安装环境：

操作系统：centos7.0

elasticsearch：5.5.1

kibana：5.5.1

logstash：5.5.1

JDK：jdk1.8.0_101

下载地址：https://www.elastic.co/downloads

JDK的安装此处就不做说明，自行百度。

首先文件下载存放至/data/ELK，目录看个人习惯存放。

文件列表：

elasticsearch-5.5.1.tar.gz

kibana-5.5.1-linux-x86_64.tar.gz

logstash-5.5.1.tar.gz

安装elasticsearch

创建elasticsearch组与用户及设置密码：

修改配置文件

[elsearchuser@bigdata2 ELK]$vi /data/ELK/elasticsearch/conf/elasticsearch.yml

将network.host 改为本机地址或者0.0.0.0即可。

启动服务器

[elsearchuser@bigdata2 ELK]$/data/ELK/elasticsearch/bin/elasticsearch -d #-d 为后台运行

安装logstash

[root@bigdata2 ELK]# tar -zxvf logstash-5.5.1.tar.gz
[root@bigdata2 ELK]# mv logstash-5.5.1 logstash
[root@bigdata2 ELK]# cd logstash/bin
[root@bigdata2 ELK]# touchlogstash.sh
插入以下shell脚本内容：

#!/bin/sh  
# -*- coding: utf-8 -*-  
#  
#  
# Authors:huwj  
# Purpose: control ./logstash.sh start|stop|force-stop|status|restart   
#  
#  
# customer env  
name=logstash  
pidfile="/var/run/${name}.pid"  
LS_HOME=/data/ELK/logstash  
export PATH=/sbin:/usr/sbin:/bin:/usr/bin:${LS_HOME}/bin  
# must use root   
if [ `id -u` -ne 0 ]; then  
   echo "You need root privileges to run this script"  
   exit 1  
fi  
# optimizations  
LS_HEAP_SIZE="1024m"  
LS_OPEN_FILES=102400  
# logstash comm  
# LS_OPTS="--debug"  
LS_OPTS="--quiet"  
LS_LOG_DIR=${LS_HOME}/logs  
LS_CONF_DIR="${LS_HOME}/etc/logstash.d"  
[ ! -d ${LS_HOME} ] && mkdir -p ${LS_HOME}  
[ ! -d ${LS_LOG_DIR} ] && mkdir -p ${LS_LOG_DIR}  
[ ! -d ${LS_CONF_DIR} ] && mkdir -p ${LS_CONF_DIR}  
program=${LS_HOME}/bin/${name}  
args="-f ${LS_CONF_DIR} -l ${LS_LOG_DIR} ${LS_OPTS}"  
start() {  
  LS_JAVA_OPTS="${LS_JAVA_OPTS} -Djava.io.tmpdir=${LS_HOME}"  
  HOME=${LS_HOME}  
  export PATH HOME LS_HEAP_SIZE LS_JAVA_OPTS LS_USE_GC_LOGGING  
  ulimit -n ${LS_OPEN_FILES}  
  # Run the program!  
  bash -c "  
    cd $LS_HOME  
    ulimit -n ${LS_OPEN_FILES}  
    exec \"$program\" $args  
  " 2> "${LS_LOG_DIR}/${name}-error.log" &>/dev/null &  
  echo $! > $pidfile  
  echo "${name} started."  
  return 0  
}  
stop() {  
  if status ; then  
    pid=`cat "$pidfile"`  
    echo "Killing ${name} (pid $pid) with SIGTERM"  
    kill -TERM $pid  
    for i in 1 2 3 4 5 ; do  
      echo "Waiting ${name} (pid $pid) to die..."  
      status || break  
      sleep 1  
    done  
    if status ; then  
      echo "${name} stop Failed; still running."  
    else  
      echo "${name} stopped."  
    fi  
  fi  
}  
status() {  
  if [ -f "$pidfile" ] ; then  
    pid=`cat "$pidfile"`  
    if kill -0 $pid > /dev/null 2> /dev/null ; then  
      return 0  
    else  
      return 2  
    fi  
  else  
    return 3  
  fi  
}  
force_stop() {  
  if status ; then  
    stop  
    status && kill -KILL `cat "$pidfile"`  
  fi  
}  
case "$1" in  
  start)  
    status  
    code=$?  
    if [ $code -eq 0 ]; then  
      echo "${name} is already running"  
    else  
      start  
      code=$?  
    fi  
    exit $code  
    ;;  
  stop) stop ;;  
  force-stop) force_stop ;;  
  status)   
    status  
    code=$?  
    if [ $code -eq 0 ] ; then  
      echo "${name} is running"  
    else  
      echo "${name} is not running"  
    fi  
    exit $code  
    ;;  
  restart)   
       
    stop && start   
    ;;  
  *)  
    echo "Usage: ${SCRIPTNAME} {start|stop|force-stop|status|restart}" >&2  
    exit 3  
  ;;  
esac  
exit $?

安装kibana

[root@bigdata2 ELK]# tar -zxvf kibana-5.5.1.tar.gz
[root@bigdata2 ELK]# mv kibana-5.5.1 kibana
[root@bigdata2 ELK]# cd kibana/config
[root@bigdata2 kibana]# vi kibana.yml
修改以下配置
server.host 为0.0.0.0
elasticsearch.url: "http://192.168.40.249:9200" //本机可以直接填写localhost
[root@bigdata2 kibana]# cd ../bin
[root@bigdata2 bin]#nohup kibana & //后台运行

服务启动完成后，在浏览器中访问地址： http://192.168.40.249:5601

添加索引的正则，如上图，我的日志索引是lymtest，我就输入正则为 lymtest*，保存，添加成功

然后选择Discover模块，就可以查询采集的日志信息

到此，ELK 5.5.1就完成了搭建。