EKF Setup

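    I have recently been looking into log processing with EKF: E is Elasticsearch, K is Kibana and F is Filebeat. Filebeat collects the logs on each machine and sends them to Elasticsearch, and Kibana is used to display and analyse them.

     When building a complete environment it is best to keep the versions of the whole EKF stack consistent, so this setup uses version 6.3.2. The detailed steps follow: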

Elasticsearch Setup

      1. Download Elasticsearch (to get another version, change the version number at the end)

wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-6.3.2.tar.gz

tar -xzvf elasticsearch-6.3.2.tar.gz

      2. Elasticsearch cannot be started as root, so we create a new account

useradd elasticsearch

passwd elasticsearch

chown elasticsearch:elasticsearch -R elasticsearch-6.3.2

      3. Edit the configuration files. Elasticsearch has two main configuration files, elasticsearch.yml and jvm.options, located in elasticsearch-6.3.2/config/

 vim  elasticsearch.yml

# ======================== Elasticsearch Configuration =========================
#
# NOTE: Elasticsearch comes with reasonable defaults for most settings.
#       Before you set out to tweak and tune the configuration, make sure you
#       understand what are you trying to accomplish and the consequences.
#
# The primary way of configuring a node is via this file. This template lists
# the most important settings you may want to configure for a production cluster.
#
# Please consult the documentation for further information on configuration options:
# https://www.elastic.co/guide/en/elasticsearch/reference/index.html
#
# ---------------------------------- Cluster -----------------------------------
#
# Use a descriptive name for your cluster:
#
cluster.name: my-application
# Cluster name
#
# ------------------------------------ Node ------------------------------------
#
# Use a descriptive name for the node:
#
#node.name: node-1
#
# Add custom attributes to the node:
#
#node.attr.rack: r1
#
# ----------------------------------- Paths ------------------------------------
#
# Path to directory where to store the data (separate multiple locations by comma):
#
path.data: /data/ELK/data
# Storage path for index data
#
# Path to log files:
#
path.logs: /data/ELK/logs
# Storage path for logs
#
# ----------------------------------- Memory -----------------------------------
#
# Lock the memory on startup:
#
bootstrap.memory_lock: true
#
# Make sure that the heap size is set to about half the memory available
# on the system and that the owner of the process is allowed to use this
# limit.
#
# Elasticsearch performs poorly when the system is swapping the memory.
#
# ---------------------------------- Network -----------------------------------
#
# Set the bind address to a specific IP (IPv4 or IPv6):
#
network.host: 0.0.0.0
# Bind address; 0.0.0.0 listens on all interfaces
#
# Set a custom port for HTTP:
#
http.port: 9200
# HTTP port
#
# For more information, consult the network module documentation.
#
# --------------------------------- Discovery ----------------------------------
#
# Pass an initial list of hosts to perform discovery when new node is started:
# The default list of hosts is ["127.0.0.1", "[::1]"]
#
#discovery.zen.ping.unicast.hosts: ["host1", "host2"]
#
# Prevent the "split brain" by configuring the majority of nodes (total number of master-eligible nodes / 2 + 1):
#
#discovery.zen.minimum_master_nodes: 
#
# For more information, consult the zen discovery module documentation.
#
# ---------------------------------- Gateway -----------------------------------
#
# Block initial recovery after a full cluster restart until N nodes are started:
#
#gateway.recover_after_nodes: 3
#
# For more information, consult the gateway module documentation.
#
# ---------------------------------- Various -----------------------------------
#
# Require explicit names when deleting indices:
#
#action.destructive_requires_name: true
bootstrap.system_call_filter: false
xpack.security.enabled: false 
xpack.security.transport.ssl.enabled: false 
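# If you are not using X-Pack for now, add the settings above to switch it off temporarily; from ES 6.3 onwards the X-Pack plugin is bundled by default.
# With security switched off, the HTTP API on port 9200 accepts requests without authentication.

vim jvm.options    # adjust the JVM -Xms and -Xmx sizes to suit the server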

     4. Start

su elasticsearch
cd elasticsearch-6.3.2/bin
sh elasticsearch & 

      5. Errors you may run into

             (1) max file descriptors [65535] for elasticsearch process is too low, increase to at least [65536]

             Switch to the root user

vim /etc/security/limits.conf

elasticsearch soft nofile 65536
elasticsearch hard nofile 65536

              (2) memory locking requested for elasticsearch process but memory is not locked

vim /etc/security/limits.conf

elasticsearch         -        memlock         unlimited

             (3) max virtual memory areas vm.max_map_count [65530] is too low, increase to at least [262144]

vim /etc/sysctl.conf

vm.max_map_count=655360

# apply the new value without a reboot
sysctl -p

Filebeat Deployment

     1. Download Filebeat

wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-6.3.2-linux-x86_64.tar.gz

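tar -xzvf filebeat-6.3.2-linux-x86_64.tar.gz

      2. Edit the configuration file

Filebeat ships with many modules that can be used directly; version 6.3.2 already provides modules for common services such as nginx, apache, redis and mysql.

cd filebeat-6.3.2-linux-x86_64
# show which modules are enabled
./filebeat modules list 
# enable the nginx module
./filebeat modules enable nginx
# disable the nginx module
./filebeat modules disable nginx

Edit the configuration file

vim filebeat.yml 
# the following places need to be changed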

filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /usr/local/mysql.log

setup.kibana:
  host: "0.0.0.0:8000"  # adjust to your own IP and port

output.elasticsearch:  
  hosts: ["0.0.0.0:9200"]


Start:

# set up the initial environment
./filebeat setup -e
# run
./filebeat -c filebeat.yml -e &

Kibana Deployment

      1. Download Kibana


wget https://artifacts.elastic.co/downloads/kibana/kibana-6.3.2-linux-x86_64.tar.gz
tar -xzvf kibana-6.3.2-linux-x86_64.tar.gz


      2. Edit the configuration file

# edit the configuration file
vim kibana-6.3.2-linux-x86_64/config/kibana.yml
server.port: 5601
server.host: "0.0.0.0"
elasticsearch.url: "http://localhost:9200"

      3. Start

# start
cd kibana-6.3.2-linux-x86_64/bin
sh kibana & 

# check the process
ps -ef | grep node
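
The configuration above binds Elasticsearch and Kibana to 0.0.0.0 with X-Pack security switched off, so any host that can reach ports 9200 and 5601 can use them without logging in. The script below is an added example, not part of the original post: it reads the two config files and flags that combination. The function names and the sample files are constructed for illustration.

```shell
# Added example, not from the original post. Flags the combination this
# walkthrough configures: a non-loopback bind address with security off.

# yml_get FILE KEY: value of a flat "key: value" line; commented lines are
# skipped and the last occurrence wins.
yml_get() {
  awk -v k="$2" '
    /^[ \t]*#/ { next }
    { i = index($0, ":"); if (i == 0) next
      key = substr($0, 1, i - 1); val = substr($0, i + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", key)
      sub(/[ \t]+#.*$/, "", val)            # drop a trailing comment
      gsub(/^[ \t"]+|[ \t"]+$/, "", val)    # drop padding and quotes
      if (key == k) v = val }
    END { print v }' "$1"
}

# An unset bind address counts as loopback, the default for both services.
is_loopback() {
  case "$1" in ""|localhost|_local_|127.*|::1) return 0 ;; *) return 1 ;; esac
}

# audit_es ES_YML: prints a verdict and returns 1 when the node is exposed.
# Assumption: security counts as on only when explicitly set to true.
audit_es() {
  es_host=$(yml_get "$1" network.host)
  es_sec=$(yml_get "$1" xpack.security.enabled)
  if is_loopback "$es_host"; then echo "OK loopback-only"
  elif [ "$es_sec" = "true" ]; then echo "OK security-enabled"
  else echo "EXPOSED network.host=$es_host security=${es_sec:-unset}"; return 1
  fi
}

# audit_kibana KIBANA_YML: same bind-address check for server.host.
audit_kibana() {
  kb_host=$(yml_get "$1" server.host)
  if is_loopback "$kb_host"; then echo "OK loopback-only"
  else echo "REVIEW server.host=$kb_host"; return 1
  fi
}

# Constructed sample files holding the settings shown on this page.
demo_dir=$(mktemp -d)
printf '%s\n' '#network.host: 127.0.0.1' 'network.host: 0.0.0.0' \
  'xpack.security.enabled: false ' > "$demo_dir/elasticsearch.yml"
printf '%s\n' 'server.port: 5601' 'server.host: "0.0.0.0"  # all interfaces' \
  'elasticsearch.url: "http://localhost:9200"' > "$demo_dir/kibana.yml"
audit_es "$demo_dir/elasticsearch.yml" || true
audit_kibana "$demo_dir/kibana.yml" || true
```

Point the two functions at the real config/elasticsearch.yml and config/kibana.yml; a non-zero return status means the file needs attention before the host is reachable from other networks.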

 
