ELK 的坑实在太多了,自己在物理机(多台)逐渐摸索的,安装最新版本的记录
ELK安装:
版本: 8.9.0
准备:
更新apt:
命令行 apt-get update
命令行 apt-get upgrade
命令行 apt-get install unzip
JDK安装:
- 1查看JDK版本: 命令行 apt search openjdk
- 2安装JDK: 命令行 apt install openjdk-21-jdk -y (找一个最高的来安装)
创建ELK目录:
命令行 mkdir -p /iscsi/elk
命令行 mkdir -p /iscsi/elk/elasticsearch
命令行 mkdir -p /iscsi/elk/elasticsearch/data
命令行 mkdir -p /iscsi/elk/elasticsearch/logs
命令行 mkdir -p /iscsi/elk/elasticsearch/plugins
命令行 mkdir -p /iscsi/elk/kibana
命令行 mkdir -p /iscsi/elk/kibana/config
命令行 mkdir -p /iscsi/elk/kibana/data
命令行 mkdir -p /iscsi/elk/kibana/logs
命令行 mkdir -p /iscsi/elk/logstash
命令行 mkdir -p /iscsi/elk/logstash/config
命令行 mkdir -p /iscsi/elk/logstash/logs
命令行 mkdir -p /iscsi/elk/logstash/pipeline
文件夹提权:
命令行 chmod 777 -R /iscsi/elk/*
创建用户和组:
1查看用户: 命令行 cat /etc/passwd
2查看组: 命令行 cat /etc/group
3修改原来uid为1000的用户: 命令行 usermod -u 1001 tonywoo
4新建elasticsearch 用户: 命令行 useradd -u 1000 -g root elasticsearch ??useradd -u 1000 -g tonywoo elasticsearch
6新建组: 命令行 groupadd elasticsearch
5修改elasticsearch 用户密码: 命令行 passwd elasticsearch
设置目录权限:
1设置目录拥有者: 命令行 chown -R elasticsearch:root /iscsi/elk/elasticsearch/
2设置目录拥有组: 命令行 chgrp -R 0 /iscsi/elk/elasticsearch
3备注: /iscsi/elk/elasticsearch 下的子目录的拥有者都要设置为 elasticsearch 这个用户
内存设置:
- 1查看用户内存权限: 命令行 sysctl -a|grep vm.max_map_count
- 2设置用户内存权限: 命令行 vim /etc/sysctl.conf
- 3禁止内存与硬盘交换: vm.swappiness=1
- 4配置最大映射数量: vm.max_map_count=262144
- 5使配置生效: 退出vim,命令行 sysctl -p
修改打开文件数:
- 1进入文件: 命令行 vim /etc/security/limits.conf
- 2追加内容:
`
# elasticsearch是用户,也可以使用*代替所有用户)
elasticsearch soft nofile 65536
elasticsearch hard nofile 65536
#内存锁定交换
soft memlock unlimited
hard memlock unlimited
`
查看docker网络: 命令行 docker network list
开始:
新建docker-compose文件: 命令行 touch /iscsi/elk/docker-compose-elk.yml
修改docker-compose文件如下:
`
version: '3.7'
services:
elasticsearch:
image: elasticsearch:8.9.0
container_name: elasticsearch
hostname: elasticsearch
restart: "no"
volumes:
- /etc/localtime:/etc/localtime
#- /iscsi/elk/elasticsearch/data:/usr/share/elasticsearch/data:rw
#- /iscsi/elk/elasticsearch/config:/usr/share/elasticsearch/config:rw
#- /iscsi/elk/elasticsearch/logs:/usr/share/elasticsearch/logs:rw
#- /iscsi/elk/elasticsearch/plugins:/usr/share/elasticsearch/plugins:rw
environment:
- TZ="Asia/Shanghai"
- ES_JAVA_OPTS=-Xms512m -Xmx512m
- discovery.type=single-node
ports:
- "9200:9200"
- "9300:9300"
networks:
elastic:
ipv4_address: 172.99.0.2
aliases:
- elasticsearch
kibana:
image: kibana:8.9.0
container_name: kibana
hostname: kibana
restart: "no"
volumes:
- /etc/localtime:/etc/localtime
#- /iscsi/elk/kibana/data:/usr/share/kibana/data:rw
#- /iscsi/elk/kibana/config:/usr/share/kibana/config:rw
#- /iscsi/elk/kibana/logs:/usr/share/kibana/logs:rw
ports:
- 5601:5601
depends_on:
- elasticsearch
networks:
elastic:
ipv4_address: 172.99.0.3
aliases:
- kibana
logstash:
image: logstash:8.9.0
container_name: logstash
hostname: logstash
restart: "no"
volumes:
- /etc/localtime:/etc/localtime
#- /iscsi/elk/logstash/config:/usr/share/logstash/config:rw
#- /iscsi/elk/logstash/logs:/usr/share/logstash/logs:rw
#- /iscsi/elk/logstash/pipeline:/usr/share/logstash/pipeline:rw
ports:
- 5044:5044
- 9066:9066
