ELK日志分析系统

1主节点10，2个数据节点20，30。3台机器全部安装jdk8（openjdk即可）
Yum install -y java-1.8.0-openjdk
192.168.16.10      elasticsearch+kibana            ELK-1
192.168.16.20        elasticsearch+logstash        ELK-2
192.168.16.30        elasticsearch                ELK-3
2.基础环境配置：
（1）修改主机名：
使用hostnamectl命令修改3个主机名，以做区分
elk-1节点
[root@localhost ~]# hostnamectl set-hostname elk-1
#修改完后ctrl+d退出后重新连接
[root@elk-1 ~]# 
elk-2节点
[root@localhost ~]# hostnamectl set-hostname elk-2
[root@elk-2 ~]# 
elk-3节点
[root@localhost ~]# hostnamectl set-hostname elk-3
[root@elk-3 ~]# 
（2）配置hosts文件
3个节点配置相同(以elk-1节点为例)，命令如下：
elk-1节点：
[root@elk-1 ~]# vi /etc/hosts
[root@elk-1 ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.16.10 elk-1
192.168.16.20 elk-2
192.168.16.30 elk-3
（3）安装jdk
部署ELK环境需要jdk1.8以上的JDK版本软件环境，我们使用opnejdk1.8，3节点全部安装（以elk-1节点为例），命令如下：
elk-1节点：
[root@elk-1 ~]# yum install -y java-1.8.0-openjdk java-1.8.0-openjdk-devel
……
[root@elk-1 ~]# java -version
openjdk version "1.8.0_242"
OpenJDK Runtime Environment (build 1.8.0_242-b08)
OpenJDK 64-Bit Server VM (build 25.242-b08, mixed mode)
3.elasticserach安装
（1）安装es
将提供的rpm包上传至3台节点的/root/目录下，或者上传至一节点后使用scp进行copy，之后使用rpm语句进行安装，3节点全部安装：
Scp复制命令：
[root@elk-1 ~]# scp elasticsearch-6.0.0.rpm elk-3:/root/     
# scp 文件 复制到的主机名：目录
The authenticity of host 'elk-3 (192.168.16.30)' can't be established.
ECDSA key fingerprint is f3:72:41:05:79:cd:52:9b:a6:98:f0:5b:e8:5f:26:3d.
Are you sure you want to continue connecting (yes/no)? y  
#第一次连接会询问你确定连接？第二次连接就会只让你输入密码。
Please type 'yes' or 'no': yes
Warning: Permanently added 'elk-3,192.168.16.30' (ECDSA) to the list of known hosts.
root@elk-3's password:   #连接的机器的密码，就是elk-3这台机器root登入的密码
elasticsearch-6.0.0.rpm      100%  298     0.3KB/s   00:00  
elk-3节点查看是否复制过去：  
[root@elk-3 ~]# ls
anaconda-ks.cfg  elasticsearch-6.0.0.rpm
elk-1节点：
[root@elk-1 ~]# rpm -ivh elasticsearch-6.0.0.rpm 
                  #i表示安装，v表示显示安装过程，h表示显示进度
warning: elasticsearch-6.0.0.rpm: Header V4 RSA/SHA512 Signature, key ID d88e42b4: NOKEY
Preparing...                          ################################# [100%]
Creating elasticsearch group... OK
Creating elasticsearch user... OK
Updating / installing...
   1:elasticsearch-0:6.0.0-1          ################################# [100%]
### NOT starting on installation, please execute the following statements to configure elasticsearch service to start automatically using systemd
 sudo systemctl daemon-reload
 sudo systemctl enable elasticsearch.service
### You can start elasticsearch service by executing
 sudo systemctl start elasticsearch.service
elk-2节点：
[root@elk-2 ~]# rpm -ivh elasticsearch-6.0.0.rpm 
warning: elasticsearch-6.0.0.rpm: Header V4 RSA/SHA512 Signature, key ID d88e42b4: NOKEY
Preparing...                          ################################# [100%]
Creating elasticsearch group... OK
Creating elasticsearch user... OK
Updating / installing...
   1:elasticsearch-0:6.0.0-1          ################################# [100%]
### NOT starting on installation, please execute the following statements to configure elasticsearch service to start automatically using systemd
 sudo systemctl daemon-reload
 sudo systemctl enable elasticsearch.service
### You can start elasticsearch service by executing
 sudo systemctl start elasticsearch.service
