Installing and setting up the latest ELK 6.4.0 on CentOS
1. Install JDK 8
Download JDK 8 on Linux with wget:
Change to the directory /usr/local/software
wget --no-cookies --no-check-certificate --header "Cookie: gpw_e24=http%3A%2F%2Fwww.oracle.com%2F; oraclelicense=accept-securebackup-cookie" "http://download.oracle.com/otn-pub/java/jdk/8u181-b13/96a7b8442fe848ef90c96a2fad6ed6d1/jdk-8u181-linux-x64.tar.gz"
Extract the archive:
tar zxvf jdk-8u181-linux-x64.tar.gz
mv jdk1.8.0_181 jdk8
Add the environment variables by editing the corresponding file:
vim /etc/profile
# add the following
export JAVA_HOME=/usr/local/software/jdk8
export JAVA_BIN=/usr/local/software/jdk8
export PATH=$PATH:$JAVA_HOME/bin
export CLASSPATH=.:$JAVA_HOME/lib/dt.jar:$JAVA_HOME/lib/tools.jar
export JAVA_HOME JAVA_BIN PATH CLASSPATH
# apply the file
source /etc/profile
# verify that Java was installed successfully
java -version
2. Install ELK
1. Reference site: https://www.elastic.co/downloads
2. Download Elasticsearch/Logstash/Kibana with wget
1. Download Elasticsearch
wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-6.4.0.tar.gz
2. Download Logstash
wget https://artifacts.elastic.co/downloads/logstash/logstash-6.4.0.tar.gz
3. Download Kibana
wget https://artifacts.elastic.co/downloads/kibana/kibana-6.4.0-linux-x86_64.tar.gz
Extract:
tar -zxvf elasticsearch-6.4.0.tar.gz
tar -zxvf logstash-6.4.0.tar.gz
tar -zxvf kibana-6.4.0-linux-x86_64.tar.gz
3. Configure and start Elasticsearch
Problems encountered while configuring ES and how to handle them:
1. Problem 1
Java HotSpot(TM) 64-Bit Server VM warning: INFO: os::commit_memory(0x00000000c5330000, 986513408, 0) failed; error='Cannot allocate memory' (errno=12)
#
# There is insufficient memory for the Java Runtime Environment to continue.
# Native memory allocation (mmap) failed to map 986513408 bytes for committing reserved memory.
# An error report file with more information is saved as:
# /usr/local/software/temp/elasticsearch-6.2.2/hs_err_pid1912.log
Fix: not enough memory; on a purchased Alibaba Cloud machine the memory can be increased dynamically.
2. Problem 2
[[email protected] bin]# ./elasticsearch
Fix: run as a non-root user.
Add a user: useradd -m USERNAME, then set its password: passwd USERNAME
3. Problem 3
./elasticsearch
Exception in thread "main" java.nio.file.AccessDeniedException: /usr/local/software/temp/elasticsearch-6.4.0/config/jvm.options
Fix: insufficient permissions. chmod 777 -R <current ES directory>
Reference on common configuration problems: https://www.jianshu.com/p/c5d6ec0f35e0
Start with nohup
nohup ./bin/elasticsearch &
Enable HTTP access from external networks in the configuration file
bootstrap.memory_lock: false
# added: otherwise it cannot be accessed on CentOS
bootstrap.system_call_filter: false
http.host: 0.0.0.0
4. Configure Logstash
input {
  beats {
    port => 5044
  }
}
filter {
  grok {
    match => { "message" => ["%{IPORHOST:[nginx][access][remote_ip]} - %{DATA:[nginx][access][user_name]} \[%{HTTPDATE:[nginx][access][time]}\] \"%{WORD:[nginx][access][method]} %{DATA:[nginx][access][url]} HTTP/%{NUMBER:[nginx][access][http_version]}\" %{NUMBER:[nginx][access][response_code]} %{NUMBER:[nginx][access][body_sent][bytes]} \"%{DATA:[nginx][access][referrer]}\" \"%{DATA:[nginx][access][agent]}\""] }
    remove_field => "message"
  }
  mutate {
    add_field => { "read_timestamp" => "%{@timestamp}" }
  }
  date {
    match => [ "[nginx][access][time]", "dd/MMM/YYYY:H:m:s Z" ]
    remove_field => "[nginx][access][time]"
  }
  useragent {
    source => "[nginx][access][agent]"
    target => "[nginx][access][user_agent]"
    remove_field => "[nginx][access][agent]"
  }
  geoip {
    source => "[nginx][access][remote_ip]"
    target => "[geoip]"
    add_field => ["[geoip][coordinates]", "%{[geoip][longitude]}"]
    add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
  }
  mutate {
    convert => [ "[geoip][coordinates]", "float" ]
  }
}
output {
  elasticsearch {
    hosts => ["http://localhost:9200"]
    index => "logstash-%{[@metadata][beat]}-%{+YYYY.MM.dd}"
  }
}
Start Logstash
./bin/logstash -f config/file-beats.conf
5. Configure Kibana
Edit kibana.yml
server.host: "0.0.0.0"
Start Kibana
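The steps above run chmod 777 -R on the Elasticsearch directory, set http.host: 0.0.0.0 and bootstrap.system_call_filter: false, and bind Kibana to 0.0.0.0. The following script is an added example, not part of the original post: it reports those settings so they can be reviewed before the host is reachable from untrusted networks. The function names are this example's own and the files in the temporary directory are constructed samples.

```shell
#!/bin/sh
# Added example (not from the original page): report the exposure-related
# settings this walkthrough changes. All sample files below are constructed.

# audit_yaml FILE: report wildcard binds and a disabled system call filter.
audit_yaml() {
    # Drop comments, whitespace and quotes so 'server.host: "0.0.0.0"'
    # and 'http.host: 0.0.0.0' normalise to the same key:value shape.
    sed -e 's/#.*//' -e 's/[[:space:]]//g' -e "s/[\"']//g" "$1" |
    while IFS= read -r line; do
        case "$line" in
            http.host:0.0.0.0|network.host:0.0.0.0|server.host:0.0.0.0)
                echo "$1: ${line%%:*} binds to every interface" ;;
            bootstrap.system_call_filter:false)
                echo "$1: bootstrap.system_call_filter is disabled" ;;
        esac
    done
}

# world_writable DIR: list files any local account can modify,
# which is what 'chmod 777 -R' leaves behind.
world_writable() {
    find "$1" -type f -perm -0002
}

# Constructed sample tree mirroring the settings shown on this page.
demo_dir=$(mktemp -d)
cat > "$demo_dir/elasticsearch.yml" <<'EOF'
bootstrap.memory_lock: false
bootstrap.system_call_filter: false
http.host: 0.0.0.0
#network.host: 0.0.0.0
EOF
printf 'server.host: "0.0.0.0"\n' > "$demo_dir/kibana.yml"
printf '%s\n' '-Xms1g' > "$demo_dir/jvm.options"
chmod 777 "$demo_dir/jvm.options"

audit_yaml "$demo_dir/elasticsearch.yml"
audit_yaml "$demo_dir/kibana.yml"
world_writable "$demo_dir"
```

On a real install, point audit_yaml at config/elasticsearch.yml and config/kibana.yml and world_writable at the Elasticsearch directory.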
6. Download filebeat-6.3.2
- Download URL: https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-6.3.2-linux-x86_64.tar.gz
- Extract the archive: tar -zxvf filebeat-6.3.2-linux-x86_64.tar.gz
- Edit the configuration file
vi filebeat.yml
The file contents are as follows:
#------------ input section ----------
filebeat.prospectors:
- type: log
  paths:
    - /local/nas/docker/nginx/logs/access.log
  tags: ["nginx-accesslog"]
  document_type: nginx-access
  # Note: in Filebeat 6 the document_type field does not seem to take effect
- type: log
  paths:
    - /local/nas/docker/nginx/logs/error.log
  tags: ["nginx-errorlog"]
  document_type: nginx-error
#------------- output section: comment out the output to Elasticsearch and enable the output to Logstash ----
output.logstash:
  hosts: ["172.17.227.15:5044"]
- Start Filebeat
nohup ./filebeat &