操作系统:centos7.6
ELK版本:7.10.2
下载地址:
ElasticSearch:https://www.elastic.co/cn/downloads/past-releases/elasticsearch-7-10-2
Logstash:https://www.elastic.co/cn/downloads/past-releases/logstash-7-10-2
Kibana:https://www.elastic.co/cn/downloads/past-releases/kibana-7-10-2
Filebeat:https://www.elastic.co/cn/downloads/past-releases/filebeat-7-10-2
可使用rpm包安装,也可以使用tar包安装,此次为rpm包安装
1、首先关闭防火墙和selinux(仅为简化测试环境;生产环境应保留防火墙和SELinux,只对需要的来源IP放行本文用到的9200、5044、5601等端口)
2、安装elasticsearch服务
[root@localhost elk]# systemctl stop firewalld
[root@localhost elk]# setenforce 0
[root@localhost elk]# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
#SELINUX=enforcing
# SELINUXTYPE= can take one of three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
[root@localhost elk]# rpm -ivh elasticsearch-7.10.2-x86_64.rpm
[root@localhost elk]# rpm -ivh kibana-7.10.2-x86_64.rpm
[root@localhost elk]# rpm -ivh logstash-7.10.2-x86_64.rpm
[root@localhost elk]# rpm -ivh filebeat-7.10.2-x86_64.rpm
[root@localhost elk]# systemctl daemon-reload
[root@localhost elk]# systemctl enable elasticsearch.service
Created symlink from /etc/systemd/system/multi-user.target.wants/elasticsearch.service to /usr/lib/systemd/system/elasticsearch.service.
[root@localhost elk]# systemctl start elasticsearch.service
[root@localhost elk]# netstat -ntlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1/systemd
tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN 8441/X
tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN 7040/dnsmasq
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 6467/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 6469/cupsd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 6896/master
tcp6 0 0 :::111 :::* LISTEN 1/systemd
tcp6 0 0 127.0.0.1:9200 :::* LISTEN 17277/java
tcp6 0 0 ::1:9200 :::* LISTEN 17277/java
tcp6 0 0 :::6000 :::* LISTEN 8441/X
tcp6 0 0 127.0.0.1:9300 :::* LISTEN 17277/java
tcp6 0 0 ::1:9300 :::* LISTEN 17277/java
tcp6 0 0 :::22 :::* LISTEN 6467/sshd
tcp6 0 0 ::1:631 :::* LISTEN 6469/cupsd
tcp6 0 0 ::1:25 :::* LISTEN 6896/master
[root@localhost day1]#
[root@localhost elasticsearch]# cat /etc/elasticsearch/elasticsearch.yml
cluster.name: elk-app #服务名称
node.name: node-1 #此节点名称
network.host: 0.0.0.0 #监听所有网卡地址,任何能连到本机的IP都可访问(安装后的默认值只监听回环地址,见上方netstat输出中的127.0.0.1:9200)
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
http.port: 9200 #默认监听端口
配置完之后,启动elasticsearch报错
[root@localhost ~]# systemctl start elasticsearch
Job for elasticsearch.service failed because the control process exited with error code. See "systemctl status elasticsearch.service" and "journalctl -xe" for details
[root@localhost elk]# systemctl status elasticsearch.service
● elasticsearch.service - Elasticsearch
Loaded: loaded (/usr/lib/systemd/system/elasticsearch.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Mon 2021-03-22 20:01:08 CST; 5s ago
Docs: https://www.elastic.co
Process: 18126 ExecStart=/usr/share/elasticsearch/bin/systemd-entrypoint -p ${PID_DIR}/elasticsearch.pid --quiet (code=exited, status=78)
Main PID: 18126 (code=exited, status=78)
Mar 22 20:00:59 localhost.localdomain systemd[1]: Starting Elasticsearch...
Mar 22 20:01:07 localhost.localdomain systemd-entrypoint[18126]: ERROR: [1] bootstrap checks failed
Mar 22 20:01:07 localhost.localdomain systemd-entrypoint[18126]: [1]: the default discovery settings are unsuitable for production use; at least one of [discovery.seed_hosts, d...configured
Mar 22 20:01:07 localhost.localdomain systemd-entrypoint[18126]: ERROR: Elasticsearch did not exit normally - check the logs at /var/log/elasticsearch/elk-app.log
Mar 22 20:01:08 localhost.localdomain systemd[1]: elasticsearch.service: main process exited, code=exited, status=78/n/a
Mar 22 20:01:08 localhost.localdomain systemd[1]: Failed to start Elasticsearch.
Mar 22 20:01:08 localhost.localdomain systemd[1]: Unit elasticsearch.service entered failed state.
Mar 22 20:01:08 localhost.localdomain systemd[1]: elasticsearch.service failed.
Hint: Some lines were ellipsized, use -l to show in full.
查看日志后,报错
[root@localhost elasticsearch]# tail -f elasticsearch.log
[2021-03-22T20:05:28,381][INFO ][o.e.e.NodeEnvironment ] [node-1] heap size [1gb], compressed ordinary object pointers [true]
[2021-03-22T20:05:28,443][INFO ][o.e.n.Node ] [node-1] node name [node-1], node ID [pEnOkoa9TTyPoOsX3WUuNw], cluster name [elk-cambricon], roles [transform, master, remote_cluster_client, data, ml, data_content, data_hot, data_warm, data_cold, ingest]
[2021-03-22T20:05:30,874][INFO ][o.e.x.m.p.l.CppLogMessageHandler] [node-1] [controller/19084] [Main.cc@114] controller (64 bit): Version 7.