elk-3节点：
[root@elk-3 ~]# rpm -ivh elasticsearch-6.0.0.rpm 
warning: elasticsearch-6.0.0.rpm: Header V4 RSA/SHA512 Signature, key ID d88e42b4: NOKEY
Preparing...                          ################################# [100%]
Creating elasticsearch group... OK
Creating elasticsearch user... OK
Updating / installing...
   1:elasticsearch-0:6.0.0-1          ################################# [100%]
### NOT starting on installation, please execute the following statements to configure elasticsearch service to start automatically using systemd
 sudo systemctl daemon-reload
 sudo systemctl enable elasticsearch.service
### You can start elasticsearch service by executing
 sudo systemctl start elasticsearch.service
（2）配置es
配置elasticsearch的配置文件，配置文件在/etc/elasticsearch/elasticsearch.yml
Elk-1节点：增加以下红色字样（//为解释，这里用不到的配置文件被删除），注意IP
[root@elk-1 ~]# vi /etc/elasticsearch/elasticsearch.yml 
[root@elk-1 ~]# cat /etc/elasticsearch/elasticsearch.yml 
# ======= Elasticsearch Configuration ===========
#
# NOTE: Elasticsearch comes with reasonable defaults for most settings.
#       Before you set out to tweak and tune the configuration, make sure you
#       understand what are you trying to accomplish and the consequences.
#
# The primary way of configuring a node is via this file. This template lists
# the most important settings you may want to configure for a production cluster.
#
# Please consult the documentation for further information on configuration options:
# https://www.elastic.co/guide/en/elasticsearch/reference/index.html
#
# ------------------Cluster --------------------
# Use a descriptive name for your cluster:
cluster.name: ELK  //配置es的集群名称，默认是elasticsearch，es会自动发现在同一网段下的es，如果在同一网段下有多个集群，就可以用这个属性来区分不同的集群。
# ------------------------Node -----------------
# Use a descriptive name for the node:
node.name: elk-1    //节点名，默认随机指定一个name列表中名字，该列表在es的jar包中config文件夹里name.txt文件中，其中有很多作者添加的有趣名字。
node.master: true    //指定该节点是否有资格被选举成为node，默认是true，es是默认集群中的第一台机器为master，如果这台机挂了就会重新选举master。 其他两节点为false
node.data: false    //指定该节点是否存储索引数据，默认为true。其他两节点为true
# ----------------- Paths ----------------
# Path to directory where to store the data (separate multiple locations by comma):
path.data: /var/lib/elasticsearch //索引数据存储位置(保持默认,不要开启注释)
# Path to log files:
path.logs: /var/log/elasticsearch //设置日志文件的存储路径，默认是es根目录下的logs文件夹
# --------------- Network ------------------
# Set the bind address to a specific IP (IPv4 or IPv6):
network.host: 192.168.16.10  //设置绑定的ip地址，可以是ipv4或ipv6的，默认为0.0.0.0。
# Set a custom port for HTTP:
http.port: 9200  //启动的es对外访问的http端口，默认9200
# For more information, consult the network module documentation.
# --------------------Discovery ----------------
# Pass an initial list of hosts to perform discovery when new node is started:
# The default list of hosts is ["127.0.0.1", "[::1]"]
#discovery.zen.ping.unicast.hosts: ["host1", "host2"]
discovery.zen.ping.unicast.hosts: ["elk-1","elk-2","elk-3"] //设置集群中master节点的初始列表，可以通过这些节点来自动发现新加入集群的节点。
Elk-2节点：
[root@elk-2 ~]# vi /etc/elasticsearch/elasticsearch.yml 
[root@elk-2 ~]# cat /etc/elasticsearch/elasticsearch.yml |grep -v ^# |grep -v ^$
cluster.name: ELK
node.name: elk-2
node.master: false
