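For ELK setup, see this reference: http://www.ywnds.com/?p=9776
ELK environment setup. The company currently runs ES 5.2.2, so this write-up records that version.
ELK log visualization combines Elasticsearch, Logstash, Kibana and their related components into a real-time log-processing system.
Real-time log analysis helps you keep track of how services are running, compute PV/UV, spot abnormal traffic, analyse user behaviour, see popular on-site search keywords, and so on.
Official download: https://www.elastic.co/downloads/past-releases/
Download: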
elasticsearch-5.2.2.tar.gz
I. Install Elasticsearch
Download the matching ES release, elasticsearch-5.2.2.tar.gz
# wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-5.2.2.tar.gz
Extract the tar archive
# tar -zxvf elasticsearch-5.2.2.tar.gz
Move it to the /usr/local/ directory
# mv elasticsearch-5.2.2 /usr/local/elasticsearch
ES cannot be started with root privileges, so create a new user to manage and start ES
Add a group
# groupadd elsearch
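Add the user and set its password (useradd -p expects an already-hashed password, so set it with passwd instead)
# useradd -g elsearch elsearch
# passwd elsearch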
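Give the new user ownership of the directory
# cd /usr/local
# chown -R elsearch:elsearch elasticsearch
Switch to the new user
# su elsearch
Edit the configuration file to allow access from external networks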
# cd /usr/local/elasticsearch/config
# vi elasticsearch.yml
network.host: 0.0.0.0    # open to external access
http.port: 9200    # use port 9200
II. Start ES
# cd /usr/local/elasticsearch/bin
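# ./elasticsearch
(When started with plain ./elasticsearch, Ctrl+C shuts ES down immediately; use ./elasticsearch -d to run it in the background.)
2. Verify that ES has started by visiting http://ip:9200/ or http://127.0.0.1:9200/
If the following appears, startup succeeded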
{
  "name": "vzdOjz6",
  "cluster_name": "elasticsearch",
  "cluster_uuid": "KEroQHhPROObcpLGBv9nFg",
  "version": {
    "number": "5.2.2",
    "build_hash": "f9d9b74",
    "build_date": "2017-02-24T17:26:45.835Z",
    "build_snapshot": false,
    "lucene_version": "6.4.1"
  },
  "tagline": "You Know, for Search"
}
III. Install X-Pack
X-Pack is an Elastic Stack extension that bundles security, alerting, monitoring, reporting and graph features into one easy-to-install package
# cd /usr/local/elasticsearch/bin
# ./elasticsearch-plugin install x-pack
Note: after X-Pack is installed and ES is restarted, accessing http://ip:9200/ requires a username and password
Default username: elastic   Default password: changeme
[root@test bin]# ./elasticsearch-plugin install x-pack
-> Downloading x-pack from elastic
[=================================================] 100%
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: plugin requires additional permissions @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
* java.lang.RuntimePermission accessClassInPackage.com.sun.activation.registries
* java.lang.RuntimePermission getClassLoader
* java.lang.RuntimePermission setContextClassLoader
* java.lang.RuntimePermission setFactory
* java.security.SecurityPermission createPolicy.JavaPolicy
* java.security.SecurityPermission getPolicy
* java.security.SecurityPermission putProviderProperty.BC
* java.security.SecurityPermission setPolicy
* java.util.PropertyPermission * read,write
* java.util.PropertyPermission sun.nio.ch.bugLevel write
* javax.net.ssl.SSLPermission setHostnameVerifier
See http://docs.oracle.com/javase/8/docs/technotes/guides/security/permissions.html
for descriptions of what these permissions allow and the associated risks.
Continue with installation? [y/N]y
-> Installed x-pack
[root@test bin]#
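With network.host set to 0.0.0.0 the REST API is reachable from every network the host sits on, so it is worth confirming that the node rejects both anonymous requests and the default elastic/changeme login noted above. The script below is an added example, not part of the original post; the function names and the --check option are its own, and it needs curl.

```shell
#!/bin/sh
# Added example: does this Elasticsearch node demand credentials, and has the
# default X-Pack login (elastic/changeme) been changed?

# probe_status <url> [user:password]
# Prints the HTTP status of GET <url>/ ; curl prints 000 if nothing answers.
probe_status() {
    if [ -n "${2:-}" ]; then
        curl -s -o /dev/null -m 5 -w '%{http_code}' -u "$2" "$1/"
    else
        curl -s -o /dev/null -m 5 -w '%{http_code}' "$1/"
    fi
}

# classify_exposure <anonymous_status> <default_login_status>
# Prints one verdict word: open, default-password, secured, unreachable, unknown.
classify_exposure() {
    case "$1" in
        000) echo "unreachable"; return 0 ;;
        2??) echo "open"; return 0 ;;          # answered without credentials
    esac
    case "$2" in
        2??) echo "default-password" ;;        # elastic/changeme still works
        401) echo "secured" ;;                 # both requests were rejected
        *)   echo "unknown" ;;
    esac
}

# Contact a node only when asked to: ./check_auth.sh --check http://127.0.0.1:9200
if [ "${1:-}" = "--check" ] && [ -n "${2:-}" ]; then
    url=${2%/}
    anon=$(probe_status "$url") || true
    dflt=$(probe_status "$url" "elastic:changeme") || true
    verdict=$(classify_exposure "$anon" "$dflt")
    echo "$url: $verdict (anonymous=$anon, default-login=$dflt)"
    [ "$verdict" = "secured" ]                 # exit status 0 only when secured
fi
```

On a default-password verdict, change the password through the X-Pack 5.x API, PUT /_xpack/security/user/elastic/_password, and run the check again.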
IV. Summary of startup failures:
Reference: https://blog.csdn.net/qq_21387171/article/details/53577115
1) java.lang.RuntimeException: can not run elasticsearch as root
Create a dedicated ES user and start ES as that user
Example error:
[root@test bin]# ./elasticsearch
[2018-07-25T14:20:46,394][WARN ][o.e.b.ElasticsearchUncaughtExceptionHandler] [] uncaught exception in thread [main]
org.elasticsearch.bootstrap.StartupException: java.lang.RuntimeException: can not run elasticsearch as root
at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:125) ~[elasticsearch-5.2.2.jar:5.2.2]
at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:112) ~[elasticsearch-5.2.2.jar:5.2.2]
at org.elasticsearch.cli.SettingCommand.execute(SettingCommand.java:54) ~[elasticsearch-5.2.2.jar:5.2.2]
at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:122) ~[elasticsearch-5.2.2.jar:5.2.2]
at org.elasticsearch.cli.Command.main(Command.java:88) ~[elasticsearch-5.2.2.jar:5.2.2]
at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:89) ~[elasticsearch-5.2.2.jar:5.2.2]
at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:82) ~[elasticsearch-5.2.2.jar:5.2.2]
Caused by: java.lang.RuntimeException: can not run elasticsearch as root
at org.elasticsearch.bootstrap.Bootstrap.initializeNatives(Bootstrap.java:105) ~[elasticsearch-5.2.2.jar:5.2.2]
at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:203) ~[elasticsearch-5.2.2.jar:5.2.2]
at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:333) ~[elasticsearch-5.2.2.jar:5.2.2]
at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:121) ~[elasticsearch-5.2.2.jar:5.2.2]
... 6 more
[root@test bin]#
2) max file descriptors too low
max file descriptors [65535] for elasticsearch process is too low, increase to at least [65536]
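max file descriptors is the maximum number of file descriptors; setting it to 65536 or higher is enough.
The fix is to edit /etc/security/limits.conf and add "* - nofile 65536" and "* - memlock unlimited"; the "*" makes the entries apply to all users.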
# vi /etc/security/limits.conf
* - nofile 65536
* - memlock unlimited
3) max_map_count too low
max virtual memory areas vm.max_map_count [65530] is too low, increase to at least [262144]
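The max_map_count file holds the limit on the number of VMAs (virtual memory areas) a single process may own; the system default is 65530, change it to 262144.
The fix is to edit the /etc/sysctl.conf configuration file and add vm.max_map_count=262144; remember that the machine must be rebooted for it to take effect. The configuration after the change is as follows: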
# vi /etc/sysctl.conf
Append the following line at the end: vm.max_map_count=262144
# sysctl -p    (loads system parameters from the given file; if none is given, loads from /etc/sysctl.conf)
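The three failures above can be checked before ES is started. The script below is an added example, not part of the original post; it uses the thresholds from the error messages, and the function names and the --live option are its own.

```shell
#!/bin/sh
# Added example: pre-flight check for the three startup failures listed above.

MIN_NOFILE=65536        # from the "max file descriptors" error message
MIN_MAP_COUNT=262144    # from the "vm.max_map_count" error message

# limit_ok <value> <minimum>: true when value is "unlimited" or a number >= minimum.
limit_ok() {
    case "$1" in
        unlimited) return 0 ;;
        ''|*[!0-9]*) return 1 ;;    # empty or not a number
    esac
    [ "$1" -ge "$2" ]
}

# check_host <uid> <nofile> <max_map_count>
# Prints one line per problem and returns the number of problems found.
check_host() {
    problems=0
    if [ "$1" -eq 0 ]; then
        echo "FAIL uid=0: can not run elasticsearch as root, use the elsearch user"
        problems=$((problems + 1))
    fi
    if ! limit_ok "$2" "$MIN_NOFILE"; then
        echo "FAIL nofile=$2: raise to at least $MIN_NOFILE in /etc/security/limits.conf"
        problems=$((problems + 1))
    fi
    if ! limit_ok "$3" "$MIN_MAP_COUNT"; then
        echo "FAIL vm.max_map_count=$3: raise to at least $MIN_MAP_COUNT in /etc/sysctl.conf"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Inspect the live host only when asked to: ./preflight.sh --live
# ulimit -n reports the limit of the current shell, so run this as the
# elsearch user in a fresh login session after editing limits.conf.
if [ "${1:-}" = "--live" ]; then
    check_host "$(id -u)" "$(ulimit -n)" "$(cat /proc/sys/vm/max_map_count)" \
        && echo "OK: user and kernel limits satisfy the checks above"
fi
```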