- 21068:21068
- "5000:5000/tcp"
- "5000:5000/udp"
depends_on:
- elasticsearch
networks:
elastic:
ipv4_address: 172.99.0.4
aliases:
- logstash
##自定义网络
networks:
elastic:
ipam:
driver: default
config:
- subnet: 172.99.0.0/16
`
上面带有#号 的后面要解除
首次启动: /iscsi/elk下执行 命令行 docker-compose -f docker-compose-elk.yml up -d
复制容器内目录到宿主机:
命令行 docker cp elasticsearch:/usr/share/elasticsearch/config /iscsi/elk/elasticsearch/
命令行 docker cp kibana:/usr/share/kibana/config /iscsi/elk/kibana/
命令行 docker cp logstash:/usr/share/logstash/config /iscsi/elk/logstash/
命令行 docker cp logstash:/usr/share/logstash/pipeline /iscsi/elk/logstash/
命令行 chmod 777 -R /iscsi/elk/kibana/*
命令行 chmod 777 -R /iscsi/elk/logstash/*
命令行 chown -R elasticsearch:root /iscsi/elk/elasticsearch/config/
命令行 chown -R elasticsearch:root /iscsi/elk/elasticsearch/config/certs/
修改elasticsearch的jvm文件:
打开 /iscsi/elk/elasticsearch/config/jvm.options添加下面两项
命令行 vim /iscsi/elk/elasticsearch/config/jvm.options
`
-Xms512m
-Xmx512m
`
修改logstash的jvm文件:
打开 /iscsi/elk/logstash/config/jvm.options添加下面两项
命令行 vim /iscsi/elk/logstash/config/jvm.options 修改如下
#-Xms1g 改为 -Xms512m
#-Xmx1g 改为 -Xmx512m
放开注释: 放开docker-compose-elk.yml文件内挂载数据卷的注释
命令行 cd /iscsi/elk
命令行 docker-compose -f docker-compose-elk.yml stop
命令行 docker-compose -f docker-compose-elk.yml rm
命令行 docker-compose -f docker-compose-elk.yml up -d
配置SSL:
设置目录拥有者:
命令行 chown -R elasticsearch:root /iscsi/elk/elasticsearch/config/*
命令行 chown -R elasticsearch:root /iscsi/elk/elasticsearch/config/certs/*
进入elasticsearch容器:
命令行 docker exec -it elasticsearch /bin/bash
生成elastic-stack-ca.p12文件:
命令行 ./bin/elasticsearch-certutil ca
需要在 `Enter password for elastic-stack-ca.p12:` 哪里设置密码
生成elastic-certificates.p12:
命令行 ./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
`Enter password for CA(elastic-stack-ca.p12):`后输入 elastic-stack-ca.p12设置的密码
复制文件到config文件夹:
命令行 mv elastic-certificates.p12 config/certs/
命令行 mv elastic-stack-ca.p12 ./config/
备注 开放了docker-compose-elk.yml的注释复制文件到config宿主机文件夹会同时改变;elastic-stack-ca.p12文件后续也需要用到
设置文件拥有权:
退出容器
命令行 chmod 777 /iscsi/elk/elasticsearch/*
命令行 chmod 777 /iscsi/elk/elasticsearch/config/*
命令行 chmod 777 /iscsi/elk/elasticsearch/config/certs/*
命令行 chown -R elasticsearch:root /iscsi/elk/elasticsearch/*
设置elasticsearch.yml配置文件:
命令行 vim /iscsi/elk/elasticsearch/config/elasticsearch.yml
修改为如下
`
# Enable encryption and mutual authentication between cluster nodes
xpack.security.transport.ssl:
enabled: true
verification_mode: certificate
keystore.path: certs/elastic-certificates.p12
truststore.path: certs/elastic-certificates.p12
`
修改密码:
如果certificate设置了密码,需要执行一下两个命令
退回到容器根目录
命令行 ./bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
命令行 ./bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
备注 这个密码就是 elastic-certificates.p12 文件设置的密码
重启elasticsearch容器:
docker restart elasticsearch
配置elasticsearch和kibana开启https访问:
进入elasticsearch容器:
命令行 docker exec -it elasticsearch /bin/bash
生成elasticsearch-ssl-http.zip:
命令行 ./bin/elasticsearch-certutil http
操作如下
## Elasticsearch HTTP Certificate Utility
The 'http' command guides you through the process of generating certificates
for use on the HTTP (Rest) interface for Elasticsearch.
