安装 ELK(Elasticsearch、Logstash、Kibana、Filebeat,均为 7.17.0 版,单机部署)
1.下载安装包
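# Download and unpack the ELK 7.17.0 tarballs (the builds that bundle a JDK) into /home/elk.
# Each archive is checked against the .sha512 file Elastic publishes next to it before it is
# extracted, so a truncated or tampered download is never installed. Meant to be run as one unit.
ELK_VERSION=7.17.0
BASE_URL=https://artifacts.elastic.co/downloads

mkdir -p /home/elk
cd /home/elk || exit 1

# Paths below BASE_URL; Filebeat is published under beats/.
for artifact in \
    "elasticsearch/elasticsearch-${ELK_VERSION}-linux-x86_64.tar.gz" \
    "kibana/kibana-${ELK_VERSION}-linux-x86_64.tar.gz" \
    "logstash/logstash-${ELK_VERSION}-linux-x86_64.tar.gz" \
    "beats/filebeat/filebeat-${ELK_VERSION}-linux-x86_64.tar.gz"; do
  archive=${artifact##*/}
  # fetch archive + checksum, verify, then extract; stop at the first failure
  wget "${BASE_URL}/${artifact}" "${BASE_URL}/${artifact}.sha512" \
    && sha512sum -c "${archive}.sha512" \
    && tar -xzf "$archive" \
    || { printf 'failed to download/verify/extract %s\n' "$archive" >&2; break; }
done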
2.Elasticsearch 配置
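# Dedicated unprivileged account for Elasticsearch. No interactive password is set:
# root starts the service with `su - elasticsearch -c ...`, which needs none, and a
# service account should not be able to log in. (useradd normally leaves the new
# account locked; `passwd -l` just makes that explicit.)
useradd elasticsearch
passwd -l elasticsearch

# The service account must own its install tree (data/ and logs/ are written there)
chown -R elasticsearch:elasticsearch /home/elk/elasticsearch-7.17.0

cd /home/elk/elasticsearch-7.17.0

# Edit the main config; the settings to put in it follow below
vim config/elasticsearch.yml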
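# --- network ---
# Bind to loopback only. Logstash and Kibana in this guide reach ES on localhost:9200,
# and xpack.security is disabled below, so binding to 0.0.0.0 would expose a cluster
# with no authentication and no TLS to every network the host is on. Enable security
# (and give Kibana/Logstash credentials) before widening this.
network.host: 127.0.0.1
http.port: 9200

# --- node ---
cluster.name: my-elk-cluster
node.name: node-1
node.roles: [ master, data ]

# Lock the JVM heap in RAM; needs the memlock limit configured for the elasticsearch user
bootstrap.memory_lock: true

# Single node, no discovery
discovery.type: single-node

# --- security ---
# Off for this lab setup: anyone who can reach 9200 can read and modify every index.
# Turn it on before exposing this node beyond the local host.
xpack.security.enabled: false

# save and quit vim with :wq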
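# Per-user limits Elasticsearch needs: open files, and unlimited memlock for
# bootstrap.memory_lock. A drop-in under limits.d is idempotent (re-running
# overwrites instead of appending); the same four lines may equally be appended
# to /etc/security/limits.conf.
cat > /etc/security/limits.d/elasticsearch.conf <<'EOF'
elasticsearch soft nofile 65536
elasticsearch hard nofile 65536
elasticsearch soft memlock unlimited
elasticsearch hard memlock unlimited
EOF

# Kernel mmap limit required by Elasticsearch; a sysctl.d drop-in persists across reboots.
# `sysctl --system` applies sysctl.d/*.conf and /etc/sysctl.conf right away.
echo 'vm.max_map_count=262144' > /etc/sysctl.d/99-elasticsearch.conf
sysctl --system

# Start Elasticsearch as the service account with the bundled JDK, detached (-d).
# Run it through `su -c` instead of an interactive `su -` shell so the same line
# works from a script; the PAM session applies the limits above.
su - elasticsearch -c "cd /home/elk/elasticsearch-7.17.0 && ./bin/elasticsearch -d"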
3.logstash配置
# Keep pipeline definitions in their own directory; the Beats -> ES pipeline follows below
mkdir -p -- /home/elk/logstash-7.17.0/conf.d
vim -- /home/elk/logstash-7.17.0/conf.d/filebeat-to-es.conf
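# Beats -> Logstash -> Elasticsearch pipeline (conf.d/filebeat-to-es.conf)
input {
  beats {
    # Filebeat in this guide runs on the same host, so listen on loopback only.
    # The Beats input here has neither TLS nor authentication; do not expose 5044
    # to the network unless ssl => true with certificates is configured.
    host => "127.0.0.1"
    port => 5044
  }
}

filter {
  # Parse lines of the form "<ISO8601 timestamp> <LEVEL> <text>". Lines that do not
  # match (e.g. syslog format in /var/log/messages) keep their raw message and are
  # tagged _grokparsefailure.
  grok {
    match => { "message" => "%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:loglevel} %{GREEDYDATA:message}" }
    # Without this grok appends to the existing field and `message` becomes an array
    # [original, remainder]; overwrite keeps it a single string.
    overwrite => [ "message" ]
  }
  # Use the log's own timestamp as @timestamp instead of ingest time
  date {
    match => [ "timestamp", "ISO8601" ]
  }
}

output {
  elasticsearch {
    hosts => ["localhost:9200"]
    index => "logs-%{+YYYY.MM.dd}"
  }
  # Debug only. Every event is echoed to stdout, which the start script redirects
  # into logstash.log, so this duplicates the whole log volume on disk. Uncomment
  # while troubleshooting, then comment it out again.
  # stdout { codec => rubydebug }
}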
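# Start Logstash with the bundled JDK. nohup + a log file keeps it running after
# logout and preserves its output (a bare `&` loses both); this matches how
# start_elk.sh launches it. --config.reload.automatic re-reads the pipeline on change.
cd /home/elk/logstash-7.17.0
nohup ./bin/logstash -f conf.d/filebeat-to-es.conf --config.reload.automatic > logstash.log 2>&1 &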
4.Filebeat 配置
# Filebeat keeps its configuration next to the binary
cd -- /home/elk/filebeat-7.17.0-linux-x86_64
vi -- filebeat.yml
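# Which files to ship. /var/log/secure and /var/log/messages are readable by root
# only, which is why this guide runs Filebeat as root. Filebeat also refuses to
# start if filebeat.yml is writable by group/others or not owned by the user
# running it, so keep this file root-owned and not group/world writable.
# (The `log` input is deprecated in favour of `filestream` in late 7.x; it still
# works on 7.17.)
filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - /var/log/*.log
      - /var/log/messages
      - /var/log/secure
      # add your application log paths here
      - /path/to/your/app/*.log

# Ship to the local Logstash Beats input (plaintext - acceptable on loopback only)
output.logstash:
  hosts: ["localhost:5044"]

# Filebeat's own log: 7 rotated files under /var/log/filebeat, world-readable (0644)
logging.level: info
logging.to_files: true
logging.files:
  path: /var/log/filebeat
  name: filebeat
  keepfiles: 7
  permissions: 0644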
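cd /home/elk/filebeat-7.17.0-linux-x86_64

# Validate the config, then check that the Logstash endpoint in output.logstash
# actually accepts connections (Logstash must already be running), and only then
# start. nohup + log file so Filebeat survives logout and its output is kept,
# matching start_elk.sh.
if ./filebeat test config && ./filebeat test output; then
  nohup ./filebeat > filebeat.log 2>&1 &
else
  echo "filebeat config/output test failed; not starting" >&2
fi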
5.kibana配置
# Kibana's settings live under config/ in its install tree
cd -- /home/elk/kibana-7.17.0-linux-x86_64
vi -- config/kibana.yml
# Listen on every interface, port 5601.
# NOTE: with xpack.security disabled in Elasticsearch there is no login in front of
# Kibana; anyone who can reach 5601 can query and modify the cluster (e.g. through
# Dev Tools). Restrict 5601 at the firewall to trusted addresses, or front it with an
# authenticating reverse proxy, until security is enabled.
server.host: "0.0.0.0"
server.port: 5601

# Local Elasticsearch over plain HTTP
elasticsearch.hosts: ["http://localhost:9200"]

# Optional: Chinese UI
i18n.locale: "zh-CN"
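# Dedicated unprivileged account for Kibana. No interactive password: root starts
# it via `su -c`, and a service account should not be able to log in.
useradd kibana
passwd -l kibana

# Kibana must own its install tree so it can write under it (data/, logs)
chown -R kibana:kibana /home/elk/kibana-7.17.0-linux-x86_64

# Start Kibana AS the kibana user. The original ran `./bin/kibana &` straight from
# the root shell, so the account created above was never used and Kibana ran as
# root. nohup + log file (kibana.log in its own dir, writable by kibana) so it
# survives logout; this mirrors start_elk.sh. Kibana uses its bundled runtime, not the JDK.
su - kibana -c "cd /home/elk/kibana-7.17.0-linux-x86_64 && nohup ./bin/kibana > kibana.log 2>&1 &"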
6.创建脚本
1.启动脚本
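# start_elk.sh redirects Kibana's output to /var/log/kibana/kibana.log while running
# as the kibana user, so that directory must exist and belong to kibana.
# `install -d` creates it already owned by kibana with 0755 - one step instead of
# mkdir followed by a recursive chown.
sudo install -d -o kibana -g kibana -m 0755 /var/log/kibana

# Create the start script (contents follow); chmod +x it afterwards
vim /home/elk/start_elk.sh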
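#!/usr/bin/env bash
# Start the ELK stack in dependency order: Elasticsearch, then Logstash, Filebeat
# and Kibana. Run as root: Elasticsearch and Kibana are started under their service
# accounts via su; Logstash and Filebeat stay root (Filebeat reads /var/log/secure).
set -euo pipefail
trap 'echo "start_elk.sh: command failed at line $LINENO" >&2' ERR

ES_HOME=/home/elk/elasticsearch-7.17.0
LS_HOME=/home/elk/logstash-7.17.0
FB_HOME=/home/elk/filebeat-7.17.0-linux-x86_64
KB_HOME=/home/elk/kibana-7.17.0-linux-x86_64
ES_URL=http://localhost:9200
ES_WAIT_SECS=120   # give up if Elasticsearch has not answered after this long

echo "Starting ELK Stack..."

# Elasticsearch detaches itself (-d); its logs go to $ES_HOME/logs/
su - elasticsearch -c "cd '$ES_HOME' && ./bin/elasticsearch -d"

# Poll until ES answers instead of sleeping a fixed 30 s: on a slow box 30 s may be
# too short, on a fast one it wastes time, and starting the others against a dead
# ES only fills their logs with connection errors.
for ((i = 0; i < ES_WAIT_SECS; i++)); do
  if curl -fs "$ES_URL" >/dev/null 2>&1; then
    break
  fi
  sleep 1
done
if ! curl -fs "$ES_URL" >/dev/null 2>&1; then
  echo "Elasticsearch did not come up within ${ES_WAIT_SECS}s; see $ES_HOME/logs/" >&2
  exit 1
fi

# Logstash (root); output to $LS_HOME/logstash.log
cd "$LS_HOME"
nohup ./bin/logstash -f conf.d/filebeat-to-es.conf --config.reload.automatic > logstash.log 2>&1 &
sleep 10

# Filebeat (root); output to $FB_HOME/filebeat.log
cd "$FB_HOME"
nohup ./filebeat > filebeat.log 2>&1 &
sleep 10

# Kibana as the kibana user; /var/log/kibana must be owned by kibana
su - kibana -c "cd '$KB_HOME' && nohup ./bin/kibana > /var/log/kibana/kibana.log 2>&1 &"

echo "ELK Stack started successfully! Check component logs for details."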
2.停止脚本
# Create the stop script (contents follow); chmod +x it afterwards
vim -- /home/elk/stop_elk.sh
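#!/usr/bin/env bash
# Stop the ELK stack in reverse data-flow order: shippers first (Filebeat,
# Logstash), then the UI (Kibana), then storage (Elasticsearch), so nothing is
# still writing into Elasticsearch when it goes down. Run as root.
set -uo pipefail

#######################################
# Terminate the processes selected by a pgrep expression: SIGTERM first, up to
# 5 s of polling for a clean exit, then SIGKILL for anything still alive.
# Arguments: $1 - display name
#            $@ - (after shift) selector passed verbatim to pgrep/pkill,
#                 e.g. `-u kibana` or `-f '<regex>'`
# Outputs:   progress on stdout, failure on stderr
# Returns:   0 if nothing matching is left running, 1 otherwise
#######################################
stop_process() {
  local name=$1
  shift
  local -a pids=()
  # pgrep reads the process table directly: no grep matching itself, and the
  # selector decides what is matched. The original `ps aux | grep "$name"`
  # matched ANY column, so "elasticsearch" hit every process owned by that user
  # and "filebeat" also hit Logstash through its conf.d/filebeat-to-es.conf argument.
  mapfile -t pids < <(pgrep "$@")
  if (( ${#pids[@]} == 0 )); then
    echo "$name is not running"
    return 0
  fi

  echo "Stopping $name (PID: ${pids[*]})..."
  kill -- "${pids[@]}" 2>/dev/null
  # poll up to 5 s so a fast shutdown does not always cost the full wait
  local i
  for ((i = 0; i < 5; i++)); do
    pgrep "$@" >/dev/null || break
    sleep 1
  done
  if pgrep "$@" >/dev/null; then
    echo "$name did not stop gracefully, forcing termination..."
    pkill -9 "$@" 2>/dev/null
  fi

  if pgrep "$@" >/dev/null; then
    echo "Failed to stop $name" >&2
    return 1
  fi
  echo "$name stopped"
}

# Selectors:
# - Filebeat runs as root from its install dir as `./filebeat`; the regex is
#   anchored so "filebeat-to-es.conf" in Logstash's arguments does not match.
# - Logstash runs as root; "logstash" appears in its wrapper and Java command line
#   (install path under /home/elk/logstash-7.17.0). Verify with `pgrep -af logstash`
#   if in doubt - an editor open on a Logstash file would match too.
# - Kibana and Elasticsearch run under dedicated accounts, so select by user. This
#   also ends any interactive `su - kibana` / `su - elasticsearch` shell.
stop_process "filebeat"      -f '(^|/)filebeat( |$)'
stop_process "logstash"      -f 'logstash'
stop_process "kibana"        -u kibana
stop_process "elasticsearch" -u elasticsearch
echo "ELK Stack stop process completed!"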
3.设置脚本权限
# Make both helper scripts executable in one call
chmod +x /home/elk/start_elk.sh /home/elk/stop_elk.sh
4.开放端口
在防火墙上开放 5601 端口(Kibana)。注意:本文中 Elasticsearch 监听的是 9200(见 http.port),而不是 9022;由于 xpack.security 已关闭,9200 和 5601 都没有任何认证,只应对可信 IP 开放(9200 若无远程访问需求可以不开放)。5044 仅在 Filebeat 部署在其他主机时才需要开放——本文中 Filebeat 与 Logstash 同机,通过 localhost:5044 通信。
7.验证部署
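# Elasticsearch answers on 9200 (loopback)
curl -s http://localhost:9200

# Cluster health, then the indices Logstash has created. URLs containing '?' are
# quoted so the shell cannot treat them as glob patterns, and each comment is on
# its own line: in the original `...indices?v# 检查进程` the '#' was part of the URL.
curl -s 'http://localhost:9200/_cluster/health?pretty'
curl -s 'http://localhost:9200/_cat/indices?v'

# All four processes should be listed. The [x] trick keeps grep from matching its
# own command line; user+pid+args are shown so the service accounts are visible.
ps -eo user,pid,args | grep -E '[e]lasticsearch|[l]ogstash|[k]ibana|[f]ilebeat'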
在浏览器中访问 http://<服务器IP>:5601 打开 Kibana(当前配置下没有登录页面,请确认 5601 仅对可信 IP 开放)。