default user):

output {
    elasticsearch {
       user => "logstash"
       password => "logstash"
       ssl => true
       ssl_certificate_verification => true
       truststore => "/etc/logstash/truststore.jks"
       truststore_password => "changeit"
    }
}

In Logstash 5.6.5 the default logstash:logstash user also needs the indices:data/write/bulk* permission; edit sgconfig/sg_roles.yml:

sg_logstash:
  cluster:
    - indices:admin/template/get
    - indices:admin/template/put
    - indices:data/write/bulk*
    - CLUSTER_MONITOR
    - CLUSTER_COMPOSITE_OPS
  indices:
    '*':
      '*':
        - CRUD
        - CREATE_INDEX
    '*beat*':
      '*':
        - CRUD
        - CREATE_INDEX

Reload the configuration to finish.

7. Installing and configuring the Filebeat client

7.1 Installing Filebeat

Using the deb package as the example

	curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-5.6.6-amd64.deb

	sudo dpkg -i filebeat-5.6.6-amd64.deb

7.2 Generating a local self-signed SSL certificate

On Linux:

	openssl req -subj '/CN=127.0.0.1/' -x509 -days $((100 * 365)) -batch -nodes -newkey rsa:2048 -keyout \
	./filebeat.key -out ./filebeat.crt

Replace CN=127.0.0.1 with the server's IP address, e.g. CN=192.168.0.1; the generated .crt and .key files are written to the current directory.

On Windows:

Download and install OpenSSL from https://wiki.openssl.org/index.php/Binaries

	openssl req -x509 -sha256 -nodes -days 3650 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt

Enter the requested information at the prompts; for CN enter the server's public IP.

7.3 Filebeat configuration file

#====================Filebeat prospectors===================
filebeat.prospectors:
# input_type: the default, log, is sufficient
- input_type: log
# paths: the log files to monitor; several may be listed, or every .log file in a directory via a glob
  paths:
    - /home/ec2-user/*.log
# document_type: the type sent to Logstash, used to classify the log source
  document_type: "stellar_alexa"
# If true, Filebeat starts reading at the end of the file and sends each newly appended line as an event,
# instead of re-sending the whole file from the beginning
  tail_files: false

#=====================Outputs==========================
#----------------------------- Logstash output --------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["198.58.124.6:5000"]
# ["elk.sansi.io:5000"]
# Either a domain name or an IP may be used; note that port 5000 is used here
  bulk_max_size: 1024
  ssl.enabled: true
  ssl.certificate_authorities: ["/home/ec2-user/F/logstash-forwarder.crt"]
  ssl.certificate: "/home/ec2-user/F/filebeat.crt"
  ssl.key: "/home/ec2-user/F/filebeat.key"
  ssl.supported_protocols: [TLSv1.2]
# Mutual SSL with Logstash:
# ssl.certificate_authorities holds Logstash's crt
# ssl.certificate and ssl.key hold Filebeat's crt and key

Note: on Windows the "/" character must be escaped, so write paths with "//". If the self-signed certificate was issued for an IP, hosts must use that IP; if it was issued for a domain name, hosts must use the domain name, otherwise verification fails.
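The certificate commands in section 3 and in 7.2 above both put the host into the subject only (or require editing the system-wide /etc/ssl/openssl.cnf, which changes every certificate made on that machine). The following added example (not the gist author's commands) generates the same kind of self-signed certificate from a private, temporary OpenSSL config, placing the host in subjectAltName as an IP or DNS entry according to how the peer will connect, and then checks a certificate for the entry a client connecting to a given host will look for, which is exactly the IP-versus-domain mismatch the note above warns about. Function names and the output file layout are this example's own.

```shell
#!/bin/sh
# Added example (not the gist author's commands): self-signed cert generation
# for sections 3 and 7.2 that puts the host into subjectAltName as IP or DNS
# via a private openssl config, so /etc/ssl/openssl.cnf stays untouched.
set -eu

# is_ipv4 HOST: 0 when HOST is a dotted quad (octet ranges are not checked)
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# san_for HOST: the subjectAltName value an openssl config expects for HOST
san_for() {
    if is_ipv4 "$1"; then echo "IP:$1"; else echo "DNS:$1"; fi
}

# san_text_for HOST: the same entry as printed by "openssl x509 -text"
san_text_for() {
    if is_ipv4 "$1"; then echo "IP Address:$1"; else echo "DNS:$1"; fi
}

# make_selfsigned_cert HOST OUTDIR BASENAME: writes OUTDIR/BASENAME.key and
# OUTDIR/BASENAME.crt (10 years, 2048-bit RSA, key readable by owner only)
make_selfsigned_cert() {
    host="$1"; outdir="$2"; base="$3"
    mkdir -p "$outdir"
    cnf="$(mktemp)"
    cat > "$cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_req
prompt = no
[dn]
CN = $host
[v3_req]
subjectAltName = $(san_for "$host")
extendedKeyUsage = serverAuth, clientAuth
EOF
    openssl req -config "$cnf" -x509 -days 3650 -batch -nodes -newkey rsa:2048 \
        -keyout "$outdir/$base.key" -out "$outdir/$base.crt" 2>/dev/null
    rm -f "$cnf"
    chmod 0600 "$outdir/$base.key"
}

# cert_has_san CRT HOST: 0 when CRT carries the SAN a peer connecting to HOST
# will check (an IP certificate only verifies when hosts is set to that IP)
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -qF "$(san_text_for "$2")"
}
```

For the Filebeat side, `make_selfsigned_cert 192.168.0.1 . filebeat` produces the filebeat.crt and filebeat.key referenced in 7.3, and `cert_has_san filebeat.crt 192.168.0.1` confirms the certificate matches the hosts entry before deploying it.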

7.4 Starting Filebeat

	sudo /etc/init.d/filebeat start

Official documentation: https://www.elastic.co/guide/en/beats/filebeat/5.6/index.html