This tool will ask you a number of questions in order to generate the right
set of files for your needs.
## Do you wish to generate a Certificate Signing Request (CSR)?
A CSR is used when you want your certificate to be created by an existing
Certificate Authority (CA) that you do not control (that is, you don't have
access to the keys for that CA).
If you are in a corporate environment with a central security team, then you
may have an existing Corporate CA that can generate your certificate for you.
Infrastructure within your organisation may already be configured to trust this
CA, so it may be easier for clients to connect to Elasticsearch if you use a
CSR and send that request to the team that controls your CA.
If you choose not to generate a CSR, this tool will generate a new certificate
for you. That certificate will be signed by a CA under your control. This is a
quick and easy way to secure your cluster with TLS, but you will need to
configure all your clients to trust that custom CA.
## 生成CSR 输入n
Generate a CSR? [y/N]n
## Do you have an existing Certificate Authority (CA) key-pair that you wish to use to sign your certificate?
If you have an existing CA certificate and key, then you can use that CA to
sign your new http certificate. This allows you to use the same CA across
multiple Elasticsearch clusters which can make it easier to configure clients,
and may be easier for you to manage.
If you do not have an existing CA, one will be generated for you.
## 是否使用存在的ca 输入y(在基础配置时生成了)
Use an existing CA? [y/N]y
## What is the path to your CA?
Please enter the full pathname to the Certificate Authority that you wish to
use for signing your new http certificate. This can be in PKCS#12 (.p12), JKS
(.jks) or PEM (.crt, .key, .pem) format.
## 输入ca文件的地址
CA Path: /usr/share/elasticsearch/config/elastic-stack-ca.p12
Reading a PKCS12 keystore requires a password.
It is possible for the keystore's password to be blank,
in which case you can simply press <ENTER> at the prompt
## 输入文件设置的密码
Password for elastic-stack-ca.p12:
## How long should your certificates be valid?
Every certificate has an expiry date. When the expiry date is reached clients
will stop trusting your certificate and TLS connections will fail.
Best practice suggests that you should either:
(a) set this to a short duration (90 - 120 days) and have automatic processes
to generate a new certificate before the old one expires, or
(b) set it to a longer duration (3 - 5 years) and then perform a manual update
a few months before it expires.
You may enter the validity period in years (e.g. 3Y), months (e.g. 18M), or days (e.g. 90D)
## 设置过期时间
For how long should your certificate be valid? [5y] 10y
## Do you wish to generate one certificate per node?
If you have multiple nodes in your cluster, then you may choose to generate a
separate certificate for each of these nodes. Each certificate will have its
own private key, and will be issued for a specific hostname or IP address.
Alternatively, you may wish to generate a single certificate that is valid
across all the hostnames or addresses in your cluster.
If all of your nodes will be accessed through a single domain
(e.g. node01.es.example.com, node02.es.example.com, etc) then you may find it
simpler to generate one certificate with a wildcard hostname (*.es.example.com)
and use that across all of your nodes.
However, if you do not have a common domain name, and you expect to add
additional nodes to your cluster in the future, then you should generate a
certificate per node so that you can more easily generate new certificates when
you provision new nodes.
