Official page: https://www.elastic.co/cn/downloads/x-pack

Following the official documentation:

Install X-Pack into elasticsearch

Installation:

[root@elastic-elk-stack logstash]# /usr/share/elasticsearch/bin/elasticsearch-plugin install x-pack
-> Downloading x-pack from elastic
[=================================================] 100%   
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@     WARNING: plugin requires additional permissions     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
* java.io.FilePermission \\.\pipe\* read,write
* java.lang.RuntimePermission accessClassInPackage.com.sun.activation.registries
* java.lang.RuntimePermission getClassLoader
* java.lang.RuntimePermission setContextClassLoader
* java.lang.RuntimePermission setFactory
* java.net.SocketPermission * connect,accept,resolve
* java.security.SecurityPermission createPolicy.JavaPolicy
* java.security.SecurityPermission getPolicy
* java.security.SecurityPermission putProviderProperty.BC
* java.security.SecurityPermission setPolicy
* java.util.PropertyPermission * read,write
* java.util.PropertyPermission sun.nio.ch.bugLevel write
See http://docs.oracle.com/javase/8/docs/technotes/guides/security/permissions.html
for descriptions of what these permissions allow and the associated risks.

Continue with installation? [y/N]y
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@        WARNING: plugin forks a native controller        @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
This plugin launches a native controller that is not subject to the Java
security manager nor to system call filters.

Continue with installation? [y/N]y
Elasticsearch keystore is required by plugin [x-pack], creating...
-> Installed x-pack
[root@elastic-elk-stack logstash]# 

Restart Elasticsearch:

[root@elastic-elk-stack logstash]# service elasticsearch restart
Restarting elasticsearch (via systemctl):                  [  OK  ]
[root@elastic-elk-stack logstash]# 
[root@elastic-elk-stack logstash]# 

Generate passwords:

[root@elastic-elk-stack logstash]# /usr/share/elasticsearch/bin/x-pack/setup-passwords auto
Initiating the setup of passwords for reserved users elastic,kibana,logstash_system.
The passwords will be randomly generated and printed to the console.
Please confirm that you would like to continue [y/N]y


Changed password for user kibana
PASSWORD kibana = _onI_Y~Q6skD@mrWM0r^

Changed password for user logstash_system
PASSWORD logstash_system = wPK*Ni8BC#3Syso*v=8C

Changed password for user elastic
PASSWORD elastic = !QCIfasZEL#-mZw_ay#G

[root@elastic-elk-stack logstash]# 

Install X-Pack into kibana

Installation:

[root@elastic-elk-stack logstash]# /usr/share/kibana/bin/kibana-plugin install x-pack
Attempting to transfer from x-pack
Attempting to transfer from https://artifacts.elastic.co/downloads/kibana-plugins/x-pack/x-pack-6.0.1.zip
Transferring 120300101 bytes....................
Transfer complete
Retrieving metadata from plugin archive
Extracting plugin archive
Extraction complete
Optimizing and caching browser bundles...
Plugin installation complete
[root@elastic-elk-stack logstash]# 

Edit the Kibana configuration file:

[root@elastic-elk-stack ~]# cat /etc/kibana/kibana.yml | grep -v "#" | strings
server.port: 5601
server.host: "**.***.*.***"
server.name: "elastic-elk-stack"
elasticsearch.url: "http://**.***.*.***:9200"
kibana.index: ".kibana"
elasticsearch.username: "kibana"
elasticsearch.password: "******"
elasticsearch.pingTimeout: 1500
logging.dest: stdout
[root@elastic-elk-stack ~]# 

Note these two lines above:
elasticsearch.username: "kibana"
elasticsearch.password: "******"

They are the credentials printed earlier when X-Pack generated the passwords.

Restart the Kibana service:

[root@elastic-elk-stack ~]# service kibana restart
kibana stopped.
kibana started
[root@elastic-elk-stack ~]# 

Log in to Kibana: http://ip:5601

The passwords above were generated randomly; if you would rather set your own, you can do so in the screen below:

The part above is the description of the tool from the official X-Pack download page.

————————————————————————
As you might expect, once password authentication is enabled, many other configurations have to change with it.
Below are the parts that still need to be modified (adding the credentials), and what the logs look like when the credentials are wrong.

Logstash configuration file:

[root@elastic-elk-stack ~]# cat /etc/logstash/conf.d/rsyslog.conf 
input {
  tcp{
    port => 5514
    type => syslog
  }
  udp{
    port => 5514
    type => syslog
  }
  file {
    path => ["/home/data/rsyslog/log/*/*.log"]
    #path => ["/var/log/*"]
    type => "rsyslog"
    start_position => "beginning"
  }
}
output {
  stdout {
    codec=> rubydebug
  }
  elasticsearch {
    hosts => ["**.***.*.***:9200"]
    user => ["elastic"]
    password => ["***"]
    index => "rsyslog_**.***.*.***-%{+YYYY.MM.dd}"
  }
}
[root@elastic-elk-stack ~]# 

Because passwords are now enforced, Logstash needs a username and password when it writes data to Elasticsearch.

Otherwise you will see errors like these in the log file /var/log/logstash/logstash-plain.log:

[2017-12-14T23:08:39,624][INFO ][logstash.outputs.elasticsearch] Running health check to see if an Elasticsearch connection is working {:healthcheck_url=>http://elastic:xxxxxx@**.***.*.***:9200/, :path=>"/"}
[2017-12-14T23:08:39,750][WARN ][logstash.outputs.elasticsearch] Attempted to resurrect connection to dead ES instance, but got an error. {:url=>"http://elastic:xxxxxx@**.***.*.***:9200/", :error_type=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::BadResponseCodeError, :error=>"Got response code '401' contacting Elasticsearch at URL 'http://**.***.*.***:9200/'"}
[2017-12-14T23:08:40,244][INFO ][logstash.pipeline        ] Pipeline terminated {"pipeline.id"=>"main"}
[2017-12-14T23:08:40,246][WARN ][logstash.shutdownwatcher ] {"inflight_count"=>0, "stalling_thread_info"=>{}}
[2017-12-14T23:08:40,249][ERROR][logstash.shutdownwatcher ] The shutdown process appears to be stalled due to busy or blocked plugins. Check the logs for more information.
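A small checker for exactly this failure, added here as an example and not part of the original post: it scans logstash-plain.log lines for the "Got response code '401'" (or 403) pattern and, before reporting, redacts any user:password@host URL the log contains, because the Elasticsearch output logs its healthcheck URL with the credentials embedded (Logstash masks the password as xxxxxx above, but the username and host are still written out). The sample lines are constructed to mirror the excerpt above; the host and password in them are placeholders.

```python
import re
from typing import Dict, List, Optional

# Constructed sample modelled on the logstash-plain.log excerpt in the post.
# Host and password are placeholders, not values from a real deployment.
SAMPLE_LOG = """\
[2017-12-14T23:08:39,624][INFO ][logstash.outputs.elasticsearch] Running health check to see if an Elasticsearch connection is working {:healthcheck_url=>http://elastic:xxxxxx@10.0.0.5:9200/, :path=>"/"}
[2017-12-14T23:08:39,750][WARN ][logstash.outputs.elasticsearch] Attempted to resurrect connection to dead ES instance, but got an error. {:url=>"http://elastic:xxxxxx@10.0.0.5:9200/", :error_type=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::BadResponseCodeError, :error=>"Got response code '401' contacting Elasticsearch at URL 'http://10.0.0.5:9200/'"}
[2017-12-14T23:08:40,244][INFO ][logstash.pipeline        ] Pipeline terminated {"pipeline.id"=>"main"}
[2017-12-14T23:08:40,249][ERROR][logstash.shutdownwatcher ] The shutdown process appears to be stalled due to busy or blocked plugins. Check the logs for more information.
"""

# Layout of a logstash-plain.log line: [timestamp][LEVEL ][logger   ] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[(?P<level>[A-Z]+)\s*\]\[(?P<logger>[^\]]+)\]\s(?P<msg>.*)$"
)
# The HTTP status the Elasticsearch output plugin reports for a failed request.
RESPONSE_CODE_RE = re.compile(r"Got response code '(?P<code>\d{3})'")
# scheme://user:secret@host -- credentials embedded in a URL.
CRED_URL_RE = re.compile(r"(?P<scheme>https?://)(?P<user>[^:/@\s]+):(?P<secret>[^@\s]+)@")

# Statuses that mean Elasticsearch rejected the identity rather than the network failing.
AUTH_FAILURE_CODES = {
    401: "credentials rejected (wrong user or password)",
    403: "user authenticated but lacks the privilege for this request",
}


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into its fields; None for lines that are not log records."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {"ts": m["ts"], "level": m["level"], "logger": m["logger"].strip(), "msg": m["msg"]}


def redact_credentials(text: str) -> str:
    """Replace the secret part of user:secret@ URLs so findings can be shared safely."""
    return CRED_URL_RE.sub(lambda m: f"{m['scheme']}{m['user']}:<redacted>@", text)


def count_credential_urls(log_text: str) -> int:
    """How many URLs with embedded credentials the log writes out."""
    return sum(len(CRED_URL_RE.findall(line)) for line in log_text.splitlines())


def find_auth_failures(log_text: str) -> List[Dict[str, object]]:
    """Return one finding per line in which Elasticsearch answered 401 or 403."""
    findings: List[Dict[str, object]] = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        hit = RESPONSE_CODE_RE.search(rec["msg"])
        if hit is None:
            continue
        code = int(hit["code"])
        if code in AUTH_FAILURE_CODES:
            findings.append({
                "ts": rec["ts"],
                "logger": rec["logger"],
                "code": code,
                "reason": AUTH_FAILURE_CODES[code],
                "msg": redact_credentials(rec["msg"]),
            })
    return findings


if __name__ == "__main__":
    import sys
    # Usage: python check_logstash_auth.py /var/log/logstash/logstash-plain.log
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(f"URLs with embedded credentials: {count_credential_urls(text)}")
    for f in find_auth_failures(text):
        print(f"{f['ts']} {f['logger']} HTTP {f['code']}: {f['reason']}")
```

A 401 means the user/password in the elasticsearch output block is wrong, which is the case the post shows; a 403 would mean the user exists but its role cannot write the target index. The config above writes as the elastic superuser; a dedicated Logstash user whose role is limited to creating and indexing the rsyslog_* indices is the least-privilege alternative, and it also keeps a superuser password out of /etc/logstash/conf.d.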

Another problem you may run into: No results found

Sometimes a faulty Logstash configuration also causes this (I have run into that before; of course other causes are possible too, and I will note them down when I meet them).
In my case the cause was that there really was not a single log entry within the current time range [Last 15 minutes].

Use the [time picker] to adjust the search time range and the logs will appear.

Another problem you may run into: Elasticsearch cluster status is yellow. Allocate missing replica shards.

If you open the Elasticsearch HTTP endpoint http://ip:9200/_cluster/health?pretty=true you will see it:

Because the cluster currently has only one node, replicas cannot be allocated anywhere, hence the yellow warning from Elasticsearch.

For more on cluster health status, see:
http://nocf-www.elastic.co/guide/en/elasticsearch/reference/current/cluster-health.html
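The two checks that the Logstash and cluster-health sections above both come down to, written as added example code (not the post's own, and not Elastic's): an authenticated GET against Elasticsearch that returns a 401 as a value instead of raising, a credential pre-flight using the 6.x /_xpack/security/_authenticate endpoint (the same kind of check Logstash's health check performs), and an interpreter for the _cluster/health document that tells the single-node yellow case described above apart from a real allocation problem. The health document is constructed; the ES_URL, ES_USER and ES_PASSWORD environment variable names in the main block are assumptions for this example.

```python
import base64
import json
import os
import urllib.error
import urllib.request
from typing import Any, Dict, Optional, Tuple

# Constructed _cluster/health response for a one-node cluster, shaped like the
# 6.x API output; the shard counts are made up for the example.
SAMPLE_HEALTH: Dict[str, Any] = {
    "cluster_name": "elasticsearch",
    "status": "yellow",
    "timed_out": False,
    "number_of_nodes": 1,
    "number_of_data_nodes": 1,
    "active_primary_shards": 6,
    "active_shards": 6,
    "relocating_shards": 0,
    "initializing_shards": 0,
    "unassigned_shards": 6,
    "delayed_unassigned_shards": 0,
    "number_of_pending_tasks": 0,
    "number_of_in_flight_fetch": 0,
    "task_max_waiting_in_queue_millis": 0,
    "active_shards_percent_as_number": 50.0,
}


def basic_auth_header(user: str, password: str) -> str:
    """Build the HTTP Basic Authorization value that X-Pack security expects."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def es_get(base_url: str, path: str, user: str, password: str,
           timeout: float = 5.0) -> Tuple[int, Optional[Any]]:
    """GET an Elasticsearch API path with basic auth.

    Returns (http_status, parsed_json). Auth failures come back as (401, None)
    or (403, None) instead of an exception, and an unreachable host as (0, None).
    """
    req = urllib.request.Request(base_url.rstrip("/") + path)
    req.add_header("Authorization", basic_auth_header(user, password))
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as err:
        return err.code, None
    except urllib.error.URLError:
        return 0, None


def credentials_ok(base_url: str, user: str, password: str) -> bool:
    """True when Elasticsearch accepts the user/password (6.x authenticate endpoint)."""
    status, _ = es_get(base_url, "/_xpack/security/_authenticate", user, password)
    return status == 200


def explain_health(health: Dict[str, Any]) -> Dict[str, Any]:
    """Turn a _cluster/health document into a verdict an operator can act on."""
    status = str(health.get("status", "unknown"))
    data_nodes = int(health.get("number_of_data_nodes", 0))
    unassigned = int(health.get("unassigned_shards", 0))
    single = data_nodes == 1
    if status == "green":
        verdict = "all primary and replica shards are allocated"
    elif status == "yellow" and single and unassigned > 0:
        verdict = (f"all primaries are up; the {unassigned} unassigned shards are replicas "
                   "with no second node to live on, which is expected on a single-node cluster: "
                   "add a data node or set number_of_replicas to 0")
    elif status == "yellow":
        verdict = "replicas unassigned on a multi-node cluster; ask GET /_cluster/allocation/explain why"
    elif status == "red":
        verdict = "at least one primary shard is unassigned: some data is unavailable"
    else:
        verdict = "unrecognised status value"
    return {"status": status, "single_node": single, "unassigned_shards": unassigned, "verdict": verdict}


def single_node_replica_settings() -> Dict[str, Any]:
    """Body for PUT /_all/_settings that clears the single-node yellow state.

    Standard remedy, not from the post: it removes replicas entirely, so the
    cluster has no redundancy until a second node is added.
    """
    return {"index": {"number_of_replicas": 0}}


if __name__ == "__main__":
    url = os.environ.get("ES_URL", "http://localhost:9200")
    user = os.environ.get("ES_USER", "elastic")
    password = os.environ.get("ES_PASSWORD", "")
    if not credentials_ok(url, user, password):
        print("Elasticsearch rejected the credentials (this is the 401 Logstash logs)")
    else:
        _, body = es_get(url, "/_cluster/health", user, password)
        print(json.dumps(explain_health(body or {}), indent=2))
```

Running the credential check before restarting Logstash or Kibana saves a round of reading stalled-pipeline logs; the health interpreter is what the yellow warning in Kibana is summarising.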

——————
Finally, X-Pack is not free; it is a paid product.

After enabling X-Pack, you can see license-related entries in the Kibana log:

[root@elastic-elk-stack ~]# cat /var/log/kibana/kibana.stdout | grep --color trial
{"type":"log","@timestamp":"2017-12-14T10:51:57Z","tags":["license","info","xpack"],"pid":12041,"message":"Imported license information from Elasticsearch for [data] cluster: mode: trial | status: active | expiry date: 2018-01-13T18:23:41+08:00"}
{"type":"log","@timestamp":"2017-12-14T10:52:27Z","tags":["license","info","xpack"],"pid":12041,"message":"Imported license information from Elasticsearch for [monitoring] cluster: mode: trial | status: active | expiry date: 2018-01-13T18:23:41+08:00"}
{"type":"log","@timestamp":"2017-12-14T11:01:27Z","tags":["license","info","xpack"],"pid":12527,"message":"Imported license information from Elasticsearch for [data] cluster: mode: trial | status: active | expiry date: 2018-01-13T18:23:41+08:00"}
{"type":"log","@timestamp":"2017-12-14T11:01:57Z","tags":["license","info","xpack"],"pid":12527,"message":"Imported license information from Elasticsearch for [monitoring] cluster: mode: trial | status: active | expiry date: 2018-01-13T18:23:41+08:00"}
{"type":"log","@timestamp":"2017-12-14T15:24:31Z","tags":["license","info","xpack"],"pid":12527,"message":"Imported license information from Elasticsearch for [data] cluster: mode: trial | status: active | expiry date: 2018-01-13T18:23:41+08:00"}
{"type":"log","@timestamp":"2017-12-14T15:33:12Z","tags":["license","info","xpack"],"pid":22417,"message":"Imported license information from Elasticsearch for [data] cluster: mode: trial | status: active | expiry date: 2018-01-13T18:23:41+08:00"}
{"type":"log","@timestamp":"2017-12-14T15:33:42Z","tags":["license","info","xpack"],"pid":22417,"message":"Imported license information from Elasticsearch for [monitoring] cluster: mode: trial | status: active | expiry date: 2018-01-13T18:23:41+08:00"}
[root@elastic-elk-stack ~]# 
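To turn those license lines into something actionable, here is an added example (not from the post): it parses Kibana's JSON stdout, keeps the latest license entry per cluster, and computes the days until the trial expires, flagging clusters that are within a warning window or no longer active. The sample lines are constructed to mirror the entries above, and SAMPLE_NOW is a fixed reference time so the result is reproducible.

```python
import json
import re
import sys
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional

# Constructed Kibana stdout lines shaped like the entries above (same message
# format, made-up pid). The third line is a non-license entry and the fourth
# is not JSON at all; both must be skipped.
SAMPLE_KIBANA_LOG = """\
{"type":"log","@timestamp":"2017-12-14T15:33:12Z","tags":["license","info","xpack"],"pid":22417,"message":"Imported license information from Elasticsearch for [data] cluster: mode: trial | status: active | expiry date: 2018-01-13T18:23:41+08:00"}
{"type":"log","@timestamp":"2017-12-14T15:33:42Z","tags":["license","info","xpack"],"pid":22417,"message":"Imported license information from Elasticsearch for [monitoring] cluster: mode: trial | status: active | expiry date: 2018-01-13T18:23:41+08:00"}
{"type":"log","@timestamp":"2017-12-14T15:33:45Z","tags":["status","plugin:kibana@6.0.1","info"],"pid":22417,"state":"green","message":"Status changed from uninitialized to green - Ready","prevState":"uninitialized","prevMsg":"uninitialized"}
not json at all
"""

LICENSE_RE = re.compile(
    r"for \[(?P<cluster>[^\]]+)\] cluster: mode: (?P<mode>\w+) \| status: (?P<status>\w+) "
    r"\| expiry date: (?P<expiry>\S+)"
)


def parse_ts(value: str) -> datetime:
    """ISO-8601 string -> timezone-aware datetime.

    Kibana writes a trailing Z, which datetime.fromisoformat only accepts from
    Python 3.11, so it is rewritten as +00:00 first.
    """
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


# Fixed reference time (the timestamp of the last constructed line) for reproducible output.
SAMPLE_NOW = parse_ts("2017-12-14T15:33:42Z")


def parse_license_entries(log_text: str) -> List[Dict[str, Any]]:
    """Extract cluster, mode, status and expiry from every license log line."""
    entries: List[Dict[str, Any]] = []
    for raw in log_text.splitlines():
        try:
            rec = json.loads(raw)
        except ValueError:
            continue  # not a JSON log record
        if "license" not in rec.get("tags", []):
            continue
        m = LICENSE_RE.search(rec.get("message", ""))
        if m is None:
            continue
        entries.append({
            "cluster": m["cluster"],
            "mode": m["mode"],
            "status": m["status"],
            "expiry": parse_ts(m["expiry"]),
            "logged_at": parse_ts(rec["@timestamp"]),
        })
    return entries


def latest_per_cluster(entries: List[Dict[str, Any]]) -> Dict[str, Dict[str, Any]]:
    """Kibana re-imports the license periodically; keep only the newest entry per cluster."""
    latest: Dict[str, Dict[str, Any]] = {}
    for e in entries:
        cur = latest.get(e["cluster"])
        if cur is None or e["logged_at"] > cur["logged_at"]:
            latest[e["cluster"]] = e
    return latest


def license_report(log_text: str, now: Optional[datetime] = None,
                   warn_days: int = 14) -> List[Dict[str, Any]]:
    """Days left per cluster, with an alert when inactive or inside the warning window."""
    now = now or datetime.now(timezone.utc)
    report: List[Dict[str, Any]] = []
    for cluster, e in sorted(latest_per_cluster(parse_license_entries(log_text)).items()):
        days_left = (e["expiry"] - now).days
        report.append({
            "cluster": cluster,
            "mode": e["mode"],
            "status": e["status"],
            "days_left": days_left,
            "alert": e["status"] != "active" or days_left <= warn_days,
        })
    return report


if __name__ == "__main__":
    # Usage: python license_check.py /var/log/kibana/kibana.stdout
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_KIBANA_LOG
    for row in license_report(text, None if len(sys.argv) > 1 else SAMPLE_NOW):
        flag = "ALERT" if row["alert"] else "ok"
        print(f"{flag:5} {row['cluster']:<10} {row['mode']} {row['status']} {row['days_left']} days left")
```

Because the security features in this setup come from X-Pack, the trial expiry date is the date by which a license decision has to be made; a cron job running this against kibana.stdout is a cheap way not to find out from the UI.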

————————————
Done.
