The ELK stack is the combination of three open-source projects, Elasticsearch, Logstash and Kibana, all of which are now maintained by Elastic.co.
ELK is a widely used open-source log monitoring and analysis system: Elasticsearch is a distributed index and search service,
Logstash is a tool for collecting and managing logs and events, and Kibana is a data visualization service.
elasticsearch-6.3.1.zip            indexes the logs and serves search and analysis
logstash-6.3.1.zip                 collects and processes the logs and ships them into Elasticsearch
kibana-6.3.1-linux-x86_64.tar.gz   visualizes the logs
redis                              a DB used as the channel that carries logs from the Logstash shipper to the indexer
java version "1.8.0"               Elasticsearch and Logstash 6.3 need a Java 8 runtime
A diagram of how they relate:
This article uses two servers as the deployment example:
Server A: 10.0.1.8 (internal IP)  java, elasticsearch, redis, kibana, logstash (shipper agent and indexer)
Server B: 192.168.0.2              java, logstash (shipper agent)
First install the supporting packages on server A:
yum -y install curl wget lrzsz axel
On server A, create the user that will run ELK (Elasticsearch refuses to start as root):
groupadd elk
useradd -g elk elk
Stop the firewall:
service iptables stop
Be aware that this exposes every port the stack listens on (9200, 5601, 6379, 9100) to the whole network, and in this setup none of those services asks for authentication. That is tolerable on a throwaway lab host; anywhere else keep iptables running and open only the ports each peer actually needs.
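As an added example (not part of the original post), the least-privilege alternative to stopping iptables on server A: a script that keeps the firewall up and admits only the peers this deployment needs. 192.168.0.2 is server B from the post, which pushes into Redis; the admin network 10.0.1.0/24, the port list and the script name are assumptions for this layout.

```shell
#!/bin/bash
# Least-privilege replacement for "service iptables stop" on server A (added example; not from
# the original post). Ports: 22 SSH, 5601 Kibana, 9100 head UI and 9200 ES REST for the admin
# network; 6379 Redis only for the Logstash shipper on server B. 9300 (ES transport) stays closed
# on a single node. ADMIN_NET is an assumption; 192.168.0.2 is server B from the post.
set -u

# emit_rules ADMIN_NET SHIPPER_IP -> print the iptables commands without running them
emit_rules() {
    local admin=$1 shipper=$2
    cat <<EOF
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -s $admin --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -s $admin --dport 5601 -j ACCEPT
iptables -A INPUT -p tcp -s $admin --dport 9100 -j ACCEPT
iptables -A INPUT -p tcp -s $admin --dport 9200 -j ACCEPT
iptables -A INPUT -p tcp -s $shipper --dport 6379 -j ACCEPT
iptables -P INPUT DROP
EOF
}

# apply_rules ADMIN_NET SHIPPER_IP -> run the rules as root and persist them across reboots (CentOS 6)
apply_rules() {
    emit_rules "$1" "$2" | sh -e && service iptables save
}

# Usage: ./es-firewall.sh show 10.0.1.0/24 192.168.0.2   (review)
#        ./es-firewall.sh apply 10.0.1.0/24 192.168.0.2  (as root)
case "${1:-}" in
    show)  emit_rules "${2:?ADMIN_NET}" "${3:?SHIPPER_IP}" ;;
    apply) apply_rules "${2:?ADMIN_NET}" "${3:?SHIPPER_IP}" ;;
esac
```

The flush and the ACCEPT rules run before the DROP policy is set, and SSH from the admin network is allowed explicitly, so applying this over an SSH session does not lock you out. If Kibana, Logstash and head only ever talk to Elasticsearch from server A itself, the 9200 rule can be dropped too and head reached through an SSH tunnel.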
1: Install Elasticsearch
Everything below is done as the elk user.
Log in to the server as elk.
Download the packages from https://www.elastic.co/downloads, copy them to the server and unpack them.
Configure Elasticsearch (config/elasticsearch.yml):
# New settings so that the head plugin, served from a different origin, can call the ES REST API
http.cors.enabled: true
http.cors.allow-origin: "*"
"*" tells Elasticsearch to answer cross-origin requests from any web page the operator's browser happens to visit, and ES has no authentication in this setup, so once head is running narrow this to the exact origin (scheme, host and port) the head UI is served from.
Start Elasticsearch (bin/elasticsearch in the unpacked directory):
Follow the log to confirm it came up (the log file is named after cluster.name):
tail -f /data/path/to/logs/elk.log
Then open http://10.0.1.8:9200 in a browser; a JSON banner with the version number means the node is serving.
Elasticsearch is installed, but start-up reported the errors below (the traces were captured from a 5.x build; 6.3.1 runs the same bootstrap checks, except that it requires at least 4096 threads instead of 2048):
java.lang.UnsupportedOperationException: seccomp unavailable: CONFIG_SECCOMP not compiled into kernel, CONFIG_SECCOMP and CONFIG_SECCOMP_FILTER are needed
at org.elasticsearch.bootstrap.SystemCallFilter.linuxImpl(SystemCallFilter.java:363) ~[elasticsearch-5.5.2.jar:5.5.2]
at org.elasticsearch.bootstrap.SystemCallFilter.init(SystemCallFilter.java:638) ~[elasticsearch-5.5.2.jar:5.5.2]
at org.elasticsearch.bootstrap.JNANatives.tryInstallSystemCallFilter(JNANatives.java:245) [elasticsearch-5.5.2.jar:5.5.2]
at org.elasticsearch.bootstrap.Natives.tryInstallSystemCallFilter(Natives.java:113) [elasticsearch-5.5.2.jar:5.5.2]
bootstrap checks failed
[1]: max file descriptors [4096] for elasticsearch process is too low, increase to at least [65536]
[2]: max number of threads [1024] for user [elk] is too low, increase to at least [2048]
[3]: max virtual memory areas vm.max_map_count [65530] is too low, increase to at least [262144]
[4]: system call filters failed to install; check the logs and fix your configuration or disable system call filters at your own risk
There are several problems here; fix them one at a time.
Problem 1: vm.max_map_count is too small:
max virtual memory areas vm.max_map_count [65536] likely too low, increase to at least [262144]
Fix: raise the kernel parameter max_map_count.
cat /proc/sys/vm/max_map_count    look at the current value
echo 1000000 >> /proc/sys/vm/max_map_count    as root, write the new value into the proc file (sysctl -w does the same). This takes effect immediately but is lost at reboot; fix 6 below makes it persistent.
Problem 2: a warning
WARN ][o.e.b.JNANatives ] unable to install syscall filter:
java.lang.UnsupportedOperationException: seccomp unavailable: requires kernel 3.5+ with CONFIG_SECCOMP and CONFIG_SECCOMP_FILTER compiled in
at org.elasticsearch.bootstrap.Seccomp.linuxImpl(Seccomp.java:349) ~[elasticsearch-5.0.0.jar:5.0.0]
at org.elasticsearch.bootstrap.Seccomp.init(Seccomp.java:630) ~[elasticsearch-5.0.0.jar:5.0.0]
It prints a long stack trace, but by itself this is only a warning: the CentOS 6 kernel (2.6.32) cannot provide seccomp-bpf, so Elasticsearch cannot install its system call filter.
Fix: use a newer Linux release whose kernel has CONFIG_SECCOMP and CONFIG_SECCOMP_FILTER (3.5 or later) and the warning goes away. It only becomes fatal in combination with the bootstrap checks (problem 7 below).
Problem 3: ERROR: bootstrap checks failed
max file descriptors [4096] for elasticsearch process likely too low, increase to at least [65536]
max number of threads [1024] for user [lishang] likely too low, increase to at least [2048]
Fix: switch to root, edit limits.conf and add entries like the following
vi /etc/security/limits.conf
Add:
* soft nofile 65536
* hard nofile 131072
* soft nproc 2048
* hard nproc 4096
These take effect only for new login sessions, so log in again as elk afterwards. The "*" domain raises the limits for every account on the box; replacing "*" with elk gives only the Elasticsearch user the extra headroom. For 6.x the soft nproc value must be at least 4096.
Problem 4: not enough processes
max number of threads [1024] for user [elk] likely too low, increase to at least [2048]
Fix: cat /proc/sys/kernel/threads-max shows the system-wide thread limit
ulimit -a shows the limits of the current shell (not of all users)
ulimit -u 2048 raises the process limit to 2048 for the current shell only; it cannot exceed the hard limit and is gone when the shell exits, so it is a quick test rather than the fix
Fix 5: switch to root and edit 90-nproc.conf.
vi /etc/security/limits.d/90-nproc.conf
#change the following line
* soft nproc 1024
#to
* soft nproc 2048
On CentOS 6 the files in limits.d are read after limits.conf, so this wildcard line overrides the nproc value set in fix 3; that is why problem 4 persists until this file is changed as well.
Fix 6: switch to root and edit sysctl.conf
vi /etc/sysctl.conf
#add the following line:
vm.max_map_count=655360
#then apply it:
sysctl -p
This is the persistent form of the /proc write in problem 1 and survives reboots.
Problem 7: fix for
[4]: system call filters failed to install; check the logs and fix your configuration or disable system call filters at your own risk
#this has the same root cause as the exception below
java.lang.UnsupportedOperationException: seccomp unavailable: CONFIG_SECCOMP not compiled into kernel, CONFIG_SECCOMP and CONFIG_SECCOMP_FILTER are needed
....
Cause: CentOS 6 does not support seccomp, while ES 5.5.2 sets bootstrap.system_call_filter to true by default and checks that the filter installed.
The check fails, and because the node binds to a non-loopback address a failed bootstrap check stops Elasticsearch from starting at all.
Fix:
edit the config
vi ./config/elasticsearch.yml
bootstrap.memory_lock: false
bootstrap.system_call_filter: false
Know what is being switched off: the system call filter is the seccomp sandbox that stops the Elasticsearch JVM from forking or exec'ing other programs, so a compromised node loses that containment. Disable it only on kernels that cannot provide seccomp; moving to a release with seccomp-bpf (CentOS 7 or later) is the better fix. bootstrap.memory_lock: false is already the default and has nothing to do with the seccomp failure.
Switch back to the elk user and restart Elasticsearch.
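An added example (not the post's or Elastic's own code) that packages problems 1 to 7 into one preflight script: check reproduces the bootstrap checks as the elk user, including whether the kernel can install the seccomp filter, and fix writes the persistent settings idempotently, scoped to the elk user rather than "*". The 6.x thresholds (65536 open files, 4096 threads, vm.max_map_count 262144) are Elastic's documented minimums; the hard limits 131072 and 8192 and the script name are choices of this example.

```shell
#!/bin/bash
# Preflight for the Elasticsearch bootstrap checks discussed above (added example; not from the post).
#   check: reproduce the checks in the current shell (log in fresh as elk first: limits.conf
#          changes only apply to new sessions)
#   fix:   write the persistent settings as root, for the elk user only rather than "*"
# Thresholds are what ES 6.x enforces on a non-loopback bind; 5.x asked for 2048 threads.
set -u

ES_USER=elk
MIN_NOFILE=65536
MIN_NPROC=4096
MIN_MAP_COUNT=262144

# check_min NAME ACTUAL REQUIRED -> 0 when ACTUAL is "unlimited" or a number >= REQUIRED
check_min() {
    local name=$1 actual=$2 required=$3
    if [ "$actual" = unlimited ] || [ "$actual" -ge "$required" ] 2>/dev/null; then
        echo "ok   $name=$actual (need >= $required)"
        return 0
    fi
    echo "FAIL $name=$actual (need >= $required)"
    return 1
}

# seccomp_supported -> 0 when the running kernel (3.8+) reports seccomp in /proc, so the
# ES system call filter can install; CentOS 6's 2.6.32 kernel has no such line
seccomp_supported() {
    grep -q '^Seccomp:' /proc/self/status 2>/dev/null
}

# preflight -> runs every check; the return value is the number of failures
preflight() {
    local fails=0
    check_min nofile "$(ulimit -n)" "$MIN_NOFILE" || fails=$((fails + 1))
    check_min nproc "$(ulimit -u)" "$MIN_NPROC" || fails=$((fails + 1))
    check_min vm.max_map_count "$(cat /proc/sys/vm/max_map_count)" "$MIN_MAP_COUNT" || fails=$((fails + 1))
    if seccomp_supported; then
        echo "ok   seccomp available"
    else
        echo "WARN seccomp unavailable: this kernel needs bootstrap.system_call_filter: false"
    fi
    return "$fails"
}

# set_sysctl FILE KEY VALUE -> ensure exactly one "KEY=VALUE" line in a sysctl.conf-style file
set_sysctl() {
    local file=$1 key=$2 value=$3
    if grep -qE "^[[:space:]]*${key}[[:space:]]*=" "$file" 2>/dev/null; then
        sed -i -E "s|^[[:space:]]*${key}[[:space:]]*=.*|${key}=${value}|" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >>"$file"
    fi
}

# set_limit FILE DOMAIN TYPE ITEM VALUE -> ensure exactly one matching limits.conf line
set_limit() {
    local file=$1 domain=$2 type=$3 item=$4 value=$5
    local pat="^[[:space:]]*${domain}[[:space:]]+${type}[[:space:]]+${item}[[:space:]]"
    if grep -qE "$pat" "$file" 2>/dev/null; then
        sed -i -E "s|${pat}.*|${domain} ${type} ${item} ${value}|" "$file"
    else
        printf '%s %s %s %s\n' "$domain" "$type" "$item" "$value" >>"$file"
    fi
}

# apply_fixes LIMITS_FILE SYSCTL_FILE -> the persistent equivalents of fixes 3, 5 and 6
apply_fixes() {
    local limits=$1 sysctl=$2
    set_limit "$limits" "$ES_USER" soft nofile "$MIN_NOFILE"
    set_limit "$limits" "$ES_USER" hard nofile 131072
    set_limit "$limits" "$ES_USER" soft nproc "$MIN_NPROC"
    set_limit "$limits" "$ES_USER" hard nproc 8192
    set_sysctl "$sysctl" vm.max_map_count "$MIN_MAP_COUNT"
}

# Usage: ./es-preflight.sh check   (as elk)      ./es-preflight.sh fix   (as root)
case "${1:-}" in
    check) preflight ;;
    fix) apply_fixes /etc/security/limits.conf /etc/sysctl.conf && sysctl -p ;;
esac
```

Run check again in a fresh elk login after fix. If nproc still reports 1024, the wildcard line in /etc/security/limits.d/90-nproc.conf is winning on that host; the same set_limit call can be pointed at that file to add an elk-specific line there.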
Install the elasticsearch-head plugin
Either run the ready-made Docker image or build from the GitHub checkout; pick one of the two.
1. Docker image with elasticsearch-head bundled
# docker run -p 9100:9100 mobz/elasticsearch-head:5
Once the image has been pulled and the container is running, open http://localhost:9100/ in a browser
2. Install elasticsearch-head from git
# yum install -y npm
# git clone git://github.com/mobz/elasticsearch-head.git
# cd elasticsearch-head
# npm install
# npm run start
(the git:// transport is neither encrypted nor authenticated; cloning the same repository over https:// rules out code altered in transit)
Check that the port is listening
netstat -antp |grep 9100
Test in a browser
http://IP:9100/
head is a second unauthenticated UI, and the browser talks to Elasticsearch on 9200 directly, so both ports must only be reachable from the workstations that are meant to use them.
Install error 1:
npm ERR! Error: CERT_UNTRUSTED
npm ERR! at SecurePair.<anonymous> (tls.js:1370:32)
npm ERR! at SecurePair.EventEmitter.emit (events.js:92:17)
Fix used here: npm config set strict-ssl false
This turns off TLS certificate verification for everything npm downloads, so anyone on the network path could substitute packages. CERT_UNTRUSTED usually means an outdated CA bundle on the CentOS 6 host or a TLS-intercepting proxy; updating the system CA certificates, or pointing npm's cafile setting at the proxy's CA, clears the error without disabling verification, and strict-ssl should be switched back on afterwards.
Install error 2:
Start it again in the background so it survives the session ending: nohup npm run start &