Environment:
CentOS 7.3 virtual machine
IP: 192.168.3.114
Package downloads
jdk-8u144-linux-x64.tar.gz
elasticsearch-5.5.2.tar.gz
kibana-5.5.2-linux-x86_64.tar.gz
logstash-5.5.2.tar.gz
All of them can be found with a Baidu search.
1. Configure the environment
[root@elk local]# pwd
/usr/local
[root@elk local]# ls -lh jdk-8u144-linux-x64.tar.gz
-rw-r--r--. 1 root root 177M Aug 25 20:47 jdk-8u144-linux-x64.tar.gz
[root@elk local]# tar -zxvf jdk-8u144-linux-x64.tar.gz
[root@localhost local]# vim /etc/profile
Append the following to the end of the file (if the server needs several JDK versions, these environment variables can instead be added to the ELK start-up script later, so that ELK does not affect other systems):
JAVA_HOME=/usr/local/jdk1.8.0_144
JRE_HOME=/usr/local/jdk1.8.0_144/jre
# dt.jar lives under $JAVA_HOME/lib; the original had a stray ":/dt.jar"
CLASSPATH=.:$JAVA_HOME/lib/dt.jar:$JAVA_HOME/lib/tools.jar
PATH=$PATH:$JAVA_HOME/bin
export JAVA_HOME
export JRE_HOME
export CLASSPATH
export PATH
ulimit -u 4096
[root@localhost local]# source /etc/profile
Configure the resource limit parameters
[root@localhost local]# vim /etc/security/limits.conf
Add the following:
* soft nproc 65536
* hard nproc 65536
* soft nofile 65536
* hard nofile 65536
Create the user that will run ELK
[root@localhost local]# groupadd elk
[root@localhost local]# useradd -g elk elk
Create the ELK run directory
[root@localhost local]# mkdir /elk
[root@localhost local]# chown -R elk:elk /elk
Disable the firewall and disable SELinux.
2. Install ELK
Switch to the elk user and move the installation packages to /elk (they have already been extracted there below):
[elk@elk ~]$ cd /elk/
[elk@elk elk]$ ls
elasticsearch-5.5.2 kibana-5.5.2-linux-x86_64 logstash-5.5.2
elasticsearch-5.5.2.tar.gz kibana-5.5.2-linux-x86_64.tar.gz logstash-5.5.2.tar.gz
A) Configure the elasticsearch config file
[elk@elk elk]$ vim /elk/elasticsearch-5.5.2/config/elasticsearch.yml
cluster.name: frank-test
node.name: node-1
network.host: 0.0.0.0
http.port: 9200
http.cors.enabled: true
http.cors.allow-origin: "*"
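As an added check that is not part of the original tutorial, the following Python script parses the elasticsearch.yml above and flags the two settings that widen exposure of an Elasticsearch 5.x node (which accepts unauthenticated requests unless X-Pack security is added): binding to every interface and a wildcard CORS origin. The tightened variant, which binds only to the LAN address the other components already use and limits CORS to the elasticsearch-head origin on port 9100, is an assumption of this example.

```python
# Added audit of the tutorial's elasticsearch.yml; not part of the tutorial.

# Constructed copy of the tutorial's elasticsearch.yml.
TUTORIAL_CONFIG = """\
cluster.name: frank-test
node.name: node-1
network.host: 0.0.0.0
http.port: 9200
http.cors.enabled: true
http.cors.allow-origin: "*"
"""

# Constructed tightened variant (assumption): bind to the host's LAN address
# only and allow CORS solely for the elasticsearch-head origin from step A.
HARDENED_CONFIG = """\
cluster.name: frank-test
node.name: node-1
network.host: 192.168.3.114
http.port: 9200
http.cors.enabled: true
http.cors.allow-origin: "http://192.168.3.114:9100"
"""

# network.host values that make the node listen on every interface.
ALL_INTERFACES = {"0.0.0.0", "::", "_site_", "_global_"}


def parse_flat_yaml(text):
    """Parse the flat 'key: value' lines elasticsearch.yml uses. Comments and
    blanks are skipped, quotes stripped; nested YAML is not handled."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def audit_es_config(text):
    """Return the names of exposure-widening settings found in the config."""
    s = parse_flat_yaml(text)
    findings = []
    if s.get("network.host", "_local_") in ALL_INTERFACES:
        findings.append("network.host")            # REST API on all interfaces
    if (s.get("http.cors.enabled", "false").lower() == "true"
            and s.get("http.cors.allow-origin") in ("*", "/.*/")):
        findings.append("http.cors.allow-origin")  # any web origin may query
    return findings
```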
Start elasticsearch
[elk@elk ~]$ /elk/elasticsearch-5.5.2/bin/elasticsearch &
If you hit the following error:
[1]: max virtual memory areas vm.max_map_count [65530] is too low, increase to at least [262144]
Fix:
[root@elk ~]# vim /etc/sysctl.conf
vm.max_map_count=262144
[root@elk ~]# sysctl -p
Install the elasticsearch-head plugin (run here as a Docker container)
[root@elk ~]# yum install docker
[root@elk ~]# systemctl start docker
[root@elk ~]# systemctl enable docker
Created symlink from /etc/systemd/system/multi-user.target.wants/docker.service to /usr/lib/systemd/system/docker.service.
[root@elk ~]# docker run -p 9100:9100 mobz/elasticsearch-head:5
B) Configure logstash
[elk@elk elk]$ vim /elk/logstash-5.5.2/config/logstash.conf
input {
  file {
    type => "secure"
    path => "/log/secure"
    start_position => "beginning"
  }
  file {
    type => "message"
    path => "/log/message"
    start_position => "beginning"
  }
}
output {
  if [type] == "secure" {
    elasticsearch {
      hosts => ["192.168.3.114:9200"]
      index => "secure-%{+YYYY.MM.dd}"
    }
  }
  if [type] == "message" {
    elasticsearch {
      hosts => ["192.168.3.114:9200"]
      index => "message-%{+YYYY.MM.dd}"
    }
  }
}
The corresponding log files already exist under /log:
[elk@elk log]$ pwd
/log
[elk@elk log]$ ls -l
total 252
-rw-r----- 1 elk elk 245769 Aug 26 11:20 message
-rw------- 1 elk elk 5572 Aug 31 21:02 secure
C) Configure kibana
[elk@elk config]$ vim /elk/kibana-5.5.2-linux-x86_64/config/kibana.yml
server.port: 5601
server.host: "0.0.0.0"
elasticsearch.url: "http://192.168.3.114:9200"
[elk@elk ~]$ /elk/kibana-5.5.2-linux-x86_64/bin/kibana &
This completes the initial ELK setup.
References:
http://www.cnblogs.com/yuhuLin/p/7018858.html
http://www.cnblogs.com/onetwo/p/6059231.html