Install the JDK
#wget http://172.18.71.12:83/2Q2W261090F59DD53D8C9740EB6430C46EB03192EE29_unknown_229A95874D39CC9F5FE38A6EA9A2A49C92CE7A07_9/download.oracle.com/otn-pub/java/jdk/8u162-b12/0da788060d494f5095bf8624735fa2f1/jdk-8u162-linux-x64.tar.gz -P /usr/local/src/
Configure the Java environment
#tar -zxf jdk-8u162-linux-x64.tar.gz
#mv jdk1.8.0_162/ /usr/local/
#vim /etc/profile
Append:
#JAVA
JAVA_HOME=/usr/local/jdk1.8.0_162
CLASSPATH=.:$JAVA_HOME/lib/tools.jar:$JAVA_HOME/lib/dt.jar
PATH=$JAVA_HOME/bin:$PATH
export JAVA_HOME CLASSPATH PATH
// make it take effect
# source /etc/profile
// test
# java -version
java version "1.8.0_162"
Java(TM) SE Runtime Environment (build 1.8.0_162-b12)
Java HotSpot(TM) 64-Bit Server VM (build 25.162-b12, mixed mode)
Install Elasticsearch
System environment configuration
#useradd elk
# vim /etc/security/limits.conf
elk soft nproc 65536
elk hard nproc 65536
elk soft nofile 65536
elk hard nofile 65536
# vim /etc/security/limits.d/90-nproc.conf
elk soft nproc 4096
root soft nproc unlimited
#vim /etc/sysctl.conf
Add:
vm.max_map_count = 262144
Download Elasticsearch
#wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-6.2.2.tar.gz
# tar -zxf elasticsearch-6.2.2.tar.gz
# mv elasticsearch-6.2.2 /usr/local/ELK/
# mkdir /data/es-data
# mkdir /data/logs/es-logs
# chown elk.elk /data/es-data
# chown elk.elk /data/logs/es-logs
Edit the configuration file
# vim /usr/local/ELK/elasticsearch-6.2.2/config/elasticsearch.yml
// change the following entries
cluster.name: test-elk
node.name: node-1
path.data: /data/es-data
path.logs: /data/logs/es-logs
network.host: 0.0.0.0
http.port: 9200
bootstrap.memory_lock: false
bootstrap.system_call_filter: false
Start
Switch to the elk user first, then run
# su - elk
// start in the foreground and troubleshoot from the output
$ cd /usr/local/ELK/elasticsearch-6.2.2/bin/
$ ./elasticsearch
// if it starts cleanly, start it as a daemon instead
# su - elk
$ cd /usr/local/ELK/elasticsearch-6.2.2/bin/
$ ./elasticsearch -d
Verify:
http://IP:9200
If it returns the following, Elasticsearch is running normally
{
"name" : "node-1",
"cluster_name" : "test-elk",
"cluster_uuid" : "QbaVRtVZQ-OsrII1I9g61g",
"version" : {
"number" : "6.2.2",
"build_hash" : "10b1edd",
"build_date" : "2018-02-16T19:01:30.685723Z",
"build_snapshot" : false,
"lucene_version" : "7.2.1",
"minimum_wire_compatibility_version" : "5.6.0",
"minimum_index_compatibility_version" : "5.0.0"
},
"tagline" : "You Know, for Search"
}
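The steps above set process limits, edit elasticsearch.yml and verify the node banner by hand. The script below is an added example, not part of the original post, that checks the same three things offline: it parses a limits.conf fragment (with a deliberately mistyped hard limit, constructed here, to show the check firing), flags the two settings in elasticsearch.yml that matter operationally (network.host: 0.0.0.0 exposes port 9200 to every interface, and Elasticsearch 6.2.2 without X-Pack security has no authentication at all; bootstrap.memory_lock: false lets the heap be swapped out), and extracts fields from the JSON banner. The sample files are constructed inline; with a live node, `curl -s http://IP:9200 > banner.json` gives es_banner_ok real input.

```sh
#!/bin/sh
# Added example, not from the original post. Offline checks for the
# Elasticsearch setup: limits.conf values, elasticsearch.yml exposure,
# and the JSON banner returned by http://IP:9200.

# Print the value of a  "key" : "value"  string field from the node banner.
es_field() {
  sed -n "s/^[[:space:]]*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# 0 when the banner reports the expected node name and cluster name.
es_banner_ok() {
  [ "$(es_field "$1" name)" = "$2" ] && [ "$(es_field "$1" cluster_name)" = "$3" ]
}

# Print the nofile limit (soft|hard) configured for USER in a limits.conf file.
limit_nofile() {
  awk -v u="$1" -v t="$2" '$1 == u && $2 == t && $3 == "nofile" { v = $4 } END { print v + 0 }' "$3"
}

# 0 when both nofile limits for USER are at least 65536 and soft <= hard
# (a soft limit above the hard limit is rejected by PAM, so catch it here).
limits_ok() {
  s=$(limit_nofile "$1" soft "$2"); h=$(limit_nofile "$1" hard "$2")
  [ "$s" -ge 65536 ] && [ "$h" -ge 65536 ] && [ "$s" -le "$h" ]
}

# Print one line per risky setting found in elasticsearch.yml.
audit_es_yml() {
  if grep -Eq '^[[:space:]]*network\.host:[[:space:]]*(0\.0\.0\.0|_global_)' "$1"; then
    port=$(sed -n 's/^[[:space:]]*http\.port:[[:space:]]*//p' "$1")
    echo "network.host binds all interfaces; no auth in 6.2.2 without X-Pack, firewall tcp/${port:-9200}"
  fi
  if grep -Eq '^[[:space:]]*bootstrap\.memory_lock:[[:space:]]*false' "$1"; then
    echo "bootstrap.memory_lock is false; the JVM heap may be swapped to disk"
  fi
}

# Constructed sample input (the limits file carries a truncated hard limit on purpose).
TMP=$(mktemp -d)
cat > "$TMP/banner.json" <<'EOF'
{
  "name" : "node-1",
  "cluster_name" : "test-elk",
  "version" : {
    "number" : "6.2.2"
  },
  "tagline" : "You Know, for Search"
}
EOF
cat > "$TMP/limits.conf" <<'EOF'
elk soft nproc 65536
elk hard nproc 65536
elk soft nofile 65536
elk hard nofile 6553
EOF
cat > "$TMP/elasticsearch.yml" <<'EOF'
cluster.name: test-elk
node.name: node-1
network.host: 0.0.0.0
http.port: 9200
bootstrap.memory_lock: false
bootstrap.system_call_filter: false
EOF

es_banner_ok "$TMP/banner.json" node-1 test-elk && echo "banner ok: $(es_field "$TMP/banner.json" number)"
limits_ok elk "$TMP/limits.conf" || echo "limits.conf: nofile below 65536 or soft > hard"
audit_es_yml "$TMP/elasticsearch.yml"
```

Run it as the elk user on the node; point the three functions at /etc/security/limits.conf, the real elasticsearch.yml and a saved curl response to check the live setup instead of the constructed samples.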
Install Logstash
#wget https://artifacts.elastic.co/downloads/logstash/logstash-6.2.2.tar.gz
#tar -zxf logstash-6.2.2.tar.gz
#mv logstash-6.2.2 /usr/local/ELK/
Configure Logstash
This is the simplest possible configuration; it barely works. The harder ones are still being worked out....
$ vim /usr/local/ELK/logstash-6.2.2/config/elk.conf
input {
file {
type => "elk-hc_access"
path => "/data/logs/www/hc.log"
start_position => "beginning"
}
file {
type => "elk-hc_error"
path => "/data/logs/www/hc_err.log"
start_position => "beginning"
}
}
output {
elasticsearch {
hosts => ["xxx.xxx.xxx.102:9200"]
index => "%{type}-%{+YYYY.MM.dd}"
}
}
Start Logstash
#su - elk
$ cd /usr/local/ELK/logstash-6.2.2/bin/
$ ./logstash -f /usr/local/ELK/logstash-6.2.2/config/elk.conf &
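Starting the pipeline with a bare `&` gives no feedback if a log path is wrong or the config has a syntax error; the file input simply waits for a path that does not exist, so nothing is indexed and nothing obvious is logged. The wrapper below is an added example, not from the original post: it lists the `path => "..."` inputs declared in elk.conf, checks that the elk user can read them, runs Logstash's own syntax check (`--config.test_and_exit`, a real flag) and only then starts the pipeline detached from the shell. LS_HOME and CONF are the paths the post uses; LOG_OUT is an assumed location for the background process's output. The sample config and log files at the bottom are constructed so the checks can be tried without Logstash installed.

```sh
#!/bin/sh
# Added example, not from the original post: a pre-flight wrapper for the
# Logstash pipeline. LOG_OUT is an assumption, the other paths come from the post.
LS_HOME=/usr/local/ELK/logstash-6.2.2
CONF=$LS_HOME/config/elk.conf
LOG_OUT=/data/logs/logstash.out

# Print every file-input path declared as  path => "..."  in a pipeline config.
conf_input_paths() {
  sed -n 's/^[[:space:]]*path[[:space:]]*=>[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}

# 0 when every declared input path exists and is readable by the current user
# (the elk user here); otherwise print the unreadable paths and return 1.
inputs_readable() {
  missing=$(conf_input_paths "$1" | while IFS= read -r p; do
    [ -r "$p" ] || echo "$p"
  done)
  [ -z "$missing" ] || { printf 'unreadable input: %s\n' $missing; return 1; }
}

# Check the inputs, validate the config with Logstash's own syntax check,
# then start the pipeline with nohup so it survives the shell closing.
start_logstash() {
  inputs_readable "$CONF" || return 1
  "$LS_HOME/bin/logstash" -f "$CONF" --config.test_and_exit || return 1
  nohup "$LS_HOME/bin/logstash" -f "$CONF" >"$LOG_OUT" 2>&1 &
  echo "logstash started, pid $!"
}

# Constructed sample: one log that exists and one that is missing.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_CONF=$SAMPLE_DIR/elk.conf
: > "$SAMPLE_DIR/hc.log"
cat > "$SAMPLE_CONF" <<EOF
input {
  file {
    type => "elk-hc_access"
    path => "$SAMPLE_DIR/hc.log"
    start_position => "beginning"
  }
  file {
    type => "elk-hc_error"
    path => "$SAMPLE_DIR/hc_err.log"
    start_position => "beginning"
  }
}
output {
  elasticsearch {
    hosts => ["127.0.0.1:9200"]
    index => "%{type}-%{+YYYY.MM.dd}"
  }
}
EOF

inputs_readable "$SAMPLE_CONF" || echo "fix the paths above before calling start_logstash"
```

On the real host, call start_logstash as the elk user instead of the `./logstash ... &` line; the nginx log files under /data/logs/www must be readable by elk or the first check stops the start.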
Install Kibana
#wget https://artifacts.elastic.co/downloads/kibana/kibana-6.2.2-linux-x86_64.tar.gz
#tar -zxf kibana-6.2.2-linux-x86_64.tar.gz
#mv kibana-6.2.2-linux-x86_64 /usr/local/ELK/
Configure Kibana
$ vim /usr/local/ELK/kibana-6.2.2-linux-x86_64/config/kibana.yml
// uncomment and edit
server.port: 5601
server.host: "xxx.xxx.xxx.102"
elasticsearch.url: "http://localhost:9200"
Start Kibana
$ cd /usr/local/ELK/kibana-6.2.2-linux-x86_64/bin/
$ ./kibana &
Kibana login address
http://xxx.xxx.xxx.102:5601
PS:
In the web UI:
Management => enter the index pattern you defined, elk-hc_access* or elk-hc_error*
In the config:
index => "%{type}-%{+YYYY.MM.dd}" means that searching elk-hc_access* shows daily indices such as elk-hc_access-2018.03.14
Kill Kibana
#fuser -n tcp 5601
#kill -9 pid