ELK installation

1. Install and configure Java

[root@elk ~]# yum install java-1.8.0-openjdk.x86_64 -y
[root@elk ~]# java -version 
openjdk version "1.8.0_212"
OpenJDK Runtime Environment (build 1.8.0_212-b04)
OpenJDK 64-Bit Server VM (build 25.212-b04, mixed mode)

2. Synchronize the time

yum install ntpdate -y
ntpdate time1.aliyun.com

3. Install and configure Elasticsearch

[root@elk ~]# mkdir elk_package
[root@elk ~]# cd elk_package
[root@elk elk_package]# ll
-rw-r--r--. 1 root root 114059630 Dec 21 10:26 elasticsearch-6.6.0.rpm
-rw-r--r--. 1 root root 185123116 Dec 21 10:26 kibana-6.6.0-x86_64.rpm

[root@elk elk_package]#  rpm -ivh elasticsearch-6.6.0.rpm
warning: elasticsearch-6.6.0.rpm: Header V4 RSA/SHA512 Signature, key ID d88e42b4: NOKEY
Preparing...                          ################################# [100%]
Creating elasticsearch group... OK
Creating elasticsearch user... OK
Updating / installing...
   1:elasticsearch-0:6.6.0-1          ################################# [100%]
### NOT starting on installation, please execute the following statements to configure elasticsearch service to start automatically using systemd
 sudo systemctl daemon-reload
 sudo systemctl enable elasticsearch.service
### You can start elasticsearch service by executing
 sudo systemctl start elasticsearch.service
Created elasticsearch keystore in /etc/elasticsearch

4. Related configuration directories and files

[root@elk elk_package]#  rpm -qc elasticsearch 
/etc/elasticsearch/elasticsearch.yml
/etc/elasticsearch/jvm.options
/etc/elasticsearch/log4j2.properties
/etc/elasticsearch/role_mapping.yml
/etc/elasticsearch/roles.yml
/etc/elasticsearch/users
/etc/elasticsearch/users_roles
/etc/init.d/elasticsearch
/etc/sysconfig/elasticsearch
/usr/lib/sysctl.d/elasticsearch.conf
/usr/lib/systemd/system/elasticsearch.service

5. Elasticsearch configuration file (/home has more free space, so the data and log directories are placed under /home)

mkdir -p /home/elasticsearch/{data,log}
chown -R elasticsearch:elasticsearch /home/elasticsearch

[root@elk elk_package]# vim /etc/elasticsearch/elasticsearch.yml
[root@elk elk_package]# grep '^[a-z]' /etc/elasticsearch/elasticsearch.yml
node.name: node-1
path.data: /home/elasticsearch/data/elasticsearch
path.logs: /home/elasticsearch/log/elasticsearch
bootstrap.memory_lock: true
network.host: 192.168.67.8,127.0.0.1
http.port: 9200

[root@elk-175 soft]# systemctl daemon-reload
[root@elk-175 soft]# systemctl enable elasticsearch.service
Created symlink from /etc/systemd/system/multi-user.target.wants/elasticsearch.service to /usr/lib/systemd/system/elasticsearch.service.

6. Modify the systemd unit file (this resolves the memory-lock failure; check it with tail -f /var/log/elasticsearch/Linux.log)

vim /usr/lib/systemd/system/elasticsearch.service
# Add the following parameter
[Service]
LimitMEMLOCK=infinity
# Restart
systemctl daemon-reload
systemctl enable elasticsearch.service
systemctl start elasticsearch
systemctl status elasticsearch

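7. Check that startup succeeded

Port 9200 speaks HTTP and is mainly used for external communication.
Port 9300 speaks TCP; the jars communicate with each other over TCP.
Nodes in an ES cluster communicate with each other over 9300.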

[root@elk-175 ~]# netstat -lntup|grep 9200
tcp6       0      0 192.168.67.8:9200     :::*                    LISTEN      15824/java          
tcp6       0      0 127.0.0.1:9200          :::*                    LISTEN      15824/java
[root@elk-175 ~]# curl localhost:9200     
{
  "name" : "node-1",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "As5ZlEQ2Syq0ktLL0hg5XA",
  "version" : {
    "number" : "6.6.0",
    "build_flavor" : "default",
    "build_type" : "rpm",
    "build_hash" : "a9861f4",
    "build_date" : "2019-01-24T11:27:09.439740Z",
    "build_snapshot" : false,
    "lucene_version" : "7.6.0",
    "minimum_wire_compatibility_version" : "5.6.0",
    "minimum_index_compatibility_version" : "5.0.0"
  },
  "tagline" : "You Know, for Search"
}

8. Install and configure the es-head plugin
Official download: https://github.com/mobz/elasticsearch-head

9. Install and configure Kibana

[root@elk elk_package]# rpm -ivh kibana-6.6.0-x86_64.rpm
[root@elk elk_package]# mkdir -p /home/kibana/log
[root@elk elk_package]# chown -R kibana:kibana /home/kibana
[root@elk elk_package]# grep "^[a-z]" /etc/kibana/kibana.yml
server.port: 5601
server.host: "192.168.67.8"
elasticsearch.hosts: ["http://192.168.67.8:9200"]
kibana.index: ".kibana"
logging.dest: /home/kibana/log/kibana.log 

[root@elk elk_package]# systemctl daemon-reload
[root@elk elk_package]# systemctl enable kibana.service
[root@elk elk_package]# systemctl start kibana
[root@elk elk_package]# systemctl status kibana
[root@elk elk_package]# netstat -lntup|grep 5601
tcp        0      0 192.168.67.8:5601     0.0.0.0:*               LISTEN      16442/node

10. Install Filebeat on the client machines

rpm -ivh filebeat-6.6.0-x86_64.rpm

11. Configure Filebeat

cp /etc/filebeat/filebeat.yml /etc/filebeat/filebeat.yml.ori
> /etc/filebeat/filebeat.yml
vim /etc/filebeat/filebeat.yml

filebeat.inputs:
- type: log
  enabled: true 
  paths:
    - /home/qiutanlogs/apiinfo/apiinfo.log
  json.keys_under_root: true
  json.overwrite_keys: true
  tags: ["access"] 

- type: log
  enabled: true 
  paths:
    - /home/qiutanlogs/apierror/apierror.log
  tags: ["error"]

setup.kibana:
  host: "192.168.67.8:5601"

output.elasticsearch:
  hosts: ["192.168.67.8:9200"]
  indices:
    - index: "apiinfo-access-%{[beat.version]}-%{+yyyy.MM.dd}"
      when.contains:
        tags: "access"
    - index: "apierror-error-%{[beat.version]}-%{+yyyy.MM.dd}"
      when.contains:
        tags: "error"

setup.template.name: "nginx"
setup.template.pattern: "nginx-*"
setup.template.enabled: false
setup.template.overwrite: true

11. Start Filebeat

systemctl daemon-reload
systemctl enable filebeat.service
systemctl start filebeat

12. Troubleshooting: Kibana fails to start

Kibana did not load properly. Check the server output for more information.

Kibana server is not ready yet

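Run tail -f /home/kibana/log/kibana.log to see what the log reports.

Delete the .kibana_1 index and restart Kibana.

12.2 Time out of sync:

tail -f /home/kibana/log/kibana.log shows timestamps that do not match the current time.

12.3 Filebeat fails to start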

systemctl status filebeat

Output:
● filebeat.service - Filebeat sends log files to Logstash or directly to Elasticsearch.
   Loaded: loaded (/usr/lib/systemd/system/filebeat.service; enabled; vendor preset: disabled)
   Active: failed (Result: start-limit) since Thu 2020-01-09 15:38:33 CST; 2s ago
     Docs: https://www.elastic.co/products/beats/filebeat
  Process: 44698 ExecStart=/usr/share/filebeat/bin/filebeat -c /etc/filebeat/filebeat.yml -path.home /usr/share/filebeat -path.config /etc/filebeat -path.data /var/lib/filebeat -path.logs /var/log/filebeat (code=exited, status=1/FAILURE)
 Main PID: 44698 (code=exited, status=1/FAILURE)

Jan 09 15:38:33 localhost.localdomain systemd[1]: Unit filebeat.service entered failed state.
Jan 09 15:38:33 localhost.localdomain systemd[1]: filebeat.service failed.
Jan 09 15:38:33 localhost.localdomain systemd[1]: filebeat.service holdoff time over, scheduling restart.
Jan 09 15:38:33 localhost.localdomain systemd[1]: start request repeated too quickly for filebeat.service
Jan 09 15:38:33 localhost.localdomain systemd[1]: Failed to start Filebeat sends log files to Logstash or direc...ch..
Jan 09 15:38:33 localhost.localdomain systemd[1]: Unit filebeat.service entered failed state.
Jan 09 15:38:33 localhost.localdomain systemd[1]: filebeat.service failed.

Solution:
1 Run the ExecStart command by hand:
/usr/share/filebeat/bin/filebeat -c /etc/filebeat/filebeat.yml -path.home /usr/share/filebeat -path.config /etc/filebeat -path.data /var/lib/filebeat -path.logs /var/log/filebeat
2 This shows the line that contains the error:
Exiting: error loading config file: yaml: line 7: did not find expected key
3 Check again:
[root@localhost apiinfo]# systemctl stop filebeat
[root@localhost apiinfo]# systemctl start filebeat
[root@localhost apiinfo]# systemctl status filebeat

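12.4 Elasticsearch monitoring

1 Node status is green

2 Number of nodes

curl -s -XGET 'http://localhost:9200/_cat/nodes?human&pretty' |wc -l

3 Alert condition: the status is not green, or the node count (assuming 3 nodes) is not 3

4 Check the exit code: an exit code of 0 means the node is healthy; if any exit code is non-zero, it is not healthy.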

curl -s -XGET http://localhost:9200/  

echo $? 

The result is 0 when healthy.
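
The alert rule from steps 1 to 4 as a single script, added here as an example and not part of the original post: it reports a non-green status, a wrong node count and an unreachable node as separate failures. The `_cat/health?h=status` and `_cat/nodes?h=name` calls, the `ES_URL` and `EXPECTED_NODES` variables and the function names are choices made for this example, and the sample node list is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. ES_URL, EXPECTED_NODES and the
# function names are assumptions made for this sketch.
ES_URL="${ES_URL:-http://localhost:9200}"
EXPECTED_NODES="${EXPECTED_NODES:-3}"

# Constructed sample of a `_cat/nodes?h=name` body for a 3-node cluster.
SAMPLE_NODES='node-1
node-2
node-3'

# evaluate_cluster STATUS_BODY NODES_BODY EXPECTED
# Returns 0 = healthy, 1 = status not green, 2 = wrong node count,
# 3 = empty status (the node gave no usable answer).
evaluate_cluster() {
    status=$(printf '%s' "$1" | tr -d '[:space:]')
    # Count only non-blank lines so a trailing newline is not counted as a node.
    count=$(printf '%s\n' "$2" | grep -c '[^[:space:]]' || true)
    [ -n "$status" ] || return 3
    [ "$status" = "green" ] || return 1
    [ "$count" -eq "$3" ] || return 2
    return 0
}

# check_live: query the node and apply the rule above.
# --fail turns HTTP 4xx/5xx into a non-zero exit (plain `curl -s` exits 0 for
# them); --max-time keeps a hung node from hanging the monitor.
check_live() {
    health_body=$(curl -s --fail --max-time 5 "$ES_URL/_cat/health?h=status") || return 3
    nodes_body=$(curl -s --fail --max-time 5 "$ES_URL/_cat/nodes?h=name") || return 3
    evaluate_cluster "$health_body" "$nodes_body" "$EXPECTED_NODES"
}

# Query the real node only when asked: ./es_check.sh --live
if [ "${1:-}" = "--live" ]; then
    check_live
    rc=$?
    case $rc in
        0) echo "OK: green, $EXPECTED_NODES nodes" ;;
        1) echo "ALERT: cluster status is not green" ;;
        2) echo "ALERT: node count is not $EXPECTED_NODES" ;;
        *) echo "ALERT: Elasticsearch did not answer" ;;
    esac
    exit "$rc"
fi
```

The exit code of the script is what a cron job or monitoring agent should alert on.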
