centos7部署elk集群(filebeat+kafka+logstash+elasticsearch+kibana)
es集群规划:中小型日志收集系统只需要部署(filebeat+elasticsearch+kibana)组合完全够用了
es-node01 192.168.121.30 elasticsearch,kibana,zookerper,kafka
es-node02 192.168.121.31 elasticsearch,logstash,zookerper,kafka
es-node03 192.168.121.32 elasticsearch,zookerper,kafka
kafka集群部署可以参考https://www.cnblogs.com/caidingyu/p/12336365.html
修改所有节点的默认内核参数
echo "vm.swappiness=0" >> /etc/sysctl.conf
echo "vm.max_map_count=655350" >> /etc/sysctl.conf
sysctl -p
修改所有节点的linux资源限制,永久生效
cat /etc/security/limits.conf|grep -v "^#"
* soft nofile 1024000
* hard nofile 1024000
* soft nproc unlimited
* hard nproc unlimited
* soft core unlimited
* hard core unlimited
* soft memlock unlimited
* hard memlock unlimited
执行下以下命令立即生效
ulimit -SHn 1024000
1、分别在3个节点下载并安装elasticsearch
cd /data
wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.6.0-x86_64.rpm
yum localinstall elasticsearch-7.6.0-x86_64.rpm
2、在node1安装kibana
cd /data
wget https://artifacts.elastic.co/downloads/kibana/kibana-7.6.0-x86_64.rpm
yum localinstall kibana-7.6.0-x86_64.rpm
3、在node2安装logstash
cd /data
wget https://artifacts.elastic.co/downloads/logstash/logstash-7.6.0.rpm
yum localinstall logstash-7.6.0.rpm
4、在需要采集的服务器上安装filebeat
cd /data
wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.6.0-x86_64.rpm
yum localinstall filebeat-7.6.0-x86_64.rpm
5、在任意节点配置生成ca证书用于xpack加密认证,一路回车,无需输入密码,默认证书文件位于path.data:指定的数据目录下,这里我们将其拷贝到所有节点的/etc/elasticsearch/目录下
/usr/share/elasticsearch/bin/elasticsearch-certutil ca
/usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
6、分别修改3个节点的elasticsearch配置文件
es-node01配置信息如下:
cluster.name: ES-cluster
node.name: node-1
node.attr.hotwarm_type: hot
path.data: /data/elasticsearch/data
path.logs: /data/elasticsearch/logs
bootstrap.memory_lock: true
network.host: 0.0.0.0
http.port: 19201
transport.tcp.port: 19301
discovery.seed_hosts: ["192.168.121.30:19301", "192.168.121.31:19302", "192.168.121.32:19303"]
cluster.initial_master_nodes: ["192.168.121.30:19301"]
gateway.recover_after_nodes: 2
gateway.recover_after_time: 5m
gateway.expected_nodes: 3
http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-headers: Authorization,X-Requested-With,Content-Length,Content-Type
indices.fielddata.cache.size: 20%
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/elastic-certificates.p12
es-node02配置信息如下:
[root@es-node02 elasticsearch]# cat elasticsearch.yml|grep -vE "^#"
cluster.name: ES-cluster
node.name: node-2
node.attr.hotwarm_type: cold
path.data: /data/elasticsearch/data01
path.logs: /data/elasticsearch/logs
bootstrap.memory_lock: true
network.host: 0.0.0.0
http.port: 19202
transport.tcp.port: 19302
discovery.seed_hosts: ["192.168.121.30:19301", "192.168.121.31:19302", "192.168.121.32:19303"]
cluster.initial_master_nodes: ["192.168.121.30:19301"]
gateway.recover_after_nodes: 2
gateway.recover_after_time: 5m
gateway.expected_nodes: 3
http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-headers: Authorization,X-Requested-With,Content-Length,Content-Type
indices.fielddata.cache.size: 20%
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/elastic-certificates.p12
es-node03配置信息如下:
cat elasticsearch.yml|grep -vE "^#"
cluster.name: ES-cluster
node.name: node-3
node.attr.hotwarm_type: cold
path.data: /data/elasticsearch/data01
path.logs: /data/elasticsearch/logs
bootstrap.memory_lock: true
network.host: 0.0.0.0
http.port: 19203
transport.tcp.port: 19303
discovery.seed_hosts: ["192.168.121.30:19301", "192.168.121.31:19302", "192.168.121.32:19303"]
cluster.initial_master_nodes: ["192.168.121.30:19301"]
gateway.recover_after_nodes: 2
gateway.recover_after_time: 5m
gateway.expected_nodes: 3
http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-headers: Authorization,X-Requested-With,Content-Length,Content-Type
indices.fielddata.cache.size: 20%
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/elastic-certificates.p12
