ElastiFlow 5.x drops the dependency on Logstash that earlier versions had and replaces it with an independently developed component, the ElastiFlow™ Unified Flow Collector. This removes Logstash's slow startup, shutdown and runtime behaviour, but the licensing is more restrictive: the Community edition limits the Unified Flow Collector to a single CPU core.
Linux system
Disable SELinux.
* A reboot is required for the change to become permanent.
# vi /etc/sysconfig/selinux
SELINUX=disabled
Stop the firewall
Alternatively, open the required ports with firewall-cmd.
systemctl stop firewalld.service # stop firewalld
systemctl disable firewalld.service # keep firewalld from starting at boot
OpenJDK installation
Install OpenJDK.
# yum install java-1.8.0-openjdk-devel
Import the GPG key
Install the GPG key as described in the original manual.
# rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
Create the repository file
Create the ElasticSearch, Kibana and Logstash repository file as described in the original manual.
vi /etc/yum.repos.d/elastic-7.x.repo
[elastic-7.x]
name=elastic repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=0
autorefresh=1
type=rpm-md
yum install --enablerepo=elastic-7.x elasticsearch
yum install --enablerepo=elastic-7.x kibana
Configuration changes
ElasticSearch will not start unless the cluster settings are changed, so edit /etc/elasticsearch/elasticsearch.yml as follows.
vi /etc/elasticsearch/elasticsearch.yml
#discovery.seed_hosts: ["host1", "host2"]
discovery.type: single-node
Change the IP address Kibana listens on in the Kibana settings.
vi /etc/kibana/kibana.yml
#server.host: "localhost"
server.host: "0.0.0.0"
Service registration, auto-start and startup
Register the ElasticSearch, Kibana and Logstash services, enable them at boot and start them.
# systemctl daemon-reload
# systemctl enable elasticsearch.service
# systemctl start elasticsearch.service
# systemctl status elasticsearch.service
# systemctl daemon-reload
# systemctl enable kibana.service
# systemctl start kibana.service
# systemctl status kibana.service
Confirm with systemctl status <service name> that each service started normally.
Install ElastiFlow
Install ElastiFlow as described in the Linux | ElastiFlow documentation.
Download flow-collector-5.2.0-1.x86_64.rpm
wget https://elastiflow-packages.s3.amazonaws.com/flow-collector/flow-collector-5.2.0-1.x86_64.rpm
Install libpcap-devel
dnf install -y libpcap-devel
Install flow-collector-5.2.0-1.x86_64.rpm
dnf install -y flow-collector-5.2.0-1.x86_64.rpm
Edit the configuration file
vi /etc/systemd/system/flowcoll.service.d/flowcoll.conf
Set EF_FLOW_OUTPUT_ELASTICSEARCH_ENABLE=true
# Elasticsearch
Environment="EF_FLOW_OUTPUT_ELASTICSEARCH_ENABLE=true"
In real use the listening port also needs to be changed to suit your environment. The setting is documented as follows:
EF_FLOW_SERVER_UDP_PORT
The UDP port(s) on which the collector will create a socket to receive incoming packets. Multiple ports may be specified, separated by a comma. For example 2055,6343,4739
- Valid values: any valid port number. Common values include:
  2055: the standard port for NetFlow
  4739: the standard port for IPFIX
  6343: the standard port for sFlow
  9995-9998: commonly used port numbers
- Default: 9995
Environment="EF_FLOW_SERVER_UDP_PORT=9995"
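As an added example (not part of this post and not ElastiFlow's own tooling), the following POSIX shell script ties the firewall step and the port setting together: it validates a comma-separated EF_FLOW_SERVER_UDP_PORT list against the rule quoted above, renders the flowcoll.service drop-in from it, and lists the firewall-cmd calls that open only those UDP ports, which is the alternative to stopping firewalld mentioned in the firewall step. The function names, the [Service] section header and the CHANGE_ME password placeholder are assumptions of this example, not values from the page.

```shell
#!/bin/sh
# Added example, not ElastiFlow's own tooling. Validates the collector's UDP
# port list, renders the flowcoll.service drop-in from it, and emits the
# firewall-cmd calls that open only those ports, as an alternative to
# disabling firewalld outright.

# 0 when every comma-separated entry is an integer in 1..65535, 1 otherwise.
valid_udp_ports() {
    local ports="$1" old_ifs p
    case $ports in ''|*,,*|,*|*,) return 1 ;; esac   # empty list or empty field
    set -f; old_ifs=$IFS; IFS=,                      # split on commas, no globbing
    set -- $ports
    IFS=$old_ifs; set +f
    for p in "$@"; do
        case $p in *[!0-9]*) return 1 ;; esac        # digits only
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
    return 0
}

# Print the systemd drop-in for flowcoll.service. The [Service] header is an
# assumption (the post shows only the Environment= lines). Secrets arrive as
# arguments so none is hard-coded. Args: PORTS ES_ADDR ES_USER ES_PASSWORD
render_flowcoll_conf() {
    valid_udp_ports "$1" || { echo "invalid port list: $1" >&2; return 1; }
    cat <<EOF
[Service]
Environment="EF_FLOW_SERVER_UDP_PORT=$1"
# Elasticsearch
Environment="EF_FLOW_OUTPUT_ELASTICSEARCH_ENABLE=true"
Environment="EF_FLOW_OUTPUT_ELASTICSEARCH_ADDRESSES=$2"
Environment="EF_FLOW_OUTPUT_ELASTICSEARCH_USERNAME=$3"
Environment="EF_FLOW_OUTPUT_ELASTICSEARCH_PASSWORD=$4"
EOF
}

# One firewall-cmd call per port plus the reload. UDP only: the collector's
# listener setting is EF_FLOW_SERVER_UDP_PORT, so no TCP port is opened.
firewall_cmds() {
    local p
    valid_udp_ports "$1" || return 1
    echo "$1" | tr ',' '\n' | while read -r p; do
        echo "firewall-cmd --permanent --add-port=${p}/udp"
    done
    echo "firewall-cmd --reload"
}

# Show the calls (default) or run them (second arg "apply"; needs root and firewalld).
open_collector_ports() {
    local cmd mode="${2:-dry-run}"
    valid_udp_ports "$1" || return 1
    firewall_cmds "$1" | while read -r cmd; do
        if [ "$mode" = apply ]; then $cmd; else echo "[dry-run] $cmd"; fi
    done
}

# Stand-alone demo with constructed values; CHANGE_ME is a placeholder password.
render_flowcoll_conf "2055,6343,4739" "127.0.0.1:9200" "elastic" "CHANGE_ME"
open_collector_ports "2055,6343,4739"
```

Run it as is to see the rendered drop-in and the dry-run firewall commands; redirect the drop-in output to /etc/systemd/system/flowcoll.service.d/flowcoll.conf and call open_collector_ports with "apply" as the second argument only once the port list has been reviewed.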
The free tier of Elastic Stack 7 supports password-protected login. Configure it as follows:
vi /etc/elasticsearch/elasticsearch.yml
Add the following settings:
xpack.security.enabled: true
xpack.license.self_generated.type: basic
xpack.security.transport.ssl.enabled: true
After changing the configuration, restart the elasticsearch service
systemctl restart elasticsearch
Initialize the built-in user passwords
Run: /usr/share/elasticsearch/bin/elasticsearch-setup-passwords interactive
Edit the kibana.yml settings
vi /etc/kibana/kibana.yml
elasticsearch.username: "kibana"
elasticsearch.password: "your_password"
Then restart the kibana service
systemctl restart kibana
Edit the ElastiFlow settings
vi /etc/systemd/system/flowcoll.service.d/flowcoll.conf
Set EF_FLOW_OUTPUT_ELASTICSEARCH_PASSWORD=your_password
# A comma separated list of Elasticsearch nodes to use. DO NOT include "http://" or "https://"
Environment="EF_FLOW_OUTPUT_ELASTICSEARCH_ADDRESSES=127.0.0.1:9200"
Environment="EF_FLOW_OUTPUT_ELASTICSEARCH_USERNAME=elastic"
Environment="EF_FLOW_OUTPUT_ELASTICSEARCH_PASSWORD=your_password"
Restart ElastiFlow
systemctl restart flowcoll.service
Open the Kibana login page and log in with the elastic account.
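The steps from enabling xpack.security through restarting flowcoll leave three files holding credentials or security-relevant settings. The following POSIX shell audit, added here as an example and not part of the post or of the Elastic and ElastiFlow projects, checks each of them: security enabled in elasticsearch.yml, Kibana not bound to 0.0.0.0 without it, the two password-bearing files not world-readable, and the your_password placeholder actually replaced. All function names and the sample file contents it constructs are assumptions of the example.

```shell
#!/bin/sh
# Added example, not part of the page or of the Elastic/ElastiFlow projects.
# Audits the three files edited above once the stack is secured: Elasticsearch
# security on, Kibana not bound to every interface without it, files that hold
# a password not world-readable, and the "your_password" placeholder replaced.

# Last uncommented "key: value" in a YAML-style file, double quotes stripped.
yaml_value() {
    local esc
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')   # "." in the key must match literally
    sed -n "s/^[[:space:]]*${esc}:[[:space:]]*//p" "$1" | tail -n 1 | tr -d '"'
}

# Value of Environment="KEY=value" in a systemd drop-in such as flowcoll.conf.
dropin_value() {
    sed -n 's/^Environment="'"$2"'=\(.*\)"$/\1/p' "$1" | tail -n 1
}

es_security_enabled() {
    [ "$(yaml_value "$1" xpack.security.enabled)" = "true" ]
}

# Kibana on 0.0.0.0 is only acceptable once Elasticsearch security, and with it
# the Kibana login, is enabled. Args: kibana.yml elasticsearch.yml
kibana_exposure_ok() {
    case $(yaml_value "$1" server.host) in
        ''|localhost|127.0.0.1) return 0 ;;
    esac
    es_security_enabled "$2"
}

# A file that carries a password must exist and not be readable by "other".
not_world_readable() {
    [ -f "$1" ] && [ -z "$(find "$1" -perm -004 -print)" ]
}

# Password present and not the placeholder copied from the walkthrough.
password_set() { [ -n "$1" ] && [ "$1" != "your_password" ]; }
collector_password_set() {
    password_set "$(dropin_value "$1" EF_FLOW_OUTPUT_ELASTICSEARCH_PASSWORD)"
}
kibana_password_set() { password_set "$(yaml_value "$1" elasticsearch.password)"; }

report() {   # report NAME CHECK ARGS...  -> prints PASS/FAIL, returns CHECK's status
    local name="$1"; shift
    if "$@"; then echo "PASS $name"; else echo "FAIL $name"; return 1; fi
}

# Args: elasticsearch.yml kibana.yml flowcoll.conf. Returns 0 only if all pass.
audit() {
    local es="$1" kib="$2" coll="$3" fails=0
    report es-security-enabled es_security_enabled "$es" || fails=$((fails+1))
    report kibana-exposure kibana_exposure_ok "$kib" "$es" || fails=$((fails+1))
    report kibana-yml-perms not_world_readable "$kib" || fails=$((fails+1))
    report flowcoll-conf-perms not_world_readable "$coll" || fails=$((fails+1))
    report collector-password collector_password_set "$coll" || fails=$((fails+1))
    report kibana-password kibana_password_set "$kib" || fails=$((fails+1))
    [ "$fails" -eq 0 ]
}

# Constructed sample files (not real installs): "hardened" mirrors the settings
# made above, "weak" is the unsecured state before them. Args: DIR VARIANT
write_sample_configs() {
    if [ "$2" = hardened ]; then
        printf '%s\n' 'discovery.type: single-node' 'xpack.security.enabled: true' \
            'xpack.security.transport.ssl.enabled: true' > "$1/elasticsearch.yml"
        printf '%s\n' '#server.host: "localhost"' 'server.host: "0.0.0.0"' \
            'elasticsearch.username: "kibana"' 'elasticsearch.password: "Xk9-sample"' > "$1/kibana.yml"
        printf '%s\n' '[Service]' 'Environment="EF_FLOW_OUTPUT_ELASTICSEARCH_USERNAME=elastic"' \
            'Environment="EF_FLOW_OUTPUT_ELASTICSEARCH_PASSWORD=Xk9-sample"' > "$1/flowcoll.conf"
        chmod 640 "$1/kibana.yml" "$1/flowcoll.conf"
    else
        printf '%s\n' 'discovery.type: single-node' '#xpack.security.enabled: true' > "$1/elasticsearch.yml"
        printf '%s\n' 'server.host: "0.0.0.0"' 'elasticsearch.password: "your_password"' > "$1/kibana.yml"
        printf '%s\n' 'Environment="EF_FLOW_OUTPUT_ELASTICSEARCH_PASSWORD=your_password"' > "$1/flowcoll.conf"
        chmod 644 "$1/kibana.yml" "$1/flowcoll.conf"
    fi
}

# Demo on the constructed files; on a real host pass the three paths instead:
#   audit /etc/elasticsearch/elasticsearch.yml /etc/kibana/kibana.yml \
#         /etc/systemd/system/flowcoll.service.d/flowcoll.conf
demo_dir=$(mktemp -d)
for variant in weak hardened; do
    echo "== $variant =="
    write_sample_configs "$demo_dir" "$variant"
    audit "$demo_dir/elasticsearch.yml" "$demo_dir/kibana.yml" "$demo_dir/flowcoll.conf" || true
done
rm -rf "$demo_dir"
```

The permission check deliberately flags only the "other" read bit: kibana.yml is group-readable by design so the kibana service user can read it, whereas a world-readable file would hand the elastic or kibana password to every local account. Run the audit again after each password rotation, since the placeholder check is the one that catches a copy-pasted your_password.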