Installing Elasticsearch
- First install a JDK environment
- Install Elasticsearch
cd /usr/local/src
tar -zxvf elasticsearch-7.0.0-linux-x86_64.tar.gz -C /usr/local/
- Create the group and user (Elasticsearch refuses to start as root)
groupadd elsearch
useradd elsearch -g elsearch
chown -R elsearch:elsearch /usr/local/elasticsearch-7.0.0
- Edit the configuration file
vim /usr/local/elasticsearch-7.0.0/config/elasticsearch.yml
cluster.name: my-application
node.name: node-1
path.data: /data/els_data
path.logs: /var/log/ELK/elas
bootstrap.memory_lock: false
bootstrap.system_call_filter: false
network.host: 192.168.174.8
http.port: 9200
cluster.initial_master_nodes: ["node-1"]
xpack.license.self_generated.type: basic
Two things to be aware of with this file. Setting network.host to anything other than a loopback address switches Elasticsearch into production mode, which enforces the bootstrap checks described in the troubleshooting section below. And the basic license on 7.0.0 includes no authentication, so anyone who can reach 192.168.174.8:9200 can read, write and delete every index; restrict port 9200 with a firewall to the Logstash and Kibana hosts.
- Create the directories and set ownership
mkdir -p /data/els_data
mkdir -p /var/log/ELK/elas
chown -R elsearch:elsearch /data/els_data /var/log/ELK/elas
- Start Elasticsearch (as the elsearch user)
su - elsearch
cd /usr/local/elasticsearch-7.0.0
./bin/elasticsearch &
Problems encountered while installing Elasticsearch
1. ERROR: [5] bootstrap checks failed
- Error one: max file descriptors [4096] for elasticsearch process is too low, increase to at least [65536]
Fix:
vim /etc/security/limits.conf
* soft nofile 65536
* hard nofile 131072
limits.conf is applied by PAM at login, so the new limits only take effect in a fresh session (log out and run su - elsearch again); check with ulimit -n. If Elasticsearch is later run from a systemd unit, set LimitNOFILE= in the unit instead, because systemd services do not go through limits.conf.
- Error two: max virtual memory areas vm.max_map_count [65530] is too low, increase to at least [262144]
Fix: vim /etc/sysctl.conf
vm.max_map_count=262144
sysctl -p
- Error three: system call filters failed to install; check the logs and fix your configuration or disable system call filters at your own risk
Fix:
vim elasticsearch.yml
bootstrap.memory_lock: false
bootstrap.system_call_filter: false
Be clear about what this trades away: the system call filter is the seccomp sandbox that limits which syscalls the Elasticsearch process may make (on Linux it blocks fork and exec, so a compromised node cannot simply spawn a shell). Setting it to false silences the check but removes that protection. Prefer a kernel with seccomp support and keep the default of true wherever possible; bootstrap.memory_lock: false is the default and is unrelated to this error.
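The three bootstrap checks above can be verified before the node is started. The following script is an added example, not from the original page: it reads the live values the checks look at (open-file limits, vm.max_map_count, whether the kernel exposes seccomp) and, for limits.conf, works out which nofile value pam_limits would hand a given user, so an edit can be validated before logging in again. The thresholds are the ones quoted in the error messages; the user name elsearch is the one created earlier; the file name es-preflight.sh and the --live switch are this example's own.

```shell
#!/bin/sh
# es-preflight.sh: check the host against the Elasticsearch bootstrap checks
# discussed above before starting the node. Added example, not from the page.
# Pure functions take input as arguments or stdin so they can be tested without
# root; the current_* helpers read the live host.

ES_MIN_NOFILE=65536        # "max file descriptors ... increase to at least [65536]"
ES_MIN_MAP_COUNT=262144    # "vm.max_map_count ... increase to at least [262144]"

# check_min NAME CURRENT MINIMUM: print a verdict; exit 0 when CURRENT >= MINIMUM.
# ulimit reports "unlimited" for some limits, which always satisfies the check.
check_min() {
    case $2 in
        unlimited) printf 'OK    %s=unlimited\n' "$1"; return 0 ;;
    esac
    if [ "$2" -ge "$3" ] 2>/dev/null; then
        printf 'OK    %s=%s (>= %s)\n' "$1" "$2" "$3"
    else
        printf 'FAIL  %s=%s (need >= %s)\n' "$1" "$2" "$3"
        return 1
    fi
}

# limits_nofile USER TYPE: read limits.conf syntax on stdin and print the nofile
# value of TYPE (soft|hard) that pam_limits would apply to USER. Simplified
# semantics: an entry for the exact user beats the "*" wildcard, within one
# domain the last line wins, and a "-" type sets both soft and hard. @group and
# % entries are not handled. Prints 0 when nothing matches.
limits_nofile() {
    awk -v user="$1" -v type="$2" '
        /^[ \t]*(#|$)/ { next }
        $3 == "nofile" && ($2 == type || $2 == "-") {
            if ($1 == user) u = $4
            else if ($1 == "*") w = $4
        }
        END { if (u != "") print u; else if (w != "") print w; else print 0 }'
}

# Live readings from the host this runs on.
current_map_count()   { cat /proc/sys/vm/max_map_count 2>/dev/null || echo 0; }
current_nofile_soft() { ulimit -S -n; }
current_nofile_hard() { ulimit -H -n; }

# Kernels built with CONFIG_SECCOMP expose a "Seccomp:" line in /proc/PID/status;
# without it Elasticsearch cannot install its system call filter (error three).
seccomp_available() { grep -q '^Seccomp:' /proc/self/status 2>/dev/null; }

# preflight: run every check; exit 0 only if the node would pass.
preflight() {
    rc=0
    check_min nofile_soft      "$(current_nofile_soft)" "$ES_MIN_NOFILE"    || rc=1
    check_min nofile_hard      "$(current_nofile_hard)" "$ES_MIN_NOFILE"    || rc=1
    check_min vm.max_map_count "$(current_map_count)"   "$ES_MIN_MAP_COUNT" || rc=1
    if seccomp_available; then
        echo 'OK    kernel exposes seccomp; keep bootstrap.system_call_filter: true'
    else
        echo 'WARN  no seccomp in this kernel; system_call_filter: false disables the syscall sandbox'
        rc=1
    fi
    if [ -r /etc/security/limits.conf ]; then
        printf 'INFO  limits.conf would give elsearch soft nofile %s\n' \
            "$(limits_nofile elsearch soft < /etc/security/limits.conf)"
    fi
    return $rc
}

# Run the live checks only when invoked as: sh es-preflight.sh --live
if [ "${1-}" = "--live" ]; then
    preflight
fi
```

Run it as the elsearch user, since the nofile readings are those of the calling session; the limits_nofile reading tells you whether the limits.conf edit will apply to that user once you log in again.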
2. Kibana fails to start with: [error][status][plugin:xpack_main@7.0.0] Status changed from yellow to red - [data] Elasticsearch cluster did not respond with license information.
Fix:
vim elasticsearch.yml
cluster.initial_master_nodes: ["node-1"]
xpack.license.self_generated.type: basic
Without cluster.initial_master_nodes a fresh 7.x node in production mode cannot elect a master, so the cluster never forms and never issues a license, which is exactly what Kibana is complaining about.
Note: Elasticsearch allows at most 1000 open shards per node by default (cluster.max_shards_per_node). When many indices are kept, the limit has to be raised:
curl -XPUT -H "Content-Type:application/json" -d '{"transient":{"cluster":{"max_shards_per_node":100000}}}' 'http://192.168.174.8:9200/_cluster/settings'
A transient setting is lost on a full cluster restart; use "persistent" instead of "transient" if the change is meant to stay. Raising the limit to 100000 only postpones the problem, because every open shard costs heap, so also keep the shard count down (one primary shard per daily index, and delete indices that are past their retention).
Installing Kibana
- Unpack and install:
cd /usr/local/src
tar -zxvf kibana-7.0.0-linux-x86_64.tar.gz -C /usr/local/
- Configuration file:
vim /usr/local/kibana-7.0.0/config/kibana.yml
server.host: "192.168.174.8" # your own IP address
elasticsearch.hosts: ["http://192.168.174.8:9200"] # the address of your Elasticsearch
i18n.locale: "zh-CN" # Chinese UI
- Start Kibana
cd /usr/local/kibana-7.0.0/bin
./kibana &
Installing Logstash
- Unpack and install:
cd /usr/local/src
tar -zxvf logstash-7.0.0.tar.gz -C /usr/local
- Configuration file (it must live inside conf.d, which is the directory Logstash is started with below):
cd /usr/local/logstash-7.0.0/config
mkdir conf.d
vim conf.d/yuanxiao.conf
# beats: the port Logstash listens on for Filebeat (the Filebeat section below ships to 5044)
# file: which files to watch (type: a unique tag for the source, path: the file path)
# filter: custom fields (split: the separator used in the log line)
input {
  beats {
    port => 5044
    # Events from Filebeat carry no [type]; the conditionals below only match the
    # two file inputs, so give Filebeat events their own condition or they are dropped.
  }
  file {
    type => "yxaccess"
    path => "/var/log/httpd/yuanxiao-access.log"
  }
  file {
    # The type must match the output conditional below, otherwise error-log
    # events are never indexed.
    type => "yxerror"
    path => "/var/log/httpd/yuanxiao-error.log"
  }
}
filter {
  # Only the access log uses the pipe-delimited format; the error log must not be split.
  if [type] == "yxaccess" {
    mutate {
      split => { "message" => "|" }
    }
    mutate {
      add_field => {
        "Source_IP"     => "%{[message][0]}"
        "IP"            => "%{[message][1]}"
        "Local_time"    => "%{[message][2]}"
        "Request_time"  => "%{[message][3]}"
        "Response_time" => "%{[message][4]}"
        "URL"           => "%{[message][5]}"
        "Http"          => "%{[message][6]}"
        "UA"            => "%{[message][7]}"
        "Status"        => "%{[message][8]}"
      }
    }
    # Convert the extracted fields to a proper type (string, integer, ...)
    # mutate {
    #   convert => {
    #     "UA" => "string"
    #   }
    # }
  }
}
# Print the result to the terminal for debugging
# output {
#   stdout { codec => rubydebug }
# }
# Write the result to Elasticsearch
output {
  if [type] == "yxaccess" {
    elasticsearch {
      action => "index"
      hosts  => ["192.168.174.8:9200"]
      index  => "yuanxiao-access-log"
    }
  }
  if [type] == "yxerror" {
    elasticsearch {
      action => "index"
      hosts  => ["192.168.174.8:9200"]
      index  => "yuanxiao-error-log"
    }
  }
}
Note: to make log retention easier later on, name indices by the current day when defining them, for example
index => "yuanxiao-access-log-%{+YYYY-MM-dd}"
so that old data can be dropped by deleting whole indices.
- Start Logstash
Note: do not pass conf.d/* when starting; point -f at the directory itself. Logstash concatenates every file in that directory into a single pipeline, so every event passes through every filter and every output; without the if [type] == ... guards used above, events from one source would be written into the other source's index and the indices get mixed up.
/usr/local/logstash-7.0.0/bin/logstash -f /usr/local/logstash-7.0.0/config/conf.d/
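The mutate split/add_field chain above only indexes correctly if every access-log line has exactly nine pipe-separated fields, which depends on a custom LogFormat in httpd.conf that the page does not show. The script below is an added example, not the page's or Logstash's own code: it applies the same "|" split to log lines, maps the fields by the same names, and reports lines that would be mis-indexed, including the case where a value such as the User-Agent itself contains "|" and pushes Status into the wrong column. The two sample lines are constructed; the script name check-access-format.sh is this example's own.

```shell
#!/bin/sh
# check-access-format.sh: apply the same "|" split as the Logstash filter above
# to httpd access-log lines and flag lines that would be indexed wrongly.
# Added example, not from the original page. Sample lines are constructed.

# Field names in the order the add_field block maps [message][0]..[message][8].
ACCESS_FIELDS='Source_IP IP Local_time Request_time Response_time URL Http UA Status'
EXPECTED_FIELDS=9

# count_fields LINE: how many fields mutate { split => {"message" => "|"} } yields.
count_fields() {
    printf '%s\n' "$1" | awk -F'|' '{ print NF }'
}

# parse_access_line LINE: print Name=value per field in filter order. A short line
# leaves the trailing names empty, like %{[message][N]} on a missing element.
parse_access_line() {
    printf '%s\n' "$1" | awk -F'|' -v names="$ACCESS_FIELDS" '
        BEGIN { n = split(names, name, " ") }
        { for (i = 1; i <= n; i++) printf "%s=%s\n", name[i], (i <= NF ? $i : "") }'
}

# field_value LINE NAME: the value the pipeline would index under NAME.
field_value() {
    parse_access_line "$1" | awk -F= -v k="$2" '$1 == k { sub(/^[^=]*=/, ""); print; exit }'
}

# check_access_line LINE: exit 0 only for exactly nine fields. Fewer means the
# LogFormat is not the one the filter expects; more means a field (typically
# the User-Agent) contains "|", so Status lands in the wrong column.
check_access_line() {
    n=$(count_fields "$1")
    [ "$n" -eq "$EXPECTED_FIELDS" ] && return 0
    printf 'BAD (%s fields): %s\n' "$n" "$1" >&2
    return 1
}

# validate_log: read a log on stdin, print the number of bad lines, exit 1 if any.
# Usage: validate_log < /var/log/httpd/yuanxiao-access.log
validate_log() {
    bad=0
    while IFS= read -r line; do
        check_access_line "$line" || bad=$((bad + 1))
    done
    echo "$bad"
    [ "$bad" -eq 0 ]
}

# Constructed sample in the nine-field format the filter assumes.
GOOD_LINE='203.0.113.7|192.168.174.8|[10/Jun/2019:10:15:32 +0800]|0.012|0.011|/index.html?a=1|HTTP/1.1|Mozilla/5.0|200'
# Same format, but the User-Agent contains a "|": ten fields, and Status shifts.
BAD_LINE='203.0.113.7|192.168.174.8|[10/Jun/2019:10:15:33 +0800]|0.020|0.019|/login|HTTP/1.1|Bot/1.0 (a|b)|404'
```

Run validate_log over a day of real access logs before pointing Logstash at them; if it reports bad lines, either escape "|" in the LogFormat or move the User-Agent to the last position so a stray separator can only corrupt that one field.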
Installing Filebeat
- Download and install:
curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.0.0-x86_64.rpm
rpm -ivh filebeat-7.0.0-x86_64.rpm
- Edit the configuration file:
vim /etc/filebeat/filebeat.yml
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/httpd/*.log
setup.kibana:
  host: "192.168.174.8:5601"
output.logstash:
  hosts: ["192.168.174.8:5044"]
- Start Filebeat
filebeat setup
service filebeat start
filebeat setup loads the index template and the Kibana dashboards and needs an Elasticsearch output to do that; with only output.logstash enabled it exits with "Template loading requested but the Elasticsearch output is not configured/enabled". Run it once with -E output.logstash.enabled=false and -E output.elasticsearch.hosts pointing at 192.168.174.8:9200 so the template and dashboards are loaded directly, then start the service. The Logstash pipeline must have a beats input listening on 5044, or this output will never connect.
Configuring a login for ELK:
In production, logs are often very sensitive data that not everyone may access, so a password should be required to reach ELK. The configuration is as follows:
1. Install the htpasswd tool:
yum install httpd-tools -y
2. Create the user name and password
htpasswd -c passwdfile elk # passwdfile is the password file you choose; it must be the file auth_basic_user_file points at below. elk is the user name for logging in to ELK
-c creates the file and overwrites an existing one, so leave it out when adding further users. Without -B, htpasswd stores the MD5-based $apr1$ scheme, which is cheap to brute-force if the file leaks; pass -B for bcrypt, and keep the file owned by root with the nginx group and mode 640 so only the proxy can read it.
3. Use it with nginx
vim nginx.conf
server {
    listen 80;
    server_name elk.bailitop.com;
    location / {
        proxy_pass http://192.168.174.8:5601;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_redirect off;
        auth_basic "Please enter your login password"; # the prompt shown when credentials are requested
        auth_basic_user_file /usr/local/openresty/nginx/passwd;
    }
    access_log /var/log/nginx/access_log main;
}
Two caveats. HTTP Basic authentication sends the user name and password Base64-encoded, not encrypted, with every request; on a port-80 listener anyone on the network path can read them, so terminate TLS in this server block (listen 443 ssl with a certificate) and redirect port 80 to it. The original hard-coded X-Forwarded-Proto to https, which is wrong for a plain-HTTP listener; $scheme reports what was actually used. Second, the password only protects requests that pass through nginx: Kibana still answers directly on 192.168.174.8:5601 and Elasticsearch on 9200. Since nginx runs on the same host, set server.host: "127.0.0.1" in kibana.yml and proxy_pass to http://127.0.0.1:5601, and firewall 9200, so the proxy is the only way in.
4. Start nginx and visit the domain; the test result is as follows:
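The proxy above is only as strong as the password file and the transport it rides on. The following script is an added example, not from the page, with the checks a reviewer would run on this setup: it reports entries in the htpasswd file that are not bcrypt (htpasswd -c without -B writes the MD5-based $apr1$ scheme), confirms the file grants nothing to "others", and scans a server block for auth_basic on a listener without ssl, which is exactly the listen 80 case above. The sample htpasswd entries are constructed placeholders with the right prefixes, not real hashes; the script name audit-basic-auth.sh is this example's own.

```shell
#!/bin/sh
# audit-basic-auth.sh: review the nginx basic-auth setup described above.
# Added example, not from the original page. Sample data is constructed.

# hash_scheme HASH: name the htpasswd hash scheme from its prefix.
hash_scheme() {
    case $1 in
        '$2y$'*|'$2a$'*|'$2b$'*) echo bcrypt ;;          # htpasswd -B
        '$apr1$'*)                echo apr1-md5 ;;        # htpasswd default (-m)
        '{SHA}'*)                 echo sha1 ;;            # htpasswd -s
        *)                        echo crypt-or-plain ;;  # htpasswd -d / -p
    esac
}

# weak_entries: read htpasswd lines on stdin, print "user scheme" for every
# entry that is not bcrypt. Prints nothing when the file is clean.
weak_entries() {
    awk -F: 'NF >= 2 && $1 !~ /^#/ { print $1 ":" $2 }' |
    while IFS=: read -r user hash; do
        scheme=$(hash_scheme "$hash")
        [ "$scheme" = bcrypt ] || printf '%s %s\n' "$user" "$scheme"
    done
}

# perms_ok MODE: true when the octal mode grants nothing to "others"
# (600 or 640 pass, 644 fails), so only the owner and nginx's group read the hashes.
perms_ok() {
    case $1 in
        *0) return 0 ;;
        *)  return 1 ;;
    esac
}

# file_perms FILE: octal mode of FILE (GNU stat, with a BSD stat fallback).
file_perms() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# auth_over_plaintext: read an nginx server block on stdin; true when it uses
# auth_basic but no listen directive carries "ssl", i.e. the Base64 credentials
# cross the network in the clear on every request.
auth_over_plaintext() {
    awk '
        /^[ \t]*auth_basic[ \t]/                     { auth = 1 }
        /^[ \t]*listen[ \t]/ && /[ \t]ssl([ \t;]|$)/ { tls = 1 }
        END { exit !(auth && !tls) }'
}

# audit FILE: run the file checks against a live htpasswd file; exit 0 when clean.
# Usage: audit /usr/local/openresty/nginx/passwd
audit() {
    rc=0
    weak=$(weak_entries < "$1")
    if [ -n "$weak" ]; then
        printf 'WEAK  %s\n' "$weak"
        rc=1
    fi
    perms_ok "$(file_perms "$1")" || { printf 'PERMS %s is readable by others\n' "$1"; rc=1; }
    return $rc
}

# Constructed sample: placeholder hashes with the right prefixes, not real ones.
SAMPLE_HTPASSWD='elk:$apr1$saltsalt$placeholderplaceholderpl
ops:$2y$10$placeholderplaceholderplaceholderplaceholderplaceholder'
```

Pipe the server block into auth_over_plaintext and run audit against the real password file after step 2; a WEAK line means the user was created without -B and should be re-added, and a true result from auth_over_plaintext means TLS still has to be added to the listener.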