• ELK集群安装


    一、Elasticsearch

    1.1 下载压缩包

    elasticsearch
    kibana
    logstash

    1.2 修改/etc/sysctl.conf

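    # Raise the mmap count limit to the value Elasticsearch expects.
    # The note sits on its own line because sysctl.conf only treats lines that
    # begin with '#' or ';' as comments; a trailing comment becomes part of the value.
    vm.max_map_count=262144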
    
    sysctl -p # reload /etc/sysctl.conf so the new value takes effect
    

    1.3 生成证书

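    cd /etc/elk/elasticsearch # directory holding the downloaded archive
    tar zxvf elasticsearch-8.5.0-linux-x86_64.tar.gz # unpack it
    cd /etc/elk/elasticsearch/elasticsearch-8.5.0 # work inside the unpacked tree
    # Create the CA. Pressing Enter at every prompt writes elastic-stack-ca.p12
    # with an empty password; that file contains the CA private key, so keep it
    # readable by the operator only and do not distribute it to the nodes.
    bin/elasticsearch-certutil ca
    chmod 600 elastic-stack-ca.p12
    # Issue the shared certificate used for transport (node-to-node) TLS.
    bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
    # Generate the HTTP-layer certificate; answer the prompts as follows:
    # n   do not create a CSR
    # y   use an existing CA
    # CA path: /etc/elk/elasticsearch/elasticsearch-8.5.0/elastic-stack-ca.p12
    # 5y  certificate validity of five years
    # enter the host names (IPs are accepted), finish with an empty line
    # enter the IP addresses for those hosts, finish with an empty line
    bin/elasticsearch-certutil http 
    unzip elasticsearch-ssl-http.zip # unpack the generated bundle
    # Copy the following files to /etc/elk/elasticsearch
    # /etc/elk/elasticsearch/elasticsearch-8.5.0/elastic-certificates.p12
    # /etc/elk/elasticsearch/elasticsearch-8.5.0/elasticsearch/http.p12
    # /etc/elk/elasticsearch/elasticsearch-8.5.0/config/elasticsearch.yml
    
    bin/elasticsearch-certutil csr --name kibana  # generate a key and CSR for Kibana
    unzip  /etc/elk/elasticsearch/elasticsearch-8.5.0/csr-bundle.zip # unpack
    # Copy the following files to /etc/elk/kibana on the Kibana host.
    # kibana.key is a private key: transfer it over an encrypted channel only.
    # /etc/elk/elasticsearch/elasticsearch-8.5.0/kibana/kibana.csr
    # /etc/elk/elasticsearch/elasticsearch-8.5.0/kibana/kibana.key
    # /etc/elk/elasticsearch/elasticsearch-8.5.0/kibana/elasticsearch-ca.pem
    
    # Copy the following file to /etc/elk/logstash on the Logstash host
    # /etc/elk/elasticsearch/elasticsearch-8.5.0/kibana/elasticsearch-ca.pem
    
    cd /etc/elk/elasticsearch/
    mkdir data # bind-mounted as the data path
    mkdir logs # bind-mounted as the log path
    # The official image runs Elasticsearch as uid 1000 / gid 0. Hand the mounts
    # to that user instead of opening them to every local account with 777,
    # which would let any user read or replace the private keys and the config.
    chown -R 1000:0 /etc/elk/elasticsearch/logs /etc/elk/elasticsearch/data
    chown 1000:0 /etc/elk/elasticsearch/http.p12 \
      /etc/elk/elasticsearch/elastic-certificates.p12 \
      /etc/elk/elasticsearch/elasticsearch.yml
    chmod 750 /etc/elk/elasticsearch/logs /etc/elk/elasticsearch/data
    chmod 600 /etc/elk/elasticsearch/http.p12 # keystore with the HTTP private key
    chmod 600 /etc/elk/elasticsearch/elastic-certificates.p12 # keystore with the transport private key
    chmod 640 /etc/elk/elasticsearch/elasticsearch.yml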
    

    1.4 elasticsearch.yml

    # Append to the end of the file; on the other hosts only the node name and IP change.
    cluster.name: elasticsearch-cluster
    node.name: elasticsearch-cluster-01
    
    path.data: /usr/share/elasticsearch/data/
    path.logs: /usr/share/elasticsearch/logs/
    
    # Binds every interface inside the container; what is reachable from outside
    # is decided by the ports published in `docker run` and by the host firewall.
    network.host: 0.0.0.0
    network.publish_host: 192.168.157.142
    
    http.port: 9200
    
    discovery.seed_hosts: ["192.168.157.142:9300", "192.168.157.143:9300"]
    cluster.initial_master_nodes: ["192.168.157.142:9300","192.168.157.143:9300"]
    
    # NOTE(review): while this is false the REST API on 9200 is served over plain
    # HTTP without authentication. Keep 9200/9300 restricted to the cluster hosts
    # until the TLS and authentication settings from section 1.6 are in place.
    xpack.security.enabled: false
    
    

    1.5 启动容器

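    docker network create elasticsearch # user-defined network, also joined by the Kibana container
    # 9200 is the REST API and 9300 the node-to-node transport port; both are
    # published on every host interface, so limit them with the host firewall.
    # The two keystores are mounted read-only: the container only has to read
    # the key material, never modify it.
    docker run -d --restart=always \
    --name elasticsearch \
    --net elasticsearch \
    -p 9200:9200 \
    -p 9300:9300 \
    -v /etc/elk/elasticsearch/logs/:/usr/share/elasticsearch/logs/ \
    -v /etc/elk/elasticsearch/data/:/usr/share/elasticsearch/data/ \
    -v /etc/elk/elasticsearch/http.p12:/usr/share/elasticsearch/config/http.p12:ro \
    -v /etc/elk/elasticsearch/elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12:ro \
    -v /etc/elk/elasticsearch/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml \
    docker.elastic.co/elasticsearch/elasticsearch:8.5.0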
    

    1.6 开启认证

    # Settings for elasticsearch.yml on every cluster node.
    # NOTE(review): section 1.4 already wrote `xpack.security.enabled: false`;
    # change that line to true instead of appending a second key. Elasticsearch
    # is expected to refuse a file that defines the same setting twice (confirm).
    xpack.security.enabled: true
    
    # TLS for the REST API on 9200. http.p12 serves as both keystore and truststore.
    xpack.security.http.ssl.enabled: true
    xpack.security.http.ssl.keystore.path: /usr/share/elasticsearch/config/http.p12
    xpack.security.http.ssl.truststore.path: /usr/share/elasticsearch/config/http.p12
    
    # TLS for node-to-node transport on 9300.
    # verification_mode "certificate" checks that the peer certificate is signed
    # by a trusted CA but does not check the host name or IP it was issued for.
    xpack.security.transport.ssl.enabled: true
    xpack.security.transport.ssl.verification_mode: certificate
    xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/elastic-certificates.p12
    xpack.security.transport.ssl.truststore.path: /usr/share/elasticsearch/config/elastic-certificates.p12
    

    1.7 配置密码

    docker restart elasticsearch # restart so the security settings are loaded
    docker exec -it elasticsearch  /bin/sh # open a shell inside the container
    cd /usr/share/elasticsearch
    # Prompts for a password for each built-in user; choose strong, distinct
    # values rather than one shared password.
    # NOTE(review): elasticsearch-setup-passwords is deprecated in 8.x in favour
    # of bin/elasticsearch-reset-password -u <user>.
    bin/elasticsearch-setup-passwords interactive # type the passwords when prompted
    


    二、Kibana

    2.1 生成证书

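    cd /etc/elk/kibana
    tar zxvf kibana-8.5.0-linux-x86_64.tar.gz
    # Self-sign the CSR with Kibana's own key. The certificate is therefore not
    # issued by the Elasticsearch CA, so browsers will not trust it until it is
    # imported, and without -days openssl gives it a validity of only 30 days.
    openssl x509 -req -in kibana.csr -signkey kibana.key -out kibana.crt
    
    mkdir -p /etc/elk/kibana/data
    # Give the mounts to the container user instead of using 777, which would let
    # any local account read or replace the TLS private key.
    # NOTE(review): the official image is understood to run as uid 1000; confirm
    # with `docker run --rm docker.elastic.co/kibana/kibana:8.5.0 id`.
    chown -R 1000 /etc/elk/kibana/data
    chown 1000 /etc/elk/kibana/kibana.crt /etc/elk/kibana/kibana.key /etc/elk/kibana/elasticsearch-ca.pem
    chmod 700 /etc/elk/kibana/data
    chmod 644 /etc/elk/kibana/kibana.crt # public certificate
    chmod 600 /etc/elk/kibana/kibana.key # private key: owner only
    chmod 644 /etc/elk/kibana/elasticsearch-ca.pem # public CA certificate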
    

    2.2 kibana.yml

    # Append to the end of kibana.yml.
    server.port: 5601
    # Listens on every interface inside the container; exposure is governed by
    # the port published in `docker run` and by the host firewall.
    server.host: "0.0.0.0"
    
    # TLS for browser-to-Kibana traffic.
    server.ssl.enabled: true
    server.ssl.certificate: /usr/share/kibana/config/kibana.crt
    server.ssl.key: /usr/share/kibana/config/kibana.key
    
    elasticsearch.hosts: ["https://192.168.157.142:9200","https://192.168.157.143:9200"]
    elasticsearch.username: "kibana_system"
    # NOTE(review): "123456" is a sample value. Use the password chosen for
    # kibana_system in section 1.7, and consider storing it with
    # bin/kibana-keystore rather than in clear text in this file.
    elasticsearch.password: "123456"
    
    # CA certificate used to verify the Elasticsearch HTTPS endpoints.
    elasticsearch.ssl.certificateAuthorities: [ "/usr/share/kibana/config/elasticsearch-ca.pem" ]
    
    i18n.locale: "zh-CN"
    
    xpack.reporting.roles.enabled: false
    

    2.3 启动容器

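    # Kibana joins the same user-defined network as Elasticsearch and publishes
    # 5601 on every host interface. The certificate, private key and CA file are
    # mounted read-only because the container only needs to read them.
    docker run -d --restart=always \
    --name kibana \
    --net elasticsearch \
    -p 5601:5601 \
    -v /etc/elk/kibana/data/:/usr/share/kibana/data/ \
    -v /etc/elk/kibana/kibana.crt:/usr/share/kibana/config/kibana.crt:ro \
    -v /etc/elk/kibana/kibana.key:/usr/share/kibana/config/kibana.key:ro \
    -v /etc/elk/kibana/elasticsearch-ca.pem:/usr/share/kibana/config/elasticsearch-ca.pem:ro \
    -v /etc/elk/kibana/kibana.yml:/usr/share/kibana/config/kibana.yml \
    docker.elastic.co/kibana/kibana:8.5.0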
    
    # 使用 elastic 123456(自己设的密码)进行登录
    


    三、Logstash

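    cd /etc/elk/logstash
    tar zxvf logstash-8.5.0-linux-x86_64.tar.gz
    mkdir pipeline
    # The pipeline directory and logstash.yml hold credentials, so give them to
    # the container user rather than making them world-writable with 777.
    # NOTE(review): the official image is understood to run as uid 1000; confirm
    # with `docker run --rm docker.elastic.co/logstash/logstash:8.5.0 id`.
    chown -R 1000 /etc/elk/logstash/pipeline
    chown 1000 /etc/elk/logstash/elasticsearch-ca.pem /etc/elk/logstash/logstash.yml
    chmod 700 /etc/elk/logstash/pipeline
    chmod 644 /etc/elk/logstash/elasticsearch-ca.pem # public CA certificate
    chmod 640 /etc/elk/logstash/logstash.yml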
    

    3.1 logstash.yml

    # Append to the end of logstash.yml.
    xpack.monitoring.enabled: true
    xpack.monitoring.elasticsearch.username: "logstash_system"
    # NOTE(review): "123456" is a sample value. Use the password chosen for
    # logstash_system, and consider keeping it in the Logstash keystore
    # (bin/logstash-keystore) and referencing it as ${NAME} instead of in clear text.
    xpack.monitoring.elasticsearch.password: "123456"
    xpack.monitoring.elasticsearch.hosts: ["https://192.168.157.142:9200", "https://192.168.157.143:9200"]
    
    # CA certificate used to verify the Elasticsearch HTTPS endpoints.
    xpack.monitoring.elasticsearch.ssl.certificate_authority: "/usr/share/logstash/elasticsearch-ca.pem"
    

    3.2 logstash.conf

    # Sample Logstash configuration for a simple
    # RabbitMQ -> Logstash -> Elasticsearch pipeline.
    
    input {
      rabbitmq {
        host => "192.168.157.142"
        port => 5672
        # NOTE(review): guest/guest is RabbitMQ's default account, which the broker
        # normally accepts from localhost only. Create a dedicated user limited to
        # this vhost rather than opening the guest account to remote hosts.
        user => "guest"
        password => "guest"
        vhost => "/"
        exchange => "logstash"
        exchange_type => "topic"
        key => "apigateway"
        durable => true
      }
    }
    
    output {
      elasticsearch {
        hosts => ["https://192.168.157.142:9200", "https://192.168.157.143:9200"]
        index => "apigateway-%{+YYYY.MM.dd}"
        # NOTE(review): "elastic" is the built-in superuser and "123456" a sample
        # password. Prefer a dedicated user whose role may only write to the
        # apigateway-* indices, with a strong password kept out of this file.
        user => "elastic"
        password => "123456"
        # CA certificate used to verify the Elasticsearch HTTPS endpoints.
        cacert => "/usr/share/logstash/elasticsearch-ca.pem"
      }
    }
    

    3.3 运行容器

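    # The CA certificate and the pipeline directory are mounted read-only:
    # Logstash only reads them, and a writable pipeline mount would let anything
    # running in the container rewrite where events are sent.
    docker run -d \
    --restart=always \
    --name logstash \
    -v /etc/elk/logstash/elasticsearch-ca.pem:/usr/share/logstash/elasticsearch-ca.pem:ro \
    -v /etc/elk/logstash/pipeline/:/usr/share/logstash/pipeline/:ro \
    -v /etc/elk/logstash/logstash.yml:/usr/share/logstash/config/logstash.yml \
    docker.elastic.co/logstash/logstash:8.5.0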
    


  • 原文地址:https://blog.csdn.net/qq_42799562/article/details/127818133