ES cluster planning: for a small or medium-sized log collection system, deploying the filebeat + elasticsearch + kibana combination is entirely sufficient.
es-node01 192.168.121.30 elasticsearch,kibana,zookeeper,kafka
es-node02 192.168.121.31 elasticsearch,logstash,zookeeper,kafka
es-node03 192.168.121.32 elasticsearch,zookeeper,kafka
For the Kafka cluster deployment, see https://www.cnblogs.com/caidingyu/p/12336365.html
Modify the default kernel parameters on all nodes
echo "vm.swappiness=0" >> /etc/sysctl.conf
echo "vm.max_map_count=655350" >> /etc/sysctl.conf
sysctl -p
Modify the Linux resource limits on all nodes so that they take effect permanently
cat /etc/security/limits.conf|grep -v "^#"
* soft nofile 1024000
* hard nofile 1024000
* soft nproc unlimited
* hard nproc unlimited
* soft core unlimited
* hard core unlimited
* soft memlock unlimited
* hard memlock unlimited
Run the following command to make the limit take effect immediately
ulimit -SHn 1024000
1. Download and install elasticsearch on each of the 3 nodes
cd /data
wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.6.0-x86_64.rpm
yum localinstall elasticsearch-7.6.0-x86_64.rpm
2. Install kibana on node1
cd /data
wget https://artifacts.elastic.co/downloads/kibana/kibana-7.6.0-x86_64.rpm
yum localinstall kibana-7.6.0-x86_64.rpm
3. Install logstash on node2
cd /data
wget https://artifacts.elastic.co/downloads/logstash/logstash-7.6.0.rpm
yum localinstall logstash-7.6.0.rpm
4. Install filebeat on the servers whose logs need to be collected
cd /data
wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.6.0-x86_64.rpm
yum localinstall filebeat-7.6.0-x86_64.rpm
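5. On any node, generate the CA certificate used for xpack encrypted authentication. Press Enter at every prompt; there is no need to enter a password. By default the certificate files are located under the data directory specified by path.data; here we copy them to the /etc/elasticsearch/ directory on all nodes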
/usr/share/elasticsearch/bin/elasticsearch-certutil ca
/usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
6. Modify the elasticsearch configuration file on each of the 3 nodes
The es-node01 configuration is as follows:
cluster.name: ES-cluster
node.name: node-1
node.attr.hotwarm_type: hot
path.data: /data/elasticsearch/data
path.logs: /data/elasticsearch/logs
bootstrap.memory_lock: true
network.host: 0.0.0.0
http.port: 19201
transport.tcp.port: 19301
discovery.seed_hosts: ["192.168.121.30:19301", "192.168.121.31:19302", "192.168.121.32:19303"]
cluster.initial_master_nodes: ["192.168.121.30:19301"]
gateway.recover_after_nodes: 2
gateway.recover_after_time: 5m
gateway.expected_nodes: 3
http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-headers: Authorization,X-Requested-With,Content-Length,Content-Type
indices.fielddata.cache.size: 20%
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/elastic-certificates.p12
The es-node02 configuration is as follows:
[root@es-node02 elasticsearch]# cat elasticsearch.yml|grep -vE "^#"
cluster.name: ES-cluster
node.name: node-2
node.attr.hotwarm_type: cold
path.data: /data/elasticsearch/data01
path.logs: /data/elasticsearch/logs
bootstrap.memory_lock: true
network.host: 0.0.0.0
http.port: 19202
transport.tcp.port: 19302
discovery.seed_hosts: ["192.168.121.30:19301", "192.168.121.31:19302", "192.168.121.32:19303"]
cluster.initial_master_nodes: ["192.168.121.30:19301"]
gateway.recover_after_nodes: 2
gateway.recover_after_time: 5m
gateway.expected_nodes: 3
http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-headers: Authorization,X-Requested-With,Content-Length,Content-Type
indices.fielddata.cache.size: 20%
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/elastic-certificates.p12
The es-node03 configuration is as follows:
cat elasticsearch.yml|grep -vE "^#"
cluster.name: ES-cluster
node.name: node-3
node.attr.hotwarm_type: cold
path.data: /data/elasticsearch/data01
path.logs: /data/elasticsearch/logs
bootstrap.memory_lock: true
network.host: 0.0.0.0
http.port: 19203
transport.tcp.port: 19303
discovery.seed_hosts: ["192.168.121.30:19301", "192.168.121.31:19302", "192.168.121.32:19303"]
cluster.initial_master_nodes: ["192.168.121.30:19301"]
gateway.recover_after_nodes: 2
gateway.recover_after_time: 5m
gateway.expected_nodes: 3
http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-headers: Authorization,X-Requested-With,Content-Length,Content-Type
indices.fielddata.cache.size: 20%
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/elastic-certificates.p12
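The three configurations above enable TLS only on the transport layer, leave the HTTP layer on plain HTTP, and allow CORS from any origin. The following is an added example, not part of the original post: a small shell audit that flags those settings in a flat elasticsearch.yml. The function names yml_get, audit_es_config and sample_config are made up for this example, and the sample input is an excerpt of the es-node01 settings.

```bash
#!/usr/bin/env bash
# Added example: flag security gaps in a flat "key: value" elasticsearch.yml.
# yml_get, audit_es_config and sample_config are names made up for this example.

# yml_get FILE KEY: print the value of KEY (last occurrence wins, quotes stripped)
yml_get() {
  awk -v k="$2" '
    /^[ \t]*#/ { next }
    { i = index($0, ":"); if (i == 0) next
      key = substr($0, 1, i - 1); val = substr($0, i + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
      gsub(/^"|"$/, "", val)
      if (key == k) found = val }
    END { print found }' "$1"
}

# audit_es_config FILE: print one line per finding, nothing if the file is clean
audit_es_config() {
  [ "$(yml_get "$1" xpack.security.enabled)" = "true" ] ||
    echo "xpack.security.enabled is not true: the REST API needs no login"
  [ "$(yml_get "$1" xpack.security.transport.ssl.enabled)" = "true" ] ||
    echo "xpack.security.transport.ssl.enabled is not true: node-to-node traffic is plaintext"
  [ "$(yml_get "$1" xpack.security.http.ssl.enabled)" = "true" ] ||
    echo "xpack.security.http.ssl.enabled is not true: passwords sent to http.port travel unencrypted"
  if [ "$(yml_get "$1" http.cors.enabled)" = "true" ] &&
     [ "$(yml_get "$1" http.cors.allow-origin)" = "*" ]; then
    echo "http.cors.allow-origin is \"*\": pages from any origin may call the REST API"
  fi
  return 0
}

# sample_config: excerpt of the es-node01 settings shown on this page
sample_config() {
  cat <<'EOF'
cluster.name: ES-cluster
network.host: 0.0.0.0
http.port: 19201
discovery.seed_hosts: ["192.168.121.30:19301", "192.168.121.31:19302", "192.168.121.32:19303"]
http.cors.enabled: true
http.cors.allow-origin: "*"
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
EOF
}

cfg=$(mktemp)
sample_config > "$cfg"
audit_es_config "$cfg"   # on a real node: audit_es_config /etc/elasticsearch/elasticsearch.yml
rm -f "$cfg"
```

Setting xpack.security.http.ssl.enabled to true also needs the matching HTTP keystore settings, and the Kibana and curl URLs used later on this page would then use https.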
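7. Modify the default /usr/lib/systemd/system/elasticsearch.service file. Here we add one line, LimitMEMLOCK=infinity. (This is needed because bootstrap.memory_lock: true was enabled in the configuration above; it defaults to false, and if you do not enable it you do not need to modify elasticsearch.service.)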
cat /usr/lib/systemd/system/elasticsearch.service
[Unit]
Description=Elasticsearch
Documentation=http://www.elastic.co
Wants=network-online.target
After=network-online.target
[Service]
LimitMEMLOCK=infinity
Type=notify
RuntimeDirectory=elasticsearch
PrivateTmp=true
Environment=ES_HOME=/usr/share/elasticsearch
Environment=ES_PATH_CONF=/etc/elasticsearch
Environment=PID_DIR=/var/run/elasticsearch
Environment=ES_SD_NOTIFY=true
EnvironmentFile=-/etc/sysconfig/elasticsearch
WorkingDirectory=/usr/share/elasticsearch
User=elasticsearch
Group=elasticsearch
ExecStart=/usr/share/elasticsearch/bin/elasticsearch -p ${PID_DIR}/elasticsearch.pid --quiet
# StandardOutput is configured to redirect to journalctl since
# some error messages may be logged in standard output before
# elasticsearch logging system is initialized. Elasticsearch
# stores its logs in /var/log/elasticsearch and does not use
# journalctl by default. If you also want to enable journalctl
# logging, you can simply remove the "quiet" option from ExecStart.
StandardOutput=journal
StandardError=inherit
# Specifies the maximum file descriptor number that can be opened by this process
LimitNOFILE=65535
# Specifies the maximum number of processes
LimitNPROC=4096
# Specifies the maximum size of virtual memory
LimitAS=infinity
# Specifies the maximum file size
LimitFSIZE=infinity
# Disable timeout logic and wait until process is stopped
TimeoutStopSec=0
# SIGTERM signal is used to stop the Java process
KillSignal=SIGTERM
# Send the signal only to the JVM rather than its control group
KillMode=process
# Java process is never killed
SendSIGKILL=no
# When a JVM receives a SIGTERM signal it exits with code 143
SuccessExitStatus=143
[Install]
WantedBy=multi-user.target
8. Start the elasticsearch service on node1, node2 and node3
systemctl start elasticsearch
systemctl status elasticsearch
systemctl enable elasticsearch
9. After the ES cluster has started, use the following command to initialize the password of each user; choose the passwords yourself
/usr/share/elasticsearch/bin/elasticsearch-setup-passwords interactive
Enter password for [elastic]:
Reenter password for [elastic]:
Enter password for [apm_system]:
Reenter password for [apm_system]:
Enter password for [kibana]:
Reenter password for [kibana]:
Enter password for [logstash_system]:
Reenter password for [logstash_system]:
Enter password for [beats_system]:
Reenter password for [beats_system]:
Enter password for [remote_monitoring_user]:
Reenter password for [remote_monitoring_user]:
Changed password for user [apm_system]
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [beats_system]
Changed password for user [remote_monitoring_user]
Changed password for user [elastic]
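10. Check that the cluster state is normal. A healthy cluster returns the following parameters; check that status is green (elastic:xxxxxxx is the elastic account and the password generated in step 9)
curl -XGET --user elastic:xxxxxxx "http://localhost:19201/_cluster/health?pretty"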
{
"cluster_name" : "ES-cluster",
"status" : "green",
"timed_out" : false,
"number_of_nodes" : 3,
"number_of_data_nodes" : 3,
"active_primary_shards" : 13,
"active_shards" : 23,
"relocating_shards" : 0,
"initializing_shards" : 0,
"unassigned_shards" : 0,
"delayed_unassigned_shards" : 0,
"number_of_pending_tasks" : 0,
"number_of_in_flight_fetch" : 0,
"task_max_waiting_in_queue_millis" : 0,
"active_shards_percent_as_number" : 100.0
}
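11. Modify the kibana configuration file; the account and password in the configuration file are the kibana account and password generated in step 9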
cat /etc/kibana/kibana.yml|grep -vE "^#|^$"
server.port: 5601
server.host: "0.0.0.0"
elasticsearch.hosts: ["http://192.168.121.30:19201"]
kibana.index: ".kibana"
elasticsearch.username: "kibana"
elasticsearch.password: "xxxxxxxxx"
i18n.locale: "zh-CN"
12. Start the kibana service, browse to the node where kibana runs, and log in with the elastic account and password to verify that kibana was set up successfully
systemctl start kibana
systemctl status kibana
systemctl enable kibana
Open http://192.168.121.30:5601/ in a browser
13. To be continued