ELK 安装

2017-06-19

本文测试环境为 CentOS 7，ELK 版本为 5.4.1。软件可以在官方网站下载得到，也可在百度云下载。

基本安装

Elasticsearch

# Install
[root@localhost elasticsearch]# rpm -ivh elasticsearch-5.4.1.rpm

# Query conf files
[root@localhost elasticsearch]# rpm -qc elasticsearch
/etc/elasticsearch/elasticsearch.yml
/etc/elasticsearch/jvm.options
/etc/elasticsearch/log4j2.properties
/etc/elasticsearch/scripts
/etc/init.d/elasticsearch
/etc/sysconfig/elasticsearch
/usr/lib/sysctl.d/elasticsearch.conf
/usr/lib/systemd/system/elasticsearch.service

# Start service
[root@localhost elasticsearch]# service elasticsearch start
Starting elasticsearch (via systemctl):                    [  OK  ]
[root@localhost elasticsearch]# service elasticsearch status
......

# Check listening ports
[root@localhost elasticsearch]# netstat -nltp | grep 9200
tcp6       0      0 127.0.0.1:9200          :::*                    LISTEN      5477/java           
tcp6       0      0 ::1:9200                :::*                    LISTEN      5477/java

# Test
[root@localhost elasticsearch]# curl http://localhost:9200/
{
  "name" : "HtPtyDo",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "kckhCrsHQGigCMUpZVLiQg",
  "version" : {
    "number" : "5.4.1",
    "build_hash" : "2cfe0df",
    "build_date" : "2017-05-29T16:05:51.443Z",
    "build_snapshot" : false,
    "lucene_version" : "6.5.1"
  },
  "tagline" : "You Know, for Search"
}

Kibana

[root@localhost elasticsearch]# rpm -ivh kibana-5.4.1-x86_64.rpm 
[root@localhost elasticsearch]# rpm -qc kibana
/etc/kibana/kibana.yml

# Alter conf file
[root@localhost elasticsearch]# vim /etc/kibana/kibana.yml
# Kibana is served by a back end server. This setting specifies the port to use.
#server.port: 5601

# Specifies the address to which the Kibana server will bind. IP addresses and host names are both valid values.
# The default is 'localhost', which usually means remote machines will not be able to connect.
# To allow connections from remote users, set this parameter to a non-loopback address.
server.host: "192.168.0.201"
......
# The URL of the Elasticsearch instance to use for all your queries.
elasticsearch.url: "http://localhost:9200"

# Start service
[root@localhost elasticsearch]# service kibana start

浏览器打开 http://192.168.0.201:5601，进入 Dev Tools，执行请求，就可以得到如下结果

Logstash

[root@localhost elasticsearch]# rpm -ivh logstash-5.4.1.rpm 
[root@localhost elasticsearch]# rpm -qc logstash
/etc/logstash/jvm.options
/etc/logstash/logstash.yml
/etc/logstash/startup.options
[root@localhost xiehongfeng100]# service logstash start

# Create a simple conf file
# Ref: https://www.elastic.co/guide/en/logstash/current/configuration.html
[root@localhost logstash]# pwd
/usr/share/logstash
[root@localhost logstash]# cat logstash-simple.conf 
input { stdin { } }
output {
  elasticsearch { hosts => ["localhost:9200"] }
  stdout { codec => rubydebug }
}
[root@localhost logstash]# bin/logstash -f logstash-simple.conf
......
Hello World!		# 手动输入
{
    "@timestamp" => 2017-06-19T15:55:58.113Z,
      "@version" => "1",
          "host" => "localhost.localdomain",
       "message" => "Hello World!"
}
......

除了会在控制台输出，通过配置 Index Pattern 也可以在 Kibana 上同步输出。首先配置 Kibana（因为 Elasticsearch 识别到 pattern 需要时间，所以一下可能需要稍等一点时间才能看到 pattern）：

通过搜索关键字就可以看到我们刚刚的输入：

关于更复杂的 Logstash 配置样例可参考官网样例。写的简单易懂，必看。

插件 X-Pack

接下来我们就要为 ELK 安装上强大的插件 X-Pack：

[root@localhost share]# pwd
/usr/share

[root@localhost share]# elasticsearch/bin/elasticsearch-plugin install file:///home/xiehongfeng100/elasticsearch/x-pack-5.4.1.zip
[root@localhost share]# kibana/bin/kibana-plugin install file:///home/xiehongfeng100/elasticsearch/x-pack-5.4.1.zip
[root@localhost share]# logstash/bin/logstash-plugin install file:///home/xiehongfeng100/elasticsearch/x-pack-5.4.1.zip

[root@localhost share]# service elasticsearch restart
[root@localhost share]# service kibana restart
[root@localhost share]# service logstash restart

我们再次在浏览器打开 Kibana 页面，发现需要用户名密码登录。X-Pack 会默认为我们新建 3 个默认的用户：elastic、kibana 及 logstash_system，其中 elastic 是超级管理员。它们的默认密码都是 changeme。我们用 elastic/changeme 登录 kibana，可以发现页面多了几个组件：

这是，我们再执行上文中的 logstash 命令收集收入信息，就会得到如下错误：

[root@localhost logstash]# bin/logstash -f logstash-simple.conf
......
error=>"Got response code '401' contacting Elasticsearch at URL 'http://localhost:9200/'"}
......

也就是说，logstash 连接 elasticsearch 服务失败了，因为现在连接到后者需要认证信息。我们改动如下就可以了：

Ref: https://www.elastic.co/guide/en/x-pack/current/logstash.html

[root@localhost logstash]# tail -n 3 /etc/logstash/logstash.yml
#xpack.monitoring.elasticsearch.url: http://localhost:9200
xpack.monitoring.elasticsearch.username: logstash_system
xpack.monitoring.elasticsearch.password: changeme
[root@localhost logstash]# service logstash restart

[root@localhost logstash]# cat logstash-simple.conf
input { stdin { } }
output {
  elasticsearch { 
    hosts => ["localhost:9200"]
    user => 'elastic'	# Can be other user
    password => 'changeme'
  }
  stdout { codec => rubydebug }
}

[root@localhost logstash]# bin/logstash -f logstash-simple.conf
# Success this time!

基本安装

Elasticsearch

Kibana

Logstash

插件 X-Pack

官方教程