ELK installation and configuration #2

Open
v5tech opened this issue May 25, 2016 · 0 comments
v5tech commented May 25, 2016

Elasticsearch installation

rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch

/etc/yum.repos.d/elasticsearch.repo

[elasticsearch-2.x]
name=Elasticsearch repository for 2.x packages
baseurl=https://packages.elastic.co/elasticsearch/2.x/centos
gpgcheck=1
gpgkey=https://packages.elastic.co/GPG-KEY-elasticsearch
enabled=1

yum install elasticsearch
chkconfig --add elasticsearch

CentOS 7

sudo /bin/systemctl daemon-reload
sudo /bin/systemctl enable elasticsearch.service

Shield 2.0 installation

./bin/plugin install license
./bin/plugin install shield
./bin/elasticsearch

Create the user es_admin (password es_admin) with the admin role

# -p sets the password on the command line; omit it and esusers prompts for it instead of leaving it in shell history
./bin/shield/esusers useradd es_admin -p es_admin -r admin

esusers useradd <username> [-p <password>] [-r <roles>]
-h,--help                    Shows this message
-p,--password <password>     The user password
-r,--roles <roles>           Comma-separated list of the roles of the user

curl -u es_admin -XGET 'http://115.28.163.63:9200/'

Logstash installation

rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch

/etc/yum.repos.d/logstash.repo

[logstash-2.3]
name=Logstash repository for 2.3.x packages
baseurl=https://packages.elastic.co/logstash/2.3/centos
gpgcheck=1
gpgkey=https://packages.elastic.co/GPG-KEY-elasticsearch
enabled=1

Kibana installation

rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch

/etc/yum.repos.d/kibana.repo

[kibana-4.5]
name=Kibana repository for 4.5.x packages
# baseurl and gpgkey over https, as in the other repos; the original used http://,
# which lets anyone on the path substitute the signing key and defeat gpgcheck=1
baseurl=https://packages.elastic.co/kibana/4.5/centos
gpgcheck=1
gpgkey=https://packages.elastic.co/GPG-KEY-elasticsearch
enabled=1

yum install kibana
chkconfig --add kibana

Winlogbeat installation

https://download.elastic.co/beats/winlogbeat/winlogbeat-1.2.3-windows.zip

PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-winlogbeat.ps1

winlogbeat.yml

winlogbeat:
  registry_file: C:/ProgramData/winlogbeat/.winlogbeat.yml

  event_logs:
    - name: Application
    - name: Security
    - name: System

output:
  elasticsearch:
    hosts:
      - 192.168.0.228:9200

logging:
  to_files: true
  files:
    path: C:/ProgramData/winlogbeat/Logs
  level: info

Test

PS C:\Program Files\Winlogbeat> .\winlogbeat.exe -c .\winlogbeat.yml -configtest -e

# load the index template, then drop any winlogbeat indices created before it so new ones pick up the mapping
curl -XPUT 'http://192.168.0.228:9200/_template/winlogbeat' -d@/etc/winlogbeat/winlogbeat.template.json
curl -XDELETE 'http://192.168.0.228:9200/winlogbeat-*'

Packetbeat installation

sudo yum install libpcap
curl -L -O https://download.elastic.co/beats/packetbeat/packetbeat-1.2.3-x86_64.rpm
sudo rpm -vi packetbeat-1.2.3-x86_64.rpm

/etc/packetbeat/packetbeat.yml

curl -XPUT 'http://115.28.163.63:9200/_template/packetbeat' -d@/etc/packetbeat/packetbeat.template.json
curl -XDELETE 'http://115.28.163.63:9200/packetbeat-*'
sudo /etc/init.d/packetbeat start
curl -XGET 'http://115.28.163.63:9200/packetbeat-*/_search?pretty'

Filebeat installation

curl -L -O https://download.elastic.co/beats/filebeat/filebeat-1.2.3-x86_64.rpm
sudo rpm -vi filebeat-1.2.3-x86_64.rpm

/etc/filebeat/filebeat.yml

curl -XPUT 'http://115.28.163.63:9200/_template/filebeat' -d@/etc/filebeat/filebeat.template.json
curl -XDELETE 'http://115.28.163.63:9200/filebeat-*'
sudo /etc/init.d/filebeat start

Topbeat installation

curl -L -O https://download.elastic.co/beats/topbeat/topbeat-1.2.3-x86_64.rpm
sudo rpm -vi topbeat-1.2.3-x86_64.rpm

/etc/topbeat/topbeat.yml

curl -XPUT 'http://115.28.163.63:9200/_template/topbeat' -d@/etc/topbeat/topbeat.template.json
curl -XDELETE 'http://115.28.163.63:9200/topbeat-*'
sudo /etc/init.d/topbeat start
curl -XGET 'http://115.28.163.63:9200/topbeat-*/_search?pretty'
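The Kibana repository as originally posted in the issue used http:// for both baseurl and gpgkey while the Elasticsearch and Logstash ones used https://. With the key itself fetched over plain http, gpgcheck=1 only verifies packages against whatever key an on-path attacker chooses to serve. The following is an added example, not code from the issue or from Elastic: a small bash audit of yum .repo files that flags exactly that pattern (gpgcheck off, or baseurl/gpgkey not served over https or from a local file). SAMPLE_DIR and the two sample .repo files are constructed here for the demonstration; on a real host the input would be /etc/yum.repos.d/*.repo.

```bash
#!/usr/bin/env bash
# Audit yum .repo files for the conditions under which gpgcheck=1 actually
# protects you: gpgcheck must be on, and both the package metadata (baseurl)
# and the signing key (gpgkey) must be fetched over https or from a local file.
# A key fetched over plain http can be replaced by anyone on the path, after
# which yum verifies the attacker's packages against the attacker's key.
# Added example, not part of the issue; file and directory names are assumptions.

# report_section FILE SECTION GPGCHECK BASEURL GPGKEY
# Prints one finding per line; returns 0 if the section is clean, 1 otherwise.
report_section() {
    local file="$1" section="$2" gpgcheck="$3" baseurl="$4" gpgkey="$5" rc=0
    if [ "$gpgcheck" != "1" ]; then
        echo "$file [$section]: gpgcheck is '${gpgcheck:-unset}', must be 1"; rc=1
    fi
    case "$baseurl" in
        https://*) ;;
        *) echo "$file [$section]: baseurl is not https: '$baseurl'"; rc=1 ;;
    esac
    case "$gpgkey" in
        https://*|file://*) ;;
        *) echo "$file [$section]: gpgkey is not https or file: '$gpgkey'"; rc=1 ;;
    esac
    return "$rc"
}

# audit_repo FILE
# Walks every [section] of a .repo file and reports the findings for each one.
# Returns 0 if every section is clean, 1 if any finding was printed.
audit_repo() {
    local file="$1" section="" gpgcheck="" baseurl="" gpgkey="" rc=0
    local line key value cr
    cr="$(printf '\r')"
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%"$cr"}"                         # tolerate CRLF files
        case "$line" in
            '#'*|';'*|'')
                ;;                                   # comment or blank line
            \[*\])
                # a new section starts: judge the previous one first
                if [ -n "$section" ]; then
                    report_section "$file" "$section" "$gpgcheck" "$baseurl" "$gpgkey" || rc=1
                fi
                section="${line#\[}"; section="${section%\]}"
                gpgcheck=""; baseurl=""; gpgkey=""
                ;;
            *=*)
                key="${line%%=*}";  key="${key%"${key##*[![:space:]]}"}"        # trim right
                value="${line#*=}"; value="${value#"${value%%[![:space:]]*}"}"  # trim left
                case "$key" in
                    gpgcheck) gpgcheck="$value" ;;
                    baseurl)  baseurl="$value" ;;
                    gpgkey)   gpgkey="$value" ;;
                esac
                ;;
        esac
    done < "$file"
    if [ -n "$section" ]; then
        report_section "$file" "$section" "$gpgcheck" "$baseurl" "$gpgkey" || rc=1
    fi
    return "$rc"
}

# Constructed sample inputs (written to a temp dir, not read from any real host):
# the Kibana repo as originally posted, and the Elasticsearch one for contrast.
SAMPLE_DIR="$(mktemp -d)"
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/kibana.repo" <<'EOF'
[kibana-4.5]
name=Kibana repository for 4.5.x packages
baseurl=http://packages.elastic.co/kibana/4.5/centos
gpgcheck=1
gpgkey=http://packages.elastic.co/GPG-KEY-elasticsearch
enabled=1
EOF
cat > "$SAMPLE_DIR/elasticsearch.repo" <<'EOF'
[elasticsearch-2.x]
name=Elasticsearch repository for 2.x packages
baseurl=https://packages.elastic.co/elasticsearch/2.x/centos
gpgcheck=1
gpgkey=https://packages.elastic.co/GPG-KEY-elasticsearch
enabled=1
EOF

# On a real host loop over /etc/yum.repos.d/*.repo instead of the samples.
for f in "$SAMPLE_DIR"/*.repo; do
    if audit_repo "$f"; then
        echo "$f: OK"
    fi
done
```

The sample Kibana file produces two findings (baseurl and gpgkey), the Elasticsearch file none; a file:// gpgkey is accepted because a key already on disk cannot be swapped in transit, which is the usual fix when a vendor only publishes the key over http (fetch it once out of band, verify its fingerprint, and point gpgkey at the local copy).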