脚本安装elk
1. 安装elasticsearch+filebeat+kibana(6.6.0)tar的安装包
架构图
elasticsearch 不能以 root 用户运行,所以我们使用 elk 用户来启动
关闭pkill
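#!/bin/bash
# Tarball install of Elasticsearch + Filebeat + Kibana 6.6.0 under /elk.
# Must run as root (yum, /etc edits, useradd); the services are started later
# as the unprivileged "elk" user (see the menu printed at the end).
# Each archive is checked against the .sha512 file Elastic publishes next to
# it, so a truncated or tampered download stops the script instead of being
# unpacked. The script aborts on the first failing step.
set -euo pipefail

readonly ELK_VER=6.6.0
readonly ARTIFACTS=https://artifacts.elastic.co/downloads

# Print a message to stderr and abort.
die() { printf 'error: %s\n' "$*" >&2; exit 1; }

# Download one archive plus its .sha512 sidecar and verify the checksum.
# Arguments: $1 - URL of the archive (the sidecar is "$1.sha512")
fetch_verified() {
  local url=$1
  local file=${url##*/}
  wget -q -- "$url" "${url}.sha512" || die "download failed: $url"
  # the sidecar is in "<hash>  <filename>" form, which sha512sum -c reads
  sha512sum -c --quiet -- "${file}.sha512" || die "checksum mismatch: $file"
}

yum install -y java-1.8.0-openjdk.x86_64 &>/dev/null || die "java install failed"
yum -y install net-tools &>/dev/null || die "net-tools install failed"

# First address of eth0 (interface name is fixed; adjust for other hosts).
IP=$(ifconfig eth0 | awk 'NR==2 {print $2}')
[[ -n "$IP" ]] || die "could not determine the IP of eth0"
printf '%s\n' "$IP"

mkdir -p /elk
cd /elk || die "cannot cd to /elk"

fetch_verified "${ARTIFACTS}/kibana/kibana-${ELK_VER}-linux-x86_64.tar.gz"
fetch_verified "${ARTIFACTS}/elasticsearch/elasticsearch-${ELK_VER}.tar.gz"
fetch_verified "${ARTIFACTS}/beats/filebeat/filebeat-${ELK_VER}-linux-x86_64.tar.gz"
echo "download is ok"

tar xf "kibana-${ELK_VER}-linux-x86_64.tar.gz"
tar xf "elasticsearch-${ELK_VER}.tar.gz"
tar xf "filebeat-${ELK_VER}-linux-x86_64.tar.gz"
mv -- "kibana-${ELK_VER}-linux-x86_64" kibana
mv -- "elasticsearch-${ELK_VER}" elasticsearch
mv -- "filebeat-${ELK_VER}-linux-x86_64" filebeat

# Elasticsearch refuses to run as root, so a dedicated account owns /elk.
if ! id elk &>/dev/null; then
  useradd elk
fi

##ela的配置文件
mkdir -p /elk/data/elastic/data /elk/data/elastic/log
# network.host adds the eth0 address, so 9200 is reachable from the network;
# nothing in this file enables authentication or TLS, so the REST API answers
# anyone who can reach the port. Keep it firewalled to the Kibana/Filebeat
# hosts, or drop ${IP} from network.host if only local access is needed.
cat > /elk/elasticsearch/config/elasticsearch.yml <<EOF
node.name: node-1
path.data: /elk/data/elastic/data
path.logs: /elk/data/elastic/log
bootstrap.memory_lock: true
network.host: localhost,${IP}
http.port: 9200
EOF

##系统优化
# limits.conf applies at the next login of "elk"; the sysctl entry applies
# after reboot (or sysctl -p). The grep keeps re-runs from duplicating it.
cat >> /etc/security/limits.conf <<EOF
elk soft nofile 65536
elk hard nofile 65536
elk soft nproc 65536
elk hard nproc 65536
elk hard memlock unlimited
elk soft memlock unlimited
EOF
grep -q '^vm.max_map_count=262144$' /etc/sysctl.conf \
  || echo 'vm.max_map_count=262144' >> /etc/sysctl.conf
cat >> /etc/systemd/system.conf <<EOF
DefaultLimitNOFILE=65536
DefaultLimitNPROC=32000
DefaultLimitMEMLOCK=infinity
EOF

##filebeat的配置文件
# YAML is indentation-sensitive: the keys of each input and of setup.kibana /
# output.elasticsearch must be nested under their parent, otherwise Filebeat
# reads them as unrelated top-level keys and has no output configured.
cat > /elk/filebeat/filebeat.yml <<EOF
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/nginx/access.log
  json.keys_under_root: true
  json.overwrite_keys: true
setup.kibana:
  host: "${IP}"
output.elasticsearch:
  hosts: ["${IP}:9200"]
  index: "nginx-%{[beat.version]}-%{+yyyy.MM}"
setup.template.name: "nginx"
setup.template.pattern: "nginx-*"
setup.template.enabled: false
setup.template.overwrite: true
EOF

##kibana的配置文件
# Kibana also listens on the host address with no authentication configured;
# 5601 needs the same network restriction as 9200.
cat > /elk/kibana/config/kibana.yml <<EOF
server.port: 5601
server.host: "${IP}"
elasticsearch.hosts: ["http://${IP}:9200"]
kibana.index: ".kibana"
EOF

chown -R elk. /elk
echo "配置完成"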
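# Print the post-install start-up instructions.
# The binary and config paths match the directories the installer creates
# (/elk/elasticsearch, /elk/filebeat, /elk/kibana); the earlier text had
# misspelled paths that do not exist on disk.
menu() {
  cat <<'EOF'
=========================================================
配置完成,启动请使用以下命令
1.reboot
2.用户切换 su - elk
3.elasticsearch的启动 /elk/elasticsearch/bin/elasticsearch &>/dev/null &
4.filebeat的启动 /elk/filebeat/filebeat -e -c /elk/filebeat/filebeat.yml &>/dev/null &
5.kibana启动 /elk/kibana/bin/kibana &>/dev/null &
=========================================================
EOF
}
menu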
2. rpm的安装方式(elasticsearch+filebeat+kibana)7.0.0
与 6.0 创建自定义 index 方式的区别
https://www.jianshu.com/p/a3941dfa205c
官网
https://www.elastic.co/guide/en/beats/filebeat/7.0/ilm.html
6 版本的索引
index: "nginx-%{[beat.version]}-%{+yyyy.MM}"
7 版本的还要注意 ILM(见下方脚本中的 setup.ilm.enabled)
index: "nginx-%{[agent.version]}-%{+yyyy.MM}"
脚本
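#!/bin/bash
##rpm的安装方式7.0.0 elasticsearch+filebeat+kibana
# Run as root. Every RPM is signature-checked against Elastic's signing key
# before it is installed, and the script aborts at the first failing step
# rather than continuing with a half-configured stack.
set -euo pipefail

readonly ELK_VER=7.0.0
readonly ARTIFACTS=https://artifacts.elastic.co/downloads
readonly GPG_KEY=https://artifacts.elastic.co/GPG-KEY-elasticsearch
readonly SOFT_DIR=/opt/soft

# Print a message to stderr and abort.
die() { printf 'error: %s\n' "$*" >&2; exit 1; }

mkdir -p -- "$SOFT_DIR"
cd -- "$SOFT_DIR" || die "cannot cd to $SOFT_DIR"

# Artifact paths relative to $ARTIFACTS, installed in this order.
pkgs=(
  "elasticsearch/elasticsearch-${ELK_VER}-x86_64.rpm"
  "kibana/kibana-${ELK_VER}-x86_64.rpm"
  "beats/filebeat/filebeat-${ELK_VER}-x86_64.rpm"
)
for pkg in "${pkgs[@]}"; do
  wget -q -- "${ARTIFACTS}/${pkg}" || die "download failed: ${pkg}"
done
echo "download is ok !!"

##安装
# Import the signing key first, then refuse any RPM whose signature does not
# verify, so a corrupted or altered package is never installed.
rpm --import "$GPG_KEY" || die "cannot import the Elastic signing key"
for pkg in "${pkgs[@]}"; do
  file=${pkg##*/}
  rpm --checksig -- "$file" >/dev/null || die "signature check failed: $file"
  rpm -ivh -- "$file" &>/dev/null || die "install failed: $file"
done
echo "rpm is ok"

# First address reported by the kernel; every listen/connect address below uses it.
IP=$(hostname -I | awk '{print $1}')
[[ -n "$IP" ]] || die "could not determine the host IP"

##配置文件
##elasticsearch的配置文件
# network.host binds 9200 on the host address as well as loopback; nothing in
# this file enables xpack.security, so the API answers unauthenticated over
# plain HTTP. Keep the port firewalled to the Kibana/Filebeat hosts.
cat > /etc/elasticsearch/elasticsearch.yml <<EOF
node.name: node-1
path.data: /data/elasticsearch
path.logs: /var/log/elasticsearch
bootstrap.memory_lock: true
network.host: ${IP},127.0.0.1
http.port: 9200
EOF
mkdir -p /data/elasticsearch
chown -R elasticsearch. /data/elasticsearch

##系统的优化
# limits.conf applies at next login; the sysctl entry after reboot (or
# sysctl -p). The grep keeps re-runs from duplicating the sysctl line.
cat >> /etc/security/limits.conf <<EOF
elasticsearch soft nofile 65536
elasticsearch hard nofile 65536
elasticsearch soft nproc 65536
elasticsearch hard nproc 65536
elasticsearch hard memlock unlimited
elasticsearch soft memlock unlimited
EOF
grep -q '^vm.max_map_count=262144$' /etc/sysctl.conf \
  || echo 'vm.max_map_count=262144' >> /etc/sysctl.conf
cat >> /etc/systemd/system.conf <<EOF
DefaultLimitNOFILE=65536
DefaultLimitNPROC=32000
DefaultLimitMEMLOCK=infinity
EOF
# The unit-level override is a manual step; it is what lets the systemd-managed
# service honour bootstrap.memory_lock.
cat <<'eof'
===========================
手动的修改内存锁定
修改内存锁定
systemctl edit elasticsearch
添加
[Service]
LimitMEMLOCK=infinity
============================
eof

##filebeat的配置文件
# YAML is indentation-sensitive: the keys of the input and of setup.kibana /
# output.elasticsearch must be nested under their parent, otherwise Filebeat
# reads them as unrelated top-level keys and ends up with no output.
# setup.ilm.enabled is off because a custom index name is only honoured
# when ILM does not manage the index (7.x).
cat > /etc/filebeat/filebeat.yml <<EOF
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/nginx/access.log
  json.keys_under_root: true
  json.overwrite_keys: true
setup.kibana:
  host: "${IP}:5601"
output.elasticsearch:
  hosts: ["${IP}:9200"]
  index: "nginx-%{[agent.version]}-%{+yyyy.MM}"
setup.template.name: "nginx"
setup.template.pattern: "nginx-*"
setup.template.enabled: false
setup.template.overwrite: true
setup.ilm.enabled: false
EOF

##kibana的配置文件
# The variable is IP (uppercase); a lowercase ${ip} expands to an empty
# server.host. Kibana listens on the host address with no authentication
# configured, so 5601 needs the same network restriction as 9200.
cat > /etc/kibana/kibana.yml <<EOF
server.port: 5601
server.host: "${IP}"
elasticsearch.hosts: ["http://${IP}:9200"]
kibana.index: ".kibana"
EOF

echo "配置完成最好重启一下"
cat <<'eof'
1.ela的启动命令
systemctl daemon-reload
systemctl start elasticsearch
2.filebeat的启动命令
systemctl start filebeat
3.kibana的启动命令
systemctl start kibana
eof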
3. rpm 安装 elasticsearch+filebeat+logstash+kibana
架构图
安装前:
java 环境: 7.0 以后的版本需要 JDK 9 以上
解释
filebeat的配置文件
filebeat.inputs:
- type: log
enabled: true 启用输入
backoff: "1s" 每1秒就检查更新
tail_files: false 禁止从头开始读取数据
paths:
- /var/log/nginx/access.log
fields:
filetype: log_nginxjson 类似于定义一个标签,可以在logstash中进行识别
fields_under_root: true 定义了 fields 时必须的设置
- type: log
enabled: true
backoff: "1s"
tail_files: false
paths:
- /var/log/messages
fields:
filetype: log_system
fields_under_root: true
output.logstash: 输出到logstash
enabled: true
hosts: ["${IP}:5044"] ip 地址和端口号,与下方 logstash 的配置保持一致
logstash的配置文件
https://www.elastic.co/guide/en/beats/filebeat/7.0/logstash-output.html
input {
从filebeat取数据,端口与filebeat配置文件一致
beats {
host => "0.0.0.0"
port => 5044
}
}
filter {
过滤作用
if [filetype] == "log_nginxjson"{
json {
source => "message"
移除不要的选项
remove_field => ["beat","offset","tags","prospector"]
}
date {
匹配timestamp字段
将匹配的字段写入到 @timestamp
match => ["timestamp", "dd/MMM/yyyy:HH:mm:ss Z"]
target => "@timestamp"
}
}
}
output {
输出给elasticsearch
if [filetype] == "log_nginxjson" {
elasticsearch {
hosts => ["${IP}:9200"]
index => "nginx-%{+YYYY.MM.dd}"
}
} else if [filetype] == "log_system" {
elasticsearch {
hosts => ["${IP}:9200"]
index => "msg-%{+YYYY.MM.dd}"
}
}
}
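#!/bin/bash
##rpm的安装方式7.0.0 elasticsearch+filebeat+kibana
# Run as root. Filebeat ships to Logstash (installed by the companion script)
# instead of directly to Elasticsearch. Every RPM is signature-checked against
# Elastic's signing key before it is installed, and the script aborts at the
# first failing step.
set -euo pipefail

readonly ELK_VER=7.0.0
readonly ARTIFACTS=https://artifacts.elastic.co/downloads
readonly GPG_KEY=https://artifacts.elastic.co/GPG-KEY-elasticsearch
readonly SOFT_DIR=/opt/soft

# Print a message to stderr and abort.
die() { printf 'error: %s\n' "$*" >&2; exit 1; }

mkdir -p -- "$SOFT_DIR"
cd -- "$SOFT_DIR" || die "cannot cd to $SOFT_DIR"

# Artifact paths relative to $ARTIFACTS, installed in this order.
pkgs=(
  "elasticsearch/elasticsearch-${ELK_VER}-x86_64.rpm"
  "kibana/kibana-${ELK_VER}-x86_64.rpm"
  "beats/filebeat/filebeat-${ELK_VER}-x86_64.rpm"
)
for pkg in "${pkgs[@]}"; do
  wget -q -- "${ARTIFACTS}/${pkg}" || die "download failed: ${pkg}"
done
echo "download is ok !!"

##安装
# Import the signing key first, then refuse any RPM whose signature does not
# verify, so a corrupted or altered package is never installed.
rpm --import "$GPG_KEY" || die "cannot import the Elastic signing key"
for pkg in "${pkgs[@]}"; do
  file=${pkg##*/}
  rpm --checksig -- "$file" >/dev/null || die "signature check failed: $file"
  rpm -ivh -- "$file" &>/dev/null || die "install failed: $file"
done
echo "rpm is ok"

# First address reported by the kernel; every listen/connect address below uses it.
IP=$(hostname -I | awk '{print $1}')
[[ -n "$IP" ]] || die "could not determine the host IP"

##配置文件
##elasticsearch的配置文件
# network.host binds 9200 on the host address as well as loopback; nothing in
# this file enables xpack.security, so the API answers unauthenticated over
# plain HTTP. Keep the port firewalled to the Kibana/Logstash hosts.
cat > /etc/elasticsearch/elasticsearch.yml <<EOF
node.name: node-1
path.data: /data/elasticsearch
path.logs: /var/log/elasticsearch
bootstrap.memory_lock: true
network.host: ${IP},127.0.0.1
http.port: 9200
EOF
mkdir -p /data/elasticsearch
chown -R elasticsearch. /data/elasticsearch

##系统的优化
# limits.conf applies at next login; the sysctl entry after reboot (or
# sysctl -p). The grep keeps re-runs from duplicating the sysctl line.
cat >> /etc/security/limits.conf <<EOF
elasticsearch soft nofile 65536
elasticsearch hard nofile 65536
elasticsearch soft nproc 65536
elasticsearch hard nproc 65536
elasticsearch hard memlock unlimited
elasticsearch soft memlock unlimited
EOF
grep -q '^vm.max_map_count=262144$' /etc/sysctl.conf \
  || echo 'vm.max_map_count=262144' >> /etc/sysctl.conf
cat >> /etc/systemd/system.conf <<EOF
DefaultLimitNOFILE=65536
DefaultLimitNPROC=32000
DefaultLimitMEMLOCK=infinity
EOF
# The unit-level override is a manual step; it is what lets the systemd-managed
# service honour bootstrap.memory_lock.
cat <<'eof'
===========================
手动的修改内存锁定
修改内存锁定
systemctl edit elasticsearch
添加
[Service]
LimitMEMLOCK=infinity
============================
eof

##filebeat的配置文件
# YAML is indentation-sensitive: each input's keys and the keys under
# output.logstash must be nested, otherwise Filebeat reads them as unrelated
# top-level keys and ends up with no output.
# "filetype" is the custom field the Logstash pipeline routes on
# (fields_under_root puts it at the top level of the event).
# The beats connection to ${IP}:5044 is plaintext: no ssl.* settings are
# configured here, so only use it on a trusted network or add TLS.
cat > /etc/filebeat/filebeat.yml <<EOF
filebeat.inputs:
- type: log
  enabled: true
  backoff: "1s"
  tail_files: false
  paths:
    - /var/log/nginx/access.log
  fields:
    filetype: log_nginxjson
  fields_under_root: true
- type: log
  enabled: true
  backoff: "1s"
  tail_files: false
  paths:
    - /var/log/messages
  fields:
    filetype: log_system
  fields_under_root: true
output.logstash:
  enabled: true
  hosts: ["${IP}:5044"]
EOF

##kibana的配置文件
# Kibana listens on the host address with no authentication configured,
# so 5601 needs the same network restriction as 9200.
cat > /etc/kibana/kibana.yml <<EOF
server.port: 5601
server.host: "${IP}"
elasticsearch.hosts: ["http://${IP}:9200"]
kibana.index: ".kibana"
EOF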
##logstash的安装
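#!/bin/bash
# Logstash 7.0.0 install (RPM) plus a beats -> elasticsearch pipeline.
# Run as root after the elasticsearch/filebeat/kibana script. The RPM file
# name is derived from the download URL so the two cannot drift apart, and
# the package is signature-checked before installation.
set -euo pipefail

readonly LS_VER=7.0.0
readonly LS_RPM="logstash-${LS_VER}.rpm"
readonly LS_URL="https://artifacts.elastic.co/downloads/logstash/${LS_RPM}"
readonly GPG_KEY=https://artifacts.elastic.co/GPG-KEY-elasticsearch

# Print a message to stderr and abort.
die() { printf 'error: %s\n' "$*" >&2; exit 1; }

# This script runs on its own, so IP is not inherited from the stack install
# script: take it from the environment if set, otherwise derive it the same way.
IP=${IP:-$(hostname -I | awk '{print $1}')}
[[ -n "$IP" ]] || die "could not determine the host IP"

wget -q -- "$LS_URL" || die "download failed: $LS_URL"
rpm --import "$GPG_KEY" || die "cannot import the Elastic signing key"
rpm --checksig -- "$LS_RPM" >/dev/null || die "signature check failed: $LS_RPM"
rpm -ivh -- "$LS_RPM" &>/dev/null || die "install failed: $LS_RPM"

# The beats input listens on every interface (0.0.0.0:5044) in plaintext with
# no client verification, so only the Filebeat hosts should be able to reach
# it. Events are routed on the "filetype" field that Filebeat attaches; any
# other value is dropped because no output branch matches it.
cat > /etc/logstash/conf.d/filebeat.conf <<EOF
input {
  beats {
    host => "0.0.0.0"
    port => 5044
  }
}
filter {
  if [filetype] == "log_nginxjson" {
    json {
      source => "message"
      remove_field => ["beat","offset","tags","prospector"]
    }
    date {
      match => ["timestamp", "dd/MMM/yyyy:HH:mm:ss Z"]
      target => "@timestamp"
    }
  }
}
output {
  if [filetype] == "log_nginxjson" {
    elasticsearch {
      hosts => ["${IP}:9200"]
      index => "nginx-%{+YYYY.MM.dd}"
    }
  } else if [filetype] == "log_system" {
    elasticsearch {
      hosts => ["${IP}:9200"]
      index => "msg-%{+YYYY.MM.dd}"
    }
  }
}
EOF

echo "配置完成最好重启一下"
cat <<'eof'
1.ela的启动命令
systemctl daemon-reload
systemctl start elasticsearch
2.filebeat的启动命令
systemctl start filebeat
3.kibana的启动命令
systemctl start kibana
4.logstash的启动
systemctl start logstash
eof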