node.data: true
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 192.168.16.20
http.port: 9200
discovery.zen.ping.unicast.hosts: ["elk-1","elk-2","elk-3"]
Elk-3节点：
[root@elk-2 ~]# vi /etc/elasticsearch/elasticsearch.yml 
[root@elk-2 ~]# cat /etc/elasticsearch/elasticsearch.yml |grep -v ^# |grep -v ^$
cluster.name: ELK
node.name: elk-3
node.master: false
node.data: true
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 192.168.16.30
http.port: 9200
discovery.zen.ping.unicast.hosts: ["elk-1","elk-2","elk-3"]
（3）启动服务
通过命令启动es服务，启动后使用ps命令查看进程是否存在或者使用netstat命令查看是否端口启动。命令如下：（3个节点命令相同）
[root@elk-1 ~]# systemctl start elasticsearch
[root@elk-1 ~]# ps -ef |grep elasticsearch
elastic+  19280      1  0 09:00 ?        00:00:54 /bin/java -Xms1g -Xmx1g -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -XX:+AlwaysPreTouch -server -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/var/lib/elasticsearch -Des.path.home=/usr/share/elasticsearch -Des.path.conf=/etc/elasticsearch -cp /usr/share/elasticsearch/lib/* org.elasticsearch.bootstrap.Elasticsearch -p /var/run/elasticsearch/elasticsearch.pid --quiet
root      19844  19230  0 10:54 pts/0    00:00:00 grep --color=auto elasticsearch
[root@elk-1 ~]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1446/sshd           
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1994/master         
tcp6       0      0 192.168.16.10:9200      :::*                    LISTEN      19280/java          
tcp6       0      0 192.168.16.10:9300      :::*                    LISTEN      19280/java          
tcp6       0      0 :::22                   :::*                    LISTEN      1446/sshd           
tcp6       0      0 ::1:25                  :::*                    LISTEN      1994/master 
有以上端口或者进程存在，证明es服务启动成功。
（4）检测集群状态
通过curl 'IP:9200/_cluster/health?pretty'  来检查集群状态，命令如下
Elk-1节点：
[root@elk-1 ~]# curl '192.168.16.10:9200/_cluster/health?pretty'
{
  "cluster_name" : "ELK",
  "status" : "green",    //为green则代表健康没问题，yellow或者red    则是集群有问题
  "timed_out" : false,    //是否有超时
  "number_of_nodes" : 3, //集群中的节点数量
  "number_of_data_nodes" : 2,    //集群中data节点的数量
  "active_primary_shards" : 1,
  "active_shards" : 2,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0
}
4.部署kibana
（1）安装kibana
通过scrt把kibana的rpm包上传至elk-1节点的root的目录下。其他节点不需上传。
[root@elk-1 ~]# rpm -ivh kibana-6.0.0-x86_64.rpm 
warning: kibana-6.0.0-x86_64.rpm: Header V4 RSA/SHA512 Signature, key ID d88e42b4: NOKEY
Preparing...                          ################################# [100%]
Updating / installing...
   1:kibana-6.0.0-1                   ################################# [100%]
（2）配置kibana
配置kibana的配置文件，配置文件在/etc/kibana/kibana.yml，在配置文件增加或修改以下内容：
[root@elk-1 ~]# vi /etc/kibana/kibana.yml 
[root@elk-1 ~]# cat /etc/kibana/kibana.yml |grep -v ^#
server.port: 5601
server.host: 192.168.16.10
elasticsearch.url: "http://192.168.16.10:9200"
（3）启动kibana
[root@elk-1 ~]# systemctl start kibana
[root@elk-1 ~]# ps -ef |grep kibana
kibana    19958      1 41 11:26 ?        00:00:03 /usr/share/kibana/bin/../node/bin/node --no-warnings /usr/share/kibana/bin/../src/cli -c /etc/kibana/kibana.yml
root      19970  19230  0 11:26 pts/0    00:00:00 grep --color=auto kibana
[root@elk-1 ~]# netstat -lntp |grep node
