CentOS 7.x install ELK
The first time I heard about ELK was when Sina's @ARGV introduced how ELK was used internally and in which scenarios. I was very impressed at the time: collecting and displaying logs becomes so convenient, and with such a tool in place, deleting the logs after doing something bad no longer does any good.
Many companies claim to care a lot about security, yet they have never read or followed the logs on their own servers, which is a bit ironic. Manage the logs first, and then we can discuss security in depth.
Mirantis's Fuel has introduced ELK as an OpenStack monitoring tool, so we also need to focus on learning ELK.
I recently watched a video by a foreigner on how to install ELK on CentOS 7, which I quite liked.
The video address is http://yunpan.cn/cd5febr4difdn?019a. I basically followed the video content completely.
I verified it myself, and this was also my first time getting familiar with CentOS 7. This document still has problems and is being improved. The latest software versions are used. Kibana will probably require a lot of configuration effort to get a good presentation.
Contents
- 1 Basic Introduction
- 2 Installation Process
- 2.1 Preparation
- 2.2 Install Java
- 2.3 Elasticsearch
- 2.4 Kibana
- 2.5 Logstash
- 2.6 Logstash Forwarder
- 3 Add Nodes
- 4 References
Basic Introduction
The latest version of Elasticsearch is 1.7.1.
The latest version of Logstash is 1.5.3.
The latest version of Kibana is 4.1.1.
The latest version of Logstash Forwarder is 0.4.0.
Installation Process
Create a CentOS 7.1 virtual machine and assign it a public IP address for testing.
Preparation
View the operating system version
# cat /etc/redhat-release
CentOS Linux release 7.1.1503 (Core)
View the SELinux status
# sestatus
SELinux status: disabled
FQDN
There are two methods to set FQDN: http://www.opsers.org/base/linux-fqdn-set.html.
Remember: the FQDN is required when creating the SSL certificate.
# cat /etc/hostname
#i-2053f7hj
elk
# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
# hostname loopback address
127.0.1.1 i-2053f7hj
10.70.26.187 elk.chenshake.com elk
Then run
hostname -F /etc/hostname
Now you can view your own FQDN
# hostname -f
elk.chenshake.com
# hostname
elk
Install Firewall
CentOS 7 has a major change: firewalld replaces iptables. Everyone is used to iptables, so the default qingcloud image ships with iptables and firewalld is not installed.
yum install firewalld firewall-config
systemctl start firewalld.service
systemctl enable firewalld.service
systemctl status firewalld
Check whether it takes effect
firewall-cmd --state
Install Java
yum install java-1.7.0-openjdk
Elasticsearch
wget https://download.elastic.co/elasticsearch/elasticsearch/elasticsearch-1.7.1.noarch.rpm
Install
yum localinstall elasticsearch-1.7.1.noarch.rpm
Start the related services
Follow the prompts.
systemctl daemon-reload
systemctl enable elasticsearch.service
systemctl start elasticsearch
systemctl status elasticsearch
View the Elasticsearch configuration file
# rpm -qc elasticsearch
/etc/elasticsearch/elasticsearch.yml
/etc/elasticsearch/logging.yml
/etc/init.d/elasticsearch
/etc/sysconfig/elasticsearch
/usr/lib/sysctl.d/elasticsearch.conf
/usr/lib/systemd/system/elasticsearch.service
/usr/lib/tmpfiles.d/elasticsearch.conf
View port usage
# netstat -nltp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      606/sshd
tcp6       0      0 :::9200                 :::*                    LISTEN      3051/java
tcp6       0      0 :::9300                 :::*                    LISTEN      3051/java
tcp6       0      0 :::22                   :::*                    LISTEN      606/sshd
Ports 9200 and 9300 are in use, so open them in the firewall. Note that Elasticsearch 1.x has no built-in authentication, so on a VM with a public IP these ports should only be reachable from the hosts that need them (here Logstash and Kibana run on the same machine), not from the whole Internet.
firewall-cmd --permanent --add-port={9200/tcp,9300/tcp}
firewall-cmd --reload
View firewall ports
# firewall-cmd --list-all
public (default, active)
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports: 9200/tcp 9300/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
Kibana
Download the tar package
wget https://download.elastic.co/kibana/kibana/kibana-4.1.1-linux-x64.tar.gz
Extract
tar zxf kibana-4.1.1-linux-x64.tar.gz -C /usr/local/
cd /usr/local/
mv kibana-4.1.1-linux-x64 kibana
Create a startup file
Create a kibana.service unit file.
cat > /etc/systemd/system/kibana.service <<'EOF'
[Service]
ExecStart=/usr/local/kibana/bin/kibana
[Install]
WantedBy=multi-user.target
EOF
Start the Kibana service
systemctl enable kibana
systemctl start kibana
systemctl status kibana
View the ports
# netstat -nltp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:5601            0.0.0.0:*               LISTEN      3830/node
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      977/sshd
tcp6       0      0 :::9200                 :::*                    LISTEN      978/java
tcp6       0      0 :::9300                 :::*                    LISTEN      978/java
tcp6       0      0 :::22                   :::*                    LISTEN      977/sshd
The procedure is the same as before: open port 5601.
firewall-cmd --permanent --add-port=5601/tcp
firewall-cmd --reload
firewall-cmd --list-all
Now you can access Kibana at http://ip:5601. On qingcloud, you also need to open port 5601 in the cloud firewall. Kibana 4 has no authentication of its own either, so do not leave 5601 open to the whole Internet.
Firewalld is quite powerful; you can also set up port forwarding, for example forwarding port 80 to 5601:
firewall-cmd --permanent --add-forward-port=port=80:proto=tcp:toport=5601
firewall-cmd --reload
firewall-cmd --list-all
Logstash
Download the rpm package
wget https://download.elastic.co/logstash/logstash/packages/centos/logstash-1.5.3-1.noarch.rpm
Install
yum localinstall logstash-1.5.3-1.noarch.rpm
Set up SSL
This is the most error-prone step. You can create the SSL certificate with either an FQDN or an IP address; I could not get it to work with an IP address. The FQDN used here is elk.chenshake.com, and the certificate's CN must match the server name the forwarder later connects to.
cd /etc/pki/tls
openssl req -subj '/CN=elk.chenshake.com/' -x509 -days 3650 -batch -nodes -newkey rsa:2048 -keyout private/logstash-forwarder.key -out certs/logstash-forwarder.crt
Create the file 01-logstash-initial.conf
cat > /etc/logstash/conf.d/01-logstash-initial.conf << 'EOF'
input {
  lumberjack {
    port => 5000
    type => "logs"
    ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
    ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
  }
}
filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    syslog_pri { }
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}
output {
  elasticsearch { host => localhost }
  stdout { codec => rubydebug }
}
EOF
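As an added illustration (not code from the original post or from the Logstash project), the following Python mirrors what the grok and date filters above pull out of /var/log/secure lines and then picks out the sshd logon events that the Kibana check later in the post looks for. The regexes are my approximations of the grok patterns, and the log lines are constructed samples.

```python
import re
from datetime import datetime

# Python equivalents of the grok patterns used by the filter:
# %{SYSLOGTIMESTAMP} %{SYSLOGHOST} %{DATA}(?:\[%{POSINT}\])?: %{GREEDYDATA}
MONTH = r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)"
SYSLOG_LINE = re.compile(
    r"^(?P<syslog_timestamp>" + MONTH + r" +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<syslog_hostname>[\w.-]+) "
    r"(?P<syslog_program>.*?)(?:\[(?P<syslog_pid>[1-9]\d*)\])?: "
    r"(?P<syslog_message>.*)$"
)
# sshd authentication lines as they appear in /var/log/secure
SSH_AUTH = re.compile(
    r"^(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src_ip>\S+) port (?P<port>\d+)"
)

# Constructed sample lines (not real data) in the /var/log/secure and /var/log/messages format
SAMPLE_SECURE_LOG = """\
Aug  5 10:12:01 elk sshd[2201]: Accepted publickey for root from 10.70.26.10 port 51234 ssh2: RSA SHA256:placeholder
Aug  5 10:12:01 elk sshd[2201]: pam_unix(sshd:session): session opened for user root by (uid=0)
Aug  5 10:13:44 elk sshd[2240]: Failed password for invalid user admin from 203.0.113.7 port 41022 ssh2
Aug 12 00:00:07 elk systemd: Started Session 12 of user root.
not a syslog line at all""".splitlines()

def parse_syslog(line, received_from="elk", year=None):
    """Mirror the grok + date filters: return the fields Logstash would add, or None if no match."""
    m = SYSLOG_LINE.match(line)
    if m is None:
        return None  # Logstash would tag the event _grokparsefailure instead
    event = {k: v for k, v in m.groupdict().items() if v is not None}
    event["received_from"] = received_from  # add_field received_from => %{host}
    # date filter: "MMM  d HH:mm:ss" / "MMM dd HH:mm:ss" carry no year, so one is supplied
    ts = datetime.strptime(event["syslog_timestamp"], "%b %d %H:%M:%S")
    event["@timestamp"] = ts.replace(year=year or datetime.now().year)
    return event

def ssh_logon_events(lines, **kw):
    """The sshd logon/failure events a Kibana search for syslog_program:sshd would show."""
    events = []
    for line in lines:
        ev = parse_syslog(line, **kw)
        if ev and ev["syslog_program"] == "sshd":
            auth = SSH_AUTH.match(ev["syslog_message"])
            if auth:
                events.append({**ev, **auth.groupdict()})
    return events
```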
Start the Logstash service
systemctl start logstash
systemctl status logstash
Check the ports. It takes about 2 minutes before port 5000 shows up.
# netstat -nltp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:5601            0.0.0.0:*               LISTEN      3830/node
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      977/sshd
tcp6       0      0 :::5000                 :::*                    LISTEN      20017/java
tcp6       0      0 :::9200                 :::*                    LISTEN      978/java
tcp6       0      0 :::9300                 :::*                    LISTEN      978/java
tcp6       0      0 :::9301                 :::*                    LISTEN      20017/java
tcp6       0      0 :::22                   :::*                    LISTEN      977/sshd
Logstash listens on port 5000, so open it in the firewall
firewall-cmd --permanent --add-port=5000/tcp
firewall-cmd --reload
firewall-cmd --list-all
If the service fails to start, check the Logstash logs in /var/log/logstash.
Logstash Forwarder
The ELK machine itself is also used as a client, collecting its own logs.
wget https://download.elastic.co/logstash-forwarder/binaries/logstash-forwarder-0.4.0-1.x86_64.rpm
Log in to the client via ssh and install Logstash Forwarder
yum localinstall logstash-forwarder-0.4.0-1.x86_64.rpm
View the location of the logstash-forwarder configuration file
# rpm -qc logstash-forwarder
/etc/logstash-forwarder.conf
Back up the configuration file
cp /etc/logstash-forwarder.conf /etc/logstash-forwarder.conf.save
Edit /etc/logstash-forwarder.conf; the servers entry must be adjusted to your environment.
cat > /etc/logstash-forwarder.conf << 'EOF'
{
  "network": {
    "servers": [ "elk.chenshake.com:5000" ],
    "ssl ca": "/etc/pki/tls/certs/logstash-forwarder.crt",
    "timeout": 15
  },
  "files": [
    {
      "paths": [ "/var/log/messages", "/var/log/secure" ],
      "fields": { "type": "syslog" }
    }
  ]
}
EOF
Start the service
systemctl enable logstash-forwarder
systemctl start logstash-forwarder
systemctl status logstash-forwarder
Check the log and confirm that the service is running normally.
Kibana settings
Open the IP address in a browser to display the Kibana page.
Select Create, then click Discover.
You can try logging out via ssh and logging in again, then look for your ssh logon events in the log.
Add Nodes
To add a client, install and configure Logstash Forwarder in the same way. The only extra step is to copy /etc/pki/tls/certs/logstash-forwarder.crt from the server to the same directory on the target node.
References
https://www.digitalocean.com/community/tutorials/how-to-use-logstash-and-kibana-to-centralize-logs-on-centos-7
https://media-glass.es/2015/04/19/installing-an-elk-stack-on-centos-7/
https://gist.github.com/ashrithr/c5c03950ef631ac63c43