# yum install -y java
# wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-6.2.4.rpm
# wget https://artifacts.elastic.co/downloads/kibana/kibana-6.2.4-x86_64.rpm
# wget https://artifacts.elastic.co/downloads/logstash/logstash-6.2.4.rpm
Before starting, a few more things need to be set up:
# ulimit -a
core file size          (blocks, -c) 0
data seg size           (kbytes, -d) unlimited
scheduling priority             (-e) 0
file size               (blocks, -f) unlimited
pending signals                 (-i) 15101
max locked memory       (kbytes, -l) 64
max memory size         (kbytes, -m) unlimited
open files                      (-n) 65536
pipe size            (512 bytes, -p) 8
POSIX message queues     (bytes, -q) 819200
real-time priority              (-r) 0
stack size              (kbytes, -s) 8192
cpu time               (seconds, -t) unlimited
max user processes              (-u) 15101
virtual memory          (kbytes, -v) unlimited
file locks                      (-x) unlimited
# tail /etc/security/limits.conf    //append at the end of the file
elasticsearch    soft    memlock        unlimited
elasticsearch    hard    memlock        unlimited
*        soft    nofile        65536
*        hard    nofile        65536
Or, for the current shell only, use:
# ulimit -u 4096        //Elasticsearch 6.x's bootstrap check wants at least 4096 processes/threads per user (the 15101 shown above already satisfies it; 2048 would fail the check)
# ulimit -n 65536
# sysctl -w vm.max_map_count=262144        //not persistent across reboots; also add vm.max_map_count=262144 to /etc/sysctl.conf
ulimit only changes the shell it runs in and limits.conf only applies to login sessions; an Elasticsearch started by systemd takes its limits from the unit file, and the RPM's unit already sets LimitNOFILE=65536 and LimitNPROC=4096.
These two heap settings are already there by default; leave them as they are (keep -Xms equal to -Xmx, and no larger than half the machine's RAM):
# egrep '^-Xm'  /etc/elasticsearch/jvm.options
-Xms2g
-Xmx2g
Next, install x-pack:
# /usr/share/elasticsearch/bin/elasticsearch-plugin install x-pack
# /usr/share/kibana/bin/kibana-plugin install x-pack
# /usr/share/logstash/bin/logstash-plugin install x-pack
# grep '^[a-zA-Z]' /etc/elasticsearch/elasticsearch.yml
cluster.name: EsForTest
node.name: EsForTestnode01
path.data: /data-es
path.logs: /var/log/elasticsearch/
network.host: 10.138.0.2
# bootstrap.memory_lock: true        //Pitfall 1: in production, on a box with 5 GB of RAM or more, enable this; with little memory leave it off or startup fails. What actually fails is the "memory is not locked" bootstrap check: the memlock lines in limits.conf only reach login shells, so a systemd-started Elasticsearch also needs LimitMEMLOCK=infinity in a unit drop-in (systemctl edit elasticsearch)
http.port: 9200
http.cors.enabled: true
http.cors.allow-origin: "*"        //a wildcard origin lets any web page an admin's browser visits send requests to the cluster; CORS is only needed for browser-side tools such as head, so restrict allow-origin to that tool's origin or leave CORS disabled
Then set the passwords (everything below talks plain http://, so these passwords cross the wire as cleartext Basic auth; outside a lab, turn on TLS for the HTTP layer with xpack.security.http.ssl.enabled before relying on them):
# /usr/share/elasticsearch/bin/x-pack/setup-passwords interactive
Then it errored out:
Pitfall 2: Your Kibana index is out of date, reset it or use the X-Pack upgrade assistant.
Since it is about an index, let's look at the indices (passing the password with -u puts it in shell history and in ps output; -u elastic alone makes curl prompt for it):
# curl -u elastic:Admin~123 -XGET 'http://10.138.0.2:9200/_cat/indices'                       
red    open  .kibana                           UwLM3JabQw69XZA-SaiEag 1 0     1  0    230b    230b                             
There is a .kibana index in red state; since it was carried over from an upgrade, delete it (this wipes every saved object in Kibana, dashboards, visualizations and index patterns included, so only do it when nothing in there is worth keeping; otherwise use the upgrade assistant the message points at):
# curl -u elastic:Admin~123 -XDELETE 'http://10.138.0.2:9200/.kibana'
# systemctl restart kibana
Back to normal.
Next install x-pack for Logstash, then the config file:
# /usr/share/logstash/bin/logstash-plugin install x-pack
# grep '^[a-zA-Z]' /etc/logstash/logstash.yml
path.data: /var/lib/logstash
path.config: /etc/logstash/conf.d
path.logs: /var/log/logstash
xpack.monitoring.enabled: true
xpack.monitoring.elasticsearch.url: "http://10.138.0.2:9200"
xpack.monitoring.elasticsearch.username: "logstash_system"
xpack.monitoring.elasticsearch.password: "Admin~123"        //secret in cleartext in the settings file; Logstash 6.2 and later ship bin/logstash-keystore, so store it there and reference it here as "${LOGSTASH_SYSTEM_PW}"
Pitfall 3:
WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults
Fix: point Logstash at the settings directory explicitly:
# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/test-5.x.conf --path.settings=/etc/logstash
# cat /etc/logstash/conf.d/test-5.x.conf
# Author:Timor
# Date:20180621
# Usage: Build for test elk-5.x
 
input{
    stdin{}
}
filter{ }
output{
    elasticsearch {
        hosts => ["10.138.0.2:9200"]
        index => "system-log-%{+YYYY.MM.dd}"   # dd is day of month; the original DD is Joda day-of-year, which is why the index turns up below as 2018.07.186
        user => 'elastic'                       # the superuser; a role limited to write/create_index on system-log-* is all this output needs
        password => 'Admin~123'                 # cleartext in conf.d; bin/logstash-keystore plus "${VAR}" keeps it out of the file
    }
}
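The pipeline above writes as elastic, the superuser, with the password pasted into the file. Here is an added example (my code, not from the original post or from Elastic) that provisions a least-privilege writer through the x-pack 6.x security API instead: a role limited to write/delete/create_index on the pipeline's own indices, and a user carrying only that role. The role and user names (logstash_writer, logstash_internal), the index patterns and the cluster URL are assumptions; the script builds the requests and only sends them when both passwords are present in the environment.

```python
"""Provision a least-privilege Logstash writer on an x-pack 6.x cluster.

Added example; not code from the original post. The security API paths
(/_xpack/security/role/<name>, /_xpack/security/user/<name>) are the 6.x
ones; the role/user names, index patterns and ES_URL are assumptions.
"""
import base64
import json
import os
import urllib.request

ES_URL = "http://10.138.0.2:9200"        # cluster address used on the page

ROLE_NAME = "logstash_writer"            # assumed names
USER_NAME = "logstash_internal"


def basic_auth_header(user, password):
    """Value for an HTTP Basic Authorization header."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


def build_request(method, path, body, user, password, base_url=ES_URL):
    """Build an authenticated JSON request. Content-Type is always set:
    6.x rejects bodies without it (the 406 seen in pitfall 5)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(base_url + path, data=data, method=method)
    req.add_header("Content-Type", "application/json")
    req.add_header("Authorization", basic_auth_header(user, password))
    return req


def logstash_writer_role(index_patterns):
    """Exactly what an indexing pipeline needs and nothing else: write,
    delete and create_index on its own indices, plus template management
    and monitor at cluster level."""
    return {
        "cluster": ["manage_index_templates", "monitor"],
        "indices": [{
            "names": list(index_patterns),
            "privileges": ["write", "delete", "create_index"],
        }],
    }


def logstash_user(role_name, password):
    """A user that carries only the writer role."""
    return {"password": password, "roles": [role_name],
            "full_name": "Internal Logstash user"}


def provision(admin_user, admin_password, writer_password,
              index_patterns=("system-log-*", "cisco-*")):
    """Return the two PUT requests that create the role and the user."""
    role_req = build_request("PUT", f"/_xpack/security/role/{ROLE_NAME}",
                             logstash_writer_role(index_patterns),
                             admin_user, admin_password)
    user_req = build_request("PUT", f"/_xpack/security/user/{USER_NAME}",
                             logstash_user(ROLE_NAME, writer_password),
                             admin_user, admin_password)
    return [role_req, user_req]


def send_all(requests):
    """Send the requests in order; returns the HTTP status codes."""
    statuses = []
    for req in requests:
        with urllib.request.urlopen(req) as resp:
            statuses.append(resp.status)
    return statuses


if __name__ == "__main__":
    # Passwords come from the environment, not argv or a config file, so
    # they stay out of shell history and ps output. Without them this is
    # a dry run that only prints what would be sent.
    admin_pw = os.environ.get("ES_ADMIN_PW", "")
    writer_pw = os.environ.get("LS_WRITER_PW", "")
    reqs = provision("elastic", admin_pw, writer_pw)
    for r in reqs:
        print(r.get_method(), r.full_url, r.data.decode())
    if admin_pw and writer_pw:
        print(send_all(reqs))
```

Once the user exists, the output block becomes user => "logstash_internal" with the password added through bin/logstash-keystore add LS_WRITER_PW and referenced as password => "${LS_WRITER_PW}", so no secret sits in conf.d and a leaked pipeline file no longer hands out the superuser.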
Pitfall 4: the newly created index does not show up in Kibana. (Look at the name it got: DD in %{+YYYY.MM.DD} is Joda day-of-year, so 5 July became 2018.07.186; the pattern wants dd.)
# curl -u elastic:Admin~123 -XGET 'http://10.138.0.2:9200/_cat/indices'
yellow open  system-log-2018.07.186            eKDJE9eCTUWUUXikmgdZ8A 5 1     2  0  10.6kb  10.6kb
       close .watcher-history-6-2018.07.04     mdqzUgxzRb6Ys_D4TdmQCQ                             
Pitfall 5: clicking Monitoring says a license is required. Following the site's instructions I downloaded a JSON license file and loaded it, which errored:
# curl -XPUT 'http://10.138.0.2:9200/_xpack/license?acknowledge=true' -u elastic:Admin~123 -d @/packets/kid-shen-372fc75b-e60e-4b14-8853-d9846334c9c3-v5.json
{"error":"Content-Type header [application/x-www-form-urlencoded] is not supported","status":406}
Fix: tell Elasticsearch the body is JSON (6.x refuses requests without a Content-Type, and curl's -d defaults to application/x-www-form-urlencoded):
# curl -XPUT 'http://10.138.0.2:9200/_xpack/license?acknowledge=true' -u elastic:Admin~123 -d @/packets/kid-shen-372fc75b-e60e-4b14-8853-d9846334c9c3-v5.json -H 'Content-Type: application/json'
Then back to Kibana to look at the indices:
They show up, so it must have been the license. The license matters.
Next, create the index pattern and things work normally:
Pitfall 6: [2018-07-11T02:25:12,247][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"SG200-2018.07.11", :_type=>"doc", :_routing=>nil}, #<LogStash::Event:0x9232dbf>], :response=>{"index"=>{"_index"=>"SG200-2018.07.11", "_type"=>"doc", "_id"=>nil, "status"=>400, "error"=>{"type"=>"invalid_index_name_exception", "reason"=>"Invalid index name [SG200-2018.07.11], must be lowercase", "index_uuid"=>"_na_", "index"=>"SG200-2018.07.11"}}}}
Fix:
# cat /etc/logstash/conf.d/collect-log-cisco-SG200-test.conf
...
    elasticsearch{
        hosts => ["104.196.229.34:9200"]
        index => "cisco-%{+YYYY.MM.dd}"        # must be lowercase (and dd, day of month, not DD, day of year)
    }
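Both index-name problems on this page (the DD day-of-year token that produced 2018.07.186, and the uppercase SG200- name Elasticsearch rejected) are visible before any event is shipped if the output's index pattern is rendered and checked in advance. Here is an added example that does that (my code, not the author's and not Logstash's): it expands the common Joda tokens Logstash accepts inside %{+...} the way Logstash would for an event timestamp, then applies Elasticsearch's index-name rules. SAMPLE_DATE is 5 July 2018, chosen to reproduce the .186 name; the token table covers only the tokens listed, not all of Joda.

```python
"""Pre-flight check for a Logstash elasticsearch-output index pattern.

Added example; not code from the original post. It expands the Joda-style
date tokens Logstash accepts inside %{+...} (only the common ones in
JODA_TOKENS) and applies Elasticsearch's index-name rules, so both traps
on this page (DD instead of dd, uppercase names) are caught before a
single event is sent.
"""
import datetime
import re

# Joda-Time tokens -> strftime. The trap: DD is day-of-year in Joda,
# dd is day-of-month.
JODA_TOKENS = {
    "YYYY": "%Y", "yyyy": "%Y", "MM": "%m", "dd": "%d", "DD": "%j",
    "HH": "%H", "mm": "%M", "ss": "%S",
}
_TOKEN_RE = re.compile("|".join(sorted(JODA_TOKENS, key=len, reverse=True)))
_SPRINTF_RE = re.compile(r"%\{\+([^}]*)\}")

# Characters Elasticsearch refuses in an index name (':' included: only
# deprecated in 6.x, refused since 7.0).
INVALID_CHARS = set('\\/*?"<>| ,#:')

# 5 July 2018 (day 186 of the year), the date behind the page's .186 index.
SAMPLE_DATE = datetime.datetime(2018, 7, 5, 12, 0, 0,
                                tzinfo=datetime.timezone.utc)


def render_index_name(pattern, when):
    """Expand every %{+FORMAT} in a Logstash index pattern for datetime `when`.
    Logstash uses the event's @timestamp, which is UTC, so pass a UTC time."""
    def expand(match):
        fmt = match.group(1).replace("%", "%%")          # keep literal '%'
        fmt = _TOKEN_RE.sub(lambda t: JODA_TOKENS[t.group(0)], fmt)
        return when.strftime(fmt)
    return _SPRINTF_RE.sub(expand, pattern)


def index_name_problems(name):
    """Rules from Elasticsearch's index-name validation. Returns the list
    of rules `name` breaks; an empty list means the name is acceptable."""
    if not name:
        return ["must not be empty"]
    problems = []
    if name in (".", ".."):
        problems.append("must not be '.' or '..'")
    if name != name.lower():
        problems.append("must be lowercase")
    bad = sorted(INVALID_CHARS & set(name))
    if bad:
        problems.append("must not contain " + " ".join(repr(c) for c in bad))
    if name[0] in "-_+":
        problems.append("must not start with '_', '-' or '+'")
    if len(name.encode("utf-8")) > 255:
        problems.append("must not be longer than 255 bytes")
    return problems


def check_pattern(pattern, when=None):
    """Render `pattern` for `when` (default: now, UTC) and validate it.
    Returns (rendered_name, problems)."""
    when = when or datetime.datetime.now(datetime.timezone.utc)
    name = render_index_name(pattern, when)
    return name, index_name_problems(name)


if __name__ == "__main__":
    for pat in ("system-log-%{+YYYY.MM.DD}", "system-log-%{+YYYY.MM.dd}",
                "SG200-%{+YYYY.MM.dd}", "cisco-%{+YYYY.MM.dd}"):
        name, problems = check_pattern(pat, SAMPLE_DATE)
        print(f"{pat:30} -> {name:25} {problems or 'OK'}")
```

Run check_pattern over every index => value in conf.d before restarting Logstash; a name that fails here would otherwise only surface as a 400 per event in the Logstash log, after the pipeline is already live.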