
ELK Step-by-Step Deployment Tutorial

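  1. First, download the installation packages from the official website. I used version 7.17.18 here; try to use the same version for every component.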
mkdir -p /data/elasticsearch /data/logstash /data/kibana
tar -zxvf elasticsearch-7.17.18-linux-x86_64.tar.gz
mv elasticsearch-7.17.18 /data/elasticsearch/
ln -Tfs elasticsearch-7.17.18/ elasticsearch
tar -zxvf logstash-7.17.18-linux-x86_64.tar.gz
mv logstash-7.17.18 /data/logstash/
ln -Tfs kibana-7.17.18-linux-x86_64/ kibana
tar -zxvf kibana-7.17.18-linux-x86_64.tar.gz
mv kibana-7.17.18-linux-x86_64 /data/kibana/
ln -Tfs logstash-7.17.18/ logstash
export JAVA_HOME=/path/to/your/java
export PATH=$JAVA_HOME/bin:$PATH

2. Set the passwords and the CA certificate

[root@localhost bin]# ./elasticsearch-certutil ca --out /home/elasticsearch/certs/elastic-stack-ca.p12
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.

The 'ca' mode generates a new 'certificate authority'
This will create a new X.509 certificate and private key that can be used
to sign certificate when running in 'cert' mode.

Use the 'ca-dn' option if you wish to configure the 'distinguished name'
of the certificate authority

By default the 'ca' mode produces a single PKCS#12 output file which holds:
    * The CA certificate
    * The CA's private key

If you elect to generate PEM format certificates (the -pem option), then the output will
be a zip file containing individual files for the CA certificate and private key

Directory /home/elasticsearch/certs does not exist. Do you want to create it? [Y/n]y
Enter password for elastic-stack-ca.p12 :  s4UY7ySFnrtxWUBe       # this is the certificate password you set

# Replace xxxxxxxx with your server's IP
./elasticsearch-certutil cert --name es1 \
--dns es1 \
--ip xxxxxxxx \
--ca /home/elasticsearch/certs/elastic-stack-ca.p12 \
--ca-pass s4UY7ySFnrtxWUBe \
--out /home/elasticsearch/certs/es1.p12

Write the startup scripts

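#### Elasticsearch startup script
[Unit]
Description=Elasticsearch
Wants=network-online.target
After=network-online.target

[Service]
# Startup type of the service
Type=forking
RuntimeDirectory=elasticsearch
PrivateTmp=true

# Environment= sets environment variables directly in the unit file
Environment=ES_HOME=/home/elasticsearch
Environment=ES_PATH_CONF=/home/elasticsearch/config
Environment=PID_DIR=/home/elasticsearch
Environment=ES_SD_NOTIFY=true

# Variable file in key=value format; its values can be referenced below, e.g. $OPTIONS
# EnvironmentFile= keeps the environment variables in a separate file so they are easier to manage and maintain. If a variable is defined in both places, the Environment= setting overrides the one from EnvironmentFile=.
# EnvironmentFile=-/etc/default/elasticsearch

# Working directory
WorkingDirectory=/home/elasticsearch

# User and group the service runs as
User=elastic
Group=elastic

# Start
ExecStart=/home/elasticsearch/bin/elasticsearch -d -p ${PID_DIR}/elasticsearch.pid
ExecReload=/bin/kill -HUP $MAINPID

# systemd restarts the service automatically when it exits with a non-success status
Restart=on-failure
# Time to wait before attempting a restart. This helps prevent an endless restart loop caused by a startup problem.
RestartSec=42s

# Standard output is redirected to journalctl because some error messages may be written to standard output before the Elasticsearch logging system is initialized. Elasticsearch stores its logs in the directory defined by {path.logs} and does not use journalctl by default. If you also want journalctl logging, simply remove the "quiet" option from ExecStart.
StandardOutput=journal
StandardError=inherit

# Maximum number of files this process may open
LimitNOFILE=655350
# Maximum number of processes this process may create
LimitNPROC=65535
# Maximum virtual memory
LimitAS=infinity
# Maximum file size
LimitFSIZE=infinity
# Stop timeout: 0 means never time out, wait until the process stops
TimeoutStopSec=0
# SIGTERM is the signal used to stop the Java process
KillSignal=SIGTERM
# Send the signal only to the JVM, not to its control group
KillMode=process
# The Java process is never forcibly killed
SendSIGKILL=no
# When the JVM receives SIGTERM it exits with code 143 (defined here as a normal exit status)
SuccessExitStatus=143
# Extend the timeout to allow a slow startup before the systemd notification module starts
TimeoutStartSec=900

[Install]
WantedBy=multi-user.target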
Elasticsearch manages its index files with mmapfs by default, which requires a large memory-mapped area. The current system setting vm.max_map_count=65530 is not enough and must be raised to 262144 or higher.
echo "vm.max_map_count=262144" >> /etc/sysctl.conf   # raise the limit
sysctl -p   # load the new value from /etc/sysctl.conf without a reboot
systemctl daemon-reload
systemctl restart elasticsearch.service
systemctl status elasticsearch.service
systemctl enable --now elasticsearch
cd /data/elasticsearch-7.17.24/bin
./elasticsearch-setup-passwords interactive
root@elk:/data/elasticsearch/bin# ./elasticsearch-setup-passwords interactive
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,kibana_system,logstash_system,beats_system,remote_monitoring_user.
You will be prompted to enter passwords as the process progresses.
Please confirm that you would like to continue [y/N]   y
Enter password for [elastic]: 
Reenter password for [elastic]: 
Enter password for [apm_system]: 
Reenter password for [apm_system]: 
Enter password for [kibana_system]: 
Reenter password for [kibana_system]: 
Enter password for [logstash_system]: 
Reenter password for [logstash_system]: 
Enter password for [beats_system]: 
Reenter password for [beats_system]: 
Enter password for [remote_monitoring_user]: 
Reenter password for [remote_monitoring_user]: 
Changed password for user [apm_system]
Changed password for user [kibana_system]
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [beats_system]
Changed password for user [remote_monitoring_user]
Changed password for user [elastic]
Verify the status
curl -u elastic:<password> 'http://192.168.0.111:19200/_cat/nodes?v'
curl -u elastic:<password> 'http://192.168.0.112:19200/_cat/nodes?v'
curl -u elastic:<password> 'http://192.168.0.113:19200/_cat/nodes?v'
curl -u elastic:<password> 'http://192.168.0.111:19200/_cat/health?v'
curl -XPOST -u elastic:<old-password> "http://localhost:9200/_security/user/elastic/_password" \
-H 'Content-Type: application/json' -d'{"password":"<new-password>"}'    # reset the password
root@elk:/data/elasticsearch/bin# curl  -u elastic:LsQ5dV\&nWYgXp\^ -X GET "http://192.168.2.5:9200/_cluster/health?pretty"
{
  "error" : {
    "root_cause" : [
      {
        "type" : "security_exception",
        "reason" : "unable to authenticate user [elastic] for REST request [/_cluster/health?pretty]",
        "header" : {
          "WWW-Authenticate" : "Basic realm=\"security\" charset=\"UTF-8\""
        }
      }
    ],
    "type" : "security_exception",
    "reason" : "unable to authenticate user [elastic] for REST request [/_cluster/health?pretty]",
    "header" : {
      "WWW-Authenticate" : "Basic realm=\"security\" charset=\"UTF-8\""
    }
  },
  "status" : 401
}
### Kibana startup script
[Unit]
Description=kibana
After=network.target

[Service]
User=elastic
Group=elastic
ExecStart=/usr/local/kibana/bin/kibana
ExecStop=/usr/bin/kill -15 $MAINPID
ExecReload=/usr/bin/kill -HUP $MAINPID
Restart=on-failure
RestartSec=42s
Type=simple
RemainAfterExit=yes
PrivateTmp=true
# file size
LimitFSIZE=infinity
# cpu time
LimitCPU=infinity
# virtual memory size
LimitAS=infinity
# open files
LimitNOFILE=65535
# processes/threads
LimitNPROC=64000
# locked memory
LimitMEMLOCK=infinity
# total threads (user+kernel)
TasksMax=infinity
TasksAccounting=false

[Install]
WantedBy=multi-user.target
###### Logstash startup script
root@elkSingle:/usr/lib/systemd/system# cat logstash.service 
[Unit]
Description=logstash
Wants=network-online.target
After=network-online.target

[Service]
User=root
ExecStart=/data/logstash/bin/logstash
Restart=always

[Install]
WantedBy=multi-user.target
##### Filebeat startup script
[Unit]
Description=filebeat server daemon
Documentation=https://www.elastic.co/guide/en/beats/filebeat/current/index.html
Wants=network-online.target
After=network-online.target

[Service]
User=root
Group=root
ExecStart=/data/filebeat/filebeat -e -c /data/filebeat/filebeat.yml
Restart=always

[Install]
WantedBy=multi-user.target
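
The steps above generate es1.p12 and set the built-in passwords, but the elasticsearch.yml that enables security and points at that keystore is not shown, and the Logstash and Filebeat units run as root. As an added example (not part of the original post), the script below audits both points: security and transport TLS are enabled, the PKCS#12 keystore is readable only by its owner, and units running as root are listed. The function names, the certs/ directory under the config directory and the sample files are assumptions constructed for illustration.

```bash
# Added example, not from the original post. Layout and sample files are assumed.

# Value of a top-level "key: value" line in a flat YAML file ("" if absent).
yml_get() {  # $1 = file, $2 = key
    awk -v k="$2:" 'index($0, k) == 1 { print substr($0, length(k) + 1) }' "$1" |
        tail -n 1 | tr -d "\"' \t"
}

# Security and transport TLS must be on, and the keystore private to its owner.
check_es_security() {  # $1 = elasticsearch.yml, $2 = config dir (ES_PATH_CONF)
    local yml="$1" conf="$2" rc=0 key ks
    for key in xpack.security.enabled xpack.security.transport.ssl.enabled; do
        [ "$(yml_get "$yml" "$key")" = "true" ] || { echo "FAIL $key != true"; rc=1; }
    done
    ks=$(yml_get "$yml" xpack.security.transport.ssl.keystore.path)
    case $ks in
        "") echo "FAIL no transport keystore configured"; return 1 ;;
        /*) ;;                   # absolute path, use as given
        *)  ks="$conf/$ks" ;;    # relative paths resolve against the config dir
    esac
    if [ ! -f "$ks" ]; then
        echo "FAIL keystore $ks not found"; rc=1
    elif [ "$(ls -l "$ks" | cut -c5-10)" != "------" ]; then
        echo "FAIL $ks is readable by group or others"; rc=1
    fi
    return $rc
}

# Names of the unit files whose service runs as root (User=root or no User=).
units_as_root() {  # $1 = directory holding *.service files
    local f user
    for f in "$1"/*.service; do
        [ -f "$f" ] || continue
        user=$(sed -n 's/^User=//p' "$f" | tail -n 1)
        case $user in ""|root) basename "$f" ;; esac
    done
}

# Demo on constructed sample files; nothing on the real system is touched.
demo=$(mktemp -d) && mkdir -p "$demo/config/certs" "$demo/units"
printf '%s\n' 'xpack.security.enabled: true' \
    'xpack.security.transport.ssl.enabled: true' \
    'xpack.security.transport.ssl.keystore.path: certs/es1.p12' \
    > "$demo/config/elasticsearch.yml"
: > "$demo/config/certs/es1.p12"; chmod 644 "$demo/config/certs/es1.p12"
printf '[Service]\nUser=root\n' > "$demo/units/logstash.service"
check_es_security "$demo/config/elasticsearch.yml" "$demo/config" || true
units_as_root "$demo/units"
rm -rf "$demo"
```

On a real host, pass the actual elasticsearch.yml with its ES_PATH_CONF directory, and the directory that holds the unit files.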