配置kibana和logstash、filebeat 日志统一收集

参考官方文档 https://www.elastic.co/guide/en/kibana/current/rpm.html 进行安装

1，导入key

rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch

2，配置源

[kibana-6.x]
name=Kibana repository for 6.x packages
baseurl=https://artifacts.elastic.co/packages/6.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md

3，安装、启动

yum install kibana
systemctl daemon-reload
systemctl enable kibana.service
systemctl start kibana.service
systemctl stop kibana.service

4，默认是localhost，修改为IP

vi /etc/kibana/kibana.yml
#server.host: "localhost"
server.host : "0.0.0.0"

5，安装logstash

rpm -ivh https://artifacts.elastic.co/downloads/logstash/logstash-6.2.4.rpm

6，修改配置

[root@node0 ~]# vim /etc/logstash/conf.d/test.conf
syslog {
type => "system-syslog"  # 定义类型
port => 10080    # 定义监听端口
}
}
output {  # 定义日志输出
stdout {
codec => rubydebug  # 将日志输出到当前的终端上显示
}
}

测试配置是否正确

[root@node0 ~]#  /usr/share/logstash/bin/logstash --path.settings /etc/logstash/ -f /etc/logstash/conf.d/maillog.conf --config.test_and_exit
Sending Logstash's logs to /var/log/logstash which is now configured via log4j2.properties
Configuration OK

命令说明：

--path.settings 主配置文件目录
-f 要检测的配置文件路径
--config.test_and_exit 检测后退出

logstash配置相对比较麻烦一些，也可以使用filebeat来收集，也可以filebeat收到，交给logstash过滤再给es

7，安装filebeat 收集日志

rpm -ivh https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-6.2.4-x86_64.rp

安装成功后修改filebeat配置文件

vim /etc/filebeat/filebeat.yml

这主要收集maillog

- type: log

# Change to true to enable this prospector configuration.
# 下面这行要注释掉
## enabled: false

# Paths that should be crawled and fetched. Glob based paths.
paths:
# 这修改为要收集的日志文件
- /var/log/maillog
#- c:\programdata\elasticsearch\logs\*

#-------------------------- Elasticsearch output ------------------------------
output.elasticsearch:
# Array of hosts to connect to.
# 改成 elasticsearch地址
hosts: ["192.168.11.11:9200"]

正常的话现在访问kibana就可以看到采集到的日志了。

http://192.168.11.11:9200/_cat/indices?v