系统初始化
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
| #防火墙开放端口
systemctl start firewalld
systemctl enable firewalld
firewall-cmd --permanent --add-port=5044/tcp
firewall-cmd --permanent --add-port=5601/tcp
firewall-cmd --permanent --add-port=9300/tcp
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.30.133" port protocol="tcp" port="9200" accept'
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.30.134" port protocol="tcp" port="9200" accept'
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.30.135" port protocol="tcp" port="9200" accept'
firewall-cmd --reload
#关闭selinux
sed -i 's/enforcing/disabled/' /etc/selinux/config
#添加hosts
cat >> /etc/hosts << EOF
192.168.30.133 elk1
192.168.30.134 elk2
192.168.30.135 elk3
EOF
# 创建用户
groupadd elk
useradd elk -g elk
# 创建数据及⽇志⽂件并授权
mkdir -pv /data/elk/{data,logs}
chown -R elk:elk /data/elk/
# 调整进程最大打开文件数数量
#重启生效
vi /etc/security/limits.conf
* hard nofile 65535
* soft nofile 65535
#验证
ulimit -n
# 调整进程最大虚拟内存区域数量
echo "vm.max_map_count=262144" >> /etc/sysctl.conf
sysctl -p
|
1
2
3
4
5
6
7
| cd /opt/
#解压到当前⽬录
tar -xf elasticsearch-7.9.3-linux-x86_64.tar.gz -C .
mv elasticsearch-7.9.3-linux-x86_64 elasticsearch
#授权
chown -R elk:elk elasticsearch
|
集群配置
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
| vim elasticsearch/config/elasticsearch.yml
#必改配置
node.name: elk1
#通用配置
path.data: /data/elk/data
path.logs: /data/elk/logs
bootstrap.memory_lock: false
http.port: 9200
cluster.name: elk-cluster
network.host: 0.0.0.0
discovery.seed_hosts: ["192.168.30.133", "192.168.31.62","192.30.134"]
cluster.initial_master_nodes: ["elk1"]
ingest.geoip.downloader.enabled: false
xpack.security.enabled: true
xpack.security.transport.ssl:
enabled: true
verification_mode: certificate
keystore.path: certs/elastic-certificates.p12
truststore.path: certs/elastic-certificates.p12
|
生成认证文件
1
2
3
4
5
6
7
8
| cd elasticsearch
bin/elasticsearch-certutil ca
bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
mkdir config/certs
mv *.p12 config/certs
chmod -R +755 config/certs
#复制certs到每个节点
|
jvm.option的设置
1
2
3
4
| #机器内存的一半
vim /opt/elasticsearch/config/jvm.options
-Xms1g
-Xmx1g
|
启动elasticsearch
1
2
3
4
5
6
7
8
9
10
11
12
13
14
| su elk # 切换到用户
cd /opt/elasticsearch
#启动脚本
vim start.sh
su - elk -c "/opt/elasticsearch/bin/elasticsearch -d"
#启动
sh start.sh
#验证
curl -XGET 'http://127.0.0.1:9200/_cat/nodes?pretty' #查看集群节点
|
设置用户密码
1
| bin/elasticsearch-setup-passwords interactive
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
| #安装
cd /opt
tar zxvf logstash-7.9.3-linux-x86_64.tar.gz
mv logstash-7.9.3-linux-x86_64 logstash
#修改配置
vim logstash/config/logstash-sample.conf
input {
beats {
port => 5044
}
file {
path => "/usr/local/nginx/logs/access.log"
start_position => "beginning"
}
}
filter {
if [path] =~ "access" {
mutate { replace => { "type" => "apache_access" } }
grok {
match => { "message" => "%{COMBINEDAPACHELOG}" }
}
}
date {
match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ]
}
}
output {
elasticsearch {
hosts => ["10.0.0.11:9200","10.0.0.12:9200","10.0.0.13:9200"]
user => "elastic"
password => "xxx"
}
stdout { codec => rubydebug }
}
#启动脚本
vim /opt/logstash/start.sh
nohup /opt/logstash/bin/logstash -f /opt/logstash/config/logstash-sample.conf > /dev/null 2> /dev/null &
#启动
sh start.sh
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
| #安装
cd /opt
tar zxvf kibana-7.9.3-linux-x86_64.tar.gz
mv kibana-7.9.3-linux-x86_64 kibana
#修改配置
vim kibana/config/kibana.yml
server.port: 5601
server.host: "0.0.0.0"
elasticsearch.hosts: ["http://192.168.30.136:9200","http://192.168.30.137:9200","http://192.168.30.138:9200"]
i18n.locale: "zh-CN"
elasticsearch.username: "kibana_system"
elasticsearch.password: "xxx"
#启动脚本
cd /opt/kibana
vim start.sh
nohup /opt/kibana/bin/kibana --allow-root &
#启动,登录账号elastic
sh start.sh
|
创建用户
- 在kibana创建角色beats_write,集群权限:monitor,manage_index_templates,索引(*)权限:create_index、delete、monitor、write
- 创建用户beats_to_es
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
| #安装
cd /opt
tar xzvf filebeat‐7.13.2‐linux‐x86_64.tar.gz
mv filebeat‐7.13.2‐linux‐x86_64 filebeat
#修改配置
vim filebeat/filebeat.yml
filebeat.inputs:
- input_type: log
paths:
- /var/log/nginx/*.log
tags: ["nginx"]
output.logstash:
#output.elasticsearch:
hosts: ["192.168.30.136:5044","192.168.30.137:5044"]
username: "beats_to_es"
password: "xxx"
#检查配置
filebeat/filebeat test config -c filebeat/filebeat.yml
#启动脚本
vim /opt/filebeat/start.sh
nohup /opt/filebeat/filebeat -e -c /opt/filebeat/filebeat.yml >/dev/null 2>&1 &
#启动
sh start.sh
|
常见问题
Limit of total fields [1000]
更新所有现有索引的设置
1
2
3
| curl -XPUT --user elastic:xxx 'http://localhost:9200/_all/_settings?preserve_existing=true' -d '{
"index.mapping.total_fields.limit" : "3000"
}'
|
创建索引模板以应用默认值到未来的索引
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
| curl -XPUT 'http://localhost:9200/_template/default_template' -H 'Content-Type: application/json' -d '{
"index_patterns": ["*"],
"settings": {
"index.mapping.total_fields.limit": "3000"
},
"mappings": {
"properties": {
"data": {
"properties": {
"param": {
"type": "object"
}
}
}
}
}
}'
|
重命名索引
1
2
3
4
5
6
7
8
9
10
11
12
| curl -X POST "localhost:9200/_reindex" -H 'Content-Type: application/json' -d'
{
"source": {
"index": "index-name"
},
"dest": {
"index": "index-name-bak"
}
}
'
curl -X DELETE "localhost:9200/index-name"
|
文章作者
lim
上次更新
2024-11-21
(1dac9ff)
许可协议
CC BY-NC-ND 4.0
