ELK stack安裝

• logstash 收集日志
• elasticsearch 存儲+搜索
• kibana 顯示

前置條件

需要先安裝java

yum install -y java

安裝

• 可下載源碼忆矛，解壓，即可以運行
• 可yum安裝

源碼解壓

從官網(wǎng)下載tar.gz文件裕便，解壓后绒净，即可使用。官網(wǎng)下載地址：

https://www.elastic.co/downloads

centos yum安裝

elasticsearch

$ rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch
$ cat /etc/yum.repos.d/elasticsearch.repo
    [elasticsearch-2.x]
    name=Elasticsearch repository for 2.x packages
    baseurl=http://packages.elastic.co/elasticsearch/2.x/centos
    gpgcheck=1
    gpgkey=http://packages.elastic.co/GPG-KEY-elasticsearch
    enabled=1
$ yum install elasticsearch

logstash

$ rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch

// 配置yum
$ cat /etc/yum.repos.d/logstash.repo
    [logstash-2.3]
    name=Logstash repository for 2.3.x packages
    baseurl=https://packages.elastic.co/logstash/2.3/centos
    gpgcheck=1
    gpgkey=https://packages.elastic.co/GPG-KEY-elasticsearch
    enabled=1

// 安裝logstash
$ yum -y install logstash

kibana

// 安裝key. 
rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch

// 配置yum
$ vim /etc/yum.repos.d/kibana.repo 
    [kibana-4.5]
    name=Kibana repository for 4.5.x packages
    baseurl=http://packages.elastic.co/kibana/4.5/centos
    gpgcheck=1
    gpgkey=http://packages.elastic.co/GPG-KEY-elasticsearch
    enabled=1
    
// 安裝kibana
$ yum install -y kibana

啟動準備

elasticsearch

設置jvm.options,

-XX:ParallelGCThreads=3 #3可修改

elasticsearch 不能用root啟動偿衰；

groupadd elsearch
useradd elsearch -g elsearch -p elasticsearch
su elsearch

修改 /etc/security/limits.conf, 增加：

elsearch soft nofile 819200
elsearch hard nofile 819200
elsearch soft nproc 2048
elsearch hard nproc 4096
elsearch soft memlock unlimited
elsearch hard memlock unlimited

修改 /etc/security/limits.d/90-nproc.conf：

*          soft    nproc    1024

修改為

*          soft    nproc    2048

修改 /etc/sysctl.conf挂疆。如果在docker中改览，修改/etc/sysctl.conf文件，需要--privileged權限缤言。：

vm.max_map_count=655360

這個文件修改后宝当，需要執(zhí)行：

sysctl -p

修改配置文件 config/elasticsearch.yml

cluster.name: myes
node.name: abcdocker-node-1
path.data: /home/worker/data/www/src/data/es-date
path.logs: /home/worker/data/www/src/logs/elasticsearch
bootstrap.memory_lock: true
network.host: 172.17.0.2
http.port: 9200

logstash

設置jvm.options,

-XX:ParallelGCThreads=3 #3可修改

kibana

啟動前，需設置elasticsearch訪問端口

修改配置文件 config/kibana.yml

elasticsearch.url: "http://172.17.0.2:9200"
server.port: 80

啟動命令

elasticsearch

進入elasticsearch的bin目錄：

./elasticsearch -d

-d參數(shù)是后臺運行

logstash

bin/logstash -e 'input { stdin{} } output { stdout{ codec => rubydebug} }'

寫入elasticsearch

bin/logstash -e 'input { stdin{} } output { stdout{ codec => rubydebug} elasticsearch { hosts => ["172.17.0.2:9200"] index => "logstash-%{+YYYY.MM.dd}" } }'

可用配置文件方式胆萧，配置文件內(nèi)容：

input{
    file{
        path => ["/home/worker/data/www/runtime/demo/err.log"]
        type => "system-log"
        start_position => "beginning"
    }
    stdinP{}
}

filter{
}

output{
    elasticsearch{
        hosts => ["172.17.0.1:9200"]
        index => "logstash-%{+YYYY.MM.dd}"
    }
    stdout{
        codec=>rubydebug
    }
}

啟動方式：

bin/logstash -f /etc/logstash/conf.d/file.conf

kibana

 bin/kibana

參考

http://www.cnblogs.com/xing901022/p/4805586.html
https://kibana.logstash.es/content/
https://caidezhi.gitbooks.io/elk-getting-started-guide/content/