1、kibana數(shù)據(jù)可視化——日志分析

[root@foundation50 network-scripts]# cd /mnt/pub/docs/elk/7.6/ [root@foundation50 7.6]# scp kibana-7.6.1-x86_64.rpm server4: 將安裝包拷貝到server4上 [root@server4 ~]# rpm -ivh kibana-7.6.1-x86_64.rpm 安裝 [root@server4 ~]# cd /etc/kibana/ [root@server4 kibana]# vim kibana.yml 編輯配置文件

[root@server4 kibana]# systemctl start kibana.service 啟動 [root@server4 kibana]# netstat -antlupe | grep :5601 端口為5601 tcp 0 0 172.25.50.4:5601 0.0.0.0:* LISTEN 997 53471 4112/node

創(chuàng)建可視化



需要導(dǎo)入數(shù)據(jù)



然后再次創(chuàng)建可視化


可以將可視化保存

將可視化放到圖形展示






示例2：用垂直條形圖訪問不同主機(jī)的訪問量
創(chuàng)建可視化，選則垂直條形圖

[root@server1 ~]# yum install -y httpd-tools 安裝 [root@server2 ~]# yum install -y httpd-tools 安裝 [root@server3 ~]# yum install -y httpd-tools 安裝 [root@server1 ~]# ab -c1 -n 200 http://172.25.50.4/index.html server1壓測訪問200條 [root@server2 ~]# ab -c1 -n 300 http://172.25.50.4/index.html server2壓測訪問300條 [root@server3 ~]# ab -c1 -n 400 http://172.25.50.4/index.html server3壓測訪問400條

2、kibana監(jiān)控

發(fā)現(xiàn)不可用，提示需要啟用xpack安全驗(yàn)證

[root@server1 ~]# cd /usr/share/elasticsearch/ [root@server1 elasticsearch]# bin/elasticsearch-certutil ca 輸出文件 Please enter the desired output file [elastic-stack-ca.p12]: 回車 Enter password for elastic-stack-ca.p12 : 回車 [root@server1 elasticsearch]# bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 生成證書 Enter password for CA (elastic-stack-ca.p12) : 回車 Please enter the desired output file [elastic-certificates.p12]: 回車 Enter password for elastic-certificates.p12 : 回車 [root@server1 elasticsearch]# cp elastic-certificates.p12 /etc/elasticsearch/ 拷貝證書到elasticsearch目錄 [root@server1 elasticsearch]# chown elasticsearch elastic-certificates.p12 [root@server1 elasticsearch]# scp elastic-certificates.p12 server2:/etc/elasticsearch/ 將證書拷貝到server2 elastic-certificates.p12 100% 3451 4.5MB/s 00:00 [root@server2 elasticsearch]# chown elasticsearch elastic-certificates.p12 [root@server1 elasticsearch]# scp elastic-certificates.p12 server3:/etc/elasticsearch/ 將證書拷貝到server3 elastic-certificates.p12 100% 3451 4.5MB/s 00:00 [root@server3 elasticsearch]# chown elasticsearch elastic-certificates.p12 [root@server1 ~]# cd /etc/elasticsearch/ [root@server1 elasticsearch]# vim elasticsearch.yml 在文件最后添加如下參數(shù) ， server2和server3進(jìn)行同樣的操作 xpack.security.enabled: true 激活xpack認(rèn)證 xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/elastic-certificates.p12 xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/elastic-certificates.p12 [root@server1 elasticsearch]# systemctl restart elasticsearch.service 重啟 [root@server1 ~]# cd /usr/share/elasticsearch/bin/ 進(jìn)入bin目錄 [root@server1 bin]# ./elasticsearch-setup-passwords interactive 進(jìn)入交互式設(shè)置密碼 Please confirm that you would like to continue [y/N]y Enter password for [elastic]: 輸入密碼，每個(gè)密碼輸入兩次 Reenter password for [elastic]: elastic為kibana的管理員用戶，擁有所有權(quán)限 Enter password for [apm_system]: Reenter password for [apm_system]: Enter password for [kibana]: Reenter password for [kibana]: Enter password for [logstash_system]: Reenter password for [logstash_system]: Enter password for [beats_system]: Reenter password for [beats_system]: Enter password for [remote_monitoring_user]: Reenter password for [remote_monitoring_user]: [root@server4 ~]# cd /etc/kibana/ [root@server4 kibana]# vim kibana.yml 連接elaticsearch用戶和密碼設(shè)置

[root@server4 kibana]# systemctl restart kibana.service 重啟

訪問172.50.25.4:5601,需要用戶名和密碼

訪問172.25.50.4:9000


訪問172.25.50.4:9100,無法連接

解決方法如下：

[root@server1 ~]# cd /etc/elasticsearch/ [root@server1 elasticsearch]# vim elasticsearch.yml

