elk 集群安装

#  7.9.3 elasticsearch   logstash  kibana
#	Linux version	CentOS Linux release 7.9.2009 (Core)
[root@localhost ~]# cat /etc/redhat-release 
CentOS Linux release 7.9.2009 (Core)
es1    192.168.1.149
es2    192.168.1.145
es3    192.168.1.147

安装前配置

#  yum 设置
curl -o /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo
sed -ri 's/\$releasever/7/g' /etc/yum.repos.d/CentOS-Base.repo
yum clean all
yum install lrzsz wget vim net-tools bind-utils -y
yum install ntp -y
ntpdate cn.ntp.org.cn
setenforce 0
systemctl stop firewalld;systemctl disable firewalld
sed -ri '/^SELINUX=/cSELINUX=disabled' /etc/selinux/config

#配置hosts
[root@es1 ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.1.149 es1
192.168.1.145 es2

#es 下载
https://mirrors.aliyun.com/elasticstack/7.x/yum/7.9.3/?spm=a2c6h.25603864.0.0.69183851dogJaO

#也可以选择下载完上传上去
[root@es1 ~]# scp -r elasticsearch-7.9.3-x86_64.rpm  192.168.1.145:/root
[root@es1 ~]# scp -r elasticsearch-7.9.3-x86_64.rpm  192.168.1.147:/root

#install
#所有节点执行
 yum install elasticsearch-7.9.3-x86_64.rpm   -y
 
 #es1
 [root@es1 ~]# cat /etc/elasticsearch/elasticsearch.yml |egrep -v '^#'
node.name: es1
path.data: /var/lib/elasticsearch     #数据目录
path.logs: /var/log/elasticsearch		#日志目录
network.host: 192.168.1.149		#IP地址
http.port: 9200				#es端口号
discovery.seed_hosts: ["es1", "es2","es3"]		#发现主机
cluster.initial_master_nodes: ["es2", "es3"]		#集群

#es2
[root@es2 ~]# cat /etc/elasticsearch/elasticsearch.yml |egrep -v '^#'
node.name: es2
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 192.168.1.145
http.port: 9200
discovery.seed_hosts: ["es1", "es2","es3"]
cluster.initial_master_nodes: ["es1", "es2"]

#es3
[root@es3 ~]# cat /etc/elasticsearch/elasticsearch.yml |egrep -v '^#'
node.name: es3
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 192.168.1.147
http.port: 9200
discovery.seed_hosts: ["es1", "es2"."es3"]
cluster.initial_master_nodes: ["es1", "es2"]

生成xpack

#es ssl生成证书
[root@es1 ~]# /usr/share/elasticsearch/bin/elasticsearch-certutil ca
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.

The 'ca' mode generates a new 'certificate authority'
This will create a new X.509 certificate and private key that can be used
to sign certificate when running in 'cert' mode.

Use the 'ca-dn' option if you wish to configure the 'distinguished name'
of the certificate authority

By default the 'ca' mode produces a single PKCS#12 output file which holds:
    * The CA certificate
    * The CA's private key

If you elect to generate PEM format certificates (the -pem option), then the output will
be a zip file containing individual files for the CA certificate and private key

Please enter the desired output file [elastic-stack-ca.p12]: 
ERROR: Output file '/usr/share/elasticsearch/elastic-stack-ca.p12' already exists
[root@es1 ~]# /usr/share/elasticsearch/bin/elasticsearch-certutil ca
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.

The 'ca' mode generates a new 'certificate authority'
This will create a new X.509 certificate and private key that can be used
to sign certificate when running in 'cert' mode.

Use the 'ca-dn' option if you wish to configure the 'distinguished name'
of the certificate authority

By default the 'ca' mode produces a single PKCS#12 output file which holds:
    * The CA certificate
    * The CA's private key

If you elect to generate PEM format certificates (the -pem option), then the output will
be a zip file containing individual files for the CA certificate and private key

Please enter the desired output file [elastic-stack-ca.p12]: 
ERROR: Output file '/usr/share/elasticsearch/elastic-stack-ca.p12' already exists
[root@es1 ~]# rm -rf /usr/share/elasticsearch/elastic-stack-ca.p12 
[root@es1 ~]# /usr/share/elasticsearch/bin/elasticsearch-certutil ca
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.

