ELK Stack aka Elastic Stack
The ELK Stack
Logstash agents running on remote hosts collect logs and forward them to a central server for further processing using filters. Filters convert unstructured log data into a structured format, and the output is saved into Elasticsearch. Elasticsearch is a text indexer and search engine; searches are very fast because they run against the index. Elasticsearch indexes the data coming in from Logstash and makes it available for search through its query language. Kibana is the web interface for the Elastic Stack. It provides data visualization, search and dashboarding, supports add-on functionality via a plugin model, and supports search using the Apache Lucene query syntax.
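The filter stage described above is the part of the pipeline that turns a raw line into fields Elasticsearch can index and Kibana can query. The following is an added example, not code from the original post or from the Elastic project: it does in plain Python what a Logstash grok filter does for syslog lines, and formats the result as the newline-delimited body Elasticsearch's _bulk API accepts. The regex approximates the standard grok SYSLOGLINE pattern, the sample lines are constructed, and the year and index name are assumptions.

```python
"""Added example (not from the original post): a Logstash-style filter stage
in plain Python. Unstructured syslog lines become structured events, which are
then serialized for Elasticsearch's _bulk API.

Assumptions: the regex approximates grok's SYSLOGLINE pattern; the sample
lines are constructed, not real host logs; year and index name are made up."""
import json
import re
from datetime import datetime

# Constructed sample input: three RFC 3164 style syslog lines and one line
# that does not match, to show how parse failures are tagged rather than
# dropped (Logstash's grok filter adds a "_grokparsefailure" tag).
SAMPLE_LINES = [
    "Nov  3 09:14:22 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2",
    "Nov  3 09:14:30 web01 sshd[2211]: Accepted publickey for deploy from 198.51.100.7 port 40112 ssh2",
    "Nov  3 09:15:01 web01 CRON[2290]: (root) CMD (run-parts /etc/cron.hourly)",
    "this line is not syslog",
]

SYSLOG_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<program>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<message>.*)$"
)


def parse_line(line, year=2016):
    """Structure one log line the way a grok filter would.

    Syslog lines carry no year, so one is supplied (assumed) to build an ISO
    @timestamp. Lines that do not match are kept but tagged."""
    event = {"message": line.rstrip("\n"), "tags": []}
    m = SYSLOG_RE.match(event["message"])
    if not m:
        event["tags"].append("_grokparsefailure")
        return event
    fields = m.groupdict()
    ts = datetime.strptime(f"{year} {fields['timestamp']}", "%Y %b %d %H:%M:%S")
    event["@timestamp"] = ts.strftime("%Y-%m-%dT%H:%M:%S")
    event["host"] = fields["host"]
    event["program"] = fields["program"]
    if fields["pid"] is not None:
        event["pid"] = int(fields["pid"])
    event["syslog_message"] = fields["message"]
    # A small enrichment of the kind filters are used for: pull the source
    # address and outcome out of sshd authentication messages so Kibana can
    # chart failed logins per source without free-text searching.
    ip = re.search(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3})\b", fields["message"])
    if fields["program"] == "sshd" and ip:
        event["src_ip"] = ip.group(1)
        event["auth_result"] = "failure" if fields["message"].startswith("Failed") else "success"
    return event


def to_bulk_body(events, index="syslog-2016.11.03"):
    """Serialize events as the newline-delimited _bulk body: one action line
    followed by one document line per event, with a trailing newline.
    The _type field is what Elasticsearch 5.x expected in the action line."""
    out = []
    for ev in events:
        out.append(json.dumps({"index": {"_index": index, "_type": "syslog"}}))
        out.append(json.dumps(ev, sort_keys=True))
    return "\n".join(out) + "\n"


def run_sample():
    """Parse the constructed sample lines; used by the demo and the checks."""
    return [parse_line(line) for line in SAMPLE_LINES]


if __name__ == "__main__":
    print(to_bulk_body(run_sample()))
```

The unmatched fourth line is the case worth noticing: a filter that silently dropped it would hide exactly the kind of unexpected input an investigator wants to see, so it is kept with a tag that can be searched for in Kibana.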
Download / Install latest Oracle jdk rpm
Install jdk
# yum -y localinstall jdk-8u111-linux-x64.rpm
Sample output
Loaded plugins: aliases, changelog, downloadonly, kabi, presto, refresh-packagekit, security, tmprepo, verify, versionlock
Loading support for kernel ABI
Setting up Local Package Process
Examining jdk-8u111-linux-x64.rpm: 2000:jdk1.8.0_111-1.8.0_111-fcs.x86_64
Marking jdk-8u111-linux-x64.rpm to be installed
oel6_addons | 1.2 kB 00:00
oel6_addons/primary | 128 kB 00:00
oel6_addons 410/410
ol6_UEK_latest | 1.2 kB 00:00
ol6_UEK_latest/primary | 28 MB 00:09
ol6_UEK_latest 603/603
ol6_latest | 1.4 kB 00:00
ol6_latest/primary | 60 MB 00:20
ol6_latest 36584/36584
Resolving Dependencies
--> Running transaction check
---> Package jdk1.8.0_111.x86_64 2000:1.8.0_111-fcs will be installed
--> Finished Dependency Resolution
Dependencies Resolved
=============================================================================================================================================
Package Arch Version Repository Size
=============================================================================================================================================
Installing:
jdk1.8.0_111 x86_64 2000:1.8.0_111-fcs /jdk-8u111-linux-x64 258 M
Transaction Summary
=============================================================================================================================================
Install 1 Package(s)
Total size: 258 M
Installed size: 258 M
Downloading Packages:
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Warning: RPMDB altered outside of yum.
** Found 1 pre-existing rpmdb problem(s), 'yum check' output follows:
openssl098e-0.9.8e-18.0.1.el6_5.2.x86_64 is a duplicate with openssl098e-0.9.8e-17.0.1.el6_2.2.i686
Installing : 2000:jdk1.8.0_111-1.8.0_111-fcs.x86_64 1/1
Unpacking JAR files...
tools.jar...
plugin.jar...
javaws.jar...
deploy.jar...
rt.jar...
jsse.jar...
charsets.jar...
localedata.jar...
Verifying : 2000:jdk1.8.0_111-1.8.0_111-fcs.x86_64 1/1
Installed:
jdk1.8.0_111.x86_64 2000:1.8.0_111-fcs
Complete!
Check installation location:
By default the JDK is installed under /usr/java/jdk1.8.0_111.
We need this location later to update the Logstash startup configuration.
Install Elasticsearch
Download the latest version of Elasticsearch from https://www.elastic.co/downloads/elasticsearch
I have downloaded version 5.0.0 (elasticsearch-5.0.0.rpm)
# yum -y localinstall elasticsearch-5.0.0.rpm
Loaded plugins: aliases, changelog, downloadonly, kabi, presto, refresh-packagekit, security, tmprepo, verify, versionlock
Loading support for kernel ABI
Setting up Local Package Process
Examining elasticsearch-5.0.0.rpm: elasticsearch-5.0.0-1.noarch
Marking elasticsearch-5.0.0.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package elasticsearch.noarch 0:5.0.0-1 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
=============================================================================================================================================
Package Arch Version Repository Size
=============================================================================================================================================
Installing:
elasticsearch noarch 5.0.0-1 /elasticsearch-5.0.0 35 M
Transaction Summary
=============================================================================================================================================
Install 1 Package(s)
Total size: 35 M
Installed size: 35 M
Downloading Packages:
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : elasticsearch-5.0.0-1.noarch 1/1
Creating elasticsearch group... OK
Creating elasticsearch user... OK
### NOT starting on installation, please execute the following statements to configure elasticsearch service to start automatically using chkconfig
sudo chkconfig --add elasticsearch
### You can start elasticsearch service by executing
sudo service elasticsearch start
Verifying : elasticsearch-5.0.0-1.noarch 1/1
Installed:
elasticsearch.noarch 0:5.0.0-1
Complete!
Start Elasticsearch
Elasticsearch config file is at /etc/elasticsearch/elasticsearch.yml
cd /etc/init.d
[root@host init.d]# ./elasticsearch start
Starting elasticsearch: [ OK ]
[root@host init.d]# ./elasticsearch status
elasticsearch (pid 21985) is running...
Check status of Elasticsearch
Elasticsearch listens on port 9200 by default.
Connect to http://localhost:9200/
Sample output:
{
"name" : "arB5Gic",
"cluster_name" : "elasticsearch",
"cluster_uuid" : "zjTZpHcUTRqBFQj6ZpFR6g",
"version" : {
"number" : "5.0.0",
"build_hash" : "253032b",
"build_date" : "2016-10-26T04:37:51.531Z",
"build_snapshot" : false,
"lucene_version" : "6.2.0"
},
"tagline" : "You Know, for Search"
}
Install Kibana
# yum -y localinstall kibana-5.0.0-x86_64.rpm
Loaded plugins: aliases, changelog, downloadonly, kabi, presto, refresh-packagekit, security, tmprepo, verify, versionlock
Loading support for kernel ABI
Setting up Local Package Process
Examining kibana-5.0.0-x86_64.rpm: kibana-5.0.0-1.x86_64
Marking kibana-5.0.0-x86_64.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package kibana.x86_64 0:5.0.0-1 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
=============================================================================================================================================
Package Arch Version Repository Size
=============================================================================================================================================
Installing:
kibana x86_64 5.0.0-1 /kibana-5.0.0-x86_64 140 M
Transaction Summary
=============================================================================================================================================
Install 1 Package(s)
Total size: 140 M
Installed size: 140 M
Downloading Packages:
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : kibana-5.0.0-1.x86_64 1/1
Verifying : kibana-5.0.0-1.x86_64 1/1
Installed:
kibana.x86_64 0:5.0.0-1
Complete!
Start Kibana
By default Kibana connects to the Elasticsearch instance running on the same host, so we can just start Kibana.
Kibana configuration file is at /etc/kibana/kibana.yml
cd /etc/init.d
./kibana start
kibana started
[root@host init.d]# ./kibana status
kibana is running
Check status of Kibana
Access localhost:5601 from a browser. You should see the Kibana screen below.
Install Logstash
I have downloaded logstash-5.0.0.rpm and installed it using yum.
yum -y localinstall logstash-5.0.0.rpm
Loaded plugins: aliases, changelog, downloadonly, kabi, presto, refresh-packagekit, security, tmprepo, verify, versionlock
Loading support for kernel ABI
Setting up Local Package Process
Examining logstash-5.0.0.rpm: 1:logstash-5.0.0-1.noarch
Marking logstash-5.0.0.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package logstash.noarch 1:5.0.0-1 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
=============================================================================================================================================
Package Arch Version Repository Size
=============================================================================================================================================
Installing:
logstash noarch 1:5.0.0-1 /logstash-5.0.0 189 M
Transaction Summary
=============================================================================================================================================
Install 1 Package(s)
Total size: 189 M
Installed size: 189 M
Downloading Packages:
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : 1:logstash-5.0.0-1.noarch 1/1
Using provided startup.options file: /etc/logstash/startup.options
Successfully created system startup script for Logstash
Verifying : 1:logstash-5.0.0-1.noarch 1/1
Installed:
logstash.noarch 1:5.0.0-1
Complete!
Start logstash
Somehow /etc/init.d/logstash was not present after the install. It looks like the system-install
script didn't get executed at the end of the rpm
installation, so I ran it manually. Check /etc/logstash/startup.options to see where it is installed.
On my host, LS_HOME in /etc/logstash/startup.options points to /usr/share/logstash.
Run system-install script manually
I installed it manually using the system-install script. Before that, I modified /etc/logstash/startup.options to set the correct path to JDK 1.8.
I changed the JDK location to the following:
# Override Java location
#JAVACMD=/usr/bin/java
JAVACMD=/usr/java/jdk1.8.0_111/bin/java
/usr/share/logstash/bin/system-install /etc/logstash/startup.options
Using provided startup.options file: /etc/logstash/startup.options
Sending all logs to /tmp/tmp.ADeV3QdriK
Successfully created system startup script for Logstash
#cd /etc/init.d
# ./logstash start
logstash started
[root@host init.d]# ./logstash status
logstash is running
Stop all three
./logstash stop
./kibana stop
./elasticsearch stop
Install x-pack plugin
Refer https://www.elastic.co/start
Download x-pack-5.0.0.zip and use the offline installation option.
I have downloaded the latest version from https://artifacts.elastic.co/downloads/packs/x-pack/x-pack-5.0.0.zip
This zip file contains both the Elasticsearch and the Kibana plugin.
# cd /usr/share/elasticsearch/bin
# ./elasticsearch-plugin install file:///scratch/softwares/elk/x-pack-5.0.0.zip
-> Downloading file:///scratch/softwares/elk/x-pack-5.0.0.zip
[=================================================] 100%
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: plugin requires additional permissions @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
* java.lang.RuntimePermission accessClassInPackage.com.sun.activation.registries
* java.lang.RuntimePermission getClassLoader
* java.lang.RuntimePermission setContextClassLoader
* java.lang.RuntimePermission setFactory
* java.security.SecurityPermission createPolicy.JavaPolicy
* java.security.SecurityPermission getPolicy
* java.security.SecurityPermission putProviderProperty.BC
* java.security.SecurityPermission setPolicy
* java.util.PropertyPermission * read,write
* java.util.PropertyPermission sun.nio.ch.bugLevel write
* javax.net.ssl.SSLPermission setHostnameVerifier
See http://docs.oracle.com/javase/8/docs/technotes/guides/security/permissions.html
for descriptions of what these permissions allow and the associated risks.
Continue with installation? [y/N]y
-> Installed x-pack
Now install Kibana plugin
# cd /usr/share/kibana/bin
# ./kibana-plugin install file:///scratch/rkuriako/softwares/elk/x-pack-5.0.0.zip
Attempting to transfer from file:///scratch/rkuriako/softwares/elk/x-pack-5.0.0.zip
Transferring 72364732 bytes....................
Transfer complete
Retrieving metadata from plugin archive
Extracting plugin archive
Extraction complete
Optimizing and caching browser bundles...
Plugin installation complete
Refer to the X-Pack docs for more details.
X-Pack security provides a built-in elastic superuser.
This elastic user has full access to the cluster, including all indices and data.
The default password for the elastic user is changeme.
Start Elasticsearch and Kibana
[root@host bin]# cd /etc/init.d/
[root@host init.d]# ./elasticsearch start
Starting elasticsearch: [ OK ]
[root@host init.d]# ./kibana start
kibana started
Navigate to http://localhost:5601/
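Once Elasticsearch is back up with X-Pack, the built-in elastic superuser described above still has its default password, so the first thing to do on the new node is confirm that and rotate it. The following is an added example, not code from the original post or from Elastic: a post-install check that asks your own node whether elastic/changeme is still accepted and, if asked to, sets a fresh random password through the X-Pack security API. It assumes Elasticsearch on localhost:9200 as in the post, and that the password endpoint is X-Pack 5.x's /_xpack/security/user/<name>/_password; the HTTP transport is injected so the logic can be exercised offline against the StubNode stand-in.

```python
"""Added example (not from the original post): a defender's post-install
check for the X-Pack default superuser credentials, with optional rotation.

Assumptions: Elasticsearch 5.0 + X-Pack on http://localhost:9200 (as in the
post); the password-change endpoint is X-Pack 5.x's
/_xpack/security/user/<name>/_password. The HTTP call is injected so the
logic runs offline against StubNode below."""
import base64
import json
import secrets
import urllib.error
import urllib.request

DEFAULT_USER = "elastic"
DEFAULT_PASSWORD = "changeme"  # the built-in default named in the X-Pack docs


def basic_auth_header(user, password):
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}


def urllib_http(method, url, headers, body=None):
    """Real transport: returns (status, body_text). 401/403 are returned as a
    status instead of raising, so the caller can tell them apart."""
    data = body.encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


def default_credentials_accepted(http, base_url="http://localhost:9200"):
    """True if the node still accepts elastic/changeme on the cluster root.
    A 401 means the password has already been rotated."""
    status, _ = http("GET", base_url + "/", basic_auth_header(DEFAULT_USER, DEFAULT_PASSWORD))
    return status == 200


def rotate_password(http, current_password, base_url="http://localhost:9200", new_password=None):
    """Set a new random password for the elastic user via the X-Pack security
    API, authenticating with the current one. Returns the new password so it
    can be handed to a secret store; nothing here prints it."""
    new_password = new_password or secrets.token_urlsafe(24)
    headers = basic_auth_header(DEFAULT_USER, current_password)
    headers["Content-Type"] = "application/json"
    status, body = http(
        "PUT",
        f"{base_url}/_xpack/security/user/{DEFAULT_USER}/_password",
        headers,
        json.dumps({"password": new_password}),
    )
    if status != 200:
        raise RuntimeError(f"password change failed: HTTP {status} {body}")
    return new_password


def audit_and_fix(http, base_url="http://localhost:9200", fix=False):
    """Return a finding dict; with fix=True, rotate the default password."""
    finding = {"default_credentials": default_credentials_accepted(http, base_url), "rotated": False}
    if finding["default_credentials"] and fix:
        finding["new_password"] = rotate_password(http, DEFAULT_PASSWORD, base_url)
        finding["rotated"] = True
    return finding


class StubNode:
    """Offline stand-in for a node (constructed for testing): accepts only the
    current password and honours the password-change endpoint."""

    def __init__(self, password=DEFAULT_PASSWORD):
        self.password = password

    def __call__(self, method, url, headers, body=None):
        expected = basic_auth_header(DEFAULT_USER, self.password)["Authorization"]
        if headers.get("Authorization") != expected:
            return 401, '{"error":"unauthorized"}'
        if method == "PUT" and url.endswith(f"/_xpack/security/user/{DEFAULT_USER}/_password"):
            self.password = json.loads(body)["password"]
            return 200, "{}"
        return 200, '{"tagline":"You Know, for Search"}'


if __name__ == "__main__":
    # Against a live node, report only; pass fix=True to rotate in place.
    print(json.dumps({k: v for k, v in audit_and_fix(urllib_http).items() if k != "new_password"}))
```

Run it once with fix=False to see the finding, and once with fix=True when you are ready to store the new password; since Kibana authenticates to Elasticsearch with its own credentials in /etc/kibana/kibana.yml, update that file after rotating any account it uses.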