1.系统环境设置
1.1 安装环境:
硬件环境:VMware虚拟机
操作系统:centos 7
ELK相关软件版本: 6.3.2
[bj1100@vm-es-01 Downloads]$ uname -a
Linux vm-es-01 3.10.0-514.el7.x86_64 #1 SMP Tue Nov 22 16:42:41 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
[bj1100@vm-es-01 Downloads]$ 1.2 关闭selinux、防火墙(包括开机启动)
systemctl stop firewalld
systemctl disable firewalld
sed -i '/^SELINUX=/s/enforcing/disabled/' /etc/selinux/config
grep '^SELINUX=' /etc/selinux/config
setenforce off1.3 设置主机名和tcp连接数
cat /etc/hostname
#如果想起个名字可以用下面命令永久生效
hostnamectl set-hostname vm-es-01Linux 服务器查看服务器默认的 tcp 连接数命令是 ulimit -n,阿里云默认的 tcp 连接数是 65535,超过
会有影响,我这里也采用阿里云的方式,如果物理机其实可以设置大 10 倍也没问题。
cat>>/etc/security/limits.conf<<EOF
#by hua
* soft nofile 655350
* hard nofile 655350
EOF
cat /etc/security/limits.conf
ulimit -n
sysctl -w vm.max_map_count=655360
sysctl -a |grep "vm.max_map_count"2.安装jdk
elasticsearch依赖于java。
注:centos7自带java8,但是如果要安装xpath和logstash,需要javac,建议手动重新安装java的rpm包。
参考: https://blog.csdn.net/bao19901210/article/details/52091867
2.1 卸载旧版本的JDK
rpm -qa | grep jdk
rpm -qa | grep gcj
yum -y remove ***2.2安装下载的新版本
rpm -ivh jdk-8u144-linux-x64.rpm --nodeps --force2.3 查看jdk版本
[bj1100@vm-es-01 Downloads]$ java -version
java version "1.8.0_144"
Java(TM) SE Runtime Environment (build 1.8.0_144-b01)
Java HotSpot(TM) 64-Bit Server VM (build 25.144-b01, mixed mode)
[bj1100@vm-es-01 Downloads]$ javac -version
javac 1.8.0_144
[bj1100@vm-es-01 Downloads]$ 3.epel 源安装
rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm4. 安装 ELK6.x
rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
cat>/etc/yum.repos.d/elasticsearch.repo<<EOF
[elasticsearch-6.x]
name=Elasticsearch repository for 6.x packages
baseurl=https://artifacts.elastic.co/packages/6.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOF
yum install elasticsearch logstash kibana -y
4.elasticsearch 简单配置及启动
4.1 查看安装相关
rpm -ql elasticsearch-6.2.3-1.noarch
rpm -ql elasticsearch-6.2.3-1.noarch|grep 'elasticsearch/bin'
cd /etc/elasticsearch/
cp elasticsearch.yml elasticsearch.yml.orig4.2 修改配置
#建立数据目录和日志目录
mkdir -p /disk1/elkDate/elasticsearch
mkdir -p /disk1/logs/elasticsearch
chown elasticsearch.elasticsearch -R /disk1/elkDate/elasticsearch
chown elasticsearch.elasticsearch -R /disk1/logs/elasticsearch#修改数据目录和日志目录
sed -i '/path.data/s#/path/to/data#/disk1/elkDate/elasticsearch#' elasticsearch.yml
sed -i '/path.data/s/#//' elasticsearch.yml
sed -i '/path.logs/s#/path/to/logs#/disk1/logs/elasticsearch#' elasticsearch.yml
sed -i '/path.logs/s/#//' elasticsearch.yml
grep 'path.' elasticsearch.yml#修改 ip 地址为内网(或者为公网 0.0.0.0)
sed -i '/network.host/s/0.1/157.144/' elasticsearch.yml
sed -i '/network.host/s/#//' elasticsearch.yml
grep 'network.host' elasticsearch.yml#避免出现跨域问题
cat>>/etc/elasticsearch/elasticsearch.yml<<EOF
#by hua
http.cors.allow-origin: "*"
http.cors.enabled: true
#xpack.security.authc:
# anonymous:
# username: elastic
# roles: superuser
# authz_exception: true
EOF
tail -10 /etc/elasticsearch/elasticsearch.yml4.3 启动
