乐趣区

关于ELK:ELK

[client]


vi /etc/rsyslog.conf 
<code>
# rsyslog configuration file manager by ansble
#### MODULES ####
$ModLoad imuxsock
$ModLoad imjournal
$ModLoad imklog

#### GLOBAL DIRECTIVES ####
$ActionFileDefaultTemplate      RSYSLOG_TraditionalFileFormat   # Use default timestamp format
$WorkDirectory                  /var/lib/rsyslog                # Where to place auxiliary files
$IncludeConfig                  /etc/rsyslog.d/*.conf           # Include all config files in /etc/rsyslog.d/
$MaxMessageSize 128k

$OmitLocalLogging on
$IMJournalStateFile imjournal.state

#### RULES ####
# ### begin forwarding rule ###
$ActionQueueFileName fwdRule1 # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList   # run asynchronously
$ActionResumeRetryCount -1    # infinite retries if host is down
*.* @@10.1.100.12:514
# ### end of the forwarding rule ###
</code>

systemctl restart rsyslog
systemctl status rsyslog


[server]
==rsyslog==
mkdir -p /var/log/LOGS
firewall-cmd --add-rich-rule='rule family="ipv4"source address="10.1.0.0/16"port port="514"protocol="tcp"accept'   --permanent


vi /etc/rsyslog.conf
<code>
$MaxMessageSize 128k
$ModLoad imuxsock.so
$ModLoad imklog.so
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$SystemLogRateLimitInterval 0
$SystemLogRateLimitBurst 0

$ModLoad imtcp
$InputTCPServerRun 514

:msg,contains,"GET /daemon.php?tableid" ~
:rawmsg,contains,"ASKMQ-WORKER 29" ~

# Standard System Services
$template DYNmessages,"/var/log/LOGS/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/messages"
$template DYNsecure,"/var/log/LOGS/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/secure"
$template DYNmaillog,"/var/log/LOGS/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/maillog"
$template DYNcron,"/var/log/LOGS/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/cron"
$template DYNspooler,"/var/log/LOGS/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/spooler"
$template DYNboot,"/var/log/LOGS/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/boot.log"
$template DYNiptables,"/var/log/LOGS/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/iptables.log"
$template DYNaudit,"/var/log/LOGS/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/audit.log"
$template DYNapache-access,"/var/log/LOGS/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/apache-access.log"
$template DYNapache-error,"/var/log/LOGS/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%/apache-error.log"

if $programname == 'apache-access' then ?DYNapache-access
&~
if $programname == 'apache-error' then ?DYNapache-error
&~
if $programname == 'audispd' then ?DYNaudit
&~
if $msg contains 'iptables:' then ?DYNiptables
&~

if $syslogseverity <= '6' and ($syslogfacility-text != 'mail' and $syslogfacility-text != 'authpriv' and $syslogfacility-text != 'cron') then ?DYNmessages
if $syslogfacility-text == 'authpriv' then ?DYNsecure
if $syslogfacility-text == 'mail' then -?DYNmaillog
if $syslogfacility-text == 'cron' then ?DYNcron
if ($syslogfacility-text == 'uucp' or $syslogfacility-text == 'news') and $syslogseverity-text == 'crit' then ?DYNspooler
if $syslogfacility-text == 'local7' then ?DYNboot
</code>

systemctl restart rsyslog
systemctl status rsyslog

ll /var/log/LOGS


==logstash==
参考文档
https://www.elastic.co/cn/downloads/logstash

rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch

vi /etc/yum.repos.d/logstash.repo
<code>
[logstash-7.x]
name=Elastic repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
</code>

yum install logstash

vi /etc/systemd/system/logstash.service
<code>
#User=logstash
#Group=logstash
User=root
Group=root
</code>


vi /etc/logstash/jvm.options
<code>
# Xms represents the initial size of total heap space
# Xmx represents the maximum size of total heap space

