ELK 7.4.2 单机安装配置

Java环境准备

JDK下载 https://www.oracle.com/technetwork/java/javase/overview/index.html

[root@manager ~]# # wget https://download.oracle.com/otn/java/jdk/11.0.5+10/e51269e04165492b90fa15af5b4eb1a5/jdk-11.0.5_linux-x64_bin.rpm
[root@manager ~]# tail /etc/bashrc
...
export JAVA_HOME=/usr/java/jdk-11.0.5
[root@manager ~]# source /etc/bashrc

elk下载

https://www.elastic.co/cn/downloads/

Elasticsearch

es配置文件修改

[root@manager ~]# vim /etc/elasticsearch/jvm.options
# Xms represents the initial size of total heap space
# Xmx represents the maximum size of total heap space
-Xms2g
-Xmx2g
[root@manager ~]# grep '^[^#]' /etc/elasticsearch/elasticsearch.yml
cluster.name: test-es
node.name: manager
node.attr.rack: r1
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
bootstrap.memory_lock: true    # recommended as true by the official docs; relies on the LimitMEMLOCK=infinity systemd override shown below
network.host: 192.168.50.65    # non-loopback bind exposes HTTP 9200 to the network; no xpack.security.* is set here, so the API is plain HTTP without login - firewall the port or set xpack.security.enabled: true
http.port: 9200
discovery.seed_hosts: ["127.0.0.1"]    # NOTE(review): a fresh 7.x node with this set may also need cluster.initial_master_nodes or discovery.type: single-node to bootstrap - confirm
action.destructive_requires_name: true    # destructive index operations must name the index explicitly; wildcards and _all are rejected
[root@manager ~]# systemctl edit elasticsearch
[Service]
LimitMEMLOCK=infinity
[root@manager ~]# systemctl daemon-reload

系统参数修改

[root@manager ~]# sysctl -p
vm.max_map_count=262144

[root@manager ~]# cat /etc/security/limits.d/20-nproc.conf
*          soft    nproc     4096
root       soft    nproc     unlimited

[root@manager ~]# cat /etc/security/limits.conf
* soft nofile 65536
* hard nofile 65536
* soft nproc 2048
* hard nproc 4096

启动ES

[root@manager ~]# systemctl start elasticsearch.service

[root@manager ~]# jps  # 专门查看Java程序的ps,比直接用ps去查PID要方便一点
3292 Jps
25756 Elasticsearch

浏览器访问 http://192.168.50.65:9200/
或者curl

[root@manager ~]# curl http://192.168.50.65:9200/
{
  "name" : "manager",
  "cluster_name" : "test-es",
  "cluster_uuid" : "S8pmWc10SfKXZZxmxbN2Qg",
  "version" : {
    "number" : "7.4.2",
    "build_flavor" : "default",
    "build_type" : "rpm",
    "build_hash" : "2f90bbf7b93631e52bafb59b3b049cb44ec25e96",
    "build_date" : "2019-10-28T20:40:44.881551Z",
    "build_snapshot" : false,
    "lucene_version" : "8.2.0",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}

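Kibana

注意:kibana.yml 修改后需要启动或重启 kibana 服务(systemctl restart kibana)才会生效,下面最后一条命令重启的是 elasticsearch。另外 server.host 绑定的是局域网地址,而本文的 Elasticsearch 未启用认证,能访问 5601 端口的人即可查看和修改全部数据,建议用防火墙限制来源地址。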

[root@manager ~]# grep ^[^#] /etc/kibana/kibana.yml 
server.port: 5601
server.host: "192.168.50.65"
elasticsearch.hosts: ["http://192.168.50.65:9200"]
kibana.index: ".kibana"
i18n.locale: "zh-CN"

[root@manager ~]# systemctl restart elasticsearch

Logstash

[root@manager ~]# cat /etc/logstash/conf.d/xxx.conf
# Pipeline: accept events from Beats shippers and index them into Elasticsearch.
input {
  beats {
    # Listens on 5044 with no ssl options, so shippers connect unencrypted and
    # unauthenticated; the beats input accepts ssl => true with
    # ssl_certificate / ssl_key when the link crosses an untrusted network.
    port => 5044
  }
}

output {
  elasticsearch {
    # Plain-HTTP connection; same address as network.host earlier on this page.
    hosts => ["http://192.168.50.65:9200"]
    # One index per beat name, beat version and event day.
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    # Credentials are commented out, i.e. events are sent without a login.
    # "changeme" is only a placeholder: once Elasticsearch security is enabled,
    # use a dedicated account and keep its password out of this file
    # (e.g. a ${VAR} reference resolved from the Logstash keystore).
    #user => "elastic"
    #password => "changeme"
  }
}

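FileBeat

注意:/var/log/secure 记录的是登录认证信息,而下面的 output.logstash 没有配置 ssl,日志会以明文发往 5044 端口,跨主机采集时建议启用 output.logstash 的 ssl.* 选项并在 Logstash 的 beats 输入端同时开启 SSL。另外 /var/log/lastlog 是二进制文件,不适合用 log 类型的 input 采集。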

[root@manager ~]# egrep -v '#|^$' /etc/filebeat/filebeat.yml
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/*.log
    - /var/log/messages
    - /var/log/secure
    - /var/log/lastlog
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false
setup.template.settings:
  index.number_of_shards: 1
setup.kibana:
  host: "192.168.50.65:5601"
output.logstash:
  hosts: ["192.168.50.65:5044"]
processors:
  - add_host_metadata: ~
  - add_cloud_metadata: ~

官方文档
https://www.elastic.co/guide/en/elastic-stack/current/installing-elastic-stack.html

================# 水平有限 欢迎留言 批评指正 #=================
原文地址:https://www.cnblogs.com/max27149/p/11888139.html