The 'ca' mode generates a new 'certificate authority'
This will create a new X.509 certificate and private key that can be used
to sign certificate when running in 'cert' mode.

Use the 'ca-dn' option if you wish to configure the 'distinguished name'
of the certificate authority

By default the 'ca' mode produces a single PKCS#12 output file which holds:
    * The CA certificate
    * The CA's private key

If you elect to generate PEM format certificates (the -pem option), then the output will
be a zip file containing individual files for the CA certificate and private key

Please enter the desired output file [elastic-stack-ca.p12]:    #zip文件回车即可
Enter password for elastic-stack-ca.p12 :    #键入密码


---------------------------------------------------------------------------------------

#证书目录
[root@es1 ~]# ls /usr/share/elasticsearch/elastic-stack-ca.p12 
/usr/share/elasticsearch/elastic-stack-ca.p12
[root@es1 ~]# cd /usr/share/elasticsearch/
[root@es1 elasticsearch]# /usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca  elastic-stack-ca.p12
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.

The 'cert' mode generates X.509 certificate and private keys.
    * By default, this generates a single certificate and key for use
       on a single instance.
    * The '-multiple' option will prompt you to enter details for multiple
       instances and will generate a certificate and key for each one
    * The '-in' option allows for the certificate generation to be automated by describing
       the details of each instance in a YAML file

    * An instance is any piece of the Elastic Stack that requires an SSL certificate.
      Depending on your configuration, Elasticsearch, Logstash, Kibana, and Beats
      may all require a certificate and private key.
    * The minimum required value for each instance is a name. This can simply be the
      hostname, which will be used as the Common Name of the certificate. A full
      distinguished name may also be used.
    * A filename value may be required for each instance. This is necessary when the
      name would result in an invalid file or directory name. The name provided here
      is used as the directory name (within the zip) and the prefix for the key and
      certificate files. The filename is required if you are prompted and the name
      is not displayed in the prompt.
    * IP addresses and DNS names are optional. Multiple values can be specified as a
      comma separated string. If no IP addresses or DNS names are provided, you may
      disable hostname verification in your SSL configuration.

    * All certificates generated by this tool will be signed by a certificate authority (CA).
    * The tool can automatically generate a new CA for you, or you can provide your own with the
         -ca or -ca-cert command line options.

By default the 'cert' mode produces a single PKCS#12 output file which holds:
    * The instance certificate
    * The private key for the instance certificate
    * The CA certificate

If you specify any of the following options:
    * -pem (PEM formatted output)
    * -keep-ca-key (retain generated CA key)
    * -multiple (generate multiple certificates)
    * -in (generate certificates from an input file)
then the output will be be a zip file containing individual certificate/key files

Enter password for CA (elastic-stack-ca.p12) :    #输入上次键入的密码  如果上次是直接回车 这次也回车即可
Please enter the desired output file [elastic-certificates.p12]: 
Enter password for elastic-certificates.p12 :      #同上

Certificates written to /usr/share/elasticsearch/elastic-certificates.p12

This file should be properly secured as it contains the private key for 
your instance.

This file is a self contained file and can be copied and used 'as is'
For each Elastic product that you wish to configure, you should copy
this '.p12' file to the relevant configuration directory
and then follow the SSL configuration instructions in the product guide.

For client applications, you may only need to copy the C

# 证书复制
mkdir /etc/elasticsearch/certs/
cp  /usr/share/elasticsearch/*.p12  /etc/elasticsearch/certs/
chown -R elasticsearch:elasticsearch /etc/elasticsearch/certs/
scp -rp /etc/elasticsearch/certs/ 192.168.1.145:/etc/elasticsearch/certs/
scp -rp /etc/elasticsearch/certs/ 192.168.1.147:/etc/elasticsearch/certs/

#所有节点配置xpack   e主配置文件添加即可
xpack.security.enabled: true 
xpack.security.transport.ssl.enabled: true 
xpack.security.transport.ssl.verification_mode: certificate 
xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/certs/elastic-stack-ca.p12 
xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/certs/elastic-stack-ca.p12 


