I. Environment
1. Install the JDK
tar -zxvf jdk-8u161-linux-x64.tar.gz
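Configure the environment variables
vi /etc/profile
Append the following at the end (JAVA_HOME must point to the directory the archive was extracted to):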
export JAVA_HOME=/usr/local/java/jdk1.8.0_171
export JRE_HOME=${JAVA_HOME}/jre
export CLASSPATH=.:${JAVA_HOME}/lib:${JRE_HOME}/lib
export PATH=${JAVA_HOME}/bin:$PATH
Apply the changes: source /etc/profile
Verify the installation: java -version
2. Turn off the firewall
systemctl stop firewalld
Note: the ELK components must all be the same version; this article uses elasticsearch 7 + logstash 7 + kibana 7 + filebeat 7.
II. Install elasticsearch
1. Extract
tar -zxvf elasticsearch-7.1.1-linux-x86_64.tar.gz
cd elasticsearch-7.1.1/config/
# Back up the configuration file
cp elasticsearch.yml elasticsearch.yml.bak
2. Edit the configuration file
vi elasticsearch.yml
node.name: node-1
network.host: 10.221.100.126
cluster.initial_master_nodes: ["node-1"]
# Append at the end to allow external (cross-origin) access
http.cors.enabled: true
http.cors.allow-origin: "*"
3. Create a user
Add an elasticsearch user; elasticsearch cannot be started as root
groupadd -g 1008 elasticsearch
useradd -g 1008 -u 1008 elasticsearch
chown -R elasticsearch:elasticsearch /opt/elk/elasticsearch-7.1.1
4. Start
Switch to the user created above
nohup ./bin/elasticsearch &
Error 1:
ERROR:max virtual memory areas vm.max_map_count [65530] is too low, increase to at least [262144]
vi /etc/sysctl.conf
vm.max_map_count = 655360
sysctl -p
Error 2:
ERROR: max file descriptors [4096] for elasticsearch process is too low, increase to at least [65536]
vi /etc/security/limits.conf
* hard nofile 65536
* soft nofile 65536
Check:
ulimit -Hn
ulimit -Sn
Error 3:
ERROR: max number of threads [3895] for user [elk] is too low, increase to at least [4096]
vi /etc/security/limits.conf
* soft nproc 4096
* hard nproc 4096
Check:
ulimit -Hu
ulimit -Su
5. Test
curl http://10.221.100.126:9200
In a browser: http://10.221.100.126:9200
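An added check, not part of the original article: with firewalld stopped and network.host set to a routable address as above, the script below audits an elasticsearch.yml for the two exposure-related settings from step 2 (a non-loopback bind without authentication, and CORS open to every origin). It assumes the 7.x default that xpack.security.enabled is false unless set; yaml_get and audit_es_config are hypothetical helper names, and the sample file is constructed.

```shell
#!/bin/sh
# Added example: audit elasticsearch.yml for the exposure settings in this guide.
# Assumes the 7.x default: xpack.security.enabled is false unless set to true.

# yaml_get FILE KEY: print the value of a flat "key: value" line (last one wins),
# skipping commented-out lines; quotes and trailing comments are stripped.
yaml_get() {
  key=$(printf '%s' "$2" | sed 's/\./\\./g')   # dots in the key are literal
  sed -n "s/^[[:space:]]*${key}[[:space:]]*:[[:space:]]*//p" "$1" |
    sed -e 's/[[:space:]]*#.*$//' -e "s/[\"']//g" -e 's/[[:space:]]*$//' |
    tail -n 1
}

# audit_es_config FILE: print one FAIL line per finding; exit status 0 only if clean.
audit_es_config() (
  f=$1; n=0
  host=$(yaml_get "$f" network.host)
  sec=$(yaml_get "$f" xpack.security.enabled)
  case "$host" in
    ''|localhost|_local_|127.*|::1) ;;          # unset means loopback only
    *) [ "$sec" = "true" ] || {
         echo "FAIL network.host=$host is not loopback and xpack.security.enabled is not true"
         n=$((n + 1)); } ;;
  esac
  if [ "$(yaml_get "$f" http.cors.enabled)" = "true" ] &&
     [ "$(yaml_get "$f" http.cors.allow-origin)" = "*" ]; then
    echo "FAIL http.cors.allow-origin=* accepts cross-origin requests from any site"
    n=$((n + 1))
  fi
  [ "$n" -eq 0 ] && echo "OK no exposure findings"
  [ "$n" -eq 0 ]
)

# Constructed sample: the settings from step 2 of the elasticsearch section.
sample=$(mktemp)
cat > "$sample" <<'EOF'
node.name: node-1
network.host: 10.221.100.126
cluster.initial_master_nodes: ["node-1"]
http.cors.enabled: true
http.cors.allow-origin: "*"
EOF
audit_es_config "$sample" || echo "Resolve the findings before exposing port 9200"
rm -f "$sample"
```

Setting xpack.security.enabled: true and replacing the wildcard with the specific origin that needs access clears both findings.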
III. Install logstash
1. Extract
tar -zxvf logstash-7.1.1.tar.gz
2. Create the configuration file test.conf
cd /opt/elk/logstash-7.1.1/config
vi test.conf
input {
  file {
    type => "log"
    path => "/opt/elk/test/logs/*.log"
    start_position => "beginning"
  }
}
output {
  stdout {
    codec => rubydebug { }
  }
  elasticsearch {
    hosts => "10.221.100.126"
    index => "log-%{+YYYY.MM.dd}"
  }
}
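Check the configuration file for errors:
./bin/logstash --path.settings ./ -f ./config/test.conf --config.test_and_exit
Configuration OK # OK means the configuration file is valid
Option reference:
--path.settings specifies the directory that holds the logstash settings files
-f specifies the path of the configuration file to check
--config.test_and_exit exits once the check is done; without it logstash would go on to start
3. Start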
cd /opt/elk/logstash-7.1.1
nohup ./bin/logstash -f ./config/test.conf &
Or run a quick test:
./bin/logstash -e 'input { stdin {} } output {stdout {} }'
IV. Install kibana
1. Extract
cd /opt/elk
tar -zxvf kibana-7.1.1-linux-x86_64.tar.gz
cd /opt/elk/kibana-7.1.1-linux-x86_64/config
cp kibana.yml kibana.yml.bak
2. Edit the configuration file kibana.yml
vi kibana.yml
server.port: 5601
server.host: "10.221.100.126"
elasticsearch.hosts: ["http://10.221.100.126:9200"]
3. Start
cd /opt/elk/kibana-7.1.1-linux-x86_64
nohup ./bin/kibana &
4. View in a browser
http://10.221.100.126:5601
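V. Install filebeat
Download: https://www.elastic.co/cn/downloads/
1. Extract
tar -zxvf filebeat-7.1.1-linux-x86_64.tar.gz
cd filebeat-7.1.1-linux-x86_64
cp filebeat.yml filebeat.yml.bak
2. Edit filebeat.yml
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/message-log # a log file on this machine, used for testing
# Comment out the default output.elasticsearch section; only one output may be enabled
output.logstash:
  hosts: ["172.16.220.248:5044"]
3. Start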
cd /opt/elk/filebeat-7.1.1-linux-x86_64
nohup ./filebeat &
4. Check
filebeat does not listen on a port, so check its log and its process
tail -f logs/filebeat
ps -ef | grep filebeat
The logstash configuration file can be changed to:
input {
  beats {
    port => "5044"
  }
}
output {
  elasticsearch {
    hosts => "172.16.220.248:9200"
  }
  stdout { codec => rubydebug } # prints the output to the screen; can be commented out
}