1、安裝配置java
[root@elk ~]# yum install java-1.8.0-openjdk.x86_64 -y
[root@elk ~]# java -version
openjdk version "1.8.0_212"
OpenJDK Runtime Environment (build 1.8.0_212-b04)
OpenJDK 64-Bit Server VM (build 25.212-b04, mixed mode)
2、更新時間
yum install ntpdate -y
ntpdate time1.aliyun.com
3、安裝配置elasticsearch
[root@elk ~]# mkdir elk_package
[root@elk ~]# cd elk_package
[root@elk elk_package]# ll
-rw-r--r--. 1 root root 114059630 Dec 21 10:26 elasticsearch-6.6.0.rpm
-rw-r--r--. 1 root root 185123116 Dec 21 10:26 kibana-6.6.0-x86_64.rpm
[root@elk elk_package]# rpm -ivh elasticsearch-6.6.0.rpm
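warning: elasticsearch-6.6.0.rpm: Header V4 RSA/SHA512 Signature, key ID d88e42b4: NOKEY
# 註:NOKEY 表示系統尚未匯入簽名公鑰,rpm 無法驗證該包的簽名。建議安裝前先執行 rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch,再以 rpm -K elasticsearch-6.6.0.rpm 確認簽名通過;後面的 kibana、filebeat rpm 同理。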
Preparing... ################################# [100%]
Creating elasticsearch group... OK
Creating elasticsearch user... OK
Updating / installing...
1:elasticsearch-0:6.6.0-1 ################################# [100%]
### NOT starting on installation, please execute the following statements to configure elasticsearch service to start automatically using systemd
sudo systemctl daemon-reload
sudo systemctl enable elasticsearch.service
### You can start elasticsearch service by executing
sudo systemctl start elasticsearch.service
Created elasticsearch keystore in /etc/elasticsearch
4、相關配置目錄及配置文件
[root@elk elk_package]# rpm -qc elasticsearch
/etc/elasticsearch/elasticsearch.yml
/etc/elasticsearch/jvm.options
/etc/elasticsearch/log4j2.properties
/etc/elasticsearch/role_mapping.yml
/etc/elasticsearch/roles.yml
/etc/elasticsearch/users
/etc/elasticsearch/users_roles
/etc/init.d/elasticsearch
/etc/sysconfig/elasticsearch
/usr/lib/sysctl.d/elasticsearch.conf
/usr/lib/systemd/system/elasticsearch.service
5、ES配置文件(home目錄下空間較大,把data和log文件配置在home目錄下)
mkdir -p /home/elasticsearch/{data,log}
chown -R elasticsearch:elasticsearch /home/elasticsearch
# 註:此處須使用絕對路徑 /home/elasticsearch;相對路徑 elasticsearch 會依當前目錄(elk_package)解析,無法改到上一步建立的目錄。
[root@elk elk_package]# vim /etc/elasticsearch/elasticsearch.yml
[root@elk elk_package]# grep "^[a-z]" /etc/elasticsearch/elasticsearch.yml
node.name: node-1
path.data: /home/elasticsearch/data/elasticsearch
path.logs: /home/elasticsearch/log/elasticsearch
bootstrap.memory_lock: true
network.host: 192.168.67.8,127.0.0.1
http.port: 9200
[root@elk-175 soft]# systemctl daemon-reload
[root@elk-175 soft]# systemctl enable elasticsearch.service
Created symlink from /etc/systemd/system/multi-user.target.wants/elasticsearch.service to /usr/lib/systemd/system/elasticsearch.service.
6、修改啓動配置文件(注意解決鎖定內存失敗tail -f /var/log/elasticsearch/Linux.log)
vim /usr/lib/systemd/system/elasticsearch.service
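#增加如下參數(註:直接修改 /usr/lib/systemd/system 下的 unit 文件,套件升級時會被覆蓋;也可用 systemctl edit elasticsearch 建立 drop-in 覆蓋文件,寫入同樣的內容)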
[Service]
LimitMEMLOCK=infinity
#重新啓動
systemctl daemon-reload
systemctl enable elasticsearch.service
systemctl start elasticsearch
systemctl status elasticsearch
7、檢查啓動是否成功
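9200 爲 HTTP 端口,主要用於外部通訊(REST API)
9300 爲 TCP 傳輸端口,Java 客戶端(jar)之間通過 TCP 協議通訊
ES 集羣節點之間通過 9300 進行通訊
注意:按上面的配置,9200 監聽在 192.168.67.8 上,且未啓用認證和 TLS(下面的 curl 不帶任何憑據即可訪問),應以防火牆將 9200/9300 限制爲僅受信任的主機可連。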
[root@elk-175 ~]# netstat -lntup|grep 9200
tcp6 0 0 192.168.67.8:9200 :::* LISTEN 15824/java
tcp6 0 0 127.0.0.1:9200 :::* LISTEN 15824/java
[root@elk-175 ~]# curl localhost:9200
{
"name" : "node-1",
"cluster_name" : "elasticsearch",
"cluster_uuid" : "As5ZlEQ2Syq0ktLL0hg5XA",
"version" : {
"number" : "6.6.0",
"build_flavor" : "default",
"build_type" : "rpm",
"build_hash" : "a9861f4",
"build_date" : "2019-01-24T11:27:09.439740Z",
"build_snapshot" : false,
"lucene_version" : "7.6.0",
"minimum_wire_compatibility_version" : "5.6.0",
"minimum_index_compatibility_version" : "5.0.0"
},
"tagline" : "You Know, for Search"
}
8、安裝配置es-head插件
官方下載地址https://github.com/mobz/elasticsearch-head
9、安裝配置kibana(注意:kibana 用戶和組應是由 rpm 包安裝時建立的,下面的 chown 若在 rpm -ivh 之前執行會因用戶不存在而失敗,需在安裝後再執行一次)
[root@elk elk_package]# mkdir -p /home/kibana/log
[root@elk elk_package]# chown -R kibana.kibana /home/kibana
[root@elk elk_package]# rpm -ivh kibana-6.6.0-x86_64.rpm
[root@elk elk_package]# grep "^[a-z]" /etc/kibana/kibana.yml
server.port: 5601
server.host: "192.168.67.8"
elasticsearch.hosts: ["http://192.168.67.8:9200"]
kibana.index: ".kibana"
logging.dest: /home/kibana/log/kibana.log
[root@elk elk_package]# systemctl daemon-reload
[root@elk elk_package]# systemctl enable kibana.service
[root@elk elk_package]# systemctl start kibana
[root@elk elk_package]# systemctl status kibana
[root@elk elk_package]# netstat -lntup|grep 5601
tcp 0 0 192.168.67.8:5601 0.0.0.0:* LISTEN 16442/node
10、客戶機安裝filebeat
rpm -ivh filebeat-6.6.0-x86_64.rpm
11、配置filebeat
cp /etc/filebeat/filebeat.yml /etc/filebeat/filebeat.yml.ori
> /etc/filebeat/filebeat.yml
vim /etc/filebeat/filebeat.yml
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /home/qiutanlogs/apiinfo/apiinfo.log
  json.keys_under_root: true
  json.overwrite_keys: true
  tags: ["access"]
- type: log
  enabled: true
  paths:
    - /home/qiutanlogs/apierror/apierror.log
  tags: ["error"]
setup.kibana:
  host: "192.168.67.8:5601"
output.elasticsearch:
  hosts: ["192.168.67.8:9200"]
  indices:
    - index: "apiinfo-access-%{[beat.version]}-%{+yyyy.MM.dd}"
      when.contains:
        tags: "access"
    - index: "apierror-error-%{[beat.version]}-%{+yyyy.MM.dd}"
      when.contains:
        tags: "error"
setup.template.name: "nginx"
setup.template.pattern: "nginx-*"
setup.template.enabled: false
setup.template.overwrite: true
11 啓動
systemctl daemon-reload
systemctl enable filebeat.service
systemctl start filebeat
12 Kibana 啓動不了故障
Kibana did not load properly. Check the server output for more information.
Kibana server is not ready yet
tail -f /home/kibana/log/kibana.log 查看日誌提示
刪除 .kibana_1 索引並重啓 kibana(注意:.kibana_1 保存着 Kibana 的已保存對象,如儀表板、索引模式,刪除前應先備份)
12.2 時間不同步故障:
tail -f /home/kibana/log/kibana.log 查看發現時間和現在的不同步。
12.3 filebeat啓動不了
systemctl status filebeat
提示
● filebeat.service - Filebeat sends log files to Logstash or directly to Elasticsearch.
Loaded: loaded (/usr/lib/systemd/system/filebeat.service; enabled; vendor preset: disabled)
Active: failed (Result: start-limit) since Thu 2020-01-09 15:38:33 CST; 2s ago
Docs: https://www.elastic.co/products/beats/filebeat
Process: 44698 ExecStart=/usr/share/filebeat/bin/filebeat -c /etc/filebeat/filebeat.yml -path.home /usr/share/filebeat -path.config /etc/filebeat -path.data /var/lib/filebeat -path.logs /var/log/filebeat (code=exited, status=1/FAILURE)
Main PID: 44698 (code=exited, status=1/FAILURE)
Jan 09 15:38:33 localhost.localdomain systemd[1]: Unit filebeat.service entered failed state.
Jan 09 15:38:33 localhost.localdomain systemd[1]: filebeat.service failed.
Jan 09 15:38:33 localhost.localdomain systemd[1]: filebeat.service holdoff time over, scheduling restart.
Jan 09 15:38:33 localhost.localdomain systemd[1]: start request repeated too quickly for filebeat.service
Jan 09 15:38:33 localhost.localdomain systemd[1]: Failed to start Filebeat sends log files to Logstash or direc...ch..
Jan 09 15:38:33 localhost.localdomain systemd[1]: Unit filebeat.service entered failed state.
Jan 09 15:38:33 localhost.localdomain systemd[1]: filebeat.service failed.
解決方法:
1 通過執行
/usr/share/filebeat/bin/filebeat -c /etc/filebeat/filebeat.yml -path.home /usr/share/filebeat -path.config /etc/filebeat -path.data /var/lib/filebeat -path.logs /var/log/filebeat
2 可以查看錯誤的提示行
Exiting: error loading config file: yaml: line 7: did not find expected key
3 重新查看
[root@localhost apiinfo]# systemctl stop filebeat
[root@localhost apiinfo]# systemctl start filebeat
[root@localhost apiinfo]# systemctl status filebeat
12.4 Elasticsearch監控
1 節點狀態 green
2 節點數量
curl -s -XGET 'http://localhost:9200/_cat/nodes?human&pretty' |wc -l
3 報警判斷: 狀態不是green 或者 節點數(假設有3個節點)不是3
4 判斷返回值:執行下面的 curl 後查看退出碼,爲 0 表示節點可以連通,不爲 0 即不正常。
curl -s -XGET http://localhost:9200/
echo $?
如果正常結果爲0(注意:未加 -f 時,即使 HTTP 返回錯誤狀態碼,curl 的退出碼仍爲 0,此檢查只能判斷端口是否可連通;需要把 HTTP 錯誤也視爲失敗時可加 -f)