tcp        0      0 192.168.16.10:5601      0.0.0.0:*               LISTEN      19958/node     
启动成功后网页访问，可以访问到如下界面。
5.Logstash部署：
（1）安装logstash
通过scrt把kibana的rpm包上传至elk-2节点的root的目录下。其他节点不需上传。
[root@elk-2 ~]# rpm -ivh logstash-6.0.0.0.rpm 
warning: logstash-6.0.0.0.rpm: Header V4 RSA/SHA512 Signature, key ID d88e42b4: NOKEY
Preparing...                          ################################# [100%]
Updating / installing...
   1:logstash-1:6.0.0-1               ################################# [100%]
Using provided startup.options file: /etc/logstash/startup.options
（2）配置logstash
配置/etc/logstash/logstash.yml，修改增加如下：
[root@elk-2 ~]# vi /etc/logstash/logstash.yml
http.host: "192.168.16.20"
配置logstash收集syslog日志
[root@elk-2 ~]# vi /etc/logstash/conf.d/syslog.conf 
[root@elk-2 ~]# cat /etc/logstash/conf.d/syslog.conf 
input {   //定义日志源
    file {
        path => "/var/log/messages"  //定义日志来源路径  目录要给644权限，不然无法读取日志
        type => "systemlog"   //定义类型
        start_position => "beginning" 
        stat_interval => "3" 
    }
}
output {   //定义日志输出
    if [type] == "systemlog" {
        elasticsearch {
            hosts => ["192.168.16.10:9200"]
            index => "system-log-%{+YYYY.MM.dd}"
        }
    }
}
上边的忽略写下面的
input {
syslog {
type => “systemlog”
port => 10514
}
}
output {
stdout {
codec => rubydebug
}
}
检测配置文件是否错误：
[root@elk-2 ~]# ln -s /usr/share/logstash/bin/logstash /usr/bin #创建软连接，方便使用logstash命令
[root@elk-2 ~]# logstash --path.settings /etc/logstash/ -f /etc/logstash/conf.d/syslog.conf --config.test_and_exit
Sending Logstash's logs to /var/log/logstash which is now configured via log4j2.properties
Configuration OK #为ok则代表没问题
--path.settings 用于指定logstash的配置文件所在的目录
-f 指定需要被检测的配置文件的路径
--config.test_and_exit 指定检测完之后就退出，不然就会直接启动了
（3）启动logstash
检查配置文件没有问题后启动logstash服务，
[root@elk-2 ~]# vi /etc/rsyslog.conf
在#### RULES ####增加一行 
*.* @@192.168.16.20:10514
[root@elk-2 ~]# systemctl start logstash
查看进程ps
[root@elk-2 ~]# yum  install policycoreutils-python -y
[root@elk-2 ~]# semanage port -l | grep syslog
[root@elk-2 ~]#ps -ef |grep logstash
logstash  21835      1 12 16:45 ?        00:03:01 /bin/java -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -XX:+DisableExplicitGC -Djava.awt.headless=true -Dfile.encoding=UTF-8 -XX:+HeapDumpOnOutOfMemoryError -Xmx1g -Xms256m -Xss2048k -Djffi.boot.library.path=/usr/share/logstash/vendor/jruby/lib/jni -Xbootclasspath/a:/usr/share/logstash/vendor/jruby/lib/jruby.jar -classpath : -Djruby.home=/usr/share/logstash/vendor/jruby -Djruby.lib=/usr/share/logstash/vendor/jruby/lib -Djruby.script=jruby -Djruby.shell=/bin/sh org.jruby.Main /usr/share/logstash/lib/bootstrap/environment.rb logstash/runner.rb --path.settings /etc/logstash
root      21957  20367  0 17:10 pts/2    00:00:00 grep --color=auto logstash
查看端口netstat -lntp
[root@elk-2 ~]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1443/sshd           
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2009/master         
tcp6       0      0 192.168.16.20:9200      :::*                    LISTEN      19365/java          
tcp6       0      0 :::10514                :::*                    LISTEN      21835/java          
tcp6       0      0 192.168.16.20:9300      :::*                    LISTEN      19365/java          
