Installing ELK on Ubuntu

Installing Elasticsearch

1) Download

wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.8.0-linux-x86_64.tar.gz

2) Extract

cd /home/elasticsearch
tar -zxvf elasticsearch-7.8.0-linux-x86_64.tar.gz

3) Create the data directory

cd /home/elasticsearch
mkdir data

4) Edit config/elasticsearch.yml

cd /home/elasticsearch/elasticsearch-7.8.0/config
vi elasticsearch.yml

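Changes:

# Cluster name
cluster.name: es-rms
# Node name
node.name: node-1
# Directories for data and logs
path.data: /home/elasticsearch/data
path.logs: /home/elasticsearch/elasticsearch-7.8.0/logs
# Bind address; once set to 0.0.0.0, the node can be reached from any machine
network.host: 0.0.0.0
# Port
http.port: 9200
# Names of all nodes in the cluster. This is the node name set above (the default name also works); this is a single machine, so one node is enough
cluster.initial_master_nodes: ["node-1"]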

5) Start

cd /home/elasticsearch/elasticsearch-7.8.0/bin
./elasticsearch
# Start in the background
./elasticsearch -d

The following error appears:

Java HotSpot(TM) 64-Bit Server VM warning: INFO: os::commit_memory(0x00000000c5330000, 986513408, 0) failed; error='Cannot allocate memory' (errno=12)
#
# There is insufficient memory for the Java Runtime Environment to continue.
# Native memory allocation (mmap) failed to map 986513408 bytes for committing reserved memory.
# An error report file with more information is saved as:
# logs/hs_err_pid22863.log

1 GB of memory is too small: by default the JVM that Elasticsearch runs on uses 1 GB of memory. Change the memory setting, lowering it to 512m:

cd /home/elasticsearch/elasticsearch-7.8.0/config
vi jvm.options
------ Changes
-Xms512m
#-Xms1g
-Xmx512m
#-Xmx1g

The following error appears:

[2019-06-21T16:20:03,039][WARN ][o.e.b.ElasticsearchUncaughtExceptionHandler] [node-1] uncaught exception in thread [main]
org.elasticsearch.bootstrap.StartupException: java.lang.RuntimeException: can not run elasticsearch as root
    at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:163) ~[elasticsearch-7.1.1.jar:7.1.1]
    at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:150) ~[elasticsearch-7.1.1.jar:7.1.1]
    at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86) ~[elasticsearch-7.1.1.jar:7.1.1]
    at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124) ~[elasticsearch-cli-7.1.1.jar:7.1.1]
    at org.elasticsearch.cli.Command.main(Command.java:90) ~[elasticsearch-cli-7.1.1.jar:7.1.1]
    at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:115) ~[elasticsearch-7.1.1.jar:7.1.1]
    at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:92) ~[elasticsearch-7.1.1.jar:7.1.1]
    Caused by: java.lang.RuntimeException: can not run elasticsearch as root
    at org.elasticsearch.bootstrap.Bootstrap.initializeNatives(Bootstrap.java:102) ~[elasticsearch-7.1.1.jar:7.1.1]
    at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:169) ~[elasticsearch-7.1.1.jar:7.1.1]
    at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:325) ~[elasticsearch-7.1.1.jar:7.1.1]
    at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:159) ~[elasticsearch-7.1.1.jar:7.1.1]
    ... 6 more

Elasticsearch cannot be run as the root user; another user has to be added.

# Create the group
groupadd elastic
# Add the user es
adduser es
# Change the user's group
usermod -g elastic es
# Set the user's password
# passwd es
Changing password for user es.
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.

# Set file ownership so the es user can work with the files
chown -R es:elastic /home/elasticsearch

Edit /etc/security/limits.conf and append at the end:

es soft nofile 65536
es hard nofile 65536
es soft nproc 4096
es hard nproc 4096

Edit /etc/sysctl.conf and append at the end:

vm.max_map_count = 262144
# Note: when installing inside a Docker container, the container has to be started with the --privileged flag, otherwise this value cannot be changed

Apply the change:
sysctl -p

Switch to the es user and start:

su - es
/home/elasticsearch/elasticsearch-7.8.0/bin/elasticsearch

6) Verify access

curl 'http://localhost:9200/?pretty'
# Response
{
  "name" : "node-1",
  "cluster_name" : "es-rms",
  "cluster_uuid" : "EuXotObWRmWnrYcf3rWXfg",
  "version" : {
    "number" : "7.8.0",
    "build_flavor" : "default",
    "build_type" : "tar",
    "build_hash" : "757314695644ea9a1dc2fecd26d1a43856725e65",
    "build_date" : "2020-06-14T19:35:50.234439Z",
    "build_snapshot" : false,
    "lucene_version" : "8.5.1",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}
# Install the curl command
apt-get install curl

Installing Kibana

1) Download

wget https://artifacts.elastic.co/downloads/kibana/kibana-7.8.0-linux-x86_64.tar.gz

2) Extract

cd /home/kibana
tar -zvxf kibana-7.8.0-linux-x86_64.tar.gz

3) Edit the configuration

cd /home/kibana/kibana-7.8.0-linux-x86_64/config
vi kibana.yml
--------- Changes
# Port
server.port: 5601
# Server address
server.host: "110.10.0.14"
# Proxy path
server.basePath: "/kibana"
# Elasticsearch server address
elasticsearch.hosts: ["http://110.10.0.14:9200"]

4) Start

cd /home/kibana/kibana-7.8.0-linux-x86_64/bin
./kibana

The following error appears:

Kibana should not be run as root.  Use --allow-root to continue

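Kibana has to be started as a non-root user; create a new user:

# Create the group
groupadd elastic
# Add the user es
adduser es
# Change the user's group
usermod -g elastic es
# Set the user's password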
# passwd es
Changing password for user es.
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.

# Set file ownership so the es user can work with the files
chown -R es:elastic /home/kibana

Switch to the es user and start Kibana.

The following error appears:

  log   [09:50:02.302] [error][reporting] The Reporting plugin encountered issues launching Chromium in a self-test. You may have trouble generating reports.
  log   [09:50:02.302] [error][reporting] Error: Failed to launch chrome!

Chromium needs to be installed:

apt-get install chromium-browser

Start Kibana.
The following error appears:

[0623/100217.756157:WARNING:resource_bundle.cc(358)] locale_file_path.empty() for locale 
[0623/100217.771950:FATAL:zygote_host_impl_linux.cc(116)] No usable sandbox! Update your kernel or see https://chromium.googlesource.com/chromium/src/+/master/docs/linux_suid_sandbox_development.md for more information on developing with the SUID sandbox. If you want to live dangerously and need an immediate workaround, you can try using --no-sandbox.

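The Chromium sandbox setting needs to be changed (the setting below turns the sandbox off):

# Edit the kibana.yml file
cd /home/kibana/kibana-7.8.0-linux-x86_64/config
vi kibana.yml
# Append as the last line; this disables the Chromium sandbox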
xpack.reporting.capture.browser.chromium.disableSandbox: true
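
With the settings used so far, Elasticsearch listens on every interface with no authentication configured, and the Chromium instance used for Kibana reporting runs unsandboxed. The script below is an added example, not part of the original post: it reads the two YAML files and reports those settings. The function names and sample files are constructed for illustration, and it assumes the 7.x default in which security stays off unless xpack.security.enabled is set to true.

```shell
# Added example, not from the original post. Assumes 7.x defaults, where
# xpack.security.enabled is false unless set. Function names are made up here.

# yaml_get FILE KEY: value of a flat "key: value" line (comment lines skipped).
yaml_get() {
  awk -v key="$2" '
    /^[ \t]*#/ { next }
    { line = $0; sub(/^[ \t]+/, "", line)
      if (index(line, key ":") == 1) {
        val = substr(line, length(key) + 2)
        sub(/[ \t]+#.*$/, "", val)          # drop trailing comment
        gsub(/^[ \t]+|[ \t]+$/, "", val)    # trim whitespace
        gsub(/^"|"$/, "", val)              # strip surrounding quotes
        found = val } }
    END { print found }' "$1"
}

# audit_es FILE: prints one "ES:" line per finding.
audit_es() {
  host=$(yaml_get "$1" network.host); port=$(yaml_get "$1" http.port)
  case "$host" in
    ""|localhost|127.*|::1|_local_) ;;      # loopback only (default when unset)
    *) if [ "$(yaml_get "$1" xpack.security.enabled)" != "true" ]; then
         echo "ES: network.host=$host, security off: port ${port:-9200} needs no credentials"
       fi ;;
  esac
  return 0
}

# audit_kibana FILE: prints one "KIBANA:" line per finding.
audit_kibana() {
  if [ "$(yaml_get "$1" xpack.reporting.capture.browser.chromium.disableSandbox)" = "true" ]; then
    echo "KIBANA: reporting Chromium runs without its sandbox"
  fi
  case "$(yaml_get "$1" elasticsearch.hosts)" in
    *http://*) echo "KIBANA: elasticsearch.hosts uses unencrypted http" ;;
  esac
  return 0
}

# Constructed samples: this guide's values, then an Elasticsearch file with security on.
demo=$(mktemp -d)
printf '%s\n' 'network.host: 0.0.0.0' 'http.port: 9200' > "$demo/elasticsearch.yml"
printf '%s\n' 'server.host: "110.10.0.14"' 'elasticsearch.hosts: ["http://110.10.0.14:9200"]' \
  'xpack.reporting.capture.browser.chromium.disableSandbox: true' > "$demo/kibana.yml"
printf '%s\n' 'network.host: 110.10.0.14' 'xpack.security.enabled: true' > "$demo/es-secured.yml"
audit_es "$demo/elasticsearch.yml"      # one ES finding
audit_kibana "$demo/kibana.yml"         # two KIBANA findings
audit_es "$demo/es-secured.yml"         # no output
```

The es-secured.yml sample contains only the two keys the audit reads; it is not a complete configuration.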

Installing Logstash

1) Download

wget https://artifacts.elastic.co/downloads/logstash/logstash-7.8.0.tar.gz

2) Extract

cd /home/logstash
tar -zxvf logstash-7.8.0.tar.gz

3) Write the configuration file **.conf

input {
  tcp {
    host => "110.10.0.14"
    port => 9501
    mode => "server"
    tags => ["tags"]
    codec => plain{charset=>"UTF-8"}
  }
}
output {
  elasticsearch {
    action => "index"
    index => "rms-log"
    hosts => ["110.10.0.14:9200"]
  }
}

4) Start

/home/logstash/logstash-7.8.0/bin/logstash -f /home/logstash/rms.conf

Start in the background

cd /home/logstash
# Write start-rms.sh
nohup logstash-7.8.0/bin/logstash -f rms.conf > /dev/null 2>&1 &