ElasticSearch+kibana+logstash监控和分析系统

系统环境

[root@iZ ~]# uname -a

Linux iZ 3.10.0-514.6.2.el7.x86_64 #1 SMP Thu Feb 23 03:04:39 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

 

java版本事先安装了

[root@i /]# java -version

java version "1.8.0_111"

Java(TM) SE Runtime Environment (build 1.8.0_111-b14)

Java HotSpot(TM) 64-Bit Server VM (build 25.111-b14, mixed mode)

[root@iZ /]# cd /tmp/

[root@iZ tmp]#

下载logstash-5.4.0

wget https://artifacts.elastic.co/downloads/logstash/logstash-5.4.0.zip

下载ElasticSearch-5.0.0

https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-5.0.0.tar.gz

下载 Kibana-5.0.0

wegt https://artifacts.elastic.co/downloads/kibana/kibana-5.0.0-linux-x86_64.tar.gz

 

 

tar –zxf logstash-1.5.2.tar.gz -C /usr/local/ 解压并复制(-C)到目录/usr/local

我采用的是先解压再复制到work目录的方式

[root@iZ work]# cp /tmp/logstash-5.4.0 /work/

cp: omitting directory ‘/tmp/logstash-5.4.0’

[root@iZ work]# cp -r /tmp/logstash-5.4.0 /work/

[root@iZ work]# ls

conf golang gopath logs logstash-5.4.0 lua_workspace shell_workspace tomcat-7 tomcat-7.0.76

[root@iZ work]#

启用logstash pipeline试试

 

bin/logstash -e 'input {stdin{}} output {stdout{}}'

 

Exit Logstash by issuing a CTRL-D command in the shell where Logstash is running .CTRL+D退出Logstash运行界面，Logstash还在后台运行。

使用logstash的-f参数来读取配置文件 ，执行如下开始进行测试：

1 2 3 4 5 6 7 8 9 10 11

# echo "`date` hello World" Thu Jul 16 04:06:48 CST 2015 hello World # /usr/local/logstash-1.5.2/bin/logstash agent -f logstash-simple.conf Logstash startup completed Tue Jul 14 18:07:07 EDT 2015 hello World #该行是执行echo “`date`hello World” 后输出的结果，直接粘贴到该位置 { "message" => "Tue Jul 14 18:07:07 EDT 2015 helloWorld", "@version" => "1", "@timestamp" => "2015-07-14T22:07:28.284Z", "host" => "noc.vfast.com" }

 

安装ElasticSearch

ElasticSearch官网安装和使用

https://www.elastic.co/guide/en/elasticsearch/reference/current/_installation.html

tar -zvxf elasticsearch-5.0.0.tar.gz -C /work/

如果使用远程连接的Linux的方式并想后台运行elasticsearch执行如下命令：

nohup /work/elasticsearch-5.0.0/bin/elasticsearch &

(用/work/elasticsearch-5.0.0/bin/elasticsearch -d 也可以 它本身就支持用这个最好)

tail -f nohup.out 查看运行情况

 

Java HotSpot(TM) 64-Bit Server VM warning: INFO: os::commit_memory(0x000000008a660000, 1973026816, 0) failed; error='Cannot allocate memory' (errno=12)

错误内存不够用。

 

ElstaticSearch默认JVM空间大小为2G config/jvm.options文件

x

 

因为安全问题elasticsearch 不让用root用户直接运行，所以要创建新用户

 

• 建议创建一个单独的用户用来运行ElasticSearch
• 创建elsearch用户组及elsearch用户

groupadd elsearchuseradd elsearch -g elsearch

passwd

 

logs/elasticsearch.log (Permission denied) java 该elsearch用户对该没有权限

 

给用户elsearch赋予elasticsearch目录中文件的权限

[root@i~]# sudo chown -R elsearch /work/elasticsearch-5.0.0

[root@i~]# sudo chgrp -R elsearch /work/elasticsearch-5.0.0

成功

 

ctrl+C退出，再次启动时出错，删除 目录下的data/nodes/0/node.lock即可

[elsearch@iZ elasticsearch-5.0.0]$ rm -rf data/nodes/0/node.lock

org.elasticsearch.bootstrap.StartupException: java.lang.IllegalStateException: failed to obtain node locks, tried [[/work/elasticsearch-5.0.0/data/elasticsearch]] with lock id [0]; maybe these locations are not writable or multiple nodes were started without increasing [node.max_local_storage_nodes] (was [1])?

