ELK快速入门部署
ElasticSearch
下载
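# -f makes curl fail on an HTTP error instead of silently saving the error page as the tarball
curl -fL -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.17.14-linux-x86_64.tar.gz
# Verify the archive against the SHA-512 Elastic publishes next to it before unpacking
curl -fL -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.17.14-linux-x86_64.tar.gz.sha512
shasum -a 512 -c elasticsearch-7.17.14-linux-x86_64.tar.gz.sha512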
解压
[gzga@localhost elasticsearch]$ tar -zxvf elasticsearch-7.17.14-linux-x86_64.tar.gz
环境配置
#设置最大打开文件数
[root@localhost ~]# vim /etc/security/limits.conf
gzga hard nofile 65536
gzga soft nofile 65536
#设置最大内存映射区数量
[root@localhost ~]# vim /etc/sysctl.conf
vm.max_map_count = 262144
[root@localhost ~]# sysctl -p
vm.max_map_count = 262144
#修改启动内存
[gzga@localhost config]$ vim jvm.options
-Xms1g
-Xmx1g
配置参数
# Edit config/elasticsearch.yml
node.name: node-1
# Address the node binds to; a non-loopback address makes Elasticsearch enforce its
# bootstrap checks, which is why nofile and vm.max_map_count were raised above
network.host: 192.168.1.206
# Initial master-eligible nodes used to bootstrap the cluster (comma-separated for several nodes);
# the entries must match the node.name values
cluster.initial_master_nodes: ["node-1"]
# Enable authentication; the built-in user passwords are generated with elasticsearch-setup-passwords below
xpack.security.enabled: true
# Encrypt node-to-node (transport) traffic
xpack.security.transport.ssl.enabled: true
# NOTE(review): transport TLS also needs a key and certificate (for example
# xpack.security.transport.ssl.keystore.path), which this snippet does not set — confirm the node starts with only this line.
# NOTE(review): HTTP TLS (xpack.security.http.ssl.enabled) is not enabled here, so the Kibana and Logstash
# clients configured later connect over plain http:// and send their credentials in cleartext on the LAN.
#
# Disable the GeoIP database download from geoip.elastic.co; otherwise startup reports an error
ingest.geoip.downloader.enabled: false
启动
#临时启动
[gzga@localhost elasticsearch]$ ./elasticsearch-7.17.14/bin/elasticsearch
#后台启动
[gzga@localhost elasticsearch]$ nohup ./elasticsearch-7.17.14/bin/elasticsearch &
生成密码
[gzga@localhost elasticsearch]$ ./elasticsearch-7.17.14/bin/elasticsearch-setup-passwords auto
Kibana
下载
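# -f makes curl fail on an HTTP error instead of silently saving the error page as the tarball
curl -fL -O https://artifacts.elastic.co/downloads/kibana/kibana-7.17.14-linux-x86_64.tar.gz
# Verify the archive against the SHA-512 Elastic publishes next to it before unpacking
curl -fL -O https://artifacts.elastic.co/downloads/kibana/kibana-7.17.14-linux-x86_64.tar.gz.sha512
shasum -a 512 -c kibana-7.17.14-linux-x86_64.tar.gz.sha512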
解压
[gzga@localhost kibana]$ tar -zxvf kibana-7.17.14-linux-x86_64.tar.gz
配置参数
# Edit config/kibana.yml
# Address the Kibana web UI listens on; it is served over plain HTTP because server.ssl.enabled is not set
server.host: "192.168.1.206"
# Elasticsearch endpoint; with http:// the kibana_system credentials below cross the network unencrypted
elasticsearch.hosts: ["http://192.168.1.206:9200"]
# Built-in service account for Kibana's own connection to Elasticsearch, not a login for end users
elasticsearch.username: "kibana_system"
# Replace with the kibana_system password printed by elasticsearch-setup-passwords
# NOTE(review): bin/kibana-keystore can hold this value instead of plaintext in the file — confirm for your deployment
elasticsearch.password: "xxx"
# UI language
i18n.locale: "zh_CN"
启动
#临时启动
[gzga@localhost kibana]$ ./kibana-7.17.14-linux-x86_64/bin/kibana
#后台启动
[gzga@localhost kibana]$ nohup ./kibana-7.17.14-linux-x86_64/bin/kibana &
Logstash
下载
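# -f makes curl fail on an HTTP error instead of silently saving the error page as the tarball
curl -fL -O https://artifacts.elastic.co/downloads/logstash/logstash-7.17.14-linux-x86_64.tar.gz
# Verify the archive against the SHA-512 Elastic publishes next to it before unpacking
curl -fL -O https://artifacts.elastic.co/downloads/logstash/logstash-7.17.14-linux-x86_64.tar.gz.sha512
shasum -a 512 -c logstash-7.17.14-linux-x86_64.tar.gz.sha512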
解压
[gzga@localhost logstash]$ tar -zxvf logstash-7.17.14-linux-x86_64.tar.gz
配置参数
# Logstash settings (config/logstash.yml): ship Logstash's own monitoring data to Elasticsearch
xpack.monitoring.enabled: true
# Built-in account for monitoring data only; it is not the account the pipeline output writes with
xpack.monitoring.elasticsearch.username: logstash_system
# Replace with the logstash_system password printed by elasticsearch-setup-passwords
# NOTE(review): bin/logstash-keystore plus a ${VAR} reference keeps the password out of plaintext config — confirm
xpack.monitoring.elasticsearch.password: xxxx
# Optional HTTP proxy for reaching Elasticsearch
#xpack.monitoring.elasticsearch.proxy: ["http://proxy:port"]
# Elasticsearch hosts; separate several addresses with commas. Plain http:// sends the credentials above in cleartext
xpack.monitoring.elasticsearch.hosts: ["http://192.168.1.206:9200"]
配置管道
# Sample Logstash configuration for creating a simple
# Beats -> Logstash -> Elasticsearch pipeline.
# NOTE(review): the input below is a tcp/json_lines listener, not the beats plugin, even though it
# uses the conventional Beats port 5044 — the header comment does not match what is configured.
input {
tcp {
mode => "server"
# Listens on every interface with no TLS and no client authentication, so any host that can reach
# port 5044 can inject events (the tcp input offers ssl_enable/ssl_cert/ssl_key if that is a concern)
host => "0.0.0.0"
port => 5044
# One JSON object per line; every field, including serviceName used below, arrives from the client unchecked
codec => json_lines
}
}
# Work around the 8-hour offset caused by ELK storing times in UTC: shifts @timestamp forward by 8 hours.
# NOTE(review): after this, the value stored in Elasticsearch is local time labelled as UTC; Kibana already
# converts @timestamp to the browser time zone, so displayed times may be shifted twice — confirm this is wanted.
filter {
ruby {
# Copy @timestamp as local time plus 8 hours into a temporary field
code => "event.set('timestamp', event.get('@timestamp').time.localtime + 8*60*60)"
}
ruby {
# Overwrite @timestamp with the shifted value
code => "event.set('@timestamp',event.get('timestamp'))"
}
mutate {
# Drop the temporary field
remove_field => ["timestamp"]
}
}
output {
# Echo every event to the console; useful while testing, noisy in production
stdout {
codec => rubydebug
}
elasticsearch {
hosts => ["http://192.168.1.206:9200"] # Elasticsearch address and port (plain http: credentials below are sent in cleartext)
# Index name = client-supplied serviceName + day. NOTE(review): an event without serviceName presumably
# gets the literal "%{[serviceName]}" as its index prefix — verify with a test event.
index => "%{[serviceName]}-%{+YYYY.MM.dd}" # index name
#codec => "json"
# Credentials for writing to Elasticsearch; the account needs write privileges on the target indices.
# NOTE(review): "elastic" is the superuser, so whoever controls serviceName can write to any index name.
# A dedicated user with a role limited to the expected index pattern is the least-privilege choice,
# and bin/logstash-keystore can hold the password instead of plaintext here.
user => "elastic"
password => "xxx"
}
}
启动
#测试配置文件
[gzga@localhost logstash]$ ./logstash-7.17.14/bin/logstash -t -f logstash-cloud.conf
#临时启动
[gzga@localhost logstash]$ ./logstash-7.17.14/bin/logstash -f logstash-cloud.conf
#后台启动
[gzga@localhost logstash]$ nohup ./logstash-7.17.14/bin/logstash -f logstash-cloud.conf &