# Installing Elasticsearch, Logstash and Kibana (ELK Stack) on Ubuntu 20.04

## Install Java

Check whether Java is already installed on the system (if it is, install only the other packages; if not, install Java together with them):

>$ `java -version`

Install the other packages:

>$ `sudo apt install -y wget apt-transport-https curl`

>$ `sudo apt update`

End of the output:

```
Fetched 3,858 kB in 1s (5,945 kB/s)
Reading package lists... Done
Building dependency tree
Reading state information... Done
All packages are up to date.
```

Install Java together with the other packages:

>$ `sudo apt install -y openjdk-11-jdk wget apt-transport-https curl`

End of the output:

```
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
done.
```

Check the Java version:

>$ `java -version`

Output:

```
openjdk version "11.0.10" 2021-01-19
OpenJDK Runtime Environment (build 11.0.10+9-Ubuntu-0ubuntu1.20.04)
OpenJDK 64-Bit Server VM (build 11.0.10+9-Ubuntu-0ubuntu1.20.04, mixed mode, sharing)
```

## Add the ELK repository

The ELK stack packages are available from the official Elastic repository.

>$ `wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -`

Output:

```
OK
```

Note that `apt-key add` makes the key trusted for every repository on the system; storing it in its own keyring file and referencing it with a `signed-by=` option in the sources entry limits it to this repository.

>$ `echo "deb https://artifacts.elastic.co/packages/oss-7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list`

Output:

```
deb https://artifacts.elastic.co/packages/oss-7.x/apt stable main
```

---

## Install and configure Elasticsearch

Elasticsearch is an open-source search engine: a real-time, distributed, multi-tenant full-text search engine with an HTTP web interface and schema-free JSON documents.

Install the latest version of Elasticsearch with apt.

>$ `sudo apt update`

End of the output:

```
Fetched 61.4 kB in 2s (33.5 kB/s)
Reading package lists... Done
Building dependency tree
Reading state information... Done
All packages are up to date.
```

>$ `sudo apt install -y elasticsearch-oss`

Output:

```
Reading package lists... Done
Building dependency tree
Reading state information... Done
elasticsearch-oss is already the newest version (7.10.2).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
```

Start and enable the Elasticsearch service.

>$ `sudo systemctl start elasticsearch`

>$ `sudo systemctl enable elasticsearch`

Output:

```
Synchronizing state of elasticsearch.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable elasticsearch
Created symlink /etc/systemd/system/multi-user.target.wants/elasticsearch.service → /lib/systemd/system/elasticsearch.service.
```

Wait a minute or two, then run the following command to check the status of Elasticsearch.

>$ `curl -X GET http://localhost:9200`

Output:

```
{
  "name" : "ub20042s",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "j1W7chkhTZ-HJGZjj1HADA",
  "version" : {
    "number" : "7.10.2",
    "build_flavor" : "oss",
    "build_type" : "deb",
    "build_hash" : "747e1cc71def077253878a59143c1f785afa92b9",
    "build_date" : "2021-01-13T00:42:12.435326Z",
    "build_snapshot" : false,
    "lucene_version" : "8.7.0",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}
```

The output above confirms that Elasticsearch is running.

---

## Install and configure Logstash

Logstash is open-source log analysis software that collects logs, parses them and stores them in Elasticsearch for later use. With the available plugins it can handle different kinds of events without extra work.

>$ `sudo apt install -y logstash-oss`

End of the output:

```
Successfully created system startup script for Logstash
```

A Logstash configuration consists of three plugin sections: input, filter and output. You can put all three sections in a single file or in separate files, each ending in `.conf`. Here a single file holds all three.

Create a configuration file under /etc/logstash/conf.d/.

>$ `sudo nano /etc/logstash/conf.d/logstash.conf`

```conf
# Input plugin: Logstash listens on port 5044 for logs coming in from the agents (Beats)
# running on the client machines.
input {
  beats {
    port => 5044
  }
}

# Filter plugin: parse syslog messages with Grok before they are sent to Elasticsearch
# for storage.
filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGLINE}" }
    }
    date {
      match => [ "timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}

# Output plugin: define where the logs are stored, which is the Elasticsearch instance.
output {
  elasticsearch {
    hosts => ["localhost:9200"]
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
  }
}
```

Now start and enable the Logstash service.

>$ `sudo systemctl start logstash`

>$ `sudo systemctl enable logstash`

Output:

```
Created symlink /etc/systemd/system/multi-user.target.wants/logstash.service → /etc/systemd/system/logstash.service.
```

Logstash log:

>$ `sudo cat /var/log/logstash/logstash-plain.log`

Last five lines of the output:

```
[2021-03-04T10:31:57,231][INFO ][logstash.inputs.beats ][main] Starting input listener {:address=>"0.0.0.0:5044"}
[2021-03-04T10:31:57,261][INFO ][logstash.javapipeline ][main] Pipeline started {"pipeline.id"=>"main"}
[2021-03-04T10:31:57,302][INFO ][logstash.agent ] Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
[2021-03-04T10:31:57,381][INFO ][org.logstash.beats.Server][main][a59bc5e47a97c72a3abf5098fbd1b343c12942704b3a66ac12c1303934a2ae73] Starting server on port: 5044
[2021-03-04T10:31:57,523][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600}
```

---

## Install and configure Kibana

Kibana provides visualization of the data stored in an Elasticsearch instance. Install Kibana with apt.

>$ `sudo apt install -y kibana-oss`

End of the output:

```
Selecting previously unselected package kibana-oss.
(Reading database ... 253771 files and directories currently installed.)
Preparing to unpack .../kibana-oss_7.10.2_amd64.deb ...
Unpacking kibana-oss (7.10.2) ...
Setting up kibana-oss (7.10.2) ...
Processing triggers for systemd (245.4-4ubuntu3.4) ...
```

By default Kibana listens on localhost, which means the Kibana web interface cannot be reached from another machine. To access Kibana from an external machine, set server.host in /etc/kibana/kibana.yml to the system's IP address.

>$ `sudo nano /etc/kibana/kibana.yml`

Make the following change:

> `server.host: "192.168.1.149"`

The OSS packages ship without authentication, so once Kibana is bound to a non-loopback address anyone who can reach port 5601 can use the dashboards and query the data behind them; restrict access with a firewall rule or an authenticating reverse proxy.

Likewise, in some setups Elasticsearch and Kibana run on different machines. In that case, update the following line with the IP address of the Elasticsearch server.

> `elasticsearch.hosts: ["http://localhost:9200"]`

Start Kibana and enable it at boot.

>$ `sudo systemctl start kibana`

>$ `sudo systemctl enable kibana`

Output:

```
Synchronizing state of kibana.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable kibana
Created symlink /etc/systemd/system/multi-user.target.wants/kibana.service → /etc/systemd/system/kibana.service.
```

---

## Install Filebeat

Filebeat is a client that runs on the client machines and ships logs to the Logstash server for parsing (as in this example) or directly to Elasticsearch for storage.

The configuration file will refer to the Logstash server by hostname, so add a DNS record or a hosts entry for the Logstash server on the client machine.

>$ `sudo nano /etc/hosts`

> `192.168.1.149 server.itzgeek.local`

Install HTTPS support for apt.

>$ `sudo apt update`

Output:

```
Reading package lists... Done
Building dependency tree
Reading state information... Done
All packages are up to date.
```

>$ `sudo apt install -y apt-transport-https`

Output:

```
Selecting previously unselected package apt-transport-https.
(Reading database ... 197426 files and directories currently installed.)
Preparing to unpack .../apt-transport-https_2.0.4_all.deb ...
Unpacking apt-transport-https (2.0.4) ...
Setting up apt-transport-https (2.0.4) ...
```

Set up the Elastic repository on the system for the Filebeat installation.

>$ `wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -`

Output:

```
OK
```

>$ `echo "deb https://artifacts.elastic.co/packages/oss-7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list`

Output:

```
deb https://artifacts.elastic.co/packages/oss-7.x/apt stable main
```

Install Filebeat with the following commands.

>$ `sudo apt update`

>$ `sudo apt install -y filebeat`

Output:

```
Selecting previously unselected package filebeat.
(Reading database ... 287680 files and directories currently installed.)
Preparing to unpack .../filebeat_7.11.1_amd64.deb ...
Unpacking filebeat (7.11.1) ...
Setting up filebeat (7.11.1) ...
Processing triggers for systemd (245.4-4ubuntu3.4) ...
```

Edit the Filebeat configuration file /etc/filebeat/filebeat.yml so that logs are sent to the Logstash server.

>$ `sudo nano /etc/filebeat/filebeat.yml`

The following configuration in the inputs section sends the system log (/var/log/syslog) to the Logstash server. For this demonstration I have commented out /var/log/*.log so that not every log is sent to the Logstash server.

```yaml
...
# ============================== Filebeat inputs ===============================

filebeat.inputs:

# Each - is an input. Most options can be set at the input level, so
# you can use different inputs for various configurations.
# Below are the input specific configurations.

- type: log

  # Change to true to enable this input configuration.
  # enabled: false
  enabled: true

  # Paths that should be crawled and fetched. Glob based paths.
  paths:
    # - /var/log/*.log
    - /var/log/syslog
    #- c:\programdata\elasticsearch\logs\*
...
```

Since the logs go to Logstash for parsing, comment out the `output.elasticsearch:` section in the output part and uncomment the `output.logstash:` section.

```yaml
...
# ------------------------------ Logstash Output -------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["server.itzgeek.local:5044"]
...
```

Start the Filebeat service.

>$ `sudo systemctl start filebeat`

The syslog that Filebeat is now shipping:

>$ `sudo cat /var/log/syslog`

Last five lines of the output:

```
Mar 4 10:44:29 ub20042s PackageKit: daemon quit
Mar 4 10:49:51 ub20042s PackageKit: daemon start
Mar 4 10:54:56 ub20042s PackageKit: daemon quit
Mar 4 10:59:04 ub20042s PackageKit: daemon start
Mar 4 11:04:45 ub20042s PackageKit: daemon quit
```

## Access the ELK dashboard

Open the Kibana web interface by going to the following URL.

> `http://your-ip-address:5601/`

OR

> `http://your-server-name:5601`

You will see the Kibana home page.

![](https://i.imgur.com/ogYcbOI.png)
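To make concrete what the logstash.conf pipeline from the Logstash section does to one line of /var/log/syslog, here is an added Python walk-through (example code written for this page, not Logstash's or Filebeat's own). It mimics the filter's `if [type] == "syslog"` condition, a regex equivalent to grok's `SYSLOGLINE` pattern, the date filter's two patterns and the output's `%{[@metadata][beat]}-%{+YYYY.MM.dd}` index name. The sample events and lines are constructed, and the year (syslog timestamps carry none) and the UTC time zone are assumptions. One caveat the walk-through makes visible: a Filebeat 7 log input sets no top-level `type` field, so with the configuration exactly as shown the condition is false, grok never runs, and the events are indexed unparsed under the day Filebeat read them; adding `fields: {type: syslog}` together with `fields_under_root: true` to the Filebeat input (modelled here by `with_type=True`) makes the condition match.

```python
"""Offline walk-through of the logstash.conf pipeline (example code added to this page,
not Logstash's or Filebeat's own): a constructed Filebeat 7 event passes through the
filter's `if [type] == "syslog"` condition, a SYSLOGLINE-equivalent regex, the date
filter and the output's index-name sprintf."""
import re
from datetime import datetime, timezone

# Equivalent of grok's SYSLOGLINE: SYSLOGTIMESTAMP, SYSLOGHOST, an optional PROG[pid]
# prefix, then the message. Like grok's pattern it allows several spaces before a
# single-digit day ("Mar  4"), which is how rsyslog writes it.
SYSLOGLINE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<logsource>[\w.:-]+)"
    r"(?: (?P<program>[^\[\]\s:]+)(?:\[(?P<pid>\d+)\])?:)? "
    r"(?P<message>.*)$"
)

# The date filter's "MMM d HH:mm:ss" and "MMM dd HH:mm:ss" both become this in strptime,
# since %d accepts one or two digits.
DATE_PATTERN = "%b %d %H:%M:%S"


def grok_syslogline(message):
    """Return the captured fields, or None where grok would tag the event
    _grokparsefailure and leave it unparsed."""
    match = SYSLOGLINE.match(message)
    if match is None:
        return None
    return {k: v for k, v in match.groupdict().items() if v is not None}


def parse_syslog_timestamp(timestamp, year, tz=timezone.utc):
    """Mirror the date filter. Syslog timestamps carry no year, so Logstash assumes the
    current one (`year` here, an assumption of this example). Logstash reads the time in
    the host's local zone unless `timezone` is set; UTC is assumed here. Returns an
    aware UTC datetime, which is what @timestamp holds."""
    normalized = " ".join(timestamp.split())  # "Mar  4 10:44:29" -> "Mar 4 10:44:29"
    naive = datetime.strptime(f"{year} {normalized}", f"%Y {DATE_PATTERN}")
    return naive.replace(tzinfo=tz).astimezone(timezone.utc)


def run_pipeline(event, year=2021):
    """Apply the filter section to one event and compute the output index name.
    Returns (event, index)."""
    event = dict(event)
    if event.get("type") == "syslog":
        fields = grok_syslogline(event["message"])
        if fields is None:
            event.setdefault("tags", []).append("_grokparsefailure")
        else:
            # Without `overwrite => ["message"]` grok would append and make `message` a
            # two-element array; this keeps the parsed text, as the overwrite option would.
            event.update(fields)
            event["@timestamp"] = parse_syslog_timestamp(fields["timestamp"], year)
    # index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}" takes the date from @timestamp (UTC)
    index = f"{event['@metadata']['beat']}-{event['@timestamp']:%Y.%m.%d}"
    return event, index


def filebeat_event(line, read_at=None, with_type=False):
    """Constructed event shaped like a Filebeat 7 log-input document for one line of
    /var/log/syslog. Filebeat 7 sets no top-level `type`; with_type=True models adding
    `fields: {type: syslog}` plus `fields_under_root: true` to the input."""
    event = {
        # Filebeat stamps the event with the time it read the line, not the line's time.
        "@timestamp": read_at or datetime(2021, 3, 5, 2, 0, tzinfo=timezone.utc),
        "message": line,
        "input": {"type": "log"},
        "log": {"file": {"path": "/var/log/syslog"}},
        "host": {"name": "ub20042s"},
        "@metadata": {"beat": "filebeat", "version": "7.11.1"},
    }
    if with_type:
        event["type"] = "syslog"
    return event


if __name__ == "__main__":
    # Constructed lines in the format of the /var/log/syslog excerpt above.
    for line in (
        "Mar  4 10:44:29 ub20042s PackageKit: daemon quit",
        "Mar  4 10:49:51 ub20042s systemd[1]: Started Session 12 of user ubuntu.",
    ):
        untyped, idx = run_pipeline(filebeat_event(line))
        typed, idx_typed = run_pipeline(filebeat_event(line, with_type=True))
        print(f"no type : parsed={'timestamp' in untyped}  index={idx}")
        print(f"type set: program={typed.get('program')} pid={typed.get('pid')} "
              f"message={typed['message']!r} index={idx_typed}")
```

Running it shows the two outcomes side by side: the event without `type` keeps the raw line as `message` and lands in the index of the day Filebeat read it, while the typed event gets `logsource`, `program`, `pid` and a `@timestamp` taken from the line, so it lands in the index of the day the line was logged. The pipeline as configured also lacks `overwrite => ["message"]` on the grok filter, so in real Logstash the `message` field of a parsed event becomes an array holding both the raw line and the parsed text; add that option if you want the single value the example keeps.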