ELK
I. ElasticSearch
1. Installation
- Download:
wget -c https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-5.2.2.tar.gz
- Extract:
tar -xzvf elasticsearch-5.2.2.tar.gz
- Edit the config file:
vi elasticsearch.yml
cluster.name: my-application
node.name: node-1
path.data: /data/home/elas/data
path.logs: /data/home/elas/logs
network.host: ip  # the machine's IP address
http.port: 9200
- Start:
./bin/elasticsearch
2. Common errors
1. Config file syntax error
- Error message:
Failed to load settings from ....,nested: MarkedYAMLException[while scanning a simple key
- Cause: in the config file there must be a space after each ":"
- Fix: correct the config file
2. max_map_count error
- Error message:
max virtual memory areas vm.max_map_count [65530] likely too low, increase to at least [262144]
- Cause: the value in /etc/sysctl.conf is too small
- Fix: this can only be changed as root; add the following to that file:
vm.max_map_count=655360
- Apply it with:
sysctl -p
3. Maximum number of open files
- Error message:
max file descriptors [65535] for elasticsearch process likely too low, increase to at least [65536]
- Cause: the number of open files is limited by /etc/security/limits.conf
- Fix: as root,
vi /etc/security/limits.conf
# "*" means all users; replace it with just the user you need
* soft nproc 65536
* hard nproc 65536
* soft nofile 65536
* hard nofile 65536
For this to take effect you must also edit the elasticsearch config file:
vi ./elasticsearch.yml
discovery.zen.ping.unicast.hosts: ["ip"]
discovery.zen.minimum_master_nodes: 3
- Apply: log out of the current user with
logout
and log back in; the change then takes effect.
4. System version problem
- Error message:
ERROR: bootstrap checks failed
system call filters failed to install; check the logs and fix your configuration or disable system call filters at your own risk
- Cause: CentOS 6 does not support seccomp, while ES 5.2.0 sets bootstrap.system_call_filter to true by default and runs the check, so the check fails and ES cannot start.
- Fix:
vi ./elasticsearch.yml
bootstrap.memory_lock: false
bootstrap.system_call_filter: false
5. Accessing the elasticsearch URL returns a 503 error
- Error: requesting the URL returns a 503 error
- Cause: elasticsearch has no index yet (think of it as having no database)
- Fix: add an index
# create an index named customer
curl -XPUT 'localhost:9200/customer?pretty'
6. Maximum number of threads
- Error message:
max number of threads [1024] for user [lish] likely too low, increase to at least [2048]
- Fix: requires root privileges,
vi /etc/security/limits.d/90-nproc.conf
- Change:
* soft nproc 2048
- Apply: log out and reconnect; the change then takes effect
Reference: http://blog.csdn.net/cardinalzbk/article/details/54924511
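The limits that errors 1, 2, 3 and 6 above complain about can be verified before starting ES. The following preflight script is an added example, not part of the original notes; it assumes a Linux host (/proc and ulimit available), uses the thresholds quoted in the error messages, and takes the path of your elasticsearch.yml as an optional argument.

```shell
#!/bin/sh
# Added example: preflight check for the ES 5.2 bootstrap limits from the "Common errors"
# section. Thresholds are the values quoted in those error messages. Assumes Linux.
MIN_MAP_COUNT=262144   # error 2: vm.max_map_count
MIN_NOFILE=65536       # error 3: max file descriptors
MIN_NPROC=2048         # error 6: max number of threads

# check_limit NAME ACTUAL REQUIRED: prints a verdict; returns 0 if ACTUAL is high enough.
check_limit() {
    name=$1; actual=$2; required=$3
    if [ "$actual" = unlimited ] || [ "$actual" -ge "$required" ] 2>/dev/null; then
        echo "OK   $name=$actual (>= $required)"
        return 0
    fi
    echo "FAIL $name=$actual too low, increase to at least $required"
    return 1
}

# check_yaml_colons FILE: flags "key:value" lines with no space after the colon,
# the cause of the MarkedYAMLException in error 1. Returns 1 if any are found.
check_yaml_colons() {
    bad=$(grep -En '^[A-Za-z0-9_.]+:[^ ]' "$1" || true)
    if [ -n "$bad" ]; then
        echo "FAIL $1: missing space after ':' on line(s):"
        echo "$bad"
        return 1
    fi
    echo "OK   $1: every key has a space after ':'"
}

# current_map_count: live kernel value (what 'sysctl -p' sets from /etc/sysctl.conf).
current_map_count() {
    cat /proc/sys/vm/max_map_count 2>/dev/null || sysctl -n vm.max_map_count
}

# run_preflight [ELASTICSEARCH_YML]: runs every check for the current user;
# returns the number of failed checks, so 0 means these bootstrap checks should pass.
run_preflight() {
    failures=0
    check_limit vm.max_map_count "$(current_map_count)" "$MIN_MAP_COUNT" || failures=$((failures + 1))
    check_limit nofile "$(ulimit -n)" "$MIN_NOFILE" || failures=$((failures + 1))
    check_limit nproc "$(ulimit -u)" "$MIN_NPROC" || failures=$((failures + 1))
    if [ -n "${1:-}" ]; then
        check_yaml_colons "$1" || failures=$((failures + 1))
    fi
    return $failures
}

# Usage: sh es_preflight.sh --run [/path/to/elasticsearch.yml]
[ "${1:-}" = "--run" ] && { shift; run_preflight "$@"; }
```

Run it as the user that will start elasticsearch, since ulimit values are per login session (which is why the notes say to log out and back in).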
II. Logstash
1. Installation
- Download:
wget -c https://artifacts.elastic.co/downloads/logstash/logstash-5.2.2.tar.gz
- Extract:
tar -xzvf logstash-5.2.2.tar.gz
- Edit the config file:
# new config file: log4j_to_es.conf
input {
  log4j {
    mode => "server"
    host => "ip"   # in server mode, listen on this host; in client mode, connect to this host
    port => "4567"
  }
}
filter {
}
output {
  elasticsearch {
    action => "index"
    hosts => ["ip:9200"]   # elasticsearch hosts; can be an array when running as a cluster
    index => "applog"
  }
}
- Start:
./bin/logstash -f ./config/log4j_to_es.conf
III. Kibana
1. Installation
- Download:
wget -c https://artifacts.elastic.co/downloads/kibana/kibana-5.2.2-linux-x86_64.tar.gz
- Extract:
tar -xzvf kibana-5.2.2-linux-x86_64.tar.gz
- Config file:
server.port: 5601
server.host: "ip"
elasticsearch.url: "http://ip:9200"
kibana.index: ".kibana"
- Start:
./bin/kibana
# message on successful start
[listening] Server running at http://ip:5601
IV. Installing the x-pack plugin
The elasticsearch version must be 5.0 or higher.
x-pack is an extension package for elasticsearch that bundles security, alerting, monitoring, graph and reporting features into one easy-to-install package; it is also the officially recommended option.
1. elasticsearch
- In the elasticsearch directory:
bin/elasticsearch-plugin install x-pack
- Configure elasticsearch.yml:
action.auto_create_index: .security,.monitoring*,.watches,.triggered_watches,.watcher-history*
- Start
2. kibana
- Download:
bin/kibana-plugin install x-pack
This takes a while; please be patient.
- Start
Run: open the following in a browser
http://ip:5601/
A username and password are now required; the default username is elastic and the default password is changeme.
Plugin install / uninstall commands:
bin/elasticsearch-plugin install x-pack
bin/elasticsearch-plugin remove x-pack
bin/kibana-plugin install x-pack
bin/kibana-plugin remove x-pack