目录
一、安装es
二、安装Logstash
三、安装Kibana
四、安装Filebeat
五、集群模式
搭建日志分析系统ELK(elasticsearch+logstash+kibana+filebeat)
这里先介绍ELK的安装
首先下载ELK 在官网下载:https://www.elastic.co/cn/downloads/
如果下载比较慢的同学可以加我Q.我这有下载好的文件。能够分享给你。
这里咱们的环境使用ubuntu 16.04。我这是在虚拟加搭建的。
es日志存储
logstash 采集转换输入 输出
filebeat 日志实时洞察 相关具体介绍可以观看 : https://www.elastic.co/cn/beats/filebeat
kibana 展示控制面板 让你的使用更加方便
软件版本:
一、安装es
解压 ES
tar -zxvf elasticsearch-7.7.1.tar.gz
进入文件夹config 修改 /elk/elasticsearch-7.7.1/config$ vim elasticsearch.yml
修改如下:
配置data目录时别忘了建文件夹data
# ======================== Elasticsearch Configuration =========================
#
# NOTE: Elasticsearch comes with reasonable defaults for most settings.
# Before you set out to tweak and tune the configuration, make sure you
# understand what are you trying to accomplish and the consequences.
#
# The primary way of configuring a node is via this file. This template lists
# the most important settings you may want to configure for a production cluster.
#
# Please consult the documentation for further information on configuration options:
# https://www.elastic.co/guide/en/elasticsearch/reference/index.html
#
# ---------------------------------- Cluster -----------------------------------
#
# Use a descriptive name for your cluster:
#
cluster.name: elk-test
#
# ------------------------------------ Node ------------------------------------
#
# Use a descriptive name for the node:
#
node.name: node-1
#
# Add custom attributes to the node:
#
#node.attr.rack: r1
#
# ----------------------------------- Paths ------------------------------------
#
# Path to directory where to store the data (separate multiple locations by comma):
#
path.data: /home/hcy/elk/elasticsearch-7.7.1/data
#
# Path to log files:
#
path.logs: /home/hcy/elk/elasticsearch-7.7.1/logs
#
# ----------------------------------- Memory -----------------------------------
#
# Lock the memory on startup:
#
#bootstrap.memory_lock: true
#
# Make sure that the heap size is set to about half the memory available
# on the system and that the owner of the process is allowed to use this
# limit.
#
# Elasticsearch performs poorly when the system is swapping the memory.
#
# ---------------------------------- Network -----------------------------------
#
# Set the bind address to a specific IP (IPv4 or IPv6):
#
network.host: 192.168.1.129
#
# Set a custom port for HTTP:
#
http.port: 9200
#
# For more information, consult the network module documentation.
#
# --------------------------------- Discovery ----------------------------------
#
# Pass an initial list of hosts to perform discovery when this node is started:
# The default list of hosts is ["127.0.0.1", "[::1]"]
#
#discovery.seed_hosts: ["host1", "host2"]
#
# Bootstrap the cluster using an initial set of master-eligible nodes:
#
#cluster.initial_master_nodes: ["node-1", "node-2"]
cluster.initial_master_nodes: ["node-1"]
# For more information, consult the discovery and cluster formation module documentation.
#
# ---------------------------------- Gateway -----------------------------------
#
# Block initial recovery after a full cluster restart until N nodes are started:
#
#gateway.recover_after_nodes: 3
#
# For more information, consult the gateway module documentation.
#
# ---------------------------------- Various -----------------------------------
#
# Require explicit names when deleting indices:
#
#action.destructive_requires_name: true
启动bin 文件下的
hcy@ubuntu:~/elk/elasticsearch-7.7.1/bin$ ./elasticsearch &
页面访问 http://192.168.1.129:9200
看看能不能访问到就行了。
至此安装es完成
常见问题解决:
1. 报错:
ERROR: bootstrap checks failed max virtual memory areas vm.max_map_count [65530] is too low, increase to at least [262144]
首先切换到root 下
root@ubuntu:/home/hcy# vim /etc/sysctl.conf
添加这一句:
m.max_map_count=655360
root@ubuntu:/home/hcy# sysctl -p
vm.max_map_count = 655360
切换回去用户。。。。。
2. 报错:
ERROR: [1] bootstrap checks failed [1]: the default discovery settings are unsuitable for production use; at least one of [discovery.seed_hosts, discovery.seed_providers, cluster.initial_master_nodes] must be configured
解决办法:配置文件这句放开,改成如下:
cluster.initial_master_nodes: ["node-1"]
二、 安装Logstash
1.解压logstash tar包
tar -zxvf logstash-7.7.1.tar.gz
2.运行logstash最基础的pipeline
bin/logstash -e 'input { stdin { } } output { stdout {} }'
-e:可以直接用命令行配置,无需使用文件配置。当前pipeline从标准输入获取数据stdin,并把结构化数据输出到标准输出stdout。
Pipeline启动之后,控制台输入hello world,可看到对应输出。
3. 安装logstash-input-beats插件
hcy@ubuntu:~/elk/logstash-7.7.1$ ./bin/logstash-plugin install logstash-input-beats
Validating logstash-input-beats
Installing logstash-input-beats
Installation successful
4.创建pipeline配置文件logstash.conf,配置端口5044监听beats的连接,并创建elasticsearch索引。
如图:下面代码
input {
beats {
port => 5044
}
}
output {
elasticsearch {
hosts => "192.168.1.129:9200"
manage_template => false
index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
document_type => "%{[@metadata][type]}"
}
}
5.启动logstash服务
./bin/logstash -f config/logstash.conf &
输出:
三、安装Kibana
3.1解压kibana tar包
tar -zxvf kibana-7.7.1-linux-x86_64.tar.gz
3.2. 修改kibana配置
进入config文件夹 修改
hcy@ubuntu:~/elk/kibana-7.7.1-linux-x86_64/config$ vim kibana.yml
# kibana地址
server.host: "192.168.1.129"
# elasticsearch地址
# elasticsearch.url: "http://192.168.1.129:9200"
elasticsearch.hosts: ["http://192.168.1.129:9200"]
3.3.启动kibana服务
./bin/kibana &
输出
访问 192.168.1.129:5601
能看到界面
你也可以使用一下 example 数据看一眼
很多的哦
四、 安装Filebeat
1.解压filebeat tar包
tar -zxvf filebeat-7.7.1-linux-x86_64.tar.gz
2.配置filebeat
我们这里输出到logstash,需要添加logstash信息,注释elasticsearch信息
hcy@ubuntu:~/elk/filebeat-7.7.1-linux-x86_64$ vim filebeat.yml
filebeat.prospectors:
- type: log
enabled: true
paths:
- /opt/apps/elk/*.log
#output.elasticsearch:
#hosts: ["localhost:9200"]
output.logstash:
hosts: ["192.168.1.129:5044"]
3.启动filebeat
./filebeat -e -c filebeat.yml -d "publish" &
输出:跑起来就可以。
至此咱们这套ELK系统搭建完毕!!
五、集群模式
如果是安装logstash集群的话。在node filebeat中. 这里要用node的IP
我这里是配置了多个logstash集群这里。使用了两个节点
其中我的192.168.1.129 作为我的一个展示机
192.168.1.131做一个node节点
output.logstash:
hosts: ["192.168.1.131:5044"]
看下效果:
六、ELK常见问题解决办法
1. Logstash A plugin had an unrecoverable error. Will restart this plugin.
使用命令查找 ps aux | grep logstash
kill -9 掉对应的PID
标签:node,ELK,filebeat,##,kibana,elasticsearch,192.168,logstash From: https://blog.51cto.com/51souta/5807334