tcp6       0      0 :::22                   :::*                    LISTEN      1443/sshd           
tcp6       0      0 ::1:25                  :::*                    LISTEN      2009/master         
tcp6       0      0 192.168.16.20:9600      :::*                    LISTEN      21835/java   
启动服务后，有进程但是没有端口的问题解决：
[root@elk-2 ~]# cat /var/log/logstash/logstash-plain.log
权限问题，因为之前我们以root的身份在终端启动过logstash，所以产生的相关文件的属组属主都是root
[root@elk-2 ~]# ll /var/lib/logstash/  
total 4
drwxr-xr-x. 2 root root      6 Dec  6 15:45 dead_letter_queue
drwxr-xr-x. 2 root root      6 Dec  6 15:45 queue
-rw-r--r--. 1 root root     36 Dec  6 15:45 uuid
[root@elk-2 ~]# chown -R logstash /var/lib/logstash/
[root@elk-2 ~]# systemctl restart logstash #重启服务后即可
启动完毕后，让syslog产生日志，用第三台主机登录elk-2机器，登录后退出。
6.完善
（1）kibana上查看日志
之前部署kibana完成后，还没有检索日志。现在logstash部署完成，我们回到kibana服务器上查看日志索引，执行命令如下：
[root@elk-1 ~]# curl '192.168.16.10:9200/_cat/indices?v'
health status index                 uuid                   pri rep docs.count docs.deleted store.size pri.store.size
green  open   system-log-2019.12.06 UeKk3IY6TiebNu_OD04YZA   5   1        938            0      816kb        412.2kb
green  open   .kibana               KL7WlNw_T7K36_HSbchBcw   1   1          1            0      7.3kb          3.6kb
获取/删除指定索引详细信息
[root@elk-1 ~]# curl -XGET/DELETE '192.168.16.10:9200/system-log-2019.12.06?pretty'
{
  "system-log-2019.12.06" : {
    "aliases" : { },
    "mappings" : {
      "systemlog" : {
        "properties" : {
          "@timestamp" : {
            "type" : "date"
          },
          "@version" : {
            "type" : "text",
            "fields" : {
              "keyword" : {
                "type" : "keyword",
                "ignore_above" : 256
              }
            }
          },
          "host" : {
            "type" : "text",
            "fields" : {
              "keyword" : {
                "type" : "keyword",
                "ignore_above" : 256
              }
            }
          },
          "message" : {
            "type" : "text",
            "fields" : {
              "keyword" : {
                "type" : "keyword",
                "ignore_above" : 256
              }
            }
          },
          "path" : {
            "type" : "text",
            "fields" : {
              "keyword" : {
                "type" : "keyword",
                "ignore_above" : 256
              }
            }
          },
          "type" : {
            "type" : "text",
            "fields" : {
              "keyword" : {
                "type" : "keyword",
                "ignore_above" : 256
              }
            }
          }
        }
      }
    },
    "settings" : {
      "index" : {
        "creation_date" : "1575609559879",
        "number_of_shards" : "5",
        "number_of_replicas" : "1",
        "uuid" : "UeKk3IY6TiebNu_OD04YZA",
        "version" : {
          "created" : "6000099"
        },
        "provided_name" : "system-log-2019.12.06"
      }
    }
  }
}
（2）web界面配置
浏览器访问192.168.16.10:5601,到kibana上配置 索引：
配置完成后，点击Discover,进入 “Discover” 页面后如果出现以下提示，则是代表无法查找到日志信息：
这种情况一般是时间的问题，点击右上角切换成查看当天的日志信息,由于我虚拟机的时间是19-12-06.所以我要把时间调整到那一天。
现在就正常了：

