I. Installing Elasticsearch
1. Download the package elasticsearch-7.5.2-linux-x86_64.tar.gz from https://www.elastic.co/cn/downloads/elasticsearch
2. Upload it to the server; my directory is /home/develop/server/elasticsearch
3. Extract it: tar -zxvf elasticsearch-7.5.2-linux-x86_64.tar.gz
4. Raise the kernel's virtual memory map count limit:
(1) # vim /etc/sysctl.conf
(2) Press i to enter insert mode and append this parameter on the last line: vm.max_map_count = 655360
(3) :wq to save and exit
(4) sysctl -p to apply the change
5. Create the elasticsearch user
(1) # adduser elasticsearch
(2) # passwd elasticsearch
Then enter the password you want to set, e.g. elasticsearch123
(3) Grant ownership: chown -R elasticsearch elasticsearch-7.5.2
(4) Switch to the elasticsearch user: su elasticsearch
6. Edit elasticsearch.yml so the node can be reached from outside the host:
# cd /home/develop/server/elasticsearch/elasticsearch-7.5.2/config
# vim elasticsearch.yml
(1) Find network.host, uncomment it and set the address to 0.0.0.0 (binds to every interface):
network.host: 0.0.0.0
(2) Find cluster.initial_master_nodes, uncomment it and remove node-2, so it reads:
cluster.initial_master_nodes: ["node-1"]
(3) Append these two lines at the end of the file (the space after the colon is required; YAML does not accept http.cors.enabled:true as a key/value pair):
http.cors.enabled: true
http.cors.allow-origin: "*"
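With the settings from step 6 the node listens on every interface, accepts any browser origin through CORS and, since 7.5.2 ships with xpack.security disabled by default, answers on port 9200 without authentication. The checker below is an added example, not code from the original post: it parses the flat key: value lines of elasticsearch.yml (SAMPLE_YML is a constructed copy of the edits above), reports those exposures, and flags lines missing the space after the colon.

```python
"""Audit the elasticsearch.yml edits from step 6 (added example, not the post's code).
SAMPLE_YML is constructed; pass the real file contents to parse_settings() instead."""
import re

SAMPLE_YML = """\
# constructed sample mirroring the tutorial's edits
network.host: 0.0.0.0
cluster.initial_master_nodes: ["node-1"]
http.cors.enabled: true
http.cors.allow-origin: "*"
"""

# Flat `key: value` line; YAML requires whitespace after the colon.
_KV = re.compile(r'^([A-Za-z0-9_.\-]+):(?:\s+(.*?))?\s*$')


def parse_settings(text):
    """Return (settings, malformed_line_numbers) for a flat elasticsearch.yml."""
    settings, malformed = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = re.sub(r'(^|\s)#.*$', '', raw).strip()  # drop comments
        if not line:
            continue
        m = _KV.match(line)
        if m is None:                      # e.g. "http.cors.enabled:true"
            malformed.append(lineno)
            continue
        settings[m.group(1)] = (m.group(2) or '').strip('"\'')
    return settings, malformed


def audit(settings):
    """List the ways these settings expose the node; an empty list means none found."""
    findings = []
    host = settings.get('network.host', '_local_')  # ES default binds loopback only
    if host in ('0.0.0.0', '::', '_site_', '_global_'):
        findings.append('network.host=%s: REST (9200) and transport (9300) reachable on every interface' % host)
    if settings.get('http.cors.enabled') == 'true' and settings.get('http.cors.allow-origin') == '*':
        findings.append('http.cors.allow-origin=*: any web page open in a browser on the network may query the node')
    if settings.get('xpack.security.enabled', 'false') != 'true':
        findings.append('xpack.security.enabled is not true: the REST API requires no authentication')
    return findings


if __name__ == '__main__':
    parsed, bad = parse_settings(SAMPLE_YML)
    for finding in audit(parsed):
        print('WARNING:', finding)
    if bad:
        print('malformed lines (no space after the colon):', bad)
```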
7. Run it
(1) # cd ../bin
(2) # ./elasticsearch -d
-d runs it in the background as a daemon; it can be omitted
(3) # curl localhost:9200
It returns a JSON document:
{
"name" : "iZbp11s852rj60uzty3mg7Z",
"cluster_name" : "elasticsearch",
"cluster_uuid" : "ywbIRWtpRkWgu8HX3Ab91Q",
"version" : {
"number" : "7.5.2",
"build_flavor" : "default",
"build_type" : "tar",
"build_hash" : "8bec50e1e0ad29dad5653712cf3bb580cd1afcdf",
"build_date" : "2020-01-15T12:11:52.313576Z",
"build_snapshot" : false,
"lucene_version" : "8.3.0",
"minimum_wire_compatibility_version" : "6.8.0",
"minimum_index_compatibility_version" : "6.0.0-beta1"
},
"tagline" : "You Know, for Search"
}
8. Installing Kibana (data visualization tool)
(1) Download kibana-7.5.2-linux-x86_64.tar.gz
(2) Extract kibana-7.5.2-linux-x86_64.tar.gz:
# tar -zxvf kibana-7.5.2-linux-x86_64.tar.gz
(3) The config file kibana.yml is in the config directory of the extracted folder.
(4) Enter the bin directory of the extracted folder, switch to the elasticsearch user and start Kibana.
# su elasticsearch
# ./kibana
(5) Open Kibana in a browser: http://localhost:5601
9. Installing Logstash (data pipeline)
(1) Download logstash-7.5.2.tar.gz:
# wget https://artifacts.elastic.co/downloads/logstash/logstash-7.5.2.tar.gz
(2) Extract it:
tar -zxvf logstash-7.5.2.tar.gz
(3) Edit the config file:
# cd logstash-7.5.2/config
# cp logstash-sample.conf syslog.conf
# vim syslog.conf
with the following content:
# define the log source
input {
  syslog {
    type => "system-syslog"  # event type
    port => 10514            # listening port
  }
}
# define the log output
output {
  stdout {
    codec => rubydebug  # print events to the current terminal
  }
}
(4) Edit the JVM options file:
# vim jvm.options
Set the heap parameters to:
-Xms200M
-Xmx200M
(5) Validate the config file:
# cd ../bin
# ./logstash --path.settings /home/develop/server/elasticsearch/logstash-7.5.2/config/ -f /home/develop/server/elasticsearch/logstash-7.5.2/config/syslog.conf --config.test_and_exit
As the figure shows, Configuration OK is printed, which means the config file is valid.
Command options:
--path.settings: the directory containing Logstash's settings files
-f: the path of the pipeline config file to check
--config.test_and_exit: exit after checking the config; without it Logstash starts directly
(6) Point rsyslog at the server IP and listening port:
# vim /etc/rsyslog.conf
Add a forwarding rule with the server IP (@@ forwards over TCP):
*.* @@127.0.0.1:10514
Restart rsyslog to apply the config:
# systemctl restart rsyslog
(7) Start Logstash
# ./logstash --path.settings /home/develop/server/elasticsearch/logstash-7.5.2/config/ -f /home/develop/server/elasticsearch/logstash-7.5.2/config/syslog.conf
(8) Open a new terminal and check that the port is being listened on:
# netstat -lntp |grep 10514
(9) Send the logs to Elasticsearch
Edit the config file
# cd /home/develop/server/elasticsearch/logstash-7.5.2/config
# vim syslog.conf
Change the content to:
input {
  syslog {
    type => "system-syslog"
    port => 10514
  }
}
output {
  elasticsearch {
    hosts => ["127.0.0.1:9200"]            # address of the ES server
    index => "system-syslog-%{+YYYY.MM}"   # index name, one per month
  }
}
(10) Check that the config file is valid:
# cd ../bin
# ./logstash --path.settings /home/develop/server/elasticsearch/logstash-7.5.2/config/ -f /home/develop/server/elasticsearch/logstash-7.5.2/config/syslog.conf --config.test_and_exit
(11) Restart Logstash:
# ./logstash --path.settings /home/develop/server/elasticsearch/logstash-7.5.2/config/ -f /home/develop/server/elasticsearch/logstash-7.5.2/config/syslog.conf
Check that the ports are being listened on, as in the figure:
# netstat -lntp |grep 9600
# netstat -lntp |grep 10514
(12) Query the indices: curl '127.0.0.1:9200/_cat/indices?v'
The output (see figure) shows that the system-syslog index defined in the Logstash config was created, which proves the configuration is correct and Logstash is communicating with Elasticsearch.
At the same time, the new index appears in the Kibana UI, as in the figure.