ELK 安裝

2022-07-03

ELK 官網

https://www.elastic.co/

ELK 要安裝 java

客戶要 Ubuntu 18.04 LTS 版

我裝

OpenJDK 11.0.15+10-Ubuntu-0ubuntu0.18.04.1

https://ubuntu.pkgs.org/18.04/ubuntu-updates-main-amd64/openjdk-11-jre_11.0.15+10-0ubuntu0.18.04.1_amd64.deb.html

http://archive.ubuntu.com/ubuntu/pool/main/o/openjdk-lts/openjdk-11-jre_11.0.15+10-0ubuntu0.18.04.1_amd64.deb
dpag -i openjdk-11-jre_11.0.15+10-0ubuntu0.18.04.1_amd64.deb

FIlebeats 安裝

https://www.elastic.co/downloads/beats/filebeat
https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html

可選版本如 filebeat-7-8-0

https://www.elastic.co/downloads/past-releases/filebeat-7-8-0

Logstash 安裝

https://www.elastic.co/downloads/logstash
https://www.elastic.co/guide/en/logstash/current/docker.html

可選版本如 logstash-7-8-0

https://www.elastic.co/downloads/past-releases/logstash-7-8-0

Elasticsearch 安裝

https://www.elastic.co/downloads/elasticsearch
https://www.elastic.co/guide/en/elasticsearch/reference/current/docker.html

可選版本如 elasticsearch-7-6-0

https://www.elastic.co/downloads/past-releases/elasticsearch-7-6-0

Kibana 安裝

https://www.elastic.co/downloads/kibana
https://www.elastic.co/guide/en/kibana/current/docker.html

可選版本如 kibana-7-6-0

https://www.elastic.co/downloads/past-releases/kibana-7-6-0

我客戶是 Ubuntu 18.04 那就下載 deb 裝一裝

基本設定部分

/etc/filebeat/filebeat.yml

#複製貼上下面內容 (localhost改成自己的IP)

name: localhost
output:
  logstash:
    enabled: true
    hosts:
      - localhost:5044
    index: "localhost"
filebeat.inputs:
    - type: log
      paths:
        - /usr/local/nginx/logs/access.log
      tags: ["access"]
#開啟debug模式
logging.level: debug
logging.selectors: [publish]
logging.to_files: true
logging.files:
    path: /var/log/filebeat
    name: filebeat-localhost

/etc/logstash/logstash.yml

#複製貼上下面內容 (localhost改成自己的IP)

input {
  beats {
    port => 5044
  }
}
filter {
    if "access" in [tags]{ #可以根據自訂Tag產生不同檔案
        json {
            source => "message"
        }
        mutate {
            add_field => { "[@metadata][tags]" => "nginx-access-logs"}
        }
    }
}
output {
  elasticsearch {
    hosts => "localhost:9200"
    manage_template => false
    index => "%{[@metadata][beat]}-%{[@metadata][tags]}-%{+YYYY.MM.dd}"
  }
}

/etc/elasticsearch/elasticsearch.yml

#複製貼上下面內容 (localhost改成自己的IP)

node.name: node-1
network.host: localhost
cluster.initial_master_nodes: ["node-1"]

/etc/kibana/kibana.yml

#複製貼上下面內容 (172.16.0.1改成自己的IP) (帳密請自行更換)
server.port: 5601
server.host: "0.0.0.0"
elasticsearch.username: "kibana"
elasticsearch.password: "123456"
elasticsearch.hosts: ["http://172.16.0.1:9200"]
i18n.locale: "zh-CN"

客戶要裝 APM

https://www.elastic.co/downloads/apm
https://www.docker.elastic.co/r/apm

可選版本

https://www.elastic.co/downloads/past-releases/apm-server-7-6-0
docker pull docker.elastic.co/apm/apm-server:7.6.0

啟動與檢查就用標準方式

systemctl start filebeat
systemctl status filebeat
systemctl start logstash
systemctl status logstash
systemctl start elasticsearch
systemctl status elasticsearch
systemctl start kibana
systemctl status kibana