elastic stack(一)软件安装启动

版本：elasticsearch 7.8.0、logstash 7.8.0、kibana 7.8.0(官网下载)   jdk 11

elk的启动账号（必须以非root账号启动）

• 1、检查本地jdk版本是匹配

java -version

 本地jdk环境是1.8（项目需求），此时需要在jdk中重新指定jdk版本

进入elasticsearch下bin目录的启动文件elasticsearch,配置如下：

#!/bin/bash

# CONTROLLING STARTUP:
#
# This script relies on a few environment variables to determine startup
# behavior, those variables are:
#
#   ES_PATH_CONF -- Path to config directory
#   ES_JAVA_OPTS -- External Java Opts on top of the defaults set
#
# Optionally, exact memory values can be set using the `ES_JAVA_OPTS`. Example
# values are "512m", and "10g".
#
#   ES_JAVA_OPTS="-Xms8g -Xmx8g" ./bin/elasticsearch
# 指定jdk11
export JAVA_HOME=/gfkdata/elk/jdk-11.0.8
export PATH=$JAVA_HOME/bin:$PATH

source "`dirname "$0"`"/elasticsearch-env

CHECK_KEYSTORE=true
DAEMONIZE=false
for option in "aaa@qq.com"; do
  case "$option" in
    -h|--help|-V|--version)
      CHECK_KEYSTORE=false
      ;;
    -d|--daemonize)
      DAEMONIZE=true
      ;;
  esac
done

if [ -z "$ES_TMPDIR" ]; then
  ES_TMPDIR=`"$JAVA" "$XSHARE" -cp "$ES_CLASSPATH" org.elasticsearch.tools.launchers.TempDirectory`
fi

# get keystore password before setting java options to avoid
# conflicting GC configurations for the keystore tools
unset KEYSTORE_PASSWORD
KEYSTORE_PASSWORD=
if [[ $CHECK_KEYSTORE = true ]] \
    && bin/elasticsearch-keystore has-passwd --silent
then
  if ! read -s -r -p "Elasticsearch keystore password: " KEYSTORE_PASSWORD ; then
    echo "Failed to read keystore password on console" 1>&2
    exit 1
  fi
fi

# The JVM options parser produces the final JVM options to start Elasticsearch.
# It does this by incorporating JVM options in the following way:
#   - first, system JVM options are applied (these are hardcoded options in the
#     parser)
#   - second, JVM options are read from jvm.options and jvm.options.d/*.options
#   - third, JVM options from ES_JAVA_OPTS are applied
#   - fourth, ergonomic JVM options are applied
ES_JAVA_OPTS=`export ES_TMPDIR; "$JAVA" "$XSHARE" -cp "$ES_CLASSPATH" org.elasticsearch.tools.launchers.JvmOptionsParser "$ES_PATH_CONF"`

# 添加jdk判断
if [ -x "$JAVA_HOME/bin/java" ]; then
        JAVA="/gfkdata/elk/jdk-11.0.8/bin/java"
else
        JAVA=`which java`
fi

# manual parsing to find out, if process should be detached
if [[ $DAEMONIZE = false ]]; then
  exec \
    "$JAVA" \
    "$XSHARE" \
    $ES_JAVA_OPTS \
    -Des.path.home="$ES_HOME" \
    -Des.path.conf="$ES_PATH_CONF" \
    -Des.distribution.flavor="$ES_DISTRIBUTION_FLAVOR" \
    -Des.distribution.type="$ES_DISTRIBUTION_TYPE" \
    -Des.bundled_jdk="$ES_BUNDLED_JDK" \
    -cp "$ES_CLASSPATH" \
    org.elasticsearch.bootstrap.Elasticsearch \
    "aaa@qq.com" <<<"$KEYSTORE_PASSWORD"
else
  exec \
    "$JAVA" \
    "$XSHARE" \
    $ES_JAVA_OPTS \
    -Des.path.home="$ES_HOME" \
    -Des.path.conf="$ES_PATH_CONF" \
    -Des.distribution.flavor="$ES_DISTRIBUTION_FLAVOR" \
    -Des.distribution.type="$ES_DISTRIBUTION_TYPE" \
    -Des.bundled_jdk="$ES_BUNDLED_JDK" \
    -cp "$ES_CLASSPATH" \
    org.elasticsearch.bootstrap.Elasticsearch \
    "aaa@qq.com" \
    <<<"$KEYSTORE_PASSWORD" &
  retval=$?
  pid=$!
  [ $retval -eq 0 ] || exit $retval
  if [ ! -z "$ES_STARTUP_SLEEP_TIME" ]; then
    sleep $ES_STARTUP_SLEEP_TIME
  fi
  if ! ps -p $pid > /dev/null ; then
    exit 1
  fi
  exit 0
fi

exit $?

                                                                                                                                                                                                                     
                                                                                                                                                                                                                  

elasticsearch相关配置

config/elasticsearch.yml        主配置文件

config/jvm.options                 jvm参数配置文件

config/log4j2.properties         日志配置文件

1、修改config目录下elasticsearch.yml配置文件（单机搭建）

####集群名称
cluster.name: my-application
####节点名称
node.name: node-1

#### 是否可以成为master节点
#node.master: true
# 是否允许该节点存储数据,默认开启
#node.data: true

####服务ip（支持外网访问）
network.host: 0.0.0.0
####服务端口(默认对外9200)
http.port: 9200

#### 支持跨域访问
#http.cors.enabled: true
#http.cors.allow-origin: "*"


####提供群集中可以成为master
discovery.seed_hosts: ["127.0.0.1"]

####手动指定可成为master的所有节点的name或者ip，这些配置将会在第一次选举中进行计算
cluster.initial_master_nodes: ["127.0.0.1:9300"]

2、更改默认内存配置(默认内存大小1个G)

-Xms256m
-Xmx256m

3、启动报错：max virtual memory areas vm.max_map_count [65530] is too low, increase to at least [262144]

解决方法：

vi /etc/sysctl.conf
vm.max_map_count=262144

####修改完 执行以下命令使之生效
sysctl -p

4、启动elasticsearch，bin目录下：./elasticsearch

5、访问启动是否成功 curl http://localhost:9200 (出现下图表示启动成功)

logstash相关配置

在config目录下创建自定义配置文件myes.conf，内容如下

nput{
        # 从文件读取日志信息、输送到控制台,以json格式输出
        file{
                path => "/var/log/messages"
                codec =>"json"
                type =>"system"
                start_position =>"beginning"
        }
}

#filter{
#
#}

output{
        # 标准输出
        # stdout{}
        # 输出进行格式化、采用Ruby库来解析日志
        stdout{
                codec=>rubydebug
        }
        elasticsearch{
                ###此处是elasticsearch的ip
                hosts =>"127.0.0.1:9200"
                ##根据每天创建索引
                index =>"system-%{+YYYY.MM.dd}"
        }
}

启动logstash：

启动指定配置文件： ./logstash -f ../config/myes.conf

logstash启动失败时，进入data目录删除.lock文件，重启

查询： ls -alh
删除.lock： rm .lock

kibana相关配置

进入config目录下

####端口
server.port: 5601
####服务ip支持外网访问
server.host: "0.0.0.0"
####服务名称
server.name: "mykibana"
####查询的elasticsearch实例的url
elasticsearch.hosts: ["http://localhost:9200"]

启动kibana，bin目录下 ./kibana

访问url :http://ip:9200/status   或者http://ip:5601/app/kibana

至此，elk单击环境搭建好