ELK日志分析系统实战（一）安装和部署

http://www.iyunv.com/forum.php?mod=viewthread&tid=198268

1.系统概述

2、安装过程

安装java环境

3、获取最新版本

 wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-5.2.1.zip

解压缩

修改配置文件

cat  /usr/local/elasticsearch/config/elasticsearch .yml

# 换个集群的名字，免得跟别人的集群混在一起

cluster.name: wlt-es5.0-application   

# 换个节点名字

node.name: node-1

     


path.data:  /data/elasticsearch/data

path.logs:  /data/elasticsearch/logs




# 修改一下ES的监听地址，这样别的机器也可以访问

network.host: 0.0.0.0

# 默认的就好

http.port: 9200
# 增加新的参数，这样head插件可以访问es

#http.cors.enabled:  true

#http.cors.allow-origin:  “*"




 注意，设置参数的时候:后面要有空格！

注意安装的时候不要用root，他默认不允许用root执行，如果用root安装，运行的时候会各种没有权限访问

max number of threads [1024] for user [admin] is too low, increase to at least [2048]

原因：用户允许最大线程数首先
vi bin/elasticsearch
ulimit -u 2048 //仅供测试使用

Warning: Ignoring JAVA_OPTS=…….

Please pass JVM parameters via ES_JAVA_OPTS instead

vi bin/elasticsearch
添加如下配置项：
JAVA_HOME=”/export/servers/jdk1.8.0_60”
JAVA_OPTS=”“

JAVA_OPTS配置为空，是为了不受系统配置的环境变量的影响

can not run elasticsearch as root

不能以root用户启动ES服务器。非要以root用户运行？
配置 -Des.insecure.allow.root=true

对于5.X，在config/jvm.options配置文件中，添加-Des.insecure.allow.root=true

内存锁定:

解决方法1：配置 config/elasticsearch.yml ，注释掉以下内容
#bootstrap.memory_lock: true
解决方法2：配置：/etc/security/limits.conf,
admin soft memlock unlimited
admin hard memlock unlimited

system call filters failed to install; check the logs and fix your configuration or disable system call filters at your own risk

Your kernel does not support seccomp.
Elasticsearch attempts to utilize seccomp by default (via the setting bootstrap.system_call_filter).

Starting in 5.2.0, if you’re in production mode, bootstrap.system_call_filter is enabled, and initializing seccomp fails, then Elasticsearch will refuse to bootstrap.
You either have to migrate to a kernel that supports seccomp, or disable bootstrap.system_call_filter.

Centos6不支持SecComp，而ES5.2.0默认bootstrap.system_call_filter为true

禁用：在elasticsearch.yml中配置bootstrap.system_call_filter为false，注意要在Memory下面:
bootstrap.memory_lock: false
bootstrap.system_call_filter: false

配置IP和http端口，TCP端口默认在HTTP端口上加100

network.host: 192.168.179.20
http.port: 9201

path.conf is not a recognized option

之前的配置： –path.conf= ESCONF修改为：−Epath.conf= {ES_CONF}

unknown setting [path.plugins]

https://www.elastic.co/guide/en/elasticsearch/reference/5.0/breaking_50_plugins.html#_custom_plugins_path
specify a custom plugins path via path.plugins has been removed.

node settings must not contain any index level settings

Since elasticsearch 5.x index level settings can NOT be set on the nodes
configuration like the elasticsearch.yaml, in system properties or command line
arguments.

curl -XPUT ‘http://localhost:9200/_all/_settings?preserve_existing=true’ -d ‘{
“index.number_of_shards” : “3”
}’

curl -XPUT ‘http://localhost:9200/_all/_settings?preserve_existing=true’ -d ‘{
“index.mapper.dynamic” : “false”,
“index.translog.durability” : “async”,
“index.translog.sync_interval” : “30s”
}’
即以index开头的配置删除。

unknown setting [bootstrap.mlockall]

修改为： bootstrap.memory_lock: true

unknown setting [action.disable_delete_all_indices]

新配置：action.destructive_requires_name: true