## 是否为每一个节点生成证书 输入n
Generate a certificate per node? [y/N]n
## Which hostnames will be used to connect to your nodes?
These hostnames will be added as "DNS" names in the "Subject Alternative Name"
(SAN) field in your certificate.
You should list every hostname and variant that people will use to connect to
your cluster over http.
Do not list IP addresses here, you will be asked to enter them later.
If you wish to use a wildcard certificate (for example *.es.example.com) you
can enter that here.
## 节点的hostname,设置为elasticsearch,敲两次回车
Enter all the hostnames that you need, one per line.
When you are done, press <ENTER> once more to move on to the next step.
elasticsearch
You entered the following hostnames.
- elasticsearch
## 配置是否正确
Is this correct [Y/n]y
## Which IP addresses will be used to connect to your nodes?
If your clients will ever connect to your nodes by numeric IP address, then you
can list these as valid IP "Subject Alternative Name" (SAN) fields in your
certificate.
If you do not have fixed IP addresses, or not wish to support direct IP access
to your cluster then you can just press <ENTER> to skip this step.
## 节点的ip(可以在宿主机通过命令docker inspect elasticsearch查看),设置为172.99.0.2,敲两次回车
Enter all the IP addresses that you need, one per line.
When you are done, press <ENTER> once more to move on to the next step.
172.99.0.2
You entered the following IP addresses.
- 172.99.0.2
## 配置是否正确
Is this correct [Y/n]y
## Other certificate options
The generated certificate will have the following additional configuration
values. These values have been selected based on a combination of the
information you have provided above and secure defaults. You should not need to
change these values unless you have specific requirements.
Key Name: elasticsearch
Subject DN: CN=elasticsearch
Key Size: 2048
## 是否更改任意项
Do you wish to change any of these options? [y/N]n
## What password do you want for your private key(s)?
Your private key(s) will be stored in a PKCS#12 keystore file named "http.p12".
This type of keystore is always password protected, but it is possible to use a
blank password.
If you wish to use a blank password, simply press <enter> at the prompt below.
## 输入生成文件的密码(可不设置,设置需要在后面进行配置)
Provide a password for the "http.p12" file: [<ENTER> for none]
## 再次输入生成文件的密码
Repeat password to confirm:
## Where should we save the generated files?
A number of files will be generated including your private key(s),
public certificate(s), and sample configuration options for Elastic Stack products.
These files will be included in a single zip archive.
## 生成压缩文件的地址和名称,直接敲回车即可
What filename should be used for the output zip file? [/usr/share/elasticsearch/elasticsearch-ssl-http.zip]
移动elasticsearch-ssl-http.zip压缩包:
命令行 mv elasticsearch-ssl-http.zip ./config/
解压文件:
退出容器
命令行 unzip /iscsi/elk/elasticsearch/config/elasticsearch-ssl-http.zip
解压后会在原目录下新增两个目录分别是 elasticsearch 和 kibana
命令行 mv /iscsi/elk/elasticsearch/config/elasticsearch/http.p12 /iscsi/elk/elasticsearch/config/certs/
复制elasticsearch-ca.pem到kibana的config文件夹内:
命令行 cp /iscsi/elk/elasticsearch/config/kibana/elasticsearch-ca.pem /iscsi/elk/kibana/config/
删除文件夹:
命令行 rm -rf /iscsi/elk/elasticsearch/certs/kibana
文件提权:
命令行 chmod 777 /iscsi/elk/elasticsearch/config/certs/http.p12
设置http密码:
命令行 docker exec -it elasticsearch /bin/bash
命令行 ./bin/elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password
退出容器
重启elasticsearch容器:
命令行 docker restart elasticsearch
设置elastic用户的密码:
进入容器: 命令行 docker exec -it elasticsearch /bin/bash
设置密码: ./bin/elasticsearch-reset-password -u elastic -i
设置kibana_system密码:
命令行 ./bin/elasticsearch-reset-password -u kibana_system -i
生成kibana用https访问的公钥和私钥:
命令行 ./bin/elasticsearch-certutil csr -name kibana-server
备注 生成csr-bundle.zip文件夹
复制csr-bundle.zip到kibana:
退出容器
命令行 docker cp elasticsearch:/usr/share/elasticsearch/csr-bundle.zip /iscsi/elk/kibana/
解压csr-bundle.zip:
命令行 cd /iscsi/elk/kibana/
命令行 unzip /iscsi/elk/kibana/csr-bundle.zip
备注 解压后会生成 kibana-server 文件夹
移动文件到kibana的配置目录:
命令行 mv /iscsi/elk/kibana/kibana-server/* /iscsi/elk/kibana/config/
命令行 rm -rf /iscsi/elk/kibana/kibana-server
生成kibana-server.crt文件:
命令行 cd /iscsi/elk/kibana/config
命令行 openssl x509 -req -days 3650 -in kibana-server.csr -signkey kibana-server.key -out kibana-server.crt
文件提权:
命令行 chmod 777 elasticsearch-ca.pem kibana-server.csr kibana-server.key kibana-server.crt
修改kibana.yml文件:
命令行 vim /iscsi/elk/kibana/config/kibana.yml
最终文件为
`
#
# ** THIS IS AN AUTO-GENERATED FILE **
#
# Default Kibana configuration for docker target
server.host: "0.0.0.0"
server.shutdownTimeout: "5s"
elasticsearch.hosts: [ "https:/172.99.0.2:9200" ]
monitoring.ui.container.elasticsearch.enabled: true
elasticsearch.ssl.certificateAuthorities: ["/usr/share/kibana/config/elasticsearch-ca.pem"]
elasticsearch.username: "kibana_system"
elasticsearch.password: "tonglian@126.com"
server.ssl.certificate: "/usr/share/kibana/config/kibana-server.crt"
server.ssl.key: "/usr/share/kibana/config/kibana-server.key"
server.ssl.enabled: true
# 设置中文访问
i18n.locale: "zh-CN"
`
重启kiban:
命令行 docker restart kibana
配置logstash:
设置logstash_system密码:
命令行 docker exec -it elasticsearch /bin/bash
命令行 ./bin/elasticsearch-reset-password -u logstash_system -i
生成logstash.pem文件:
退出容器
命令行 openssl pkcs12 -in elasticsearch/config/certs/elastic-certificates.p12 -cacerts -nokeys -chain -out logstash.pem
移动logstash.pem文件到logstash配置文件目录下:
命令行 mv /iscsi/elk/elasticsearch/config/certs/logstash.pem /iscsi/elk/logstash/config/
提权logstash.pem:
命令行 chmod 777 /iscsi/elk/logstash/config/logstash.pem
配置logstash.yml文件:
命令行 vim /iscsi/elk/logstash/config/logstash.yml
最终文件
`
http.host: "0.0.0.0"
xpack.monitoring.elasticsearch.hosts: [ "https://172.99.0.2:9200" ]
#你的ca.pem 的所在路径
xpack.monitoring.elasticsearch.ssl.certificate_authority: "/usr/share/logstash/config/logstash.pem"
xpack.monitoring.elasticsearch.ssl.verification_mode: certificate
# 探嗅 es节点,设置为 false
xpack.monitoring.elasticsearch.sniffing: false
xpack.monitoring.elasticsearch.username: "logstash_system"
xpack.monitoring.elasticsearch.password: "tonglian@126.com"
`
配置logstash.conf文件:
命令行 vim /iscsi/elk/logstash/pipeline/logstash.conf
最终文件
`
input {
tcp {
port => 21068
codec => json_lines
}
}
output {
elasticsearch {
hosts => ["https://172.99.0.2:9200"]
index => "tonywoo-%{+YYYY.MM.dd}"
user => "elastic"
password => "tonglian@126.com"
ssl_enabled => true
ssl_certificate_authorities => ["/usr/share/logstash/config/logstash.pem"]
}
}
`
重启logstash:
docker restart logstash
设置自动启动:
`
cat > /etc/systemd/system/docker-compose-elk.service << EOF
[Unit]
Description=Docker Compose Application Service
Requires=docker.service
After=docker.service
[Service]
Type=oneshot
RemainAfterExit=yes
WorkingDirectory=/iscsi/elk/
ExecStart=/iscsi/elk/docker-compose -f docker-compose-elk.yml up -d
ExecStop=/iscsi/elk/docker-compose -f docker-compose-elk.yml up down
TimeoutStartSec=0
[Install]
WantedBy=multi-user.target
`
回车
命令行 ctrl+d
