Step-by-step guide to setting up ELK log auditing on CentOS 8
Detailed steps for building an ELK (Elasticsearch, Logstash, Kibana) log audit stack on CentOS 8. All three components are installed from the official Elastic 7.x yum repository, so they run matching versions.
## Install the Java environment
Elasticsearch 7.x ships with a bundled OpenJDK and uses it by default, and recent Logstash 7.x releases bundle one as well, so a system JDK is not strictly required for them. Installing one is still the conventional first step and provides the JDK tools. Be aware that if `JAVA_HOME` is set, Elasticsearch 7.x uses the JDK it points to instead of the bundled one, so an outdated system JDK can affect the stack.
1. Install OpenJDK 11 (`java-11-openjdk-headless` is enough on a server if only the runtime is needed; the `-devel` package additionally brings the JDK tools):
```
sudo dnf install java-11-openjdk-devel
```
2. Verify that Java was installed:
```
java -version
```
If the installation succeeded, you should see output like the following (the exact version and build strings will differ):
```
openjdk version "11.0.11" 2021-04-20 LTS
OpenJDK Runtime Environment 18.9 (build 11.0.11+9-LTS)
OpenJDK 64-Bit Server VM 18.9 (build 11.0.11+9-LTS, mixed mode, sharing)
```
## Install Elasticsearch
1. Import the Elastic GPG signing key. Every Elastic package (Elasticsearch, Logstash, Kibana, Beats) is signed with this key, and `gpgcheck=1` in the repository file below makes dnf reject any package that does not carry a valid signature from it:
```
sudo rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
```
2. Add the Elasticsearch package repository. Logstash and Kibana are published in the same 7.x repository, so this one file is enough; the repository files in the following sections are duplicates you may skip:
```
sudo tee /etc/yum.repos.d/elasticsearch.repo <<EOF
[elasticsearch-7.x]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOF
```
3. Install Elasticsearch:
```
sudo dnf install elasticsearch
```
4. Enable Elasticsearch to start at boot and start it:
```
sudo systemctl enable elasticsearch
sudo systemctl start elasticsearch
```
5. Verify that Elasticsearch is running. The node takes some seconds to come up, so if curl reports "connection refused" right after starting, wait and retry:
```
curl -X GET "localhost:9200/"
```
If it started successfully, you should see output like the following (the node name, cluster UUID, version and build hash are placeholders and will differ on your system):
```
{
"name" : "node-1",
"cluster_name" : "elasticsearch",
"cluster_uuid" : "abc123",
"version" : {
"number" : "7.13.3",
"build_flavor" : "default",
"build_type" : "rpm",
"build_hash" : "5d21bea28db1e89ecc7256bf45d357089b301a89",
"build_date" : "2021-07-02T12:06:10.804015202Z",
"build_snapshot" : false,
"lucene_version" : "8.8.2",
"minimum_wire_compatibility_version" : "6.8.0",
"minimum_index_compatibility_version" : "6.0.0-beta1"
},
"tagline" : "You Know, for Search"
}
```
Out of the box, Elasticsearch 7.x listens only on the loopback interface (`network.host` defaults to `_local_`) and has no authentication at all: any local user who can reach TCP 9200 can read, alter or delete the audit indices. Before binding it to a routable address so that remote Beats or Kibana hosts can reach it, set `xpack.security.enabled: true` in `/etc/elasticsearch/elasticsearch.yml` (security is part of the free Basic license from 6.8 and 7.1 onwards) and set passwords for the built-in users.
## Install Logstash
1. Import the Elastic GPG key (the same key as for Elasticsearch; importing it again is harmless):
```
sudo rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
```
2. Add the Logstash package repository (it points at the same 7.x repository as the Elasticsearch one, so this step is optional if that repository file is already present):
```
sudo tee /etc/yum.repos.d/logstash.repo <<EOF
[logstash-7.x]
name=Elastic repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOF
```
3. Install Logstash:
```
sudo dnf install logstash
```
4. Create the Logstash pipeline configuration file:
```
sudo nano /etc/logstash/conf.d/logstash.conf
```
5. Enter the following in the opened file:
```
input {
  beats {
    port => 5044
  }
}
filter {
  # Add your log filtering rules here.
  # Example:
  # grok {
  #   match => { "message" => "%{COMBINEDAPACHELOG}" }
  # }
  # Filter plugin reference: https://www.elastic.co/guide/en/logstash/current/filter-plugins.html
}
output {
  elasticsearch {
    hosts => ["localhost:9200"]
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
  }
  stdout { codec => rubydebug }
}
```
This pipeline accepts events from Beats shippers (Filebeat, Auditbeat and so on) on TCP 5044 and writes them to Elasticsearch in a daily index named after the sending Beat and its version, for example `filebeat-7.13.3-2021.07.02`. Two caveats for an audit pipeline: the `beats` input as written is plain TCP without TLS, so anyone on the network path can read or inject audit events; before shipping from other hosts, set `ssl => true` with `ssl_certificate` and `ssl_key` on the input, configure the Beats side to match, and open TCP 5044 in firewalld only for the shipping hosts. The `stdout { codec => rubydebug }` output echoes every event to standard output, which under systemd ends up in the journal; it is handy while testing the pipeline but should be removed once events are arriving in Elasticsearch.
6. Enable Logstash to start at boot and start it:
```
sudo systemctl enable logstash
sudo systemctl start logstash
```
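The `filter {}` block above is left empty. For a log audit the first thing most people want is the SSH authentication trail from `/var/log/secure`, so the following is an added example (not part of the original article) of a filter that parses the `sshd` lines Filebeat ships from that file. It assumes Filebeat 7.x with its default ECS field layout, where the source file path arrives in `[log][file][path]`; the `sshd_*` field names and the `ssh_auth` tag are this example's own choices, and the sample line in the comment is constructed, not captured from a real host.

```conf
# Added example: parse sshd authentication events shipped by Filebeat from
# /var/log/secure. Put this in its own file in /etc/logstash/conf.d/ (for
# example 10-sshd.conf); Logstash concatenates every *.conf there into one
# pipeline, so it runs between the beats input and the elasticsearch output.
#
# Constructed sample input (the "message" field of a Filebeat event):
#   Jul  2 12:06:10 centos8 sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
#   Jul  2 12:07:41 centos8 sshd[1300]: Accepted publickey for deploy from 192.0.2.20 port 40022 ssh2
filter {
  if [log][file][path] == "/var/log/secure" {
    grok {
      # Built-in grok patterns only. "Failed password for invalid user X"
      # and "Accepted publickey for X" both match: sshd_result is Failed or
      # Accepted, sshd_method is password or publickey. The "\[" is passed
      # to grok literally because config.support_escapes is off by default.
      match => {
        "message" => "%{SYSLOGTIMESTAMP:sshd_timestamp} %{SYSLOGHOST:sshd_host} sshd\[%{POSINT:sshd_pid}\]: %{WORD:sshd_result} %{WORD:sshd_method} for (invalid user )?%{USERNAME:sshd_user} from %{IP:sshd_source_ip} port %{POSINT:sshd_source_port} ssh2"
      }
      # add_tag is only applied when the match succeeds. Lines from
      # /var/log/secure that are not auth events are kept, not dropped; they
      # carry Logstash's default _grokparsefailure tag instead, so an audit
      # never silently loses records.
      add_tag => [ "ssh_auth" ]
    }
    # Stamp the event with the time sshd wrote it rather than the time
    # Logstash received it. The two patterns cover one- and two-digit days
    # ("Jul  2" versus "Jul 12"); syslog timestamps carry no year, so the
    # current year is assumed.
    date {
      match => [ "sshd_timestamp", "MMM  d HH:mm:ss", "MMM d HH:mm:ss" ]
    }
  }
}
```

Check the whole pipeline for syntax errors with `sudo /usr/share/logstash/bin/logstash --path.settings /etc/logstash -t` before restarting Logstash. In Kibana, a Discover query such as `tags:ssh_auth and sshd_result:Failed` then lists failed logins, and grouping it by `sshd_source_ip` surfaces password-guessing sources.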
## Install Kibana
1. Import the Elastic GPG key (again the same key; importing it again is harmless):
```
sudo rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
```
2. Add the Kibana package repository (same 7.x repository as above, so this step is optional if the Elasticsearch repository file is already present):
```
sudo tee /etc/yum.repos.d/kibana.repo <<EOF
[kibana-7.x]
name=Kibana repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOF
```
3. Install Kibana:
```
sudo dnf install kibana
```
4. Edit the Kibana configuration file:
```
sudo nano /etc/kibana/kibana.yml
```
5. Find the following line and uncomment it (remove the leading `#`):
```
server.host: "localhost"
```
`localhost` is already Kibana's default, so uncommenting it changes nothing: Kibana stays reachable only from the server itself or through an SSH tunnel, which is the safe setting while the stack has no authentication. If other machines need to reach Kibana, set `server.host` to the server's IP address (or `"0.0.0.0"` for all interfaces), but only after enabling Elasticsearch security, which is what makes Kibana require a login, and restrict TCP 5601 in the firewall to the administrators' networks. Kibana 7.x also serves plain HTTP unless `server.ssl.enabled` and a certificate are configured.
6. Enable Kibana to start at boot and start it:
```
sudo systemctl enable kibana
sudo systemctl start kibana
```
7. Open the Kibana web interface at http://localhost:5601/ from the server (or through an SSH tunnel from your workstation); Kibana can take a minute after start before it answers. To browse the audit events, create an index pattern in Stack Management that matches the indices Logstash writes, such as `filebeat-*`, and open Discover.
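The bind-address and authentication caveats apply to both Elasticsearch (`network.host` in `/etc/elasticsearch/elasticsearch.yml`) and Kibana (`server.host` in `/etc/kibana/kibana.yml`). The following script is an added example, not part of the original article: it reads those keys from configuration files and reports whether a service would be reachable from the network while Elasticsearch security is still off. The sample configuration files it writes are constructed for the demonstration, the function names are this example's own, and it only understands the flat `key: value` style both shipped files use (a list value such as `[_local_, _site_]` is conservatively counted as non-loopback).

```shell
#!/bin/sh
# Added example, not part of the original article. Elasticsearch 7.x and
# Kibana 7.x listen on loopback by default and run without authentication
# unless xpack.security.enabled is set in elasticsearch.yml. This script
# flags the common mistake of binding either one to a routable address
# while security is still off. Function names are this example's own.

# Print the value of a top-level "key: value" line (the flat dotted-key
# style elasticsearch.yml and kibana.yml use). Commented-out lines are
# ignored, the last occurrence wins, quotes and trailing comments are
# stripped. Prints nothing when the key is absent.
yaml_value() {
    key_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*$key_re:[[:space:]]*//p" "$1" | tail -n 1 \
        | sed 's/[[:space:]]*#.*$//' | tr -d '"' | tr -d "'" | tr -d '[:space:]'
}

# Succeed when a host value refers only to the local machine. An empty
# value is the shipped default, which is loopback for both products.
# List values such as [_local_,_site_] fall through and count as exposed.
is_loopback() {
    case "$1" in
        ""|localhost|127.0.0.1|::1|_local_) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify one service: $1 config file holding the bind address, $2 its key,
# $3 the elasticsearch.yml to read the security switch from. Kibana shows a
# login page only when the cluster it talks to has security enabled, so for
# Kibana $3 is still elasticsearch.yml. Prints "ok: ..." or "EXPOSED: ...".
check_exposure() {
    host=$(yaml_value "$1" "$2")
    auth=$(yaml_value "$3" "xpack.security.enabled")
    if is_loopback "$host"; then
        printf 'ok: %s is loopback-only (%s)\n' "$2" "${host:-default}"
    elif [ "$auth" = "true" ]; then
        printf 'ok: %s=%s but xpack.security.enabled=true\n' "$2" "$host"
    else
        printf 'EXPOSED: %s=%s with xpack.security.enabled=%s\n' "$2" "$host" "${auth:-unset}"
    fi
}

# Write four constructed sample configs (not taken from a real host) into a
# temporary directory and print its path.
make_samples() {
    dir=$(mktemp -d)
    # shipped defaults: every setting still commented out
    printf '#network.host: 192.168.0.1\n#xpack.security.enabled: true\n' > "$dir/es-default.yml"
    # bound to all interfaces for remote Beats and Kibana, security untouched
    printf 'network.host: 0.0.0.0\ndiscovery.type: single-node\n' > "$dir/es-open.yml"
    # the same, with security switched on
    printf 'network.host: "0.0.0.0"\ndiscovery.type: single-node\nxpack.security.enabled: true\n' > "$dir/es-secured.yml"
    # Kibana bound to the server address for remote browser access
    printf 'server.port: 5601\nserver.host: "192.0.2.10"  # audit box\n' > "$dir/kibana-remote.yml"
    printf '%s\n' "$dir"
}

# Run the samples through the check and print one line per case.
main() {
    dir=$(make_samples)
    for f in es-default es-open es-secured; do
        printf '%-15s %s\n' "$f:" "$(check_exposure "$dir/$f.yml" network.host "$dir/$f.yml")"
    done
    printf '%-15s %s\n' "kibana/es-open:" "$(check_exposure "$dir/kibana-remote.yml" server.host "$dir/es-open.yml")"
    printf '%-15s %s\n' "kibana/secured:" "$(check_exposure "$dir/kibana-remote.yml" server.host "$dir/es-secured.yml")"
    rm -rf "$dir"
}

main
```

To run it against a real installation, call `check_exposure` with the actual files, for example `check_exposure /etc/elasticsearch/elasticsearch.yml network.host /etc/elasticsearch/elasticsearch.yml` and `check_exposure /etc/kibana/kibana.yml server.host /etc/elasticsearch/elasticsearch.yml`. When you do bind Elasticsearch to a routable address, the node enters production mode and needs `discovery.type: single-node` (as in the samples) or a proper discovery configuration to pass the bootstrap checks; after enabling security, run `/usr/share/elasticsearch/bin/elasticsearch-setup-passwords interactive` to set the built-in users' passwords and give Kibana the `kibana_system` credentials via `elasticsearch.username` and `elasticsearch.password` in `kibana.yml`.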
That completes the ELK log audit setup. Install Filebeat (or Auditbeat) on the hosts to be audited and point it at TCP 5044 on this server to start collecting events.
Contributor: 刘强@垣通 (email: 16129997@qq.com)