Elastic agent集群部署及注意事项

原本想用独立模式，最后没部署成功，后面替换成fleet模式，测试时与独立模式也混合测试了下

版本选择

Es8.5.3 kibana8.5.3 centos7.9

部署es8.5.3

#单机没有部署成功，所有换成集群

#修改es默认环境

#修改文件打开数，需要重新切换用户进入才生效

vim /etc/security/limits.conf

* soft nofile 655350

* hard nofile 655350

* soft nproc 4096

* hard nproc 4096

vim /etc/sysctl.conf

vm.max_map_count = 655350

#执行以下命令进行生效

sysctl -p

#关闭防火墙

systemctl stop firewall

systemctl disable firewall

#下载文件

wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-8.5.3-linux-x86_64.tar.gz

#解压

tar zxvf elasticsearch-8.5.3-linux-x86_64.tar.gz

#证书部分，只需要在第一台服务器上操作即可，其他直接复制过去就可以使用

#生成ca证书

./bin/elasticsearch-certutil ca

默认回车，在elasticsearch-8.5.3生成elastic-stack-ca.p12

#用ca证书生成节点证书

./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12

默认回车，在elasticsearch-8.5.3生成elastic-certificates.p12

#生成http证书

./bin/elasticsearch-certutil http

默认回车，在elasticsearch-8.5.3生成elasticsearch-ssl-http.zip

#证书存放

cp *.p12 /opt/elasticsearch-8.5.3/config/certs

unzip elasticsearch-ssl-http.zip

cp cp elasticsearch/http.p12 config/

#修改文件归属

chown -R ezaccur:ezaccur /opt/elasticsearch-8.5.3

#需要切换用户执行，否则无法加入权限

bin/elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password

#修改配置文件

vim elasticsearch.yml

cluster.name: ezaccur

node.name: node-1

node.roles: [data, master]

network.host: 192.168.1.21

http.port: 9200

http.cors.allow-origin: "*"

http.cors.enabled: true

http.max_content_length: 200mb

discovery.seed_hosts: ["192.168.1.21", "192.168.1.22","192.168.1.23"]

cluster.initial_master_nodes: ["node-1", "node-2","node-3"]

xpack.security.http.ssl.enabled: true

xpack.security.http.ssl.keystore.path: "/opt/elasticsearch-8.5.3/config/http.p12"

xpack.security.enabled: true

xpack.security.transport.ssl.enabled: true

xpack.security.transport.ssl.verification_mode: none

xpack.security.transport.ssl.keystore.path: /opt/elasticsearch-8.5.3/config/certs/elastic-certificates.p12

xpack.security.transport.ssl.truststore.path: /opt/elasticsearch-8.5.3/config/certs/elastic-certificates.p12

ingest.geoip.downloader.enabled: false

#其他服务器同样的操作，只需要修改对应值就可以

重置elastic、kibana密码步骤

./elasticsearch-reset-password -u elastic -i

./elasticsearch-reset-password -u kibana -i

部署kibana8.5.3

下载：wget https://artifacts.elastic.co/downloads/kibana/kibana-8.5.3-linux-x86_64.tar.gz

解压：tar zxvf kibana-8.5.3-linux-x86_64.tar.gz

修改配置文件(PEM证书在安装es时，生成http时已生成，直接复用)

vim kibana.yml

server.port: 5601

server.host: "192.168.1.21"

elasticsearch.hosts: ["https://192.168.1.21:9200","https://192.168.1.22:9200","https://192.168.1.23:9200"]

elasticsearch.username: "kibana"

elasticsearch.password: "123456"

elasticsearch.ssl.verificationMode: full

elasticsearch.ssl.certificateAuthorities: [ "/opt/elasticsearch-8.5.3/kibana/elasticsearch-ca.pem" ]

然后登陆页面部署fleet、fleet server，elastic agent

默认elastic账号密码登录

所有安装步骤按照说明文档来即可

注意事项：

1、在Install Fleet Server to a centralized host这一步需要注意下，因为涉及到加密认证，可能会安装失败，如：

Error: fleet-server failed: context canceled

For help, please see our troubleshooting guide at https://www.elastic.co/guide/en/fleet/8.5/fleet-troubleshooting.html

Error: enroll command failed with exit code: 1

For help, please see our troubleshooting guide at https://www.elastic.co/guide/en/fleet/8.5/fleet-troubleshooting.html

该问题官网也有描述：https://www.elastic.co/guide/en/fleet/8.4/fleet-troubleshooting.html#agent-enrollment-certs

有两个处理方式，均可以尝试下：

1. 加入—insecure

2）加入指定证书--fleet-server-es-ca=/opt/elasticsearch-8.5.3/kibana/elasticsearch-ca.pem

2、filebeat或者其他beat，一定有两个进程，没有则需要重新安装或者修改配置

查看配置方式：

./elastic-agent inspect output --output default -p filebeat

./elastic-agent inspect output --output default -p metricbeat

如果未查到配置，则可能是未启动

3、fleet模式装好后，默认进程都正常，但是独立模式下，filebeat只有monitoring进程，原因暂未找到。可以通过修改fleet模式下发的filebeat配置文件，修改output输出到未加密的es集群，重启即可查看采集效果。

效果：