-Xms8g
-Xmx24g
</code>


systemctl start logstash
systemctl status logstash


vi /etc/logstash/conf.d/apache.conf 
<code>
input {
    file {
        type => "syslog"
        path => [
        "/var/log/LOGS/**/cron",
                "/var/log/LOGS/**/messages",
                "/var/log/LOGS/**/secure"
            ]
        start_position => "beginning"
        exclude => ["*.gz"]
    }

    file {
            type => "apache-access"
            path => ["/var/log/LOGS/**/apache-access.log"]
        start_position => "beginning"
        exclude => ["*.gz"]
    }

        file {
        type => "apache-error"
            path => ["/var/log/LOGS/**/apache-error.log"]
        start_position => "beginning"
        exclude => ["*.gz"]
    }
}

filter {if [type] == "apache-access" {
        grok {match => { "message" => "%{SYSLOGTIMESTAMP} %{SYSLOGHOST:webserver} %{SYSLOGPROG}: %{HOSTNAME:host} \"%{GREEDYDATA:X-Forwarded-For}\"%{IPORHOST:HA_IP} \[%{HTTPDATE:timestamp}\] \"(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})\"%{NUMBER:response:int} (?:%{NUMBER:bytes:int}|-) \"%{GREEDYDATA:referrer}\"\"%{GREEDYDATA:agent}\""}
        }
        if [X-Forwarded-For] == "-" {drop {}
        }
        mutate {remove_field => [ "message"]
            split  => {"X-Forwarded-For" => ","}
        }
        geoip {source => "X-Forwarded-For"}
        date {match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z"]
           remove_field => ["timestamp"]
       }
    }

    if [type] == "apache-error" {
        grok {match => { "message" => "%{SYSLOGTIMESTAMP} %{SYSLOGHOST:hostname} %{DATA}: \[%{HTTPDERROR_DATE:timestamp}\] \[%{LOGLEVEL:loglevel}\] (?:\[client %{IPORHOST:clientip}\]    ){0,1}%{GREEDYDATA:error_message}"
            }
        }

        date {match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z"]
        }
        mutate {rename => ["hostname", "host"]
        }
    }
}
</code>

vi /etc/logstash/conf.d/output.conf
<code>
output {
    elasticsearch {hosts => ["127.0.0.1:9200"]
        index => "logstash-%{type}-%{+YYYY.MM.dd}"
        template_overwrite => true
    }
}
</code>


===elasticsearch===
参考:https://www.elastic.co/cn/downloads/elasticsearch

rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
vi /etc/yum.repos.d/elasticsearch.repo 
<code>
[elasticsearch]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=0
autorefresh=1
type=rpm-md
</code>

yum install --enablerepo=elasticsearch elasticsearch

vi /etc/elasticsearch/elasticsearch.yml
<code>
cluster.name: gwj-elk
node.name: gwj-log
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
bootstrap.memory_lock: true
network.host: 0.0.0.0
http.port: 9200
cluster.initial_master_nodes: ["gwj-log"]
</code>


vi /etc/elasticsearch/jvm.options
<code>
# Xms represents the initial size of total heap space
# Xmx represents the maximum size of total heap space

-Xms4g
-Xmx4g
</code>

vi /etc/security/limits.conf
<code>
elasticsearch soft memlock unlimited
elasticsearch hard memlock unlimited
</code>


systemctl edit elasticsearch
<code>
[Service]
LimitMEMLOCK=infinity
</code>


systemctl restart elasticsearch
systemctl status elasticsearch

netstat -tln
curl http://localhost:9200
<code>
{
  "name" : "gwj-log",
  "cluster_name" : "gwj-elk",
  "cluster_uuid" : "8KPET2yDSCaQwfwncWSTQQ",
  "version" : {
    "number" : "7.10.0",
    "build_flavor" : "default",
    "build_type" : "rpm",
    "build_hash" : "51e9d6f22758d0374a0f3f5c6e8f3a7997850f96",
    "build_date" : "2020-11-09T21:30:33.964949Z",
    "build_snapshot" : false,
    "lucene_version" : "8.7.0",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}
</code>

查看是否生成索引
ls -lh /var/lib/elasticsearch/nodes/0/indices/

http://10.1.100.12:9200/_cat/indices?v

===kibana===
参考:https://www.elastic.co/guide/en/kibana/current/install.html

rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
vi /etc/systemd/system/kibana.service
<code>
[Unit]
Description=Kibana

[Service]
Type=simple
User=kibana
Group=kibana
# Load env vars from /etc/default/ and /etc/sysconfig/ if they exist.
# Prefixing the path with '-' makes it try to load, but if the file doesn't
# exist, it continues onward.
EnvironmentFile=-/etc/default/kibana
EnvironmentFile=-/etc/sysconfig/kibana
ExecStart=/usr/share/kibana/bin/kibana
Restart=on-failure
RestartSec=3
StartLimitBurst=3
StartLimitInterval=60
WorkingDirectory=/

[Install]
WantedBy=multi-user.target
</code>

yum install kibana

systemctl restart kibana
systemctl status kibana


kibana - management - stack management
kibana - Index Patterns - create index pattern 

http://10.1.100.12:9200/_cat/indices?v
退出移动版