at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:116) ~[elasticsearch-5.0.

tail -100f logs/elasticsearch.log 查看日志

 

 

http://www.cnblogs.com/moxiaoan/p/5683743.html Centos7开启防火墙

systemctl status firewalld 查看防火墙状态

但是防火墙没有开启

 

今天在虚拟机上安装了一个ES 5.2.2

结果curl "http://127.0.0.1:9200" 能够正常访问，可是使用外网ip就提示拒绝链接

解决办法：vim config/elasticsearch.yml

增加：network.host: 0.0.0.0

重启问题解决

 

另外，个别虚拟机无法启动ES，查看日志如果有：

[2017-03-28T15:35:19,948][ERROR][o.e.b.Bootstrap          ] [kSH2rCN] node validation exception bootstrap checks failed

max virtual memory areas vm.max_map_count [65530] is too low, increase to at least [262144]

解决办法：切换root账户 vim /etc/sysctl.conf

增加一行  vm.max_map_count=655360

接着执行 sysctl -p

切回ES账户重新启动问题解决

Exception in thread "main" ElasticsearchParseException[malformed, expected settings to start with 'object', instead was [VALUE_STRING]]

 

ps -ef |grep elastic 找到它 kill -9 pid关闭它

su - elsearch 切换到该用用户启动它

elasticsearch.yml更改才有效。

[2017-05-12T17:12:10,946][ERROR][o.e.b.Bootstrap ] [lT7j70Y] node validation exception

bootstrap checks failed

max file descriptors [65535] for elasticsearch process likely too low, increase to at least [65536]

max virtual memory areas vm.max_map_count [65530] likely too low, increase to at least [262144]

http://blog.csdn.net/u014535678/article/details/71194548

max file descriptors （linux能够打开的最大文件句柄数）

vi /etc/security/limits.conf

 

 

设置vm.max_map_count （限制一个进程可以拥有的VMA(虚拟内存区域)的数量）

vi /etc/sysctl.conf 添加两行

vm.max_map_count=655360

fs.file-max=65536 

sysctl -p 重启

 

设置 max number of threads （linux允许每个用户的最大线程数）已经可以满足

vi /etc/security/limits.d/20-nproc.conf

 

 

上面该设置都设置，但还是不行，sync;sync;sync;reboot重启了系统，可以了

外网访问成功！

 

但是页面怎么就只是返回JSON,如果要页面管理端，得事先安装 安装Head插件（Optional）：

./bin/plugin  install  mobz/elasticsearch- head

https://github.com/mobz/elasticsearch-head#running-with-built-in-server

• for Elasticsearch 5.x: site plugins are not supported. Run as a standalone server

5.x版本 该head插件已经作为独立服务了。

https://github.com/mobz/elasticsearch-head.git

安装NodeJs

wget https://npm.taobao.org/mirrors/node/latest-v6.x/node-v6.10.0-linux-x64.tar.gz

tar -zxvf node-v6.10.0-linux-x64.tar.gz -C /work/

export PATH=$PATH:/work/node-v6.10.0-linux-x64/bin #临时改变

永久改变 vi /etc/profile 添加划线部分

 

[root@iZm work]# netstat -nap |grep 9100

tcp 0 0 127.0.0.1:9100 0.0.0.0:* LISTEN 509/node_exporter (PID/应用名)

配置文件Gruntfile.js

 

npm install 初始化安装

nohup npm run start & 后台运行

 

成功

 

页面上显示集群健康值：未连接

解决方法：修改elasticsearch.yml文件

 

vi elasticsearch-5.0.0/config/elasticsearch.yml

#---------------------------CORS--------------------------

http.cors.enabled: true

http.cors.allow.origin: "*"

 

 

 

成功

 

 

安装Kibana

tar -zxvf kibana-5.0.0-linux-x86_64.tar.gz -C /work/

cd kibana-5.0.0-linux-x86_64/

vi config/kibana.yml 修改配置文件

添加

server.host: "221.14.73.47" #假设的IP

elasticsearch.url: "http://22.14.73.47:9200"

./bin/kibana 启动

成功