We previously installed Elasticsearch + X-Pack + Kibana on Windows (see: Windows 安装Elasticsearch&Kibana&X-Pack). This post builds the same log analysis platform on Linux (the commands below are from a CentOS host using yum, with Elastic Stack 5.4.0).
1. Install Elasticsearch
#wget -c https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-5.4.0.tar.gz
# Elastic publishes the matching .sha1 checksum beside the archive; compare it before unpacking
#tar -zxvf elasticsearch-5.4.0.tar.gz
#mkdir /usr/elk
#mv elasticsearch-5.4.0 /usr/elk/elasticsearch
#cd /usr/elk/elasticsearch/bin
Then start it with:
./elasticsearch
You may run into the following problems during startup.
(1) Not enough memory for the JVM
Fix: edit the file below and change -Xms2g -Xmx2g to -Xms1g -Xmx1g (the 5.x default heap is 2 GB, which a small VM may not be able to give it):
vim /usr/elk/elasticsearch/config/jvm.options
(2) Java is too old: Elasticsearch 5.x requires Java 8 (1.8) or newer, whether OpenJDK or Oracle JDK
Upgrade OpenJDK to 1.8, or replace it with the Oracle JDK.
#rpm -qa | grep jdk
java-1.6.0-openjdk-1.6.0.0-1.45.1.11.1.el6.x86_64
java-1.7.0-openjdk-1.7.0.0-1.32.1.11.1.el6.x86_64
#yum remove java-1.6.0-openjdk-1.6.0.0-1.45.1.11.1.el6.x86_64
#yum remove java-1.7.0-openjdk-1.7.0.0-1.32.1.11.1.el6.x86_64
# If spelling out full package names is too tedious, use wildcards instead:
#yum remove java-1.6.0-openjdk*
#yum remove java-1.7.0-openjdk*
# Then search for the 1.8 packages:
#yum search java-1.8.0-openjdk
============== N/S Matched: java-1.8.0-openjdk ==============
java-1.8.0-openjdk.x86_64 : OpenJDK Runtime Environment
java-1.8.0-openjdk-debug.x86_64 : OpenJDK Runtime Environment with full debug on
java-1.8.0-openjdk-demo.x86_64 : OpenJDK Demos
java-1.8.0-openjdk-demo-debug.x86_64 : OpenJDK Demos with full debug on
java-1.8.0-openjdk-devel.x86_64 : OpenJDK Development Environment
java-1.8.0-openjdk-devel-debug.x86_64 : OpenJDK Development Environment with full debug on
java-1.8.0-openjdk-headless.x86_64 : OpenJDK Runtime Environment
java-1.8.0-openjdk-headless-debug.x86_64 : OpenJDK Runtime Environment with full debug on
java-1.8.0-openjdk-javadoc.noarch : OpenJDK API Documentation
java-1.8.0-openjdk-javadoc-debug.noarch : OpenJDK API Documentation for packages with debug on
java-1.8.0-openjdk-src.x86_64 : OpenJDK Source Bundle
java-1.8.0-openjdk-src-debug.x86_64 : OpenJDK Source Bundle for packages with debug on
The packages are normally available; if the search comes back empty, download and install the Oracle JDK instead.
# If java-1.8.0-openjdk is found, install it directly:
#yum install java-1.8.0-openjdk java-1.8.0-openjdk-devel java-1.8.0-openjdk-headless
(3) Elasticsearch refuses to run as root
Create an unprivileged service account and hand it the install tree:
#groupadd elkstack                                        # create the group
#useradd elkstack -g elkstack -d /usr/elk -s /bin/bash     # create the user with /usr/elk as its home
#passwd elkstack                                          # set a password
#########################################################
# /usr/elk already existed, so useradd did not populate it from /etc/skel.
# Copy the login files by hand, otherwise the new user lands in a bare sh-style prompt.
# Do this before the chown below so the copies end up owned by elkstack.
#cd /etc/skel/
#ls -a
. .. .bash_logout .bash_profile .bashrc .mozilla
#cp .bash_logout /usr/elk/
#cp .bash_profile /usr/elk/
#cp .bashrc /usr/elk/
#cd /
#########################################################
#chown -R elkstack:elkstack /usr/elk                      # make the service user own the whole tree
#su -l elkstack                                           # switch user
$./elasticsearch/bin/elasticsearch                        # start elasticsearch as elkstack
Started as the new user, Elasticsearch then fails its bootstrap checks (in 5.x these are only warnings while it binds to loopback, and hard failures once network.host points at a real interface, as in the remote-access section below):
max file descriptors [4096] for elasticsearch process is too low, increase to at least [65536]
max number of threads [1024] for user [elkstack] is too low, increase to at least [2048]
max virtual memory areas vm.max_map_count [65530] is too low, increase to at least [262144]
system call filters failed to install; check the logs and fix your configuration or disable system call filters at your own risk
Q: max file descriptors [4096] for elasticsearch process is too low, increase to at least [65536]
#vi /etc/security/limits.conf
Add the following (the `*` applies to every account; put `elkstack` in its place to limit the change to the service user):
* soft nofile 65536
* hard nofile 131072
* soft nproc 2048
* hard nproc 4096
Q: max number of threads [1024] for user [elkstack] is too low, increase to at least [2048]
#vi /etc/security/limits.d/90-nproc.conf   (the file is 20-nproc.conf on CentOS 7; it overrides the nproc value from limits.conf)
Change
* soft nproc 1024
to
* soft nproc 2048
Q: max virtual memory areas vm.max_map_count [65530] is too low, increase to at least [262144]
#vi /etc/sysctl.conf
Add (anything at or above 262144 satisfies the check):
vm.max_map_count=655360
Q: system call filters failed to install; check the logs and fix your configuration or disable system call filters at your own risk
#vim config/elasticsearch.yml
Add:
bootstrap.system_call_filter: false
The system call filter is Elasticsearch's seccomp sandbox, which stops the JVM from forking other processes; it fails to install on kernels without seccomp support (the stock CentOS 6 kernel, for instance). Disabling it removes that protection, so only do it when upgrading the kernel is not an option.
Once the files are edited, apply the sysctl change with
sysctl -p
The limits.conf changes only take effect at the next login of the elkstack user, so log out and back in (su -l elkstack) before starting Elasticsearch again.
Those are the problems most people run into during installation.
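An added pre-flight check, not part of the original post, that tests the same thresholds as the Elasticsearch 5.x bootstrap checks above before the daemon is started, so a missing limit shows up as a one-line FAIL instead of a stack trace in the log. The thresholds are the ones quoted in the error messages; the script assumes a Linux host with /proc, a shell whose `ulimit` supports -n and -u, and a `java` binary on PATH. Run it as the elkstack user with `--run`.

```bash
#!/bin/sh
# Added example: pre-flight for the Elasticsearch 5.x bootstrap checks shown above.
# Thresholds are the ones the error messages quote; nothing here is from the original post.

ES_MIN_NOFILE=65536      # max file descriptors for the elasticsearch process
ES_MIN_NPROC=2048        # max number of threads for the service user
ES_MIN_MAP_COUNT=262144  # vm.max_map_count
ES_MIN_JAVA=8            # Java 8 (1.8) or newer

# ok_ge CURRENT REQUIRED: succeed when CURRENT is a number >= REQUIRED ("unlimited" also passes)
ok_ge() {
    [ "$1" = "unlimited" ] && return 0
    case "$1" in
        ''|*[!0-9]*) return 1 ;;    # empty or not a number
    esac
    [ "$1" -ge "$2" ]
}

# java_major VERSION: "1.8.0_131" -> 8, "1.7.0_79" -> 7, "9.0.4" -> 9
# (the quotes that `java -version` prints around the version are stripped)
java_major() {
    v=${1#\"}; v=${v%\"}
    case "$v" in
        1.*) v=${v#1.} ;;            # legacy 1.x numbering used up to Java 8
    esac
    echo "${v%%.*}"
}

# java_major_installed: major version of the java on PATH (garbage if there is none)
java_major_installed() {
    ver=$(java -version 2>&1 | head -n1 | awk '{print $3}')
    java_major "$ver"
}

# report NAME CURRENT REQUIRED: print PASS/FAIL, succeed only on PASS
report() {
    if ok_ge "$2" "$3"; then
        printf 'PASS %-14s %s (need >= %s)\n' "$1" "$2" "$3"
    else
        printf 'FAIL %-14s %s (need >= %s)\n' "$1" "$2" "$3"
        return 1
    fi
}

# preflight: run every check; non-zero exit status if any of them fails
preflight() {
    rc=0
    report nofile        "$(ulimit -n)" "$ES_MIN_NOFILE"  || rc=1
    report nproc         "$(ulimit -u)" "$ES_MIN_NPROC"   || rc=1
    report max_map_count "$(cat /proc/sys/vm/max_map_count)" "$ES_MIN_MAP_COUNT" || rc=1
    report java_major    "$(java_major_installed)" "$ES_MIN_JAVA" || rc=1
    if [ "$(id -u)" -eq 0 ]; then
        echo "FAIL user           running as root; Elasticsearch refuses to start"
        rc=1
    else
        echo "PASS user           $(id -un)"
    fi
    return $rc
}

[ "${1:-}" = "--run" ] && preflight
```

Run it once as root to see the `user` check fail, then as elkstack after a fresh login; the nofile and nproc lines are read from the shell's own limits, which is exactly what the Elasticsearch process inherits.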
Use curl to check that it started:
#curl -i http://127.0.0.1:9200
HTTP/1.1 200 OK
content-type: application/json; charset=UTF-8
content-length: 327

{
  "name" : "rGlFyHB",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "7sEFicrvQW-RPbJTjekbHg",
  "version" : {
    "number" : "5.4.0",
    "build_hash" : "780f8c4",
    "build_date" : "2017-04-28T17:43:27.229Z",
    "build_snapshot" : false,
    "lucene_version" : "6.5.0"
  },
  "tagline" : "You Know, for Search"
}
2. Install Kibana
#wget -c https://artifacts.elastic.co/downloads/kibana/kibana-5.4.0-linux-x86_64.tar.gz
#tar -zxvf kibana-5.4.0-linux-x86_64.tar.gz
#mv kibana-5.4.0-linux-x86_64 /usr/elk/kibana
#cd /usr/elk/
#chown -R elkstack:elkstack kibana
#./kibana/bin/kibana                 # Kibana does not refuse root, but run it as elkstack too
Use curl to check that it started (note: Elasticsearch must already be running):
#curl -i http://localhost:5601
HTTP/1.1 200 OK
kbn-name: kibana
kbn-version: 5.4.0
cache-control: no-cache
content-type: text/html; charset=utf-8
content-length: 217
accept-ranges: bytes
Date: Mon, 22 May 2017 06:45:26 GMT
Connection: keep-alive

<script>var hashRoute = '/app/kibana'; var defaultRoute = '/app/kibana'; var hash = window.location.hash; if (hash.length) { window.location = hashRoute + hash; } else { window.location = defaultRoute; }
Kibana also needs to know where Elasticsearch is; whenever the Elasticsearch address changes, update it here as well:
#vim kibana/config/kibana.yml
# the Elasticsearch setting defaults to:
elasticsearch.url: "http://localhost:9200"
3. Install Logstash
#wget -c https://artifacts.elastic.co/downloads/logstash/logstash-5.4.0.tar.gz
#tar -zxvf logstash-5.4.0.tar.gz
#mv logstash-5.4.0 /usr/elk/logstash
#cd /usr/elk/
#chown -R elkstack:elkstack logstash
#./logstash/bin/logstash
Test the installation
Note: the usual advice is to run Logstash as root, or to give the user sudo rights, because "many problems" appear otherwise. The actual problem is file permissions: the pipeline in section 4 tails /var/log/messages and /var/log/secure, which most distributions make readable by root only. Prefer giving elkstack read access to those two files (with setfacl, or by adding it to the group that owns them) over running the whole Logstash process as root; the syslog input's port 5544 is unprivileged, so nothing else needs root.
#./logstash/bin/logstash -e 'input{stdin{}} output{stdout{}}'
# once it is up, type a line; if Logstash echoes it back, the install works
Hello World
4. Configuration & plugin installation
(1) Remote access
kibana.yml:
server.port: 5601
server.host: "192.168.1.210"
elasticsearch.url: "http://192.168.1.210:9200"
elasticsearch.yml:
network.host: "192.168.1.210"
http.port: 9200
# addresses probed when joining the cluster; defaults to loopback only
#discovery.zen.ping.unicast.hosts: ["192.168.1.210"]
# minimum number of master-eligible nodes that must be visible to elect a master;
# set it to (master-eligible nodes / 2) + 1 to avoid split brain
#discovery.zen.minimum_master_nodes: 3
#bootstrap.system_call_filter: false
logstash.yml (http.host is the bind address of Logstash's own monitoring API, port 9600 by default):
http.host: "172.20.11.62"
Binding network.host to a LAN address makes the REST API on 9200 reachable from the whole network, and until X-Pack is installed below there is no authentication on it at all; it also turns the bootstrap checks from section 1 into hard failures. Keep 9200 and 5601 behind a firewall, or bound to an address that only the Logstash and Kibana hosts can reach.
(2) Install X-Pack
Note: stop the Elasticsearch and Kibana services before installing.
#cd /usr/elk/elasticsearch/bin
#./elasticsearch-plugin install x-pack
#cd /usr/elk/kibana/bin
#./kibana-plugin install x-pack
After X-Pack is installed, restart Elasticsearch and Kibana; both now require a login. The default credentials are:
username: elastic
password: changeme
Change this default straight away: anyone who can reach port 9200 knows it.
Logstash, however, cannot log in interactively: the credentials have to go into its pipeline configuration or it will not be able to connect to Elasticsearch. Because the password sits in that file in plaintext, keep the file readable by the elkstack user only (mode 600).
input {
  file {
    type => "syslog"
    path => ["/var/log/messages", "/var/log/secure"]
  }
  syslog {
    type => "syslog"
    port => 5544
  }
}
output {
  stdout { codec => rubydebug }
  elasticsearch {
    hosts => ["192.168.1.210:9200"]
    user => "elastic"
    password => "changeme"
    index => "syslogstash-%{+YYYY.MM.dd}"
    template_overwrite => true
  }
}
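The pipeline above ships with the default `elastic`/`changeme` pair. The following added script, not part of the original post or of X-Pack itself, rotates that password through the X-Pack 5.x change-password API and then proves that the old credentials are rejected and the new ones accepted. ES_URL is the address used throughout this post and can be overridden from the environment; the `--apply` guard keeps the script from touching the cluster when it is merely sourced.

```bash
#!/bin/sh
# Added example: rotate the built-in `elastic` password through the X-Pack 5.x change-password API
# (PUT /_xpack/security/user/<name>/_password) and confirm the default no longer works.
# ES_URL matches the address used in this post; nothing here is the project's own code.
ES_URL=${ES_URL:-http://192.168.1.210:9200}

# gen_password LEN: random alphanumeric password (no characters that would need JSON escaping)
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "${1:-24}"
}

# password_json NEWPASS: request body for the change-password API (NEWPASS must not contain " or \)
password_json() {
    printf '{"password":"%s"}' "$1"
}

# es_status USER PASS PATH: HTTP status of an authenticated GET; 200 accepted, 401 rejected
es_status() {
    curl -s -o /dev/null -w '%{http_code}' -u "$1:$2" "$ES_URL$3"
}

# es_set_password ADMIN_USER ADMIN_PASS TARGET_USER NEWPASS: HTTP status of the change request
es_set_password() {
    curl -s -o /dev/null -w '%{http_code}' -u "$1:$2" -XPUT \
        -H 'Content-Type: application/json' \
        -d "$(password_json "$4")" \
        "$ES_URL/_xpack/security/user/$3/_password"
}

# rotate_elastic: replace changeme, then verify old credentials fail and new ones succeed
rotate_elastic() {
    new=$(gen_password 24)
    code=$(es_set_password elastic changeme elastic "$new")
    [ "$code" = 200 ] || { echo "password change failed: HTTP $code" >&2; return 1; }
    [ "$(es_status elastic changeme /)" = 401 ] || { echo "old password still accepted" >&2; return 1; }
    [ "$(es_status elastic "$new" /)" = 200 ]   || { echo "new password rejected" >&2; return 1; }
    echo "elastic password rotated to: $new"
    echo "now update 'password =>' in the Logstash elasticsearch output and restart Logstash"
}

[ "${1:-}" = "--apply" ] && rotate_elastic
```

Kibana talks to Elasticsearch with its own built-in `kibana` user, which also ships with `changeme`; rotate it the same way (`es_set_password elastic "$new" kibana ...`) and put the result into `elasticsearch.username` / `elasticsearch.password` in kibana.yml.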
(3) Create the index pattern in Kibana
Kibana can only create an index pattern for an index that already exists in Elasticsearch, which means the Logstash pipeline must name the index and must already have written at least one event to it. In the pipeline above that is the line:
index => "syslogstash-%{+YYYY.MM.dd}"
Whatever name you choose there has to match the pattern you enter in Kibana later (syslogstash-* below). Save the pipeline as test_logstash.conf.
Check that the configuration file parses:
#logstash/bin/logstash -f test_logstash.conf -t
Start Logstash:
#logstash/bin/logstash -f test_logstash.conf
Trigger an input event so that Logstash creates the index in Elasticsearch (logger writes to the local syslog, which lands in /var/log/messages and is picked up by the file input):
#logger -p info "hello,remote rsyslog"
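The `logger` call above only exercises the file input. To exercise the syslog input on port 5544 from the pipeline as well, here is an added helper, not from the original post, that builds an RFC 3164 syslog line by hand and ships it over TCP with nc. The PRI computation is the standard facility * 8 + severity; the destination address, the tag and the message text are assumptions.

```bash
#!/bin/sh
# Added example: hand-built RFC 3164 syslog messages for the Logstash syslog input on port 5544.
# Not part of the original post; target host/port and message content are assumptions.

# syslog_pri FACILITY SEVERITY: PRI = facility * 8 + severity (RFC 3164 section 4.1.1)
syslog_pri() {
    case "$1" in
        kern) f=0 ;; user) f=1 ;; mail) f=2 ;; daemon) f=3 ;; auth) f=4 ;;
        syslog) f=5 ;; authpriv) f=10 ;; local0) f=16 ;; local7) f=23 ;;
        *) echo "unknown facility: $1" >&2; return 1 ;;
    esac
    case "$2" in
        emerg) s=0 ;; alert) s=1 ;; crit) s=2 ;; err) s=3 ;;
        warning) s=4 ;; notice) s=5 ;; info) s=6 ;; debug) s=7 ;;
        *) echo "unknown severity: $2" >&2; return 1 ;;
    esac
    echo $((f * 8 + s))
}

# syslog_line FACILITY SEVERITY HOST TAG MSG: "<PRI>Mmm dd HH:MM:SS host tag: msg"
# The "Mmm dd HH:MM:SS" timestamp (day space-padded) is what the syslog input's grok pattern expects.
# SYSLOG_TS overrides the clock so the output is reproducible.
syslog_line() {
    pri=$(syslog_pri "$1" "$2") || return 1
    ts=${SYSLOG_TS:-$(date '+%b %e %H:%M:%S')}
    printf '<%s>%s %s %s: %s\n' "$pri" "$ts" "$3" "$4" "$5"
}

# send_syslog HOST PORT FACILITY SEVERITY TAG MSG: ship one line to the Logstash syslog input over TCP
send_syslog() {
    host=$1; port=$2; shift 2
    syslog_line "$1" "$2" "$(hostname)" "$3" "$4" | nc -w 2 "$host" "$port"
}

# usage (assumed address, the same one the pipeline above points at):
# send_syslog 192.168.1.210 5544 authpriv err sshd "Failed password for invalid user test from 10.0.0.5 port 51234 ssh2"
```

After sending one, the event should appear in the rubydebug output with `facility_label` and `severity_label` filled in by the syslog input, and shortly afterwards under syslogstash-* in Kibana. Some nc builds keep the connection open after stdin closes; `-w 2` caps the wait.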
Then log in to Kibana, open Management -> Index Patterns, and click the [+] in the left-hand menu to add an index pattern.
If the Create button is missing, the index most likely does not exist yet in Elasticsearch; an input event has to flow through Logstash first.
Once the pattern is created, open Discover in the Kibana menu, select the syslogstash-* index pattern, and the events appear.