[root@server1 elasticsearch]# systemctl restart elasticsearch.service 重啟

訪問：http://172.25.50.4:9100/?auth_user=elastic&auth_password=westos

logstash認(rèn)證連接

[root@server4 ~]# cd /etc/logstash/conf.d/ [root@server4 conf.d]# vim apache.conf 編輯

[root@server4 conf.d]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/apache.conf 運(yùn)行

[root@foundation50 network-scripts]# ab -c1 -n 100 http://172.25.50.4/index.html 壓測100

kibana監(jiān)控配置

在指定的es集群的節(jié)點(diǎn)上安裝metricbeat

[root@foundation50 network-scripts]# cd /mnt/pub/docs/elk/7.6/ [root@foundation50 7.6]# scp metricbeat-7.6.1-x86_64.rpm server1: [root@server1 ~]# rpm -ivh metricbeat-7.6.1-x86_64.rpm 安裝

在 Metricbeat 中啟用并配置 Elasticsearch x-pack 模塊

[root@server1 ~]# cd /etc/metricbeat/ [root@server1 metricbeat]# cd modules.d/ 模塊目錄 couchdb.yml.disabled php_fpm.yml.disabled docker.yml.disabled postgresql.yml.disabled dropwizard.yml.disabled prometheus.yml.disabled elasticsearch-xpack.yml.disabled rabbitmq.yml.disabled elasticsearch.yml.disabled redis.yml.disabled envoyproxy.yml.disabled sql.yml.disabled etcd.yml.disabled stan.yml.disabled golang.yml.disabled statsd.yml.disabled googlecloud.yml.disabled system.yml [root@server1 modules.d]# metricbeat modules enable elasticsearch-xpack 激活elasticsearch-xpack 模塊 Enabled elasticsearch-xpack [root@server1 modules.d]# vim elasticsearch-xpack.yml 編輯模塊文件

配置 Metricbeat 以發(fā)送至監(jiān)測集群
換句話說就是Metricbeat將監(jiān)控本機(jī)的數(shù)據(jù)發(fā)送到那去

[root@server1 ~]# cd /etc/metricbeat [root@server1 metricbeat]# vim metricbeat.yml 編輯metricbeat主配置文件

[root@server1 metricbeat]# systemctl enable --now metricbeat.service 啟動

查看es平臺，可以發(fā)現(xiàn)server1已經(jīng)配置好，server2、server3用同樣的方法配置

kibans節(jié)點(diǎn)日志采集插件——filebeat

官網(wǎng)
進(jìn)入官網(wǎng)選擇所需模塊，按照官網(wǎng)配置

[root@foundation50 isos]# cd /mnt/pub/docs/elk/7.6/ [root@foundation50 7.6]# scp filebeat-7.6.1-x86_64.rpm server1: 拷貝filebeat到server1 [root@server1 ~]# rpm -ivh filebeat-7.6.1-x86_64.rpm 安裝 [root@server1 ~]# cd /etc/filebeat/ [root@server1 filebeat]# cd modules.d/ 模塊 ，這里面有很多服務(wù)的日志模塊 activemq.yml.disabled ibmmq.yml.disabled netflow.yml.disabled apache.yml.disabled icinga.yml.disabled nginx.yml.disabled auditd.yml.disabled iis.yml.disabled osquery.yml.disabled aws.yml.disabled iptables.yml.disabled panw.yml.disabled azure.yml.disabled kafka.yml.disabled postgresql.yml.disabled cef.yml.disabled kibana.yml.disabled rabbitmq.yml.disabled cisco.yml.disabled logstash.yml.disabled redis.yml.disabled coredns.yml.disabled misp.yml.disabled santa.yml.disabled elasticsearch.yml.disabled mongodb.yml.disabled suricata.yml.disabled envoyproxy.yml.disabled mssql.yml.disabled system.yml.disabled googlecloud.yml.disabled mysql.yml.disabled traefik.yml.disabled haproxy.yml.disabled nats.yml.disabled zeek.yml.disabled現(xiàn)在我們監(jiān)控整個(gè)es集群的日志 [root@server1 modules.d]# filebeat modules enable elasticsearch 激活elasticsearch模塊 Enabled elasticsearch [root@server1 modules.d]# vim elasticsearch.yml 編輯

[root@server1 ~]# cd /etc/filebeat [root@server1 filebeat]# vim filebeat.yml

[root@server1 filebeat]# systemctl enable --now filebeat.service 啟動

ES集群檢索存入大量的數(shù)據(jù)會有問題，需要進(jìn)行索引生命周期配置管理

![在這里插入圖片描述](https://img-blog.csdnimg.cn/f2061ea95a104be5835f20a485f5a3a7.png#pic_center

總結(jié)

以上是生活随笔為你收集整理的ELK日志分析平台（三）— kibana数据可视化、kibana监控、采集日志插件filebeat的全部內(nèi)容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網(wǎng)站內(nèi)容還不錯(cuò)，歡迎將生活随笔推薦給好友。