Posted by vivion32 on 2019-1-28 13:09:20

Complete walkthrough of building an ELK log analysis platform

  

  Environment:
  OS: CentOS 6.6

  elasticsearch-5.6.3.tar.gz
  jdk-8u151-linux-x64.tar.gz
  kibana-5.6.3-linux-x86_64.tar.gz
  logstash-5.6.3.tar.gz
  node-v6.11.4-linux-x64.tar.xz
  

  I. Prepare the environment:
  1. Create the user and grant it permissions on the installation directory
# groupadd elk
# useradd -g elk elk
# mkdir /elk
# chown -R elk:elk /elk

  Change a few system parameters (Elasticsearch reports errors at startup if these are left unchanged):
# vim /etc/security/limits.conf    // add the following
---------------------------
* soft nofile 65536
* hard nofile 65536
* soft nproc 2048
* hard nproc 4096
----------------------------
# vim /etc/security/limits.d/90-nproc.conf    // add the following
*          soft    nproc   2048
# vim /etc/sysctl.conf    // add the following
------------------
fs.file-max=65536
vm.max_map_count=655360
----------------------
# sysctl -p    // confirm that the vm.max_map_count value was applied
Change the process limit:
# ulimit -u 2048
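Before the first start, the limits set above can be checked against the minimums that the Elasticsearch 5.x bootstrap checks enforce: 65536 open files, 2048 threads for the user, and a vm.max_map_count of at least 262144 (the values this post configures are above all three). The script below is an added example written for this edit, not part of the original post or of Elasticsearch; it assumes a POSIX shell on a host where ulimit and sysctl are available, as on CentOS 6, and should be run as the elk user because the limits.conf entries apply per login.

```shell
#!/bin/sh
# Added example (not from the original post): preflight the three limits that
# Elasticsearch 5.x verifies at startup, so "bootstrap checks failed" is caught
# before the first run. The thresholds are the 5.x bootstrap-check minimums.
ES_MIN_NOFILE=65536        # max file descriptors for the process
ES_MIN_NPROC=2048          # max number of threads (processes) for the user
ES_MIN_MAP_COUNT=262144    # vm.max_map_count

# to_num VALUE: ulimit prints "unlimited" for an unrestricted limit; map it to a
# large number so the numeric comparison below still works. Anything that is not
# a number is treated as 0, i.e. "too low", rather than silently passing.
to_num() {
    case $1 in
        unlimited) echo 2147483647 ;;
        ''|*[!0-9]*) echo 0 ;;
        *) echo "$1" ;;
    esac
}

# es_bootstrap_check NOFILE NPROC MAX_MAP_COUNT
# Prints one FAIL line per limit below its minimum, naming the file this
# walkthrough edits to raise it. Returns the number of failing limits (0 = OK).
es_bootstrap_check() {
    _nofile=$(to_num "$1") _nproc=$(to_num "$2") _map=$(to_num "$3") _fail=0
    if [ "$_nofile" -lt "$ES_MIN_NOFILE" ]; then
        echo "FAIL nofile=$_nofile (need >= $ES_MIN_NOFILE): raise nofile in /etc/security/limits.conf"
        _fail=$((_fail + 1))
    fi
    if [ "$_nproc" -lt "$ES_MIN_NPROC" ]; then
        echo "FAIL nproc=$_nproc (need >= $ES_MIN_NPROC): raise nproc in limits.conf and limits.d/90-nproc.conf"
        _fail=$((_fail + 1))
    fi
    if [ "$_map" -lt "$ES_MIN_MAP_COUNT" ]; then
        echo "FAIL vm.max_map_count=$_map (need >= $ES_MIN_MAP_COUNT): set it in /etc/sysctl.conf and run sysctl -p"
        _fail=$((_fail + 1))
    fi
    [ "$_fail" -eq 0 ] && echo "OK: all three Elasticsearch bootstrap limits are satisfied"
    return "$_fail"
}

# check_live_limits: read the limits of the current shell and check them.
check_live_limits() {
    es_bootstrap_check "$(ulimit -n)" "$(ulimit -u)" "$(sysctl -n vm.max_map_count 2>/dev/null)"
}

# Run the live check only when invoked with --live, e.g.: sh es_preflight.sh --live
if [ "${1:-}" = "--live" ]; then
    check_live_limits
fi
```

Run it once as root and once as the elk user: limits.conf is applied at login, so a shell that was already open when the file was edited still shows the old values.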

  Install Java
  # mkdir /usr/local/Java
  # tar -zxvf jdk-8u151-linux-x64.tar.gz -C /usr/local/Java

  Add the environment variables:
  # vim /etc/profile

  Add the following:
export JAVA_HOME=/usr/local/Java/jdk1.8.0_151
export PATH=$PATH:$JAVA_HOME/bin
export CLASSPATH=.:$JAVA_HOME/lib/tools.jar:$JAVA_HOME/lib/dt.jar:$CLASSPATH
  Reload:
  # source /etc/profile

  Check that the installation succeeded:
# java -version
java version "1.8.0_151"
Java(TM) SE Runtime Environment (build 1.8.0_151-b12)
Java HotSpot(TM) 64-Bit Server VM (build 25.151-b12, mixed mode)

  II. Install ELK

  1. Install elasticsearch
# tar -zxvf elasticsearch-5.6.3.tar.gz
Edit the configuration file:
vim ./elasticsearch-5.6.3/config/elasticsearch.yml
// set the listen address and listen port:
network.host: 0.0.0.0    // listen address
http.port: 9200    // listen port
Note: elasticsearch cannot be started as the root user.
  Start elasticsearch (the first start is a little slow):
$ cd /elk/elasticsearch-5.6.3/bin
$ ./elasticsearch
Then check the port:
# ss -tnl | grep 9200
LISTEN   0      128      ::ffff:192.168.159.130:9200                  :::*

  1.1 Install and deploy head
  Edit the elasticsearch configuration file as follows:
# vim /elk/elasticsearch-5.6.3/config/elasticsearch.yml
node.name: node-1inux    // set the node name
cluster.name: my-1inux    // set the cluster name
// add these new parameters so the head plugin can access es
http.cors.enabled: true
http.cors.allow-origin: "*"

  1) Install git
# yum -y install git
Download the code:
# git clone git://github.com/mobz/elasticsearch-head.git
Set permissions on the head directory:
# chown -R elk:elk elasticsearch-head

  2) Download and install node
  https://nodejs.org/en/download/
  Then install xz and extract the archive:
# yum -y install xz
# xz -d node-v6.11.4-linux-x64.tar.xz
# tar -xvf node-v6.11.4-linux-x64.tar
Add the node environment variables:
# vim /etc/profile
Add the following:
export NODE_HOME=/elk/node-v6.11.4-linux-x64
export PATH=$PATH:$NODE_HOME/bin
Reload:
# source /etc/profile
Check that it took effect:
# echo $NODE_HOME
/elk/node-v6.11.4-linux-x64
# node -v
v6.11.4
# npm -v
3.10.10
Switch to a domestic (China) mirror registry:
npm config set registry https://registry.npm.taobao.org
npm config set disturl https://npm.taobao.org/dist

  3) Install grunt
# npm install -g grunt
# npm install grunt-cli -g
Check that the installation succeeded:
# grunt -version
grunt-cli v1.2.0
Change the server listen address:
# vim /elk/elasticsearch-head/Gruntfile.js
hostname: '*',
  Change the connection address:
# vim /elk/elasticsearch-head/_site/app.js
this.base_uri = this.config.base_uri || this.prefs.get("app-base_uri") || "
Change it to:
this.base_uri = this.config.base_uri || this.prefs.get("app-base_uri") || "http://192.168.159.130:9200";
Run head:
In the head directory, run
# npm install
Start:
# grunt server

  

  2. Install kibana
  # tar -zxvf kibana-5.6.3-linux-x86_64.tar.gz
After extracting, edit the configuration file:
# vim ../config/kibana.yml    // set the elasticsearch access address and port as follows
#server.host: "localhost"
server.host: "192.168.159.130"
#elasticsearch.url: "http://localhost:9200"
elasticsearch.url: "
Then save and start it as follows:
# ./kibana
log    Status changed from uninitialized to green - Ready
log    Status changed from uninitialized to yellow - Waiting for Elasticsearch
log    Status changed from uninitialized to green - Ready
log    Status changed from uninitialized to green - Ready
log    Status changed from uninitialized to green - Ready
log    Server running at http://localhost:5601
log    Status changed from uninitialized to yellow - Elasticsearch plugin is yellow

  3. Install logstash-5.6.3.tar.gz
# tar -zxvf logstash-5.6.3.tar.gz
After extracting, edit the configuration file and it is ready to use.
Write the pipeline file:
# vim /config/test.conf
input {
    file {
        type => "nginx_log"
        path => "/var/log/nginx/access.log"
        start_position => "beginning"
    }
}
output {
    elasticsearch {
        hosts => "192.168.159.130"
        index => "1inux"
    }
    stdout { codec => rubydebug }
}
Start:
root@1inux bin]# ./logstash -f ../config/test.conf  


  Errors:
  1.

# ./elasticsearch-5.6.3/bin/elasticsearch
[] uncaught exception in thread
org.elasticsearch.bootstrap.StartupException: java.lang.RuntimeException: can not run elasticsearch as root

  Fix: start it as the elk user
  Problem 2:
ERROR: bootstrap checks failed
: max file descriptors for elasticsearch process is too low, increase to at least
: max number of threads for user is too low, increase to at least
: max virtual memory areas vm.max_map_count is too low, increase to at least
See the system changes above.
  Problem 3:
: system call filters failed to install; check the logs and fix your configuration or disable system call filters at your own risk
Edit the elasticsearch configuration file and add the following below bootstrap.memory_lock:
bootstrap.system_call_filter: false
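Three settings recur in this walkthrough: network.host 0.0.0.0 from the install step, http.cors.allow-origin "*" from the head step, and bootstrap.system_call_filter: false from problem 3. Each trades exposure for convenience: Elasticsearch 5.x without X-Pack has no authentication, so binding every interface publishes the cluster to whatever can reach port 9200; a CORS origin of "*" lets any web page loaded in a browser on the same network query the cluster; and the startup error itself describes disabling the system call filter as "at your own risk". The script below is an added example written for this edit, not part of the original post or of Elasticsearch; it audits an elasticsearch.yml for exactly those three values and ships with a constructed sample of the walkthrough's settings and a tightened variant. The head UI origin used in the hardened sample (http://192.168.159.130:9100) is an assumed value.

```shell
#!/bin/sh
# Added example (not from the original post or from Elasticsearch): flag the
# settings in an elasticsearch.yml that widen exposure in this walkthrough:
# network.host on every interface, http.cors.allow-origin "*", and
# bootstrap.system_call_filter false. Only plain "key: value" lines are
# parsed, which is all this file uses.

# yml_get FILE KEY: value of the last uncommented "KEY: value" line, with
# surrounding quotes and any trailing "# comment" removed; empty if unset.
yml_get() {
    _key_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n -e '/^[[:space:]]*#/d' \
           -e "s/^[[:space:]]*${_key_re}:[[:space:]]*//p" "$1" \
        | tail -n 1 \
        | sed -e 's/[[:space:]][[:space:]]*#.*$//' -e 's/[[:space:]]*$//' \
              -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'$/\1/"
}

# audit_es_yml FILE: print one WARN line per exposure setting found.
# Returns the number of findings (0 = nothing flagged).
audit_es_yml() {
    _f=$1 _n=0
    case "$(yml_get "$_f" network.host)" in
        0.0.0.0|::|_global_)
            echo "WARN network.host binds every interface: bind a specific address or firewall the HTTP port"
            _n=$((_n + 1)) ;;
    esac
    case "$(yml_get "$_f" http.cors.allow-origin)" in
        '*'|'/.*/')
            echo "WARN http.cors.allow-origin allows any origin: list the head UI origin instead"
            _n=$((_n + 1)) ;;
    esac
    if [ "$(yml_get "$_f" bootstrap.system_call_filter)" = false ]; then
        echo "WARN bootstrap.system_call_filter=false disables the seccomp filter: fix the underlying error instead"
        _n=$((_n + 1))
    fi
    [ "$_n" -eq 0 ] && echo "OK: no exposure findings in $_f"
    return "$_n"
}

# write_sample FILE: constructed elasticsearch.yml with the settings this
# walkthrough applies, for trying the audit offline.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample: the settings this walkthrough applies
cluster.name: my-1inux
node.name: node-1inux
network.host: 0.0.0.0
http.port: 9200
http.cors.enabled: true
http.cors.allow-origin: "*"
bootstrap.memory_lock: false
bootstrap.system_call_filter: false
EOF
}

# write_hardened_sample FILE: the same file with the three settings tightened.
# The head UI origin (http://192.168.159.130:9100) is an assumed value.
write_hardened_sample() {
    cat > "$1" <<'EOF'
cluster.name: my-1inux
node.name: node-1inux
network.host: 192.168.159.130
http.port: 9200
http.cors.enabled: true
http.cors.allow-origin: "http://192.168.159.130:9100"
bootstrap.memory_lock: false
EOF
}

# Usage: sh audit_es_yml.sh /elk/elasticsearch-5.6.3/config/elasticsearch.yml
if [ -n "${1:-}" ]; then
    audit_es_yml "$1"
fi
```

The exit status is the number of findings, so the script can gate a deployment step; the hardened sample shows the shape of the fix (a concrete bind address, the single origin the head UI is served from, and the system call filter left enabled).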

  



