How to Install Elasticsearch, Logstash, and Kibana (ELK Stack) on CentOS/RHEL 7


If you are, or have been, the person in charge of inspecting and analyzing system logs on Linux, you know what a nightmare that task can become when several services have to be monitored at the same time.

In the past that work was mostly done by hand, handling each type of log separately. Fortunately, the combination of Elasticsearch, Logstash, and Kibana on the server side, together with Filebeat on the client side, turns that once tedious task into something close to a walk in the park.

The first three components form what is called the ELK stack, whose main purpose is to collect logs from many servers at once (also known as centralized logging).

A Java-based web interface lets you inspect the logs quickly and at a glance, which makes comparison and troubleshooting easy. The client logs are shipped to the central server by Filebeat, which can be described as a log shipping agent.

Let's see how all of these pieces fit together. Our test environment will consist of the following machines:

Central Server: CentOS 7 (IP address: 192.168.0.29). 2 GB of RAM.
Client #1: CentOS 7 (IP address: 192.168.0.100). 1 GB of RAM.
Client #2: Debian 8 (IP address: 192.168.0.101). 1 GB of RAM.

Please note that the RAM values given here are not strict requirements, but recommended values for a successful ELK deployment on the central server. Less RAM on the clients will make little difference, if any at all.

Installing the ELK Stack on the Server

Let's begin by installing the ELK packages on the server, with a brief explanation of what each component does:

  1. Elasticsearch stores the logs sent by the clients.
  2. Logstash processes those logs.
  3. Kibana provides the web interface that will help us inspect and analyze the logs.

Install the following packages on the central server. First, we will install Java JDK version 8 (update 102, the latest one at the time of writing), which is a dependency of the ELK components.

You may want to check the Java download page first to see whether a newer update is available.

# yum update
# cd /opt
# wget --no-cookies --no-check-certificate --header "Cookie: gpw_e24=http%3A%2F%2Fwww.oracle.com%2F; oraclelicense=accept-securebackup-cookie" "http://download.oracle.com/otn-pub/java/jdk/8u102-b14/jre-8u102-linux-x64.rpm"
# rpm -Uvh jre-8u102-linux-x64.rpm

Time to check that the installation completed successfully:

# java -version

To install the latest versions of Elasticsearch, Logstash and Kibana, we will have to create the yum repositories manually, as follows:

1. Import the Elasticsearch public GPG key into the rpm package manager:

# rpm --import http://packages.elastic.co/GPG-KEY-elasticsearch

2. Insert the following lines into the repository configuration file elasticsearch.repo:

[elasticsearch]
name=Elasticsearch repository
baseurl=http://packages.elastic.co/elasticsearch/2.x/centos
gpgcheck=1
gpgkey=http://packages.elastic.co/GPG-KEY-elasticsearch
enabled=1

3. Install the Elasticsearch package.

# yum install elasticsearch

Once the installation completes, you will be prompted to start and enable elasticsearch:

4. Start and enable the service.

# systemctl daemon-reload
# systemctl enable elasticsearch
# systemctl start elasticsearch

5. Allow traffic through TCP port 9200 on your firewall:

# firewall-cmd --add-port=9200/tcp
# firewall-cmd --add-port=9200/tcp --permanent

6. Check that Elasticsearch responds to a simple request over HTTP:

# curl -X GET http://localhost:9200

The output of the above command should look similar to this:

Make sure you have completed the steps above, then move on to Logstash. Since both Logstash and Kibana share the Elasticsearch GPG key, there is no need to import it again before installing the packages.

7. Insert the following lines into the repository configuration file logstash.repo:

[logstash]
name=Logstash
baseurl=http://packages.elasticsearch.org/logstash/2.2/centos
gpgcheck=1
gpgkey=http://packages.elasticsearch.org/GPG-KEY-elasticsearch
enabled=1

8. Install the Logstash package:

# yum install logstash

9. Add an SSL certificate based on the IP address of the ELK server by inserting the following line under the [ v3_ca ] section of /etc/pki/tls/openssl.cnf:

[ v3_ca ]
subjectAltName = IP: 192.168.0.29

10. Generate a self-signed certificate valid for 365 days:

# cd /etc/pki/tls
# openssl req -config /etc/pki/tls/openssl.cnf -x509 -days 3650 -batch -nodes -newkey rsa:2048 -keyout private/logstash-forwarder.key -out certs/logstash-forwarder.crt

11. Configure the Logstash input, output and filter files:

Input: Create /etc/logstash/conf.d/input.conf and insert the following lines into it. This is what tells Logstash how to handle the beats coming in from the clients. Make sure the certificate and key paths match the paths used in the previous step:

input {
  beats {
	port => 5044
	ssl => true
	ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
	ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
  }
}

Output (/etc/logstash/conf.d/output.conf) file:

output {
  elasticsearch {
	hosts => ["localhost:9200"]
	sniffing => true
	manage_template => false
	index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
	document_type => "%{[@metadata][type]}"
  }
}

Filter (/etc/logstash/conf.d/filter.conf) file. We will process syslog messages for simplicity:

filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGLINE}" }
    }

    date {
      match => [ "timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}
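As an added example (not part of the original tutorial, nor code from the Elastic project), the following Python models what filter.conf and output.conf above do with a single syslog line: the %{SYSLOGLINE} grok pattern is approximated with a regex, the two date layouts are applied strictly, and the target index is derived the way the output block's index setting does it. The event layout, the sample lines and the fixed receive time are constructed for this example, and it needs only the standard library.

```python
import re
from datetime import datetime, timezone

# Regex equivalent of grok's %{SYSLOGLINE}: "<timestamp> <host> <program>[<pid>]: <message>"
SYSLOGLINE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<logsource>\S+) "
    r"(?P<program>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<message>.*)$"
)

# The two Joda layouts from filter.conf as strict regexes: syslog pads a single-digit
# day with a space ("Oct  5"), so "MMM dd" alone would not cover every line.
DATE_LAYOUTS = {
    "MMM  d HH:mm:ss": re.compile(r"^([A-Z][a-z]{2})  (\d) (\d{2}):(\d{2}):(\d{2})$"),
    "MMM dd HH:mm:ss": re.compile(r"^([A-Z][a-z]{2}) (\d{2}) (\d{2}):(\d{2}):(\d{2})$"),
}

def parse_timestamp(text, year):
    """UTC datetime, or None when no layout matches (Logstash then tags the event
    _dateparsefailure). Syslog has no year; Logstash assumes the current one."""
    for rx in DATE_LAYOUTS.values():
        m = rx.match(text)
        if m:
            return datetime(year, datetime.strptime(m[1], "%b").month, int(m[2]),
                            int(m[3]), int(m[4]), int(m[5]), tzinfo=timezone.utc)
    return None

def process_event(line, ingest_time, year, beat="filebeat", event_type="syslog"):
    """Model grok -> date -> elasticsearch output for one event. The index name
    "%{[@metadata][beat]}-%{+YYYY.MM.dd}" is built from @timestamp, so a line
    dated Oct 5 lands in filebeat-2016.10.05 even if it arrives on Oct 16."""
    event = {"type": event_type, "message": line, "@timestamp": ingest_time, "tags": []}
    if event_type == "syslog":  # same test as `if [type] == "syslog"` in filter.conf
        m = SYSLOGLINE.match(line)
        if not m:
            event["tags"].append("_grokparsefailure")
        else:
            event.update({k: v for k, v in m.groupdict().items() if v is not None})
            ts = parse_timestamp(m.group("timestamp"), year)
            if ts is None:
                event["tags"].append("_dateparsefailure")
            else:
                event["@timestamp"] = ts
    event["index"] = f"{beat}-{event['@timestamp']:%Y.%m.%d}"
    return event

# Constructed sample lines (shaped like /var/log/secure and /var/log/messages) and a
# fixed receive time, so that the results are reproducible.
INGEST_TIME = datetime(2016, 10, 16, 8, 0, 0, tzinfo=timezone.utc)
SAMPLE_LINES = [
    "Oct  5 09:14:02 client1 sshd[1182]: Accepted publickey for admin from 10.0.0.5 port 52110 ssh2",
    "Oct 15 22:03:41 client2 systemd[1]: Started Filebeat.",
]
```

The failure path is the one worth knowing: Logstash keeps an unparsable event but tags it _grokparsefailure or _dateparsefailure and files it under the day it was received, so searching filebeat-* for those tags is a quick way to confirm the grok and date patterns still fit what the clients ship.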

12. Check the Logstash configuration files for syntax errors.

# service logstash configtest

13. Start and enable logstash:

# systemctl daemon-reload
# systemctl start logstash
# systemctl enable logstash

14. Configure the firewall so that Logstash can receive the logs from the clients (TCP port 5044):

# firewall-cmd --add-port=5044/tcp
# firewall-cmd --add-port=5044/tcp --permanent

15. Insert the following lines into the repository configuration file kibana.repo:

[kibana]
name=Kibana repository
baseurl=http://packages.elastic.co/kibana/4.4/centos
gpgcheck=1
gpgkey=http://packages.elastic.co/GPG-KEY-elasticsearch
enabled=1

16. Install the Kibana package:

# yum install kibana

17. Start and enable Kibana.

# systemctl daemon-reload
# systemctl start kibana
# systemctl enable kibana

18. Make sure you can reach the Kibana web interface from another computer (allow traffic on TCP port 5601):

# firewall-cmd --add-port=5601/tcp
# firewall-cmd --add-port=5601/tcp --permanent

19. Launch Kibana (http://192.168.0.29:5601) to verify that you can access the web interface:

We will return here after we have installed and configured Filebeat on the clients.

Installing Filebeat on the Client Servers

We will show how to do this for Client #1 (repeat the same steps for Client #2 afterwards, changing paths where your distribution requires it).

1. Copy the SSL certificate from the server to the clients:

# scp /etc/pki/tls/certs/logstash-forwarder.crt <user>@192.168.0.100:/etc/pki/tls/certs/

2. Import the Elasticsearch public GPG key into the rpm package manager:

# rpm --import http://packages.elastic.co/GPG-KEY-elasticsearch

3. Create the repository for Filebeat (/etc/yum.repos.d/filebeat.repo) on CentOS-based distributions:

[filebeat]
name=Filebeat for ELK clients
baseurl=https://packages.elastic.co/beats/yum/el/$basearch
enabled=1
gpgkey=https://packages.elastic.co/GPG-KEY-elasticsearch
gpgcheck=1

4. Configure the source for installing Filebeat on Debian and its derivatives:

# aptitude install apt-transport-https
# echo "deb https://packages.elastic.co/beats/apt stable main" > /etc/apt/sources.list.d/filebeat.list
# aptitude update

5. Install the Filebeat package:

# yum install filebeat        [On CentOS and based Distros]
# aptitude install filebeat   [On Debian and its derivatives]

6. Start and enable Filebeat:

# systemctl start filebeat
# systemctl enable filebeat

A word of caution here. The Filebeat configuration is stored in a YAML file, which requires strict indentation. Keep that in mind as you edit /etc/filebeat/filebeat.yml as follows:

  1. Under paths, indicate which log files should be shipped to the ELK server.
  2. Under prospectors:

input_type: log
document_type: syslog

  3. Under output:
    1. Uncomment the line that begins with logstash.
    2. Indicate the IP address of your ELK server and the port where Logstash is listening, under hosts.
    3. Make sure the certificate path points to the actual file you created in Step I (Logstash section) above.

The above steps are illustrated in the following image:

Save the changes, and then restart Filebeat on the clients:

# systemctl restart filebeat

Once we have completed the steps above on the clients, feel free to proceed.

To verify that logs from the clients can be sent and received successfully, run the following command on the ELK server:

# curl -XGET 'http://localhost:9200/filebeat-*/_search?pretty'

The output should look similar to the following (notice how messages from /var/log/messages and /var/log/secure are being received from client1 and client2):

Otherwise, check the Filebeat configuration file for errors; running

# journalctl -xe

after attempting to restart Filebeat will point you to the offending line(s).

Now that we have confirmed that logs are being shipped from the clients and received successfully on the server, the first thing we have to do in Kibana is configure an index pattern and set it as the default.

You can think of an index as the equivalent of a full database in a relational database context. We will go with filebeat-* (or you can use a more precise search criterion, as explained in the official documentation).

Enter filebeat-* in the Index name or pattern field and click Create:

Please note that you will be able to enter a more fine-grained search criterion later. Next, click the star inside the green rectangle to make it the default index pattern:

Finally, in the Discover menu you will find several fields to add to the log visualization report. Just hover over them and click Add:

The results will be shown in the central area of the screen, as shown above. Feel free to play around (add and remove fields from the log report) to become familiar with Kibana.

By default, Kibana displays the records processed during the last 15 minutes (see the upper right corner), but you can change that behavior by selecting another time frame:

Summary

In this article we have explained how to set up an ELK stack to collect the system logs sent by two clients, a CentOS 7 and a Debian 8 machine.

Now you can refer to the official Elasticsearch documentation for more details on how to use this setup to inspect and analyze your logs efficiently.

If you have any questions, don't hesitate to ask. We look forward to hearing from you.