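Building an ELK log-processing cluster step by step (tested by the author)
The Linux release used below is CentOS 7; CentOS 6.5 may run into problems.
ELK cluster setup manual
1. Environment preparation:
Three Linux servers with the following IP addresses: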
192.168.25.30
192.168.25.31
192.168.25.32
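
Role assignment:
All three machines get JDK 1.8, because Elasticsearch is written in Java
All three machines get Elasticsearch (abbreviated as ES from here on)
192.168.25.30 is the master node
192.168.25.31 and 192.168.25.32 are data nodes
Kibana is installed on the master node
Logstash is installed on 192.168.25.31
Filebeat is installed on 192.168.25.32

ELK version information: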
Elasticsearch-6.4.2
logstash-6.4.2
kibana-6.4.2
filebeat-6.4.2
Set the hosts file on all three machines to the following:
$ vim /etc/hosts
192.168.25.30 data-node-0
192.168.25.31 data-node-1
192.168.25.32 data-node-2
Then disable the firewall, or flush the firewall rules, on all three machines.
2. Installing the Java environment
Package version: jdk-8u25-linux-x64.tar.gz
    # tar -zxvf jdk-8u25-linux-x64.tar.gz
    # cd jdk1.8.0_25/
    # mkdir -p /app/jdk
    # cp -r ../jdk1.8.0_25 /app/jdk
    # vim /etc/profile
Append the following lines at the end:
    export JAVA_HOME=/app/jdk/jdk1.8.0_25
    export PATH=$JAVA_HOME/bin:$JAVA_HOME/jre/bin:$PATH:$HOME/bin
    export CLASSPATH=.:$JAVA_HOME/lib/dt.jar:$JAVA_HOME/jre/lib/tools.jar
Check the installation:
    # source /etc/profile
    # java -version
    java version "1.8.0_25"
    Java(TM) SE Runtime Environment (build 1.8.0_25-b17)
    Java HotSpot(TM) 64-Bit Server VM (build 25.25-b02, mixed mode)
    # javac
    Usage: javac <options> <source files>
    where possible options include:
      -g                         Generate all debugging info
      -g:none                    Generate no debugging info
      -g:{lines,vars,source}     Generate only some debugging info
      -nowarn                    Generate no warnings
      -verbose                   Output messages about what the compiler is doing
      -deprecation               Output source locations where deprecated APIs are used
      -classpath <path>          Specify where to find user class files and annotation processors
      -cp <path>                 Specify where to find user class files and annotation processors
      -sourcepath <path>         Specify where to find input source files
      -bootclasspath <path>      Override location of bootstrap class files
      -extdirs <dirs>            Override location of installed extensions
      -endorseddirs <dirs>       Override location of endorsed standards path
      -proc:{none,only}          Control whether annotation processing and/or compilation is done.
      -processor <class1>[,<class2>,<class3>...] Names of the annotation processors to run; bypasses default discovery process
      -processorpath <path>      Specify where to find annotation processors
      -parameters                Generate metadata for reflection on method parameters
      -d <directory>             Specify where to place generated class files
      -s <directory>             Specify where to place generated source files
      -h <directory>             Specify where to place generated native header files
      -implicit:{none,class}     Specify whether or not to generate class files for implicitly referenced files
      -encoding <encoding>       Specify character encoding used by source files
      -source <release>          Provide source compatibility with specified release
      -target <release>          Generate class files for specific VM version
      -profile <profile>         Check that API used is available in the specified profile
      -version                   Version information
      -help                      Print a synopsis of standard options
      -Akey[=value]              Options to pass to annotation processors
      -X                         Print a synopsis of nonstandard options
      -J<flag>                   Pass <flag> directly to the runtime system
      -Werror                    Terminate compilation if warnings occur
      @<filename>                Read options and filenames from file
Java is installed successfully.
3. Installing Elasticsearch (ES for short)
Install ES:
Download the package elasticsearch-6.4.2.rpm: https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-6.4.2.rpm

    # wget -O /app/elasticsearch-6.4.2.rpm https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-6.4.2.rpm
    # cd /app
    # rpm -ivh elasticsearch-6.4.2.rpm

    warning: elasticsearch-6.4.2.rpm: Header V4 RSA/SHA512 Signature, key ID d88e42b4: NOKEY
    Preparing...                          ################################# [100%]
    Creating elasticsearch group... OK
    Creating elasticsearch user... OK
    Updating / installing...
       1:elasticsearch-0:6.4.2-1          ################################# [100%]
    ### NOT starting on installation, please execute the following statements to configure elasticsearch service to start automatically using systemd
     sudo systemctl daemon-reload
     sudo systemctl enable elasticsearch.service
    ### You can start elasticsearch service by executing
     sudo systemctl start elasticsearch.service
    Created elasticsearch keystore in /etc/elasticsearch

Configure ES:
The Elasticsearch configuration lives under /etc/elasticsearch/ and in the file /etc/sysconfig/elasticsearch. The elasticsearch.yml file holds the cluster and node settings, while the /etc/sysconfig/elasticsearch file holds settings for the service itself, such as the path of a configuration file and Java-related paths.
    # cd /etc/elasticsearch/
    # ll
    total 28
    -rw-rw---- 1 root elasticsearch  207 Nov  5 11:48 elasticsearch.keystore
    -rw-rw---- 1 root elasticsearch 2869 Sep 26 21:39 elasticsearch.yml
    -rw-rw---- 1 root elasticsearch 3009 Sep 26 21:39 jvm.options
    -rw-rw---- 1 root elasticsearch 6380 Sep 26 21:39 log4j2.properties
    -rw-rw---- 1 root elasticsearch  473 Sep 26 21:39 role_mapping.yml
    -rw-rw---- 1 root elasticsearch  197 Sep 26 21:39 roles.yml
    -rw-rw---- 1 root elasticsearch    0 Sep 26 21:39 users
    -rw-rw---- 1 root elasticsearch    0 Sep 26 21:39 users_roles

    # ll /etc/sysconfig/elasticsearch
    -rw-rw---- 1 root elasticsearch 1613 Sep 26 21:39 /etc/sysconfig/elasticsearch

Create the data and logs directories on every node:
    # mkdir -p /app/elk/elasticsearch/data
    # mkdir -p /app/elk/elasticsearch/logs
    # chown -R elasticsearch /app/elk/elasticsearch/

Now configure the cluster nodes. On the master node 192.168.25.30, edit the configuration file:
    # vim /etc/elasticsearch/elasticsearch.yml
Add or modify the following (add what is missing, change what exists):
    path.data: /app/elk/elasticsearch/data
    path.logs: /app/elk/elasticsearch/logs
    cluster.name: elk-test  # name of the cluster
    node.name: data-node-0  # name of this node
    node.master: true  # whether this node can be elected master
    node.data: false   # this node is not a data node
    network.host: 0.0.0.0  # listen on all IPs; in a real environment this should be a secure IP
    http.port: 9200   # port of the ES service
    discovery.zen.ping.unicast.hosts: ["192.168.25.30", "192.168.25.31", "192.168.25.32"]   # node discovery

Then, on the other nodes 192.168.25.31 and 192.168.25.32, edit the configuration file and add or modify the following:
    path.data: /app/elk/elasticsearch/data
    path.logs: /app/elk/elasticsearch/logs
    cluster.name: elk-test  # name of the cluster
    node.name: data-node-?  # name of this node; keep it consistent with the hosts entries configured earlier
    node.master: true  # whether this node can be elected master
    node.data: true   # this node is a data node
    network.host: 0.0.0.0  # listen on all IPs; in a real environment this should be a secure IP
    http.port: 9200   # port of the ES service
    discovery.zen.ping.unicast.hosts: ["192.168.25.30", "192.168.25.31", "192.168.25.32"]   # node discovery

Set the Java path in /etc/sysconfig/elasticsearch:
    # vim /etc/sysconfig/elasticsearch
    JAVA_HOME=/app/jdk/jdk1.8.0_25

With the configuration above in place, start the ES service on the master node first; once the master node is up, start the ES service on the other nodes:
    # systemctl start elasticsearch.service
    # systemctl status elasticsearch.service
    ● elasticsearch.service - Elasticsearch
       Loaded: loaded (/usr/lib/systemd/system/elasticsearch.service; disabled; vendor preset: disabled)
       Active: active (running) since Mon 2018-11-05 14:30:56 CST; 2s ago
         Docs: http://www.elastic.co
     Main PID: 522372 (java)
       CGroup: /system.slice/elasticsearch.service
               ├─522372 /app/jdk/jdk1.8.0_25/bin/java -Xms1g -Xmx1g -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -XX:+AlwaysPreTouch -Xss1m -...
               └─522574 /usr/share/elasticsearch/modules/x-pack-ml/platform/linux-x86_64/bin/controller

    Nov 05 14:30:56 cnsz22pl1030 systemd[1]: Started Elasticsearch.
    Nov 05 14:30:56 cnsz22pl1030 systemd[1]: Starting Elasticsearch...

Installation succeeded.
Check the health of the installed cluster:
    # curl '192.168.25.30:9200/_cluster/health?pretty'
    {
      "cluster_name" : "master-node",
      "status" : "green",
      "timed_out" : false,
      "number_of_nodes" : 3,
      "number_of_data_nodes" : 2,
      "active_primary_shards" : 0,
      "active_shards" : 0,
      "relocating_shards" : 0,
      "initializing_shards" : 0,
      "unassigned_shards" : 0,
      "delayed_unassigned_shards" : 0,
      "number_of_pending_tasks" : 0,
      "number_of_in_flight_fetch" : 0,
      "task_max_waiting_in_queue_millis" : 0,
      "active_shards_percent_as_number" : 100.0
    }

View the detailed cluster state:
    # curl '192.168.25.30:9200/_cluster/state?pretty'
4. Installing Kibana
Kibana only needs to be installed on the master node 192.168.25.30. Because Kibana is developed with Node.js, its process name is node.
Download the RPM package: kibana-6.4.2-x86_64.rpm
Download URL: https://artifacts.elastic.co/downloads/kibana/kibana-6.4.2-x86_64.rpm
If the host has Internet access, you can also run the following command:
    # wget -O /app/kibana-6.4.2-x86_64.rpm https://artifacts.elastic.co/downloads/kibana/kibana-6.4.2-x86_64.rpm

    # cd /app
    # rpm -ivh kibana-6.4.2-x86_64.rpm
    warning: kibana-6.4.2-x86_64.rpm: Header V4 RSA/SHA512 Signature, key ID d88e42b4: NOKEY
    Preparing...                          ################################# [100%]
    Updating / installing...
       1:kibana-6.4.2-1                   ################################# [100%]

Configure Kibana:
    # vim /etc/kibana/kibana.yml
Add or modify the following items:
    server.port: 5601  # Kibana port
    server.host: 192.168.25.30  # listening IP
    elasticsearch.url: "http://192.168.25.30:9200"  # IP of the ES server; for a cluster, use the IP of the cluster's master node
    logging.dest: /var/log/kibana.log  # path of the Kibana log file; otherwise logs are written to messages by default

Because a log path has been configured, the log file has to be created:
    # touch /var/log/kibana.log
    # chmod 777 /var/log/kibana.log

Start the Kibana service, then check the process and the listening port:
    # systemctl start kibana
    # systemctl status kibana
    ● kibana.service - Kibana
       Loaded: loaded (/etc/systemd/system/kibana.service; disabled; vendor preset: disabled)
       Active: active (running) since Mon 2018-11-05 15:09:00 CST; 4s ago
     Main PID: 146989 (node)
       CGroup: /system.slice/kibana.service
               └─146989 /usr/share/kibana/bin/../node/bin/node --no-warnings /usr/share/kibana/bin/../src/cli -c /etc/kibana/kibana.yml

    Nov 05 15:09:00 cnsz22pl1030 systemd[1]: Started Kibana.
    Nov 05 15:09:00 cnsz22pl1030 systemd[1]: Starting Kibana...

    # ps aux |grep kibana
    kibana   146989 47.0  0.0 1349520 269736 ?       Ssl  15:09   0:29 /usr/share/kibana/bin/../node/bin/node --no-warnings /usr/share/kibana/bin/../src/cli -c /etc/kibana/kibana.yml
    root     150923  0.0  0.0 112644   952 pts/1    R+   15:10   0:00 grep --color=auto kibana

    # netstat -lntp |grep 5601
    tcp        0      0 127.0.0.1:5601          0.0.0.0:*               LISTEN      146989/node
That completes the Kibana installation, which is simple. Next comes Logstash; without it Kibana cannot be used.
5. Installing Logstash
Install Logstash on 192.168.25.31. Note that Logstash does not currently support JDK 1.9.
Download the RPM package logstash-6.4.2.rpm from:
https://artifacts.elastic.co/downloads/logstash/logstash-6.4.2.rpm
If the host has Internet access, you can download it directly with:
    # wget -O /app/logstash-6.4.2.rpm https://artifacts.elastic.co/downloads/logstash/logstash-6.4.2.rpm

    # rpm -ivh logstash-6.4.2.rpm
    warning: logstash-6.4.2.rpm: Header V4 RSA/SHA512 Signature, key ID d88e42b4: NOKEY
    Preparing...                          ################################# [100%]
    Updating / installing...
       1:logstash-1:6.4.2-1               ################################# [100%]
    Using provided startup.options file: /etc/logstash/startup.options
    Successfully created system startup script for Logstash

Set the environment variable:
    # vim /etc/default/logstash
Add the following item:
    JAVA_HOME=/app/jdk/jdk1.8.0_25

Change the log storage path:
    # mkdir -p /app/elk/logstash/data
    # mkdir -p /app/elk/logstash/logs
    # chown -R logstash /app/elk/logstash/

Edit the configuration file:
    # vim /etc/logstash/logstash.yml
Set the following items to these values:
    path.data: /app/elk/logstash/data
    http.host: "192.168.25.31"
    path.logs: /app/elk/logstash/logs

After installation, do not start the service yet. First configure Logstash to collect syslog logs:
    # vim /etc/logstash/conf.d/syslog.conf
Add the following content:
    input {  # define the log source
      syslog {
        type => "system-syslog"  # define the type
        port => 10514    # define the listening port
      }
    }
    output {  # define the output
      elasticsearch {
        hosts => ["192.168.25.30:9200","192.168.25.31:9200","192.168.25.32:9200"]  # IPs of the ES servers
        index => "system-syslog-%{+YYYY.MM.dd}" # define the index
      }
    }

Check the configuration file for errors:
    # cd /usr/share/logstash/bin
    # ./logstash --path.settings /etc/logstash/ -f /etc/logstash/conf.d/syslog.conf --config.test_and_exit
    Sending Logstash logs to /var/log/logstash which is now configured via log4j2.properties
    [2018-11-05T16:20:07,997][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified
    Configuration OK
    [2018-11-05T16:20:09,448][INFO ][logstash.runner          ] Using config.test_and_exit mode. Config Validation Result: OK. Exiting Logstash
Configuration OK  # OK means the configuration file has no problems
Command notes:
Configure the Logstash server's IP and the listening port configured above:
    # vim /etc/rsyslog.conf
    #### RULES ####
    *.* @@192.168.25.31:10514

Restart rsyslog so the configuration takes effect:
    # systemctl restart rsyslog

Start Logstash and check the service status:
    # systemctl start logstash
    # systemctl status logstash
6. Installing Filebeat
Install Filebeat on 192.168.25.32.
Download the RPM package filebeat-6.4.2-x86_64.rpm from:
https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-6.4.2-x86_64.rpm
If the host being installed has direct Internet access, you can also download it with:
    # wget -O /app/filebeat-6.4.2-x86_64.rpm https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-6.4.2-x86_64.rpm

Once the download finishes, run the install command:
    # rpm -ivh filebeat-6.4.2-x86_64.rpm
    warning: filebeat-6.4.2-x86_64.rpm: Header V4 RSA/SHA512 Signature, key ID d88e42b4: NOKEY
    Preparing...                          ################################# [100%]
    Updating / installing...
       1:filebeat-6.4.2-1                 ################################# [100%]
After installation, edit the configuration file:
    # vim /etc/filebeat/filebeat.yml
    - type: log
      # Change to true to enable this input configuration.
      enabled: true
    #================== Kibana=====================================
    setup.kibana:
      host: "192.168.25.30:5601"
    #==================== Outputs =================================
    # Configure what output to use when sending the data collected by the beat.
    #-------------------------- Elasticsearch output ------------------------------
    output.elasticsearch:
      # Array of hosts to connect to.
      hosts: ["192.168.25.30:9200","192.168.25.31:9200","192.168.25.32:9200"]
The following configuration is optional; set it according to actual needs:
    #----------------------------- Logstash output --------------------------------
    #output.logstash:
      # The Logstash hosts
      #hosts: ["192.168.25.31:5044"]

Start the service:
    # systemctl start filebeat.service
Check the service status:
    # systemctl status filebeat.service

Check Elasticsearch:
    # curl '192.168.25.30:9200/_cat/indices?v'
    health status index                     uuid                   pri rep docs.count docs.deleted store.size pri.store.size
    green  open   system-syslogs-2018.11.06 9-WQSrX7Su2FeORk5XM5-w   5   1        614            0    924.1kb        406.5kb
    green  open   filebeat-6.4.2-2018.11.06 gYOcxCK8THaJ57AWAUbK3Q   3   1       8039            0      2.7mb          1.3mb
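Section 1 has the firewall switched off on all three machines; the ports this guide opens (9200, 5601, 10514) can instead be limited to known sources. The script below is an added example, not part of the original post: it prints firewalld rich rules for each node. The 9300 transport port (the Elasticsearch default, not shown on the page) and the ADMIN_NET subnet are assumptions.

```sh
#!/bin/sh
# Added example: per-node firewalld rules for this tutorial's cluster, as an
# alternative to disabling the firewall. Prints commands; APPLY=1 runs them.

NODES="192.168.25.30 192.168.25.31 192.168.25.32"  # cluster members (from the page)
ADMIN_NET="192.168.25.0/24"  # assumption: hosts allowed to use Kibana / send syslog

# Build one rich rule accepting tcp/$2 only from source $1.
rich_rule() {
    printf 'rule family="ipv4" source address="%s" port port="%s" protocol="tcp" accept' "$1" "$2"
}

# Print the firewall-cmd lines for the node whose IP is $1.
rules_for() {
    self=$1
    for peer in $NODES; do
        [ "$peer" = "$self" ] && continue
        # 9200 = ES HTTP API (page); 9300 = ES transport default (assumption)
        for port in 9200 9300; do
            echo "firewall-cmd --permanent --add-rich-rule='$(rich_rule "$peer" "$port")'"
        done
    done
    case $self in
        192.168.25.30)  # Kibana runs on the master node
            echo "firewall-cmd --permanent --add-rich-rule='$(rich_rule "$ADMIN_NET" 5601)'" ;;
        192.168.25.31)  # Logstash syslog input
            echo "firewall-cmd --permanent --add-rich-rule='$(rich_rule "$ADMIN_NET" 10514)'" ;;
    esac
    echo "firewall-cmd --reload"
}

# Print the rules, or execute them when APPLY=1 is set (run as root).
apply_or_print() {
    rules_for "$1" | while IFS= read -r cmd; do
        if [ "${APPLY:-0}" = 1 ]; then eval "$cmd"; else echo "$cmd"; fi
    done
}

# Usage: sh elk-firewall.sh 192.168.25.31
if [ $# -gt 0 ]; then apply_or_print "$1"; fi
```

With firewalld left running in its default zone, ports without a matching rule stay closed, so only the listed sources reach Elasticsearch, Kibana and the syslog input.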
Source: http://www.cnblogs.com/chmyee/p/9914461.html