systemctl daemon-reload
systemctl enable elasticsearch.service
systemctl start elasticsearch
systemctl status elasticsearch
sleep 20
netstat -altnp|grep 92004.4 浏览器查看
http://192.168.157.144:9200
5 kibana 简单配置及启动
5.1 yum安装
yum -y install kibana安装完成后查看
rpm -ql kibana-6.3.2-1.x86_64|grep 'kibana/bin'5.2. 修改配置
cd /etc/kibana/
cp kibana.yml kibana.yml.orig#修改 ip 地址为内网网卡 IP
sed -i '/#server.host/s/"localhost"/192.168.33.160/' kibana.yml
sed -i '/#server.host/s/#//' kibana.yml
grep 'server.host' kibana.yml
sed -i '/elasticsearch.url/s/localhost/192.168.33.160/' kibana.yml
sed -i '/elasticsearch.url/s/#//' kibana.yml
grep 'elasticsearch.url' kibana.yml5.3 启动
systemctl start kibana
systemctl restart kibana
systemctl status kibana
sleep 30
netstat -altnp|grep 56016.logstash 简单配置及启动
logstash 对于初学者来说是最容易出问题的,所以一下要开 2 个 SSH,一个是命令操作,一个用
看查看日志,要保证不要报错。
6.1. 查看安装相关
yum -y install logstash
rpm -ql logstash-6.3.2-1.noarch|egrep -v "/usr/share"#查看命令
[root@vm1 logstash]#rpm -ql logstash-6.3.2-1.noarch |grep 'logstash/bin'
/usr/share/logstash/bin/cpdump
/usr/share/logstash/bin/ingest-convert.sh
/usr/share/logstash/bin/logstash
/usr/share/logstash/bin/logstash-plugin
/usr/share/logstash/bin/logstash-plugin.bat
/usr/share/logstash/bin/logstash.bat
/usr/share/logstash/bin/logstash.lib.sh
/usr/share/logstash/bin/ruby
/usr/share/logstash/bin/setup.bat
/usr/share/logstash/bin/system-install6.2 修改配置
cd /etc/logstash/
cp logstash.yml logstash.yml.orig#建立相关数据和日志目录
mkdir -p /disk1/elkDate/logstash
mkdir -p /disk1/logs/logstash
chown logstash.logstash -R /disk1/elkDate/logstash
chown logstash.logstash -R /disk1/logs/logstash#修改数据目录和日志目录
sed -i '/^path.data/s#/var/lib/logstash#/disk1/elkDate/logstash#' logstash.yml
sed -i '/^path.logs/s#/var/log/logstash#/disk1/logs/logstash#' logstash.yml
egrep '^path.' logstash.yml#下面的配置路径一般不需要修改
#sed -i '/path.config/s#/conf.d##' logstash.yml6.3 配置 pipeline 文件 ( 只是一个测试配置,获取 messages 信息 )
#配置文件也可暂时不建立也行,不影响,默认情况是没有任何配置的,没配置启动服务没意义!
#根据默认配置,pipeline 实例文件默认应放置于/etc/logstash/conf.d 目录,此时目录下无实例文件,
#可根据实际情况新建实例,以处理本机 messages 信息为例,如下
cd /etc/logstash/conf.d/
cat>messages.conf<<EOF
input {
file {
path => "/var/log/messages"
}
}
output {
elasticsearch {
#hosts => ["192.168.157.142:9200","192.168.157.142:9200"]
hosts => ["192.168.33.160:9200"]
index => "messages-%{+YYYY.MM.dd}"
}
stdout {
# codec => rubydebug
}
}
EOF
cat messages.conf#从上面知道建立的索引是“messages-年.月.日”的格式,安装后 kibana,web 登陆可以用到
6.4 测试
#输入下面命令就会自动启动 logstash,当退出就会停止,如果要长期运行就启动服务的方式。
logstash -e 'input { stdin { } } output { stdout {} }'发现报错:
解决:
ctrl+c 退出
ln -s /etc/logstash /usr/share/logstash/config
chown logstash.logstash -R /etc/logstash#再次运行,输入 hello world 测试一下
6.5 启动
#上面配置了一个 messages 日志,为了长期运行,所以启动服务,到后面可以查一下情况
systemctl daemon-reload
systemctl enable logstash
systemctl start logstash
systemctl status logstash如果只是安装虚拟机测试的话不建议安装logstash,内存资源消耗高,可用 metricbeat 测试。
metricbeat 安装参考链接:https://blog.csdn.net/tonghudan/article/details/81428936