ELK functions
    1. Kibana is used to display data
    2. Elasticsearch is used to store data
    3. Logstash is used to collect data

    Installing Logstash
    4. Depends on a Java environment
    5. Download the binary installation archive
    6. Extract it into the target directory, /usr/local/, to complete the installation

    Installing Logstash (192.168.10.12)
    Remember to install the JDK
    tar xvf logstash-6.6.0.tar.gz -C /usr/local/
    Update the Logstash JVM configuration file /usr/local/logstash-6.6.0/config/jvm.options
    [root@server12 ~]# vim /usr/local/logstash-6.6.0/config/jvm.options
    -Xms200M
    -Xmx200M

    What Logstash supports
    7. Logstash is split into inputs and outputs
    8. Inputs: standard input, log files, etc.
    9. Outputs: standard output, ES, etc.

    Simplest Logstash configuration /usr/local/logstash-6.6.0/config/logstash.conf
    [root@server12 ~]# vim /usr/local/logstash-6.6.0/config/logstash.conf
    input {
      stdin {}
    }
    output {
      stdout {
        codec => rubydebug
      }
    }

    Starting and testing Logstash
    The haveged project aims to provide an easy-to-use, unpredictable random number generator based on the HAVEGE algorithm.
    10. yum install haveged -y; systemctl enable haveged; systemctl start haveged; systemctl status haveged
    11. Foreground start: /usr/local/logstash-6.6.0/bin/logstash -f /usr/local/logstash-6.6.0/config/logstash.conf
    12. Background start: nohup /usr/local/logstash-6.6.0/bin/logstash -f /usr/local/logstash-6.6.0/config/logstash.conf >/tmp/logstash.log 2>&1 &
    13. Test standard input and output
    When started in the foreground you can see the following messages
    [2022-03-12T09:33:54,070][INFO ][logstash.pipeline ] Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>1, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50}
    [2022-03-12T09:33:54,595][INFO ][logstash.pipeline ] Pipeline started successfully {:pipeline_id=>"main", :thread=>"#"}
    The stdin plugin is now waiting for input:
    [2022-03-12T09:33:54,737][INFO ][logstash.agent ] Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
    [2022-03-12T09:33:56,131][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600}
    {
    "message" => "",
    "host" => "server12",
    "@timestamp" => 2022-03-12T14:33:54.862Z,
    "@version" => "1"
    }
    {
    "message" => "",
    "host" => "server12",
    "@timestamp" => 2022-03-12T14:33:54.896Z,
    "@version" => "1"
    }

    jaking
    {
    "message" => "jaking",
    "host" => "server12",
    "@timestamp" => 2022-03-12T14:35:39.565Z,
    "@version" => "1"
    }
    jaking2022
    {
    "message" => "jaking2022",
    "host" => "server12",
    "@timestamp" => 2022-03-12T14:35:46.117Z,
    "@version" => "1"
    }

    Logstash reading a log file: /usr/local/logstash-6.6.0/config/logstash.conf
    [root@server12 ~]# vim /usr/local/logstash-6.6.0/config/logstash.conf
    input {
      file {
        path => "/var/log/secure"
      }
    }
    output {
      stdout {
        codec => rubydebug
      }
    }

    Restart logstash
    [root@server12 ~]# /usr/local/logstash-6.6.0/bin/logstash -f /usr/local/logstash-6.6.0/config/logstash.conf
    Restart haveged
    [root@server12 ~]# systemctl restart haveged

    Observe the Logstash running state and the /var/log/secure log

    [root@server12 ~]# /usr/local/logstash-6.6.0/bin/logstash -f /usr/local/logstash-6.6.0/config/logstash.conf
    Sending Logstash logs to /usr/local/logstash-6.6.0/logs which is now configured via log4j2.properties
    [2022-03-12T09:39:45,423][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified
    [2022-03-12T09:39:45,452][INFO ][logstash.runner ] Starting Logstash {"logstash.version"=>"6.6.0"}
    [2022-03-12T09:40:01,300][INFO ][logstash.pipeline ] Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>1, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50}
    [2022-03-12T09:40:02,027][INFO ][logstash.inputs.file ] No sincedb_path set, generating one based on the "path" setting {:sincedb_path=>"/usr/local/logstash-6.6.0/data/plugins/inputs/file/.sincedb_730aea1d074d4636ec2eacfacc10f882", :path=>["/var/log/secure"]}
    [2022-03-12T09:40:02,152][INFO ][logstash.pipeline ] Pipeline started successfully {:pipeline_id=>"main", :thread=>"#"}
    [2022-03-12T09:40:02,271][INFO ][logstash.agent ] Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
    [2022-03-12T09:40:02,494][INFO ][filewatch.observingtail ] START, creating Discoverer, Watch with file and sincedb collections
    [2022-03-12T09:40:03,230][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600}
    {
    "message" => "Mar 12 09:40:32 jaking polkitd[728]: Registered Authentication Agent for unix-process:3489:2358070 (system bus name :1.81 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)",
    "path" => "/var/log/secure",
    "@timestamp" => 2022-03-12T14:40:33.532Z,
    "host" => "server12",
    "@version" => "1"
    }
    {
    "message" => "Mar 12 09:40:32 jaking polkitd[728]: Unregistered Authentication Agent for unix-process:3489:2358070 (system bus name :1.81, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)",
    "path" => "/var/log/secure",
    "@timestamp" => 2022-03-12T14:40:33.590Z,
    "host" => "server12",
    "@version" => "1"
    }

    [root@server12 ~]# tail -f /var/log/secure
    Mar 12 09:22:43 jaking polkitd[728]: Registered Authentication Agent for unix-process:3298:2251180 (system bus name :1.77 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
    Mar 12 09:22:43 jaking polkitd[728]: Unregistered Authentication Agent for unix-process:3298:2251180 (system bus name :1.77, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
    Mar 12 09:25:25 jaking polkitd[728]: Registered Authentication Agent for unix-process:3345:2267330 (system bus name :1.78 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
    Mar 12 09:25:25 jaking polkitd[728]: Unregistered Authentication Agent for unix-process:3345:2267330 (system bus name :1.78, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
    Mar 12 09:25:25 jaking polkitd[728]: Registered Authentication Agent for unix-process:3363:2267336 (system bus name :1.79 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
    Mar 12 09:25:25 jaking polkitd[728]: Unregistered Authentication Agent for unix-process:3363:2267336 (system bus name :1.79, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
    Mar 12 09:32:36 jaking sshd[3372]: Accepted password for root from 192.168.10.1 port 3261 ssh2
    Mar 12 09:32:37 jaking sshd[3372]: pam_unix(sshd:session): session opened for user root by (uid=0)
    Mar 12 09:40:32 jaking polkitd[728]: Registered Authentication Agent for unix-process:3489:2358070 (system bus name :1.81 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
    Mar 12 09:40:32 jaking polkitd[728]: Unregistered Authentication Agent for unix-process:3489:2358070 (system bus name :1.81, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
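    The file-input config above emits every /var/log/secure line as one unparsed "message" field. As an added example that is not part of these notes, the pipeline below inserts a filter stage between the same input and output: the first grok splits the syslog header from the body, the second structures sshd lines such as the "Accepted password for root from 192.168.10.1" entry in the tail output, and a conditional tags root password logins so they stand out in Kibana. The start_position and sincedb_path settings are a lab assumption so the existing file is replayed from the beginning; the other patterns and field names are the standard grok ones.

```conf
input {
  file {
    path => "/var/log/secure"
    # Lab assumption: re-read the whole file on every start and keep no offset.
    # In production remove both lines so Logstash resumes from its sincedb file
    # (the auto-generated path is shown in the startup log above).
    start_position => "beginning"
    sincedb_path => "/dev/null"
  }
}

filter {
  # SYSLOGBASE yields timestamp, logsource, program and pid; the rest is the body.
  grok {
    match => { "message" => "%{SYSLOGBASE} %{GREEDYDATA:syslog_message}" }
  }

  # Second pass only for sshd: who logged in, by which method, from where.
  if [program] == "sshd" {
    grok {
      match => { "syslog_message" => "Accepted %{WORD:auth_method} for %{USERNAME:user} from %{IP:source_ip} port %{POSINT:source_port} ssh2" }
      # Not every sshd line is a login, so do not tag the others as failures.
      tag_on_failure => []
    }
    # Interactive password logins as root are worth flagging for review.
    if [auth_method] == "password" and [user] == "root" {
      mutate { add_tag => [ "root_password_login" ] }
    }
  }

  # Use the time syslog wrote the line, not the time Logstash read it,
  # otherwise a replayed file gets today's @timestamp on every event.
  date {
    match => [ "timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
  }
}

output {
  stdout {
    codec => rubydebug
  }
}
```

    Start it with the same bin/logstash -f command as above; the sshd event will now carry auth_method, user, source_ip, source_port and the root_password_login tag alongside the original message.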