Setting up ELK on Linux

This is a failed example: CentOS 6.x cannot run ELK 7.x, and CentOS 7.x was not tested.
After switching to ELK 6.8.0 on CentOS 6.10 it works, and the configuration is basically the same.

Create the directory: /opt/elk
Download the software:
elasticsearch-7.2.0-linux-x86_64.tar.gz
kibana-7.2.0-linux-x86_64.tar.gz
logstash-7.2.0.tar.gz
openjdk-11.0.2_linux-x64_bin.tar.gz

elasticsearch

Extract elasticsearch

Run the start command from the bin directory:

# add -d to run it in the background
./elasticsearch

You may hit the following error:

org.elasticsearch.bootstrap.StartupException: java.lang.RuntimeException: can not run elasticsearch as root

It tells us Elasticsearch refuses to run as root, so create a dedicated user and give it the install tree:

# create the user
useradd elk
passwd elk
# hand the install tree to that user
chown -R elk:elk /opt/elk/

If it reports:

java.lang.UnsupportedOperationException: seccomp unavailable: CONFIG_SECCOMP not compiled into kernel, CONFIG_SECCOMP and CONFIG_SECCOMP_FILTER are needed

add the following to config/elasticsearch.yml. Note that this only tells Elasticsearch not to fail the check: the CentOS 6 kernel (2.6.32) has no seccomp filter support, so the system-call filter that Elasticsearch would otherwise install as a hardening measure is simply absent on this platform.

bootstrap.system_call_filter: false

To use your own JDK instead of the bundled one, add the following exports to the start script before launching:

export JAVA_HOME=/opt/elk/jdk-11.0.2
export PATH=$JAVA_HOME/bin:$PATH

With the settings above it generally runs. If it must be reachable from other hosts, set the following. Be aware that security (authentication, TLS) is not enabled out of the box in 6.8/7.2, so binding to 0.0.0.0 exposes an unauthenticated HTTP API, with full read/write and admin access to the cluster, to every host the firewall lets through; bind to the one interface you need and restrict the source addresses.

network.host: 0.0.0.0

As soon as Elasticsearch binds to a non-loopback address, the bootstrap checks turn from warnings into fatal errors, and startup reports:

[1]: max file descriptors [4096] for elasticsearch process is too low, increase to at least [65535]
[2]: max number of threads [1024] for user [elk] is too low, increase to at least [4096]
[3]: max virtual memory areas vm.max_map_count [65530] is too low, increase to at least [262144]
[4]: the default discovery settings are unsuitable for production use; at least one of [discovery.seed_hosts, discovery.seed_providers, cluster.initial_master_nodes] must be configured

So the system configuration needs changing:

# raise the open-file and process limits for the elk user (use * instead of elk to match all users)
# vi /etc/security/limits.conf
elk soft nofile 65536
elk hard nofile 65536
elk soft nproc 65536
elk hard nproc 65536
# CentOS 6 caps nproc for non-root users at 1024 in this file, which overrides limits.conf, so raise it here too
# vi /etc/security/limits.d/90-nproc.conf
elk soft nproc 4096
# virtual memory areas
# vi /etc/sysctl.conf
vm.max_map_count=655360
sysctl -p
# discovery: list this node as an initial master candidate
# vi config/elasticsearch.yml
# (the name must match node.name in the same file, which defaults to the hostname)
cluster.initial_master_nodes: ["node-1"]

Note: we often work in two terminals, one to edit the configuration and one to start the service, and the start still fails with the same limit errors. The values in limits.conf are applied by PAM when a session opens, so a shell that was logged in before the edit keeps the old limits; log in again and start Elasticsearch from the new session.

Start it and open http://192.168.1.240:9200/; remember to open port 9200 in the firewall, and only for the hosts that need it.
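A quick way to confirm that the three numeric limits above really apply to the account that starts Elasticsearch is to check them from a fresh login as that user before starting the service. The POSIX shell script below is an added example, not part of the original post or of Elasticsearch; its thresholds are the minimums from the error messages above, and the elk user is the one created earlier. The script name in the usage line is assumed: su - elk -c 'sh es-preflight.sh'.

```shell
# Added example: preflight for the Elasticsearch bootstrap limits quoted above.
# Thresholds are the minimums from the error messages; this is not Elasticsearch code.
ES_MIN_NOFILE=65535
ES_MIN_NPROC=4096
ES_MIN_MAP_COUNT=262144

# check_limit NAME CURRENT MINIMUM
# prints one verdict line; returns 0 if CURRENT >= MINIMUM, 1 if too low,
# 2 if CURRENT is not a number ("unlimited" counts as high enough)
check_limit() {
    name=$1; cur=$2; min=$3
    case "$cur" in
        unlimited) cur=999999999 ;;
        ''|*[!0-9]*) printf 'FAIL %s: unreadable value "%s"\n' "$name" "$2"; return 2 ;;
    esac
    if [ "$cur" -ge "$min" ]; then
        printf 'OK   %s = %s (min %s)\n' "$name" "$cur" "$min"
        return 0
    fi
    printf 'FAIL %s = %s, need at least %s\n' "$name" "$cur" "$min"
    return 1
}

# es_preflight: read the live limits of the current session and check each one.
# Run it as the elk user from a login opened AFTER editing limits.conf: PAM applies
# limits.conf at session start, so an older session still carries the old values.
es_preflight() {
    rc=0
    check_limit nofile "$(ulimit -n)" "$ES_MIN_NOFILE" || rc=1
    # bash and busybox use -u for the per-user process limit, dash uses -p
    nproc=$(ulimit -u 2>/dev/null) || nproc=$(ulimit -p 2>/dev/null)
    check_limit nproc "$nproc" "$ES_MIN_NPROC" || rc=1
    map=$(cat /proc/sys/vm/max_map_count 2>/dev/null || echo unknown)
    check_limit vm.max_map_count "$map" "$ES_MIN_MAP_COUNT" || rc=1
    return $rc
}

es_preflight || echo "fix the FAIL lines (and log in again) before starting elasticsearch" >&2
```

The vm.max_map_count value is read from /proc rather than via sysctl so the script works with the minimal PATH of a fresh su session; an OK on all three lines from a session opened as elk means the bootstrap checks will pass for that session.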

logstash

Add a configuration file logstash.conf:

input {
	# listens on all interfaces, port 4567; the default line codec makes one event per newline-terminated line
	tcp {
		port => 4567
	}
}
output {
	# one index per day, e.g. acgist-2019.07.01
	elasticsearch {
		hosts => "localhost:9200"
		index => "acgist-%{+YYYY.MM.dd}"
	}
}

Configure log4j (1.x). One caveat before copying this: log4j 1.x's SocketAppender does not use a layout. It serialises each LoggingEvent as a Java object and writes that to the socket, so the PatternLayout lines below have no effect on what is sent, and the Logstash tcp input above, which expects newline-delimited text, will not decode what arrives. The receiver that understands SocketAppender is the separate logstash-input-log4j plugin, which deserialises Java objects from whatever connects to it and is deprecated; sending plain text lines that follow the pattern below, whether from a file shipper or from the application itself, is the safer match for the tcp input.

log4j.appender.elk=org.apache.log4j.net.SocketAppender
log4j.appender.elk.Port=4567
log4j.appender.elk.RemoteHost=192.168.1.240
log4j.appender.elk.ReconnectionDelay=10000
log4j.appender.elk.layout=org.apache.log4j.PatternLayout
log4j.appender.elk.layout.ConversionPattern=[acgist] %d %p [%c] - %m%n

Start (from the bin directory): ./logstash -f logstash.conf >/dev/null &
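Because the tcp input treats every newline-terminated line as one event, anything that can reach port 4567 can feed it, and a message that contains a newline turns into extra, forged events (a message built from user input can produce a fake ERROR line attributed to another logger). The script below is an added example, not code from the page, log4j or Logstash: it renders events in the page's ConversionPattern, flattens control characters before the line leaves the host, and ships the line with nc. 192.168.1.240:4567 is the Logstash endpoint from the page; the use of nc and the sample messages are assumptions.

```shell
# Added example: line-oriented client for the Logstash tcp input above.
# Not part of the page, log4j or Logstash. Host and port are the page's values.
ELK_HOST=${ELK_HOST:-192.168.1.240}
ELK_PORT=${ELK_PORT:-4567}

# sanitize MESSAGE: turn CR, LF and every other control character into a space,
# so a message cannot end the line early and inject a second event
sanitize() {
    printf '%s' "$1" | tr '\001-\037\177' ' '
}

# format_event LEVEL LOGGER MESSAGE [TIMESTAMP]
# renders the page's layout "[acgist] %d %p [%c] - %m" without a trailing newline;
# TIMESTAMP defaults to now in log4j's ISO8601 form, with ",000" standing in for
# the milliseconds that a portable date(1) cannot supply
format_event() {
    ts=${4:-$(date '+%Y-%m-%d %H:%M:%S'),000}
    printf '[acgist] %s %s [%s] - %s' "$ts" "$1" "$2" "$(sanitize "$3")"
}

# send_event LEVEL LOGGER MESSAGE: one connection, one line, then close
# (some nc builds need -q 0 or -N to exit once stdin hits EOF)
send_event() {
    command -v nc >/dev/null 2>&1 || { echo "nc not installed" >&2; return 1; }
    printf '%s\n' "$(format_event "$1" "$2" "$3")" | nc "$ELK_HOST" "$ELK_PORT"
}

# Demonstration with a constructed message: the embedded fake ERROR event
# comes out as part of a single INFO line instead of a second event.
format_event INFO com.acgist.App "$(printf 'login failed for user\n[acgist] 2019-07-01 06:18:28,864 ERROR [com.acgist.Auth] - forged')"
echo
# send_event INFO com.acgist.App "login failed for user alice"
```

The same flattening belongs in whatever really writes the lines (the application's appender or the shipper); Logstash cannot tell a forged line from a real one once it has been split on the newline.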

kibana

Edit config/kibana.yml:

elasticsearch.hosts: ["http://localhost:9200"]

Start command:

bin/kibana

Since this is the newest Kibana and I am using CentOS 6, it reports:

  log   [06:18:28.864] [fatal][root] Error: /lib64/libc.so.6: version `GLIBC_2.14' not found (required by /opt/elk/kibana-7.2.0-linux-x86_64/node_modules/@elastic/nodegit/build/Release/nodegit.node)
    at Object.Module._extensions..node (internal/modules/cjs/loader.js:718:18)
    at Module.load (internal/modules/cjs/loader.js:599:32)
    at tryModuleLoad (internal/modules/cjs/loader.js:538:12)
    at Function.Module._load (internal/modules/cjs/loader.js:530:3)
    at Module.require (internal/modules/cjs/loader.js:637:17)
    at require (internal/modules/cjs/helpers.js:22:18)
    at Object.<anonymous> (/opt/elk/kibana-7.2.0-linux-x86_64/node_modules/@elastic/nodegit/dist/nodegit.js:12:12)
    at Module._compile (internal/modules/cjs/loader.js:689:30)
    at Module._compile (/opt/elk/kibana-7.2.0-linux-x86_64/node_modules/pirates/lib/index.js:99:24)
    at Module._extensions..js (internal/modules/cjs/loader.js:700:10)
    at Object.newLoader [as .js] (/opt/elk/kibana-7.2.0-linux-x86_64/node_modules/pirates/lib/index.js:104:7)
    at Module.load (internal/modules/cjs/loader.js:599:32)
    at tryModuleLoad (internal/modules/cjs/loader.js:538:12)
    at Function.Module._load (internal/modules/cjs/loader.js:530:3)
    at Module.require (internal/modules/cjs/loader.js:637:17)
    at require (internal/modules/cjs/helpers.js:22:18)
    at Object.require (/opt/elk/kibana-7.2.0-linux-x86_64/x-pack/plugins/code/server/git_operations.js:10:19)
    at Module._compile (internal/modules/cjs/loader.js:689:30)
    at Module._compile (/opt/elk/kibana-7.2.0-linux-x86_64/node_modules/pirates/lib/index.js:99:24)
    at Module._extensions..js (internal/modules/cjs/loader.js:700:10)
    at Object.newLoader [as .js] (/opt/elk/kibana-7.2.0-linux-x86_64/node_modules/pirates/lib/index.js:104:7)
    at Module.load (internal/modules/cjs/loader.js:599:32)

 FATAL  Error: /lib64/libc.so.6: version `GLIBC_2.14' not found (required by /opt/elk/kibana-7.2.0-linux-x86_64/node_modules/@elastic/nodegit/build/Release/nodegit.node)

This needs a glibc upgrade.

# Go straight to 2.17: after updating to 2.14 it then asked for 2.17. Don't pick a version that is too new, or other software on the system won't support it.
wget http://ftp.gnu.org/gnu/glibc/glibc-2.17.tar.gz
tar -zxvf glibc-2.17.tar.gz
cd glibc-2.17
mkdir build
cd build
../configure --prefix=/usr/local/glibc-2.17
make
make install
# The two lines below are what wrecks the system: every dynamically linked program
# (ln included) needs /lib64/libc.so.6, and libc.so.6 must come from the same glibc
# build as the installed dynamic loader (ld-linux) and the rest of the system libraries,
# which a libc built under a separate prefix does not.
rm /lib64/libc.so.6
LD_PRELOAD=/usr/local/glibc-2.17/lib/libc-2.17.so ln -s /usr/local/glibc-2.17/lib/libc-2.17.so /lib64/libc.so.6

And then it's dead. OK, I found that upgrading glibc is not that simple.
I'll just use ELK 6.x instead.

After switching all components to 6.8, startup warns:

[warning][security] Generating a random key for xpack.security.encryptionKey. To prevent sessions from being invalidated on restart, please set xpack.security.encryptionKey in kibana.yml
[warning][reporting] Generating a random key for xpack.reporting.encryptionKey. To prevent pending reports from failing on restart, please set xpack.reporting.encryptionKey in kibana.yml

Add to config/kibana.yml (each key must be a quoted string of at least 32 characters; use two different random values, the placeholders below only show the shape):

xpack.security.encryptionKey: "change-me-to-a-random-string-of-32-or-more-chars"
xpack.reporting.encryptionKey: "change-me-to-another-random-string-of-32-or-more-chars"

The value must be quoted: an unquoted value such as 123456 is parsed by YAML as a number, and Kibana fails with:

log   [08:35:00.427] [fatal][root] { ValidationError: child "xpack" fails because [child "security" fails because [child "encryptionKey" fails because ["encryptionKey" must be a string]]]

and it must be at least 32 characters long, otherwise:

log   [08:35:24.770] [fatal][root] Error: xpack.security.encryptionKey must be at least 32 characters. Please update the key in kibana.yml.

Both settings can be left out; the consequence is that login sessions are lost on every restart (and, per the second warning, pending reports fail). If you do set them, keep kibana.yml readable only by the user that runs Kibana, since these keys are what encrypt the session and report data.
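To set the two keys properly, generate random values that satisfy both rules above (a quoted string, 32 characters or more) rather than typing a short one. The snippet below is an added example, not from the page or from Kibana: it draws 32 bytes from /dev/urandom, renders them as 64 hex characters, checks the length rule, and prints the two lines to append to config/kibana.yml. The Kibana 6.8 install path in the usage comment and the 600 file mode are assumptions, not something the page states.

```shell
# Added example: generate the two Kibana encryption keys as random 64-hex-character
# strings and validate them against the length rule Kibana enforces.
# Not part of the page or of Kibana.
KIBANA_MIN_KEY_LEN=32

# gen_key: 32 random bytes from /dev/urandom, printed as 64 hex characters
gen_key() {
    dd if=/dev/urandom bs=32 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# key_ok KEY: returns 0 if KEY is long enough for xpack.*.encryptionKey
key_ok() {
    [ "${#1}" -ge "$KIBANA_MIN_KEY_LEN" ]
}

# kibana_keys_yaml: print the two kibana.yml lines; the values are double-quoted so
# YAML cannot read a digits-only key as a number (the "must be a string" error above)
kibana_keys_yaml() {
    sec=$(gen_key)
    rep=$(gen_key)
    key_ok "$sec" && key_ok "$rep" || return 1
    printf 'xpack.security.encryptionKey: "%s"\n' "$sec"
    printf 'xpack.reporting.encryptionKey: "%s"\n' "$rep"
}

kibana_keys_yaml
# append and protect (path assumed for a 6.8 install under /opt/elk):
#   kibana_keys_yaml >> /opt/elk/kibana-6.8.0-linux-x86_64/config/kibana.yml
#   chmod 600 /opt/elk/kibana-6.8.0-linux-x86_64/config/kibana.yml
```

Generate the keys once and keep them: changing either one later invalidates existing sessions or pending reports, which is exactly the restart symptom the warnings describe.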

Allow access from other hosts (the same exposure caveat as for Elasticsearch applies: without security enabled, anyone who can reach port 5601 has full use of Kibana and, through it, of the cluster, so restrict the source addresses in the firewall):

server.host: "0.0.0.0"

Set the UI language:

i18n.locale: "zh-CN"

Access URL: http://192.168.1.240:5601