Aqui falaremos sobre os procedimentos de instalação do ELK 5 em CentOS. Deixaremos um exemplo um pouco longo do Logstash apenas para que você entenda e compreenda algumas possibilidades (no site é possível consultar mais tipos de entradas, filtros e saídas)
Antes de mais nada, será necessário o Java, para instalar execute:
yum install java-1.8.0-openjdk policycoreutils-python -yPara instalar o Elasticsearch, execute os comandos abaixo:
rpm -ivh http://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-5.3.0.rpm
sed -i "s/#network.host: 192.168.0.1/network.host: localhost/g" /etc/elasticsearch/elasticsearch.yml
ln -s /usr/share/elasticsearch/bin/elasticsearch-plugin /usr/bin/elasticsearch-plugin
elasticsearch-plugin install x-pack
systemctl daemon-reload
systemctl enable elasticsearch.service
systemctl start elasticsearchPara instalar o logstash, execute os comandos abaixo:
rpm -ivh http://artifacts.elastic.co/downloads/logstash/logstash-5.3.0.rpm
vi /etc/logstash/conf.d/logstash.confAperte a tecla INSERT do teclado para entrar em modo de edição e deixa-lo da seguinte forma:
| input { beats { port => 5044 type => “ex_msg_trk” congestion_threshold => “40” } udp { port => 514 } udp { type => “Exchange” port => 5141 } } filter { if [type] == “ex_msg_trk” { grok { match => { “message” => “(%{TIMESTAMP_ISO8601:date-time})?,(%{IPORHOST:client-ip})?,(%{IPORHOST:client-hostname})?,(%{IPORHOST:server-ip})?,(%{IPORHOST:server-hostname})?,(%{GREEDYDATA:source-context})?,(%{GREEDYDATA:connector-id})?,(%{WORD:source})?,(%{WORD:event-id})?,(%{NUMBER:internal-message-id})?,(%{GREEDYDATA:message-id})?,(%{GREEDYDATA:recipient-address})?,(%{GREEDYDATA:recipient-status})?,(%{NUMBER:total-bytes})?,(%{NUMBER:recipient-count})?,(%{GREEDYDATA:related-recipient-address})?,(%{GREEDYDATA:reference})?,(%{GREEDYDATA:message-subject})?,(%{GREEDYDATA:sender-address})?,(%{GREEDYDATA:return-path})?,(%{GREEDYDATA:message-info})?,(%{WORD:directionality})?,(%{GREEDYDATA:tenant-id})?,(%{IPORHOST:original-client-ip})?,(%{IPORHOST:original-server-ip})?,(%{GREEDYDATA:custom-data})?” } } mutate { convert => [ “total-bytes”, “integer” ] convert => [ “recipient-count”, “integer” ] split => [“recipient-address”, “;”] split => [ “source-context”, “;” ] split => [ “custom_data”, “;” ] } } if [type] == “Exchange” { csv { add_tag => [ ‘exh_msg_trk’ ] columns => [‘logdate’, ‘client_ip’, ‘client_hostname’, ‘server_ip’, ‘server_hostname’, ‘source_context’, ‘connector_id’, ‘source’, ‘event_id’, ‘internal_message_id’, ‘message_id’, ‘network_message_id’, ‘recipient_address’, ‘recipient_status’, ‘total_bytes’, ‘recipient_count’, ‘related_recipient_address’, ‘reference’, ‘message_subject’, ‘sender_address’, ‘return_path’, ‘message_info’, ‘directionality’, ‘tenant_id’, ‘original_client_ip’, ‘original_server_ip’, ‘custom_data’] remove_field => [ “logdate” ] } grok { match => [ “message”, “%{TIMESTAMP_ISO8601:timestamp}” ] } mutate { convert => [ “total_bytes”, “integer” ] convert => [ “recipient_count”, “integer” ] split => [“recipient_address”, “;”] split => [ “source_context”, “;” ] split => [ “custom_data”, “;” ] } date { match => [ “timestamp”, “ISO8601” ] timezone => “Europe/London” remove_field => [ “timestamp” ] } if “_grokparsefailure” in [tags] { drop { } } } if [type] == “syslog” { grok { match => { “message” => “%{SYSLOGLINE}” } } date { match => [ “timestamp”, “MMM d HH:mm:ss”, “MMM dd HH:mm:ss” ] } } } output { elasticsearch { hosts => localhost } stdout { codec => rubydebug } } |
Ao final, pressionar a tecla ESC para sair do modo de edição, digitar :wq! e pressionar ENTER para sair e salvar. Agora execute:
ln -s /usr/share/logstash/bin/logstash /usr/bin/logstash
/usr/share/logstash/bin/logstash-plugin install logstash-input-beats
/usr/share/logstash/bin/logstash-plugin install logstash-input-udp
/usr/share/logstash/bin/logstash-plugin install logstash-output-elasticsearch
systemctl daemon-reload
systemctl enable logstash
systemctl start logstashPara instalar o Kibana, execute os comandos abaixo:
rpm -ivh http://artifacts.elastic.co/downloads/kibana/kibana-5.3.0-x86_64.rpm
sed -i "s/server.port: 5601/server.port: 80/g" /etc/kibana/kibana.yml
sed -i "s/#server.port: 5601/server.port: 5601/g" /etc/kibana/kibana.yml
sed -i "s/#server.host: \"localhost\"/server.host: \"SEU_IP\"/g" /etc/kibana/kibana.yml
sed -i "s/#elasticsearch.url: \"http:\/\/localhost:9200\"/elasticsearch.url: \"http:\/\/localhost:9200\"/g" /etc/kibana/kibana.yml
systemctl enable kibana
systemctl start kibana
ln -s /usr/share/kibana/bin/kibana-plugin /usr/bin/kibana-plugin
kibana-plugin install x-packPara acessar, abra o endereço http://IP_SEU_SERVIDOR:5061 (usuário elastic e senha changeme).
Fontes/Referências
https://www.elastic.co/guide/en/elasticsearch/reference/current/rpm.html
https://www.elastic.co/guide/en/x-pack/current/installing-xpack.html
http://www.tecmint.com/install-elasticsearch-logstash-and-kibana-elk-stack-on-centos-rhel-7/
Mais Informações
Esperamos ter ajudado da melhor forma possível e estaremos sempre a disposição para mais informações.
Entre em contato conosco pelo e-mail equipe@nvlan.com.br.