7、修改默认的/usr/lib/systemd/system/elasticsearch.service文件,这里我们增加了一行LimitMEMLOCK=infinity,(由于前面配置信息中启用了bootstrap.memory_lock: true,默认为false,如果不启用可以不修改elasticsearch.service)
cat /usr/lib/systemd/system/elasticsearch.service
[Unit]
Description=Elasticsearch
Documentation=http://www.elastic.co
Wants=network-online.target
After=network-online.target
[Service]
LimitMEMLOCK=infinity
Type=notify
RuntimeDirectory=elasticsearch
PrivateTmp=true
Environment=ES_HOME=/usr/share/elasticsearch
Environment=ES_PATH_CONF=/etc/elasticsearch
Environment=PID_DIR=/var/run/elasticsearch
Environment=ES_SD_NOTIFY=true
EnvironmentFile=-/etc/sysconfig/elasticsearch
WorkingDirectory=/usr/share/elasticsearch
User=elasticsearch
Group=elasticsearch
ExecStart=/usr/share/elasticsearch/bin/elasticsearch -p ${PID_DIR}/elasticsearch.pid --quiet
# StandardOutput is configured to redirect to journalctl since
# some error messages may be logged in standard output before
# elasticsearch logging system is initialized. Elasticsearch
# stores its logs in /var/log/elasticsearch and does not use
# journalctl by default. If you also want to enable journalctl
# logging, you can simply remove the "quiet" option from ExecStart.
StandardOutput=journal
StandardError=inherit
# Specifies the maximum file descriptor number that can be opened by this process
LimitNOFILE=65535
# Specifies the maximum number of processes
LimitNPROC=4096
# Specifies the maximum size of virtual memory
LimitAS=infinity
# Specifies the maximum file size
LimitFSIZE=infinity
# Disable timeout logic and wait until process is stopped
TimeoutStopSec=0
# SIGTERM signal is used to stop the Java process
KillSignal=SIGTERM
# Send the signal only to the JVM rather than its control group
KillMode=process
# Java process is never killed
SendSIGKILL=no
# When a JVM receives a SIGTERM signal it exits with code 143
SuccessExitStatus=143
[Install]
WantedBy=multi-user.target
8、分别启动node1、node2、node3的elasticsearch服务
systemctl start elasticsearch
systemctl status elasticsearch
systemctl enable elasticsearch
9、启动es集群以后,使用以下指令来初始化各个用户的密码,密码自行设置
/usr/share/elasticsearch/bin/elasticsearch-setup-passwords interactive
Enter password for [elastic]:
Reenter password for [elastic]:
Enter password for [apm_system]:
Reenter password for [apm_system]:
Enter password for [kibana]:
Reenter password for [kibana]:
Enter password for [logstash_system]:
Reenter password for [logstash_system]:
Enter password for [beats_system]:
Reenter password for [beats_system]:
Enter password for [remote_monitoring_user]:
Reenter password for [remote_monitoring_user]:
Changed password for user [apm_system]
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [beats_system]
Changed password for user [remote_monitoring_user]
Changed password for user [elastic]
10、检查集群状态是否正常,集群状态正常可以返回以下参数,注意status是否为green(elastic:xxxxxxx为步骤9中生成的elastic账户和密码)
curl -XGET --user elastic:xxxxxxx http://localhost:19201/_cluster/health?pretty
{
"cluster_name" : "ES-cluster",
"status" : "green",
"timed_out" : false,
"number_of_nodes" : 3,
"number_of_data_nodes" : 3,
"active_primary_shards" : 13,
"active_shards" : 23,
"relocating_shards" : 0,
"initializing_shards" : 0,
"unassigned_shards" : 0,
"delayed_unassigned_shards" : 0,
"number_of_pending_tasks" : 0,
"number_of_in_flight_fetch" : 0,
"task_max_waiting_in_queue_millis" : 0,
"active_shards_percent_as_number" : 100.0
}
11、修改kibana配置文件,配置文件中的账户密码为步骤9中生成的kibana账户和密码
cat /etc/kibana/kibana.yml|grep -vE "^#|^$"
server.port: 5601
server.host: "0.0.0.0"
elasticsearch.hosts: ["http://192.168.121.30:19201"]
kibana.index: ".kibana"
elasticsearch.username: "kibana"
elasticsearch.password: "xxxxxxxxx"
i18n.locale: "zh-CN"
12、启动kibana服务并访问kibana所在的节点,并使用elastic的账户和密码进行登录,验证是否kibana是否搭建成功
systemctl start kibana
systemctl status kibana
systemctl enable kibana
在浏览器中访问http://192.168.121.30:5601/
13、待续