#重启es
systemctl enable elasticsearch
systemctl restart elasticsearch

#如果节点证书配置密码的话，这里要加入密码库  我们上面配置了密码 所以这里需要加入
[root@es1 elasticsearch]# /usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
Enter value for xpack.security.transport.ssl.keystore.secure_password: 

[root@es1 elasticsearch]# /usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
Enter value for xpack.security.transport.ssl.truststore.secure_password: 

xpack密码初始化

#初始化es密码
[root@es1 elasticsearch]# 
[root@es1 elasticsearch]# /usr/share/elasticsearch/bin/elasticsearch-setup-passwords interactive
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,kibana_system,logstash_system,beats_system,remote_monitoring_user.
You will be prompted to enter passwords as the process progresses.
Please confirm that you would like to continue [y/N]y


Enter password for [elastic]: 
Reenter password for [elastic]: 
Enter password for [apm_system]: 
Reenter password for [apm_system]: 
Enter password for [kibana_system]: 
Reenter password for [kibana_system]: 
Enter password for [logstash_system]: 
Reenter password for [logstash_system]: 
Enter password for [beats_system]: 
Reenter password for [beats_system]: 
Enter password for [remote_monitoring_user]: 
Reenter password for [remote_monitoring_user]: 
Changed password for user [apm_system]
Changed password for user [kibana_system]
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [beats_system]
Changed password for user [remote_monitoring_user]
Changed password for user [elastic]

#查看节点 输入上次初始化后的密码
[root@es1 elasticsearch]# !curl
curl http://192.168.1.149:9200/_cat/nodes?v -u elastic
Enter host password for user 'elastic':
ip            heap.percent ram.percent cpu load_1m load_5m load_15m node.role master name
192.168.1.149           29          94   4    0.12    0.18     0.28 dilmrt    -      es1
192.168.1.145           33          66  10    0.20    0.36     0.23 dilmrt    *      es2
192.168.1.147           28          66  12    0.17    0.24     0.17 dilmrt    -      es3

kibana安装

#kibana 配置 
[root@es1 elasticsearch]# cat /etc/kibana/kibana.yml |egrep -v '^#'|grep -v '^$'
server.port: 5601 	#监听端口
server.host: "192.168.1.149"		#ip地址
server.name: "es1"		#域名
elasticsearch.hosts: ["http://192.168.1.149:9200"]	#es地址
kibana.index: ".kibana"
elasticsearch.username: "elastic"	#xpack账户
elasticsearch.password: "shanyao"	#xpack密码

#启动kibana
systemctl start kibana
systemctl enable kibana
#查看端口
[root@es1 elasticsearch]# netstat -antup|grep 5601
tcp        0      0 192.168.1.149:5601      0.0.0.0:*               LISTEN      16737/node      

#没起来可以查看es日志

logstash安装

#安装jdk
yum install java-1.8.0-openjdk -y
yum install logstash-7.9.3.rpm -y 
#主配置文件存在于/etc/logstash/     logstash-sample.conf 过滤的文件模板    logstash.yml主配置文件 命令在/usr/share/logstash/bin/ 下
[root@es1 ~]# ls /etc/logstash/
conf.d/               jvm.options           log4j2.properties     logstash-sample.conf  logstash.yml          pipelines.yml         startup.options    
#配置
[root@es1 ~]# cat /etc/logstash/logstash.yml |egrep -v '^$|^#'
path.data: /var/lib/logstash      
pipeline.ordered: auto
path.logs: /var/log/logstash
xpack.monitoring.enabled: enable    #开启xpack
xpack.monitoring.elasticsearch.username: "elastic"   #用户名
xpack.monitoring.elasticsearch.password: "shanyao"	#密码
xpack.monitoring.elasticsearch.hosts: ["https://es1:9200", "https://es2:9200"]   #监听的es

#过滤文件模板
[root@es1 ~]# cat /etc/logstash/logstash-sample.conf |egrep -v '^$|^#'
input {
  beats {
    port => 5044
  }
}
output {
  elasticsearch {
    hosts => ["http://192.168.1.149:9200"]
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    user => "elastic"
    password => "shanyao"
  }
}


#查询服务
[root@es1 ~]# !net
netstat -antup|grep 5044
tcp6       0      0 :::5044                 :::*                    LISTEN      21903/java