1. Create the elk user
You must create an elk user. If you do not create a dedicated user, the following steps will cause an error when the ELK components are started by the root user.
2. Switch to the elk user and download the ELK components into the elk folder under /home
2.1. Download Elasticsearch
[root@localhost elk]# su elk
[elk@localhost ~]$ pwd
/home/elk
[elk@localhost ~]$ wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-5.4.3.tar.gz
Unpack the tar package
[elk@localhost ~]$ tar -xvf elasticsearch-5.4.3.tar.gz
Enter elasticsearch-5.4.3
[elk@localhost ~]$ cd elasticsearch-5.4.3
Modify the elasticsearch.yml file in config
Modify: cluster.name: and node.name: (the defaults can also be used)
Modify: network.host: to 0.0.0.0 (listen on all network interfaces)
Modify: http.port: to 9200
Save and exit.
Start Elasticsearch:
As the elk user, start it from the Elasticsearch directory:
[elk@localhost elasticsearch-5.4.3]$ bin/elasticsearch # run in the foreground
# or
[elk@localhost elasticsearch-5.4.3]$ bin/elasticsearch -d # run in the background
[elk@localhost ~]$ curl http://localhost:9200
### If the following is returned, it succeeded ###
Enter host password for user 'elastic':
{
  "name" : "Elk-1",
  "cluster_name" : "Elastic-cluster",
  "cluster_uuid" : "mfp7_aauqyiy190wwbk53g",
  "version" : {
    "number" : "5.4.3",
    "build_hash" : "eed30a8",
    "build_date" : "2017-06-22T00:34:03.743Z",
    "build_snapshot" : false,
    "lucene_version" : "6.5.1"
  },
  "tagline" : "You Know, for Search"
}
Errors encountered when starting Elasticsearch
These two errors came up:
1. ERROR: bootstrap checks failed
max virtual memory areas vm.max_map_count [65530] is too low, increase to at least [262144]
2. ERROR: bootstrap checks failed
system call filters failed to install; check the logs and fix your configuration or disable system call filters at your own risk
I will not write the fixes up here; see the link instead: click here for the page on these errors.
Install X-Pack:
[elk@localhost elasticsearch-5.4.3]$ ./bin/elasticsearch-plugin install x-pack
(This takes a while)
You can also download X-Pack from the official website, upload it to the server and install it from there.
Restart Elasticsearch for X-Pack to take effect
Run curl again: curl http://localhost:9200 -u elastic
Password: changeme
2.2. Install Logstash
Download Logstash
[elk@localhost ~]$ wget https://artifacts.elastic.co/downloads/logstash/logstash-5.4.3.tar.gz
### Unpack
[elk@localhost ~]$ tar -xvf logstash-5.4.3.tar.gz
Enter logstash-5.4.3
[elk@localhost logstash-5.4.3]$ vim config/logstash.conf
## Contents:
input {
  file {
    type => 'typename'                  # type label, used to tell sources apart (must not contain capital letters)
    path => "/program log path/*.log"   # log path (you can also specify a single file)
    codec => multiline {
      pattern => "%{TIMESTAMP_ISO8601:date}"   # matches log lines that start with a time; use "^\[" if lines start with []
      negate => true
      what => "previous"
    }
    start_position => "beginning"
  }
}
output {
  elasticsearch {
    action => "index"
    hosts => "127.0.0.1:9200"                    # Elasticsearch address and port
    index => "logstash-%{type}-%{+YYYY.MM.dd}"   # name of the Elasticsearch index to write to
    document_type => "%{type}"
    user => "elastic"                            # Elasticsearch user name
    password => "changeme"                       # Elasticsearch password (if X-Pack is installed and the password has been changed in Kibana, it must be changed here too)
  }
  stdout {
    codec => rubydebug
  }
}
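How the multiline codec above groups lines, as an added example that is not part of the original page: the awk function emulates negate => true with what => "previous" for lines that begin with a timestamp. The function names, the anchored regular expression standing in for %{TIMESTAMP_ISO8601} and the sample log are constructed for illustration.

```shell
#!/bin/sh
# Emulates the Logstash setting
#   codec => multiline { pattern => <timestamp> negate => true what => "previous" }
# A line that does NOT start with a timestamp is appended to the previous
# event; a line that does start with one opens a new event.
# Assumption: the regex below is a simplified stand-in for the
# %{TIMESTAMP_ISO8601} grok pattern, anchored at the start of the line.

join_multiline() {
  awk '
    /^[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9][T ][0-9][0-9]:[0-9][0-9]/ {
      if (have) print event       # flush the event collected so far
      event = $0; have = 1
      next
    }
    {
      # continuation line: glue it to the previous event with a literal \n
      # so that one output line equals one Logstash event
      if (have) event = event "\\n" $0
      else { event = $0; have = 1 }   # leading line without a timestamp
    }
    END { if (have) print event }
  '
}

# Constructed sample: two log records, the first followed by a stack trace.
sample_log() {
  cat <<'EOF'
2017-06-22 10:15:01.120 ERROR OrderService - request failed
java.lang.IllegalStateException: no session
    at com.example.OrderService.load(OrderService.java:42)
2017-06-22 10:15:02.004 INFO  OrderService - retry succeeded
EOF
}

# Number of events produced for the sample: 4 lines in, 2 events out.
count_events() { sample_log | join_multiline | wc -l | tr -d ' '; }

sample_log | join_multiline
```

Without the codec each of the four lines would be indexed as its own document, and the stack trace would be separated from the error that produced it.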
Test Logstash
[elk@localhost logstash-5.4.3]$ bin/logstash -e 'input { stdin {} } output { stdout { codec => rubydebug } }'
### You will then see the terminal waiting for your input. No problem: type Hello World, press Enter, and see what comes back.
### The following result appears
2017-02-23T08:34:25.661Z c-101 Hello World
Start Logstash
[elk@localhost logstash-5.4.3]$ nohup ./bin/logstash -f config/logstash.conf &
2.3. Install Kibana
Download Kibana
[elk@localhost ~]$ wget https://artifacts.elastic.co/downloads/kibana/kibana-5.4.3-linux-x86_64.tar.gz
[elk@localhost ~]$ tar -zxvf kibana-5.4.3-linux-x86_64.tar.gz
Enter kibana-5.4.3-linux-x86_64
Edit config/kibana.yml
[elk@localhost ~]$ cd kibana-5.4.3-linux-x86_64/
[elk@localhost kibana-5.4.3-linux-x86_64]$ vim config/kibana.yml
### Changes
Remove the # in front of server.port
Modify: server.host: to 0.0.0.0
Modify: elasticsearch.url: to http://127.0.0.1:9200 (the Elasticsearch address)
Modify:
elasticsearch.username: "user"
elasticsearch.password: "pass"
to the user name and password for Elasticsearch.
### Start
[elk@localhost kibana-5.4.3-linux-x86_64]$ nohup ./bin/kibana &
Install X-Pack in Kibana
[elk@localhost kibana-5.4.3-linux-x86_64]$ ./bin/kibana-plugin install x-pack
### The download is very slow and may also break off, so download the file directly with wget.
[elk@localhost kibana-5.4.3-linux-x86_64]$ wget https://artifacts.elastic.co/downloads/kibana-plugins/x-pack/x-pack-5.4.3.zip
### Command to install from the file
[elk@localhost kibana-5.4.3-linux-x86_64]$ ./bin/kibana-plugin install file:///home/elk/kibana-5.4.3-linux-x86_64/x-pack-5.4.3.zip
### Restart Kibana, or install X-Pack before starting it
Open http://IP:5601 in a browser
Change the login password on the Kibana page
After changing the login password, update the corresponding Elasticsearch, Logstash and Kibana configuration files.
Restart E, L and K.
3. Precautions:
Open the firewall ports.
If Logstash has to read log files that belong to another group, add the elk user to that group,
for example: usermod -a -G <group name> <user name>
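A check for the closing steps above (changing the default password, then opening ports), added as an example that is not part of the original page: the function scans the three configuration files this guide edits for the default changeme password, for services bound to 0.0.0.0 and for world-readable files that hold a password. The function names and the sample files written to a temporary directory are constructed; the settings and file names are the ones used above.

```shell
#!/bin/sh
# audit_elk_config DIR: report settings from this guide that need review
# before the firewall ports are opened. Prints one finding per line and
# returns the number of findings as its exit status.
audit_elk_config() {
  dir=$1; findings=0
  for f in "$dir"/elasticsearch.yml "$dir"/kibana.yml "$dir"/logstash.conf; do
    [ -f "$f" ] || continue
    # Active (non-comment) lines that still carry the X-Pack default password.
    if grep -v '^[[:space:]]*#' "$f" | grep -q 'password.*changeme'; then
      echo "$f: default password changeme still configured"
      findings=$((findings + 1))
    fi
    # Services listening on every interface (network.host / server.host).
    if grep -Eq '^[[:space:]]*(network|server)\.host:[[:space:]]*"?0\.0\.0\.0' "$f"; then
      echo "$f: bound to 0.0.0.0, reachable from any network the host is on"
      findings=$((findings + 1))
    fi
    # Credentials in a file that other local users can read.
    if grep -v '^[[:space:]]*#' "$f" | grep -q 'password' &&
       [ -n "$(find "$f" -perm -004)" ]; then
      echo "$f: contains a password and is world-readable"
      findings=$((findings + 1))
    fi
  done
  return "$findings"
}

# Constructed sample: the files as they look right after following the guide.
make_sample() {
  d=$(mktemp -d)
  printf 'network.host: 0.0.0.0\nhttp.port: 9200\n' > "$d/elasticsearch.yml"
  printf 'server.host: 0.0.0.0\nelasticsearch.password: "changeme"\n' > "$d/kibana.yml"
  printf 'output { elasticsearch {\n user => "elastic"\n password => "changeme"\n} }\n' > "$d/logstash.conf"
  chmod 644 "$d"/*
  echo "$d"
}

sample=$(make_sample)
audit_elk_config "$sample" || echo "findings: $?"
rm -rf "$sample"
```

Run it against the directory holding copies of the real config files; a return status of 0 means none of the three conditions was found.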