安装

#elk安装

1 部署ElasticSearch单点

1.下载ES服务(官方下载地址同目录下提供同名的 .sha512 校验文件;尤其是通过内网HTTP镜像获取的安装包,建议在安装前用 sha512sum -c 校验完整性)
wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.17.28-amd64.deb


wget  http://192.168.17.253/Resources/ElasticStack/softwares/ES7/7.17.28/elasticsearch-7.17.28-amd64.deb

2.安装ElasticSearch 
[root@elk91 ~]# dpkg -i elasticsearch-7.17.28-amd64.deb 
[root@elk91 ~]#



3.修改ElasticSearch的配置文件 
[root@elk91 ~]# egrep -v "^#|^$" /etc/elasticsearch/elasticsearch.yml 
cluster.name: test-es7
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 0.0.0.0
discovery.type: single-node
相关参数说明:
	cluster.name
		集群的名称
		
	path.data
		ES的数据存储路径。
		
	path.logs
		ES的日志存储路径。
		
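	network.host
		ES服务监听的地址。"0.0.0.0"表示在所有网卡上监听;本例配置未启用xpack.security,任何能访问9200端口的主机都可以无认证地读写数据,因此仅适合隔离的实验环境。生产环境应绑定内网地址,并启用认证与TLS,或用防火墙限制访问来源。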
		
	discovery.type
		指定ES集群的部署类型,此处的"single-node"表示这是一个单点环境。
		
		
	4.启动ES服务 
[root@elk91 ~]# systemctl enable --now elasticsearch.service 
[root@elk91 ~]# ss -ntl | grep 00
LISTEN 0      4096               *:9300            *:*          
LISTEN 0      4096               *:9200            *:*          
[root@elk91 ~]# 


端口说明:
	9200:
		ES集群对外提供服务的端口,使用的是http或https协议(本例未配置TLS,下文的curl均走明文http)。
		
	9300:
		ES集群内部数据同步,master选举的端口。
		

	5.访问ES的WebUI
[root@elk91 ~]# curl http://10.0.0.91:9200/_cat/nodes
10.0.0.91 25 97 0 0.13 0.14 0.06 cdfhilmrstw * elk91

[root@elk91 ~]# curl http://10.0.0.91:9200

2 ES集群部署

- ES集群部署
	1.拷贝软件包到其他节点
[root@elk91 ~]# ll -h elasticsearch-7.17.28-amd64.deb 
-rw-r--r-- 1 root root 311M Mar 11 11:19 elasticsearch-7.17.28-amd64.deb
[root@elk91 ~]# 
[root@elk91 ~]# scp elasticsearch-7.17.28-amd64.deb  10.0.0.92:~

[root@elk91 ~]# scp elasticsearch-7.17.28-amd64.deb  10.0.0.93:~


	2.其他节点安装es
[root@elk92 ~]# dpkg -i elasticsearch-7.17.28-amd64.deb 

[root@elk93 ~]# dpkg -i elasticsearch-7.17.28-amd64.deb 


	3.修改ElasticSearch的配置文件
 egrep -v "^#|^$" /etc/elasticsearch/elasticsearch.yml
cluster.name: cmy-elk91
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 0.0.0.0
discovery.seed_hosts: ["10.168.10.91", "10.168.10.92","10.168.10.93"]
cluster.initial_master_nodes: ["10.168.10.91", "10.168.10.92","10.168.10.93"]

[root@elk91 ~]# 


相关参数说明:
	cluster.name
		集群的名称
		
	path.data
		ES的数据存储路径。
		
	path.logs
		ES的日志存储路径。
		
	network.host
		ES服务监听的地址。设为"0.0.0.0"时,9200和9300端口都会在所有网卡上监听;未启用安全功能时,节点间的9300通信同样没有加密和认证,应通过防火墙仅允许集群节点之间互访。
		
	discovery.seed_hosts
		指定ES集群的主机地址列表。
		
	cluster.initial_master_nodes
		指定ES集群能够参与master选举的主机列表。
		
	
	4.将ES服务设置为开机自启动 
[root@elk91 ~]# systemctl enable elasticsearch

[root@elk92 ~]# systemctl enable elasticsearch
 
[root@elk93 ~]# systemctl enable elasticsearch


	5.拷贝ES的配置文件
[root@elk91 ~]# scp /etc/elasticsearch/elasticsearch.yml 10.168.10.92:/etc/elasticsearch/

[root@elk91 ~]# scp /etc/elasticsearch/elasticsearch.yml 10.168.10.93:/etc/elasticsearch/

	
	6.所有节点重置ES集群环境(注意:以下命令会清空ES的全部数据和日志,并删除/tmp下的所有文件,仅适用于全新的、没有其他业务数据的节点)
[root@elk91 ~]# rm -rf  /var/{lib,log}/elasticsearch/* /tmp/*

[root@elk92 ~]# rm -rf  /var/{lib,log}/elasticsearch/* /tmp/*

[root@elk93 ~]# rm -rf  /var/{lib,log}/elasticsearch/* /tmp/*


	7.同时重启ES集群
[root@elk91 ~]# systemctl restart elasticsearch.service 

[root@elk92 ~]# systemctl restart elasticsearch.service 

[root@elk93 ~]# systemctl restart elasticsearch.service 


	8.验证ES集群 
[root@elk-91 ~]# for i in 91 92 93;do curl -s 10.168.10.${i}:9200 |grep "cluster_uuid";done
  "cluster_uuid" : "uTMJL60ARzmhQOAEPhXicw",
  "cluster_uuid" : "uTMJL60ARzmhQOAEPhXicw",
  "cluster_uuid" : "uTMJL60ARzmhQOAEPhXicw",

[root@elk-91 ~]# curl 10.168.10.93:9200/_cat/nodes
10.168.10.92 17 97 21 0.60 0.46 0.29 cdfhilmrstw * elk-92
10.168.10.91  7 94 22 0.63 0.47 0.32 cdfhilmrstw - elk-91
10.168.10.93 13 97 15 0.39 0.21 0.09 cdfhilmrstw - elk-93

- 测试ES集群DSL语句的读写
	1.写入数据
curl --location --request POST 'http://10.168.10.91:9200/_bulk' \
--header 'Content-Type: application/json' \
--data-raw '{ "create" : { "_index" : "test-cmy", "_id" : "1001" } }
{ "name" : "猪八戒","hobby": ["猴哥","高老庄"] }
{ "create" : { "_index" : "test-cmy", "_id" : "1002" } }
{ "name" : "沙和尚","hobby": ["流沙河","挑行李"] }
{ "create" : { "_index" : "test-cmy", "_id" : "1003" } }
{ "name" : "白龙马","hobby": ["大师兄,师傅被妖怪抓走啦"] }
'


	2.查询数据
curl --location --request GET '10.0.0.93:9200/test-cmy/_search' \
--header 'Content-Type: application/json' \
--data-raw '{
    "query": {
        "match": {
            "hobby": "猴哥"
        }
    }
}'
	
	
	
	
温馨提示:
	这种语法是ElasticSearch特有的语言,称为DSL语句,一般是DBA或者Java开发人员会进一步学习。
	
	运维人员只需要知道ES可以进行数据的读写且知道一些ES相关术语即可。

3 kibana环境部署

1.下载kibana
wget  https://artifacts.elastic.co/downloads/kibana/kibana-7.17.28-amd64.deb

wget  http://192.168.17.253/Resources/ElasticStack/softwares/ES7/7.17.28/kibana-7.17.28-amd64.deb


	2.安装kibana软件包 
[root@elk91 ~]# dpkg -i kibana-7.17.28-amd64.deb 


	3.修改kibana的配置文件(server.host设为"0.0.0.0"会在所有网卡上监听;由于本例的ES未启用认证,Kibana也无需登录即可访问并操作集群数据,仅适合隔离的实验网络)
[root@elk-91 ~]#  egrep -v "^#|^$" /etc/kibana/kibana.yml
server.host: "0.0.0.0"
elasticsearch.hosts: ["http://10.168.10.91:9200","http://10.168.10.92:9200","http://10.168.10.93:9200"]
i18n.locale: "zh-CN"
[root@elk-91 ~]#



	4.启动kibana服务
[root@elk91 ~]# systemctl enable --now kibana.service 
[root@elk91 ~]# 
[root@elk91 ~]# ss -ntl | grep 5601
LISTEN 0      511          0.0.0.0:5601      0.0.0.0:*          
[root@elk91 ~]# 



	5.访问kibana的WebUI
http://10.0.0.91:5601/


4 Filebeat环境部署实战

	1.下载Filebeat 
wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.17.28-amd64.deb

SVIP:
[root@elk93 ~]# wget http://192.168.17.253/Resources/ElasticStack/softwares/ES7/7.17.28/filebeat-7.17.28-amd64.deb


	2.安装Filebeat 
[root@elk93 ~]# dpkg -i filebeat-7.17.28-amd64.deb 


	3.编写配置文件
[root@elk93 ~]# mkdir /etc/filebeat/config
[root@elk93 ~]# 
[root@elk93 ~]# cat /etc/filebeat/config/01-stdin-to-console.yaml
filebeat.inputs:
- type: stdin


output.console:
  pretty: true
[root@elk93 ~]# 


	4.启动filebeat实例 
[root@elk93 ~]# filebeat -e -c /etc/filebeat/config/01-stdin-to-console.yaml


	5.发送测试数据
1qaz
{
  "@timestamp": "2025-04-29T07:09:49.325Z",
  "@metadata": {
    "beat": "filebeat",
    "type": "_doc",
    "version": "7.17.28"
  },
  "log": {
    "file": {
      "path": ""
    },
    "offset": 0
  },
  "message": "1qaz",
  "input": {
    "type": "stdin"
  },
  "ecs": {
    "version": "1.12.0"
  },
  "host": {
    "name": "elk-93"
  },
  "agent": {
    "ephemeral_id": "c23cdf16-3db9-4c38-9bd3-a42b0e8e78c9",
    "id": "ecbdde39-c0ed-4982-bf40-3769c49a3c1b",
    "name": "elk-93",
    "type": "filebeat",
    "version": "7.17.28",
    "hostname": "elk-93"
  }
}

5 logstash部署

   16  wget http://192.168.17.253/Resources/ElasticStack/softwares/ES7/7.17.28/logstash-7.17.28-amd64.deb
   17  dpkg -i logstash-7.17.28-amd64.deb
   18  ln -svf /usr/share/logstash/bin/logstash /usr/local/bin/
 logstash -e  "input { stdin { type => stdin } }   output { stdout { codec => rubydebug } }"

cat >> /etc/logstash/conf.d/01-stdin-to-stdout.conf << EOF
> input {
  stdin {}
}


output {
  stdout {}
}
> EOF
logstash -f /etc/logstash/conf.d/01-stdin-to-stdout.conf

#elk