Logstash收集Nginx日志

    [root@elk-2 ~]# vi /etc/logstash/conf.d/nginx.conf，
input {
  file {
   path => "/tmp/elk_access.log"
start_position => "beginning"
type => "nginx"
  }
}
filter {
    grok {
        match => { "message" => "%{IPORHOST:http_host} %{IPORHOST:clientip} - %    {USERNAME:remote_user} \[%{HTTPDATE:timestamp}\] \"(?:%{WORD:http_verb} %{NOTSPACE:http_request}(?: HTTP/%{NUMBER:http_version})?|%{DATA:raw_http_request})\" %{NUMBER:response} (?:%{NUMBER:bytes_read}|-) %{QS:referrer} %{QS:agent} %{QS:xforwardedfor} %{NUMBER:request_time:float}"}
}
geoip {
    source => "clientip"
}
}
output {
stdout { codec => rubydebug }
elasticsearch {
    hosts => ["192.168.200.11:9200"]
index => "nginx-test-%{+YYYY.MM.dd}"
  }
}

使用logstash命令检查文件是否错误：

[root@elk-2 ~]# logstash --path.settings /etc/logstash/ -f /etc/logstash/conf.d/nginx.conf --config.test_and_exit

Sending Logstash's logs to /var/log/logstash which is now configured via log4j2.properties
Configuration OK

编辑监听Nginx日志配置文件，加入如下内容：

[root@elk-2 ~]# vi /etc/nginx/conf.d/elk.conf 
 server {
        listen 80;
        server_name elk.com;

        location / {
            proxy_pass      http://192.168.40.11:5601;
            proxy_set_header Host   $host;
            proxy_set_header X-Real-IP      $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
        access_log  /tmp/elk_access.log main2;
    }

修改Nginx日志配置文件，增加如下内容（需注意Nginx配置文件格式，在accesslog上方添加以下内容）：

[root@elk-2 ~]#vim /etc/nginx/nginx.conf 
log_format main2 '$http_host $remote_addr - $remote_user [$time_local] "$request" '
                  '$status $body_bytes_sent "$http_referer" '
                  '"$http_user_agent" "$upstream_addr" $request_time';
[root@elk-2 ~]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@elk-2 ~]# 
[root@elk-2 ~]# systemctl start nginx
[root@elk-2 ~]# systemctl restart logstash

在/etc/hosts文件和编辑C:\Windows\System32\drivers\etc\hosts文件中添加下面信息：
192.168.200.12 elk.com
浏览器访问192.168.150.159:5601，到Kibana上配置索引

使用Beats采集日志

在elk-3主机上下载和安装Beats：
[root@elk-3 ~]# wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-6.0.0-x86_64.rpm

[root@elk-3 ~]# rpm -ivh filebeat-6.0.0-x86_64.rpm
2. 配置Beats
编辑配置文件：

 [root@elk-3 ~]#  vim /etc/filebeat/filebeat.yml 
filebeat.prospectors:
  #enabled: false //注释掉该参数
  paths:
- /var/log/elasticsearch/elk.log    //此处可自行改为想要监听的日志文件
output.elasticsearch:
  hosts: ["192.168.200.11:9200"]
  [root@elk-3 ~]#  systemctl start  filebeat

在elk-1主机上使用curl ‘192.168.200.11:9200/_cat/indices?v’命令查看是否监听到elk-3主机上的日志