Setting up ELK on Linux
This is a failed attempt: ELK 7.x cannot run on CentOS 6.x, and CentOS 7.x was not tested.
After switching to ELK 6.8.0 on CentOS 6.10 everything works, and the configuration is essentially the same.
Create the directory: /opt/elk
Download the software: elasticsearch-7.2.0-linux-x86_64.tar.gz, kibana-7.2.0-linux-x86_64.tar.gz, logstash-7.2.0.tar.gz, openjdk-11.0.2_linux-x64_bin.tar.gz
elasticsearch
Extract elasticsearch and run the start command:
# add the -d flag to run it in the background
./elasticsearch
You may run into the following error:
org.elasticsearch.bootstrap.StartupException: java.lang.RuntimeException: can not run elasticsearch as root
It tells us Elasticsearch must be started as a different user, so we create one:
# create the user
useradd elk
passwd elk
# give it ownership of the install directory
chown -R elk:elk /opt/elk/
If you see:
java.lang.UnsupportedOperationException: seccomp unavailable: CONFIG_SECCOMP not compiled into kernel, CONFIG_SECCOMP and CONFIG_SECCOMP_FILTER are needed
edit config/elasticsearch.yml and add:
bootstrap.system_call_filter: false
To use a custom JDK, add the following to the start script:
export JAVA_HOME=/opt/elk/jdk-11.0.2
export PATH=$JAVA_HOME/bin:$PATH
The configuration above is usually enough, but if Elasticsearch must be reachable from other hosts you also need to set:
network.host: 0.0.0.0
Once that is set, Elasticsearch's bootstrap checks are enforced and the following errors appear:
[1]: max file descriptors [4096] for elasticsearch process is too low, increase to at least [65535]
[2]: max number of threads [1024] for user [elk] is too low, increase to at least [4096]
[3]: max virtual memory areas vm.max_map_count [65530] is too low, increase to at least [262144]
[4]: the default discovery settings are unsuitable for production use; at least one of [discovery.seed_hosts, discovery.seed_providers, cluster.initial_master_nodes] must be configured
So we need to change the system configuration:
# raise the open-file and process limits for the elk user; replace elk with * to match all users
# vi /etc/security/limits.conf
elk soft nofile 65536
elk hard nofile 65536
elk soft nproc 65536
elk hard nproc 65536
# on CentOS 6 this file overrides the nproc limit from limits.conf, so raise it here as well
# vi /etc/security/limits.d/90-nproc.conf
elk soft nproc 4096
# virtual memory
# vi /etc/sysctl.conf
vm.max_map_count=655360
sysctl -p
# set the initial master node
# vi config/elasticsearch.yml
cluster.initial_master_nodes: ["node-1"]
Note: we often work in several session windows, editing the configuration in one and starting Elasticsearch in another. If the errors persist, simply log in again: the new limits only apply to sessions opened after the change.
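As an added example (not part of the original post), a pre-flight script that reads the live limits of the current session and compares them with the minimums quoted in the bootstrap errors above; run it as the elk user in a fresh login shell after editing the files:

```shell
#!/bin/sh
# Added example, not part of the original post: a pre-flight check for the three
# limits named in the Elasticsearch bootstrap errors. Run it as the elk user in a
# fresh login shell (limits.conf only applies to new sessions) before starting
# Elasticsearch. The minimums are the ones Elasticsearch itself reports.
MIN_NOFILE=65535
MIN_NPROC=4096
MIN_MAP_COUNT=262144

# check_limit NAME CURRENT MINIMUM
# Prints a verdict and returns 0 when CURRENT is "unlimited" or >= MINIMUM.
check_limit() {
    name=$1
    current=$2
    minimum=$3
    if [ "$current" = "unlimited" ]; then
        echo "OK   $name = unlimited"
        return 0
    fi
    case "$current" in
        '' | *[!0-9]*)
            echo "FAIL $name = '$current' (not a number; could the value be read?)"
            return 1
            ;;
    esac
    if [ "$current" -ge "$minimum" ]; then
        echo "OK   $name = $current (minimum $minimum)"
        return 0
    fi
    echo "FAIL $name = $current (raise it to at least $minimum)"
    return 1
}

# Reads the live values from this session and the kernel and returns the number
# of failed checks; a non-zero status means Elasticsearch will refuse to start
# once network.host points at a non-loopback address.
preflight() {
    failures=0
    map_count=$(cat /proc/sys/vm/max_map_count 2>/dev/null)
    check_limit "max file descriptors (ulimit -n)" "$(ulimit -n)" "$MIN_NOFILE"    || failures=$((failures + 1))
    check_limit "max user processes (ulimit -u)"   "$(ulimit -u)" "$MIN_NPROC"     || failures=$((failures + 1))
    check_limit "vm.max_map_count"                 "$map_count"   "$MIN_MAP_COUNT" || failures=$((failures + 1))
    return "$failures"
}

preflight || echo "$? check(s) failed; fix them and log in again before starting Elasticsearch"
```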
Start it and open http://192.168.1.240:9200/; remember to configure the firewall.
logstash
Add the configuration file logstash.conf:
input {
  tcp {
    port => 4567
  }
}
output {
  elasticsearch {
    hosts => "localhost:9200"
    index => "acgist-%{+YYYY.MM.dd}"
  }
}
Configure log4j to send the application's logs to the Logstash TCP input:
log4j.appender.elk=org.apache.log4j.net.SocketAppender
log4j.appender.elk.Port=4567
log4j.appender.elk.RemoteHost=192.168.1.240
log4j.appender.elk.ReconnectionDelay=10000
log4j.appender.elk.layout=org.apache.log4j.PatternLayout
log4j.appender.elk.layout.ConversionPattern=[acgist] %d %p [%c] - %m%n
Start it: ./logstash -f logstash.conf >/dev/null &
kibana
Edit config/kibana.yml:
elasticsearch.hosts: ["http://localhost:9200"]
Start command:
bin/kibana
Since this is the latest Kibana and I am running CentOS 6, it reports:
log [06:18:28.864] [fatal][root] Error: /lib64/libc.so.6: version `GLIBC_2.14' not found (required by /opt/elk/kibana-7.2.0-linux-x86_64/node_modules/@elastic/nodegit/build/Release/nodegit.node)
FATAL Error: /lib64/libc.so.6: version `GLIBC_2.14' not found (required by /opt/elk/kibana-7.2.0-linux-x86_64/node_modules/@elastic/nodegit/build/Release/nodegit.node)
This requires upgrading glibc:
# go straight to 2.17: after upgrading to 2.14 it still asks for 2.17; do not pick a version that is too new, or other software on the system will stop working
wget http://ftp.gnu.org/gnu/glibc/glibc-2.17.tar.gz
tar -zxvf glibc-2.17.tar.gz
cd glibc-2.17
mkdir build
cd build
../configure --prefix=/usr/local/glibc-2.17
make
make install
# removing the system libc breaks every dynamically linked program until the symlink is recreated
rm /lib64/libc.so.6
LD_PRELOAD=/usr/local/glibc-2.17/lib/libc-2.17.so ln -s /usr/local/glibc-2.17/lib/libc-2.17.so /lib64/libc.so.6
And then it all fell apart. Fine, I found out that upgrading glibc is not that simple.
I'll go with ELK 6.x instead.
After switching every component to 6.8, startup shows these warnings:
[warning][security] Generating a random key for xpack.security.encryptionKey. To prevent sessions from being invalidated on restart, please set xpack.security.encryptionKey in kibana.yml
[warning][reporting] Generating a random key for xpack.reporting.encryptionKey. To prevent pending reports from failing on restart, please set xpack.reporting.encryptionKey in kibana.yml
Add to config/kibana.yml:
xpack.security.encryptionKey: "123456"
xpack.reporting.encryptionKey: "123456"
The values must be quoted, otherwise you get:
log [08:35:00.427] [fatal][root] { ValidationError: child "xpack" fails because [child "security" fails because [child "encryptionKey" fails because ["encryptionKey" must be a string]]]
And they must be at least 32 characters long, otherwise:
log [08:35:24.770] [fatal][root] Error: xpack.security.encryptionKey must be at least 32 characters. Please update the key in kibana.yml.
Both settings can be left out; the main consequence is that login sessions are lost after a restart.
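An added example, not part of the original post, that enforces the two rules just described against a kibana.yml and prints a random replacement for any key that fails, since a value like "123456" is a session-cookie key and should not be guessable; the path /opt/elk/kibana/config/kibana.yml is an assumption (override it with KIBANA_YML):

```shell
#!/bin/sh
# Added example, not part of the original post: checks that the two Kibana
# encryption keys are double-quoted strings of at least 32 characters (the two
# constraints Kibana reports) and generates a random key to replace placeholders
# such as "123456". The kibana.yml path below is an assumption.
KIBANA_YML=${KIBANA_YML:-/opt/elk/kibana/config/kibana.yml}

# generate_encryption_key -> 48 hex characters read from /dev/urandom
generate_encryption_key() {
    head -c 24 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# check_encryption_key FILE SETTING
# Returns 0 when SETTING is present in FILE as a double-quoted string of
# at least 32 characters; prints the reason and returns 1 otherwise.
check_encryption_key() {
    file=$1
    setting=$2
    # escape the dots so the setting name is matched literally
    pattern=$(printf '%s' "$setting" | sed 's/\./\\./g')
    line=$(grep "^[[:space:]]*${pattern}:" "$file" 2>/dev/null | head -n 1)
    if [ -z "$line" ]; then
        echo "MISSING $setting: Kibana generates a new random key on every restart"
        return 1
    fi
    value=${line#*:}
    value=$(printf '%s' "$value" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
    case "$value" in
        \"*\")
            key=${value#\"}
            key=${key%\"}
            ;;
        *)
            echo "FAIL $setting is not a double-quoted string"
            return 1
            ;;
    esac
    if [ "${#key}" -lt 32 ]; then
        echo "FAIL $setting has ${#key} characters; Kibana requires at least 32"
        return 1
    fi
    echo "OK   $setting"
    return 0
}

for setting in xpack.security.encryptionKey xpack.reporting.encryptionKey; do
    check_encryption_key "$KIBANA_YML" "$setting" \
        || echo "  suggested: $setting: \"$(generate_encryption_key)\""
done
```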
Allow access from other hosts:
server.host: "0.0.0.0"
Set the locale:
i18n.locale: "zh-CN"
Open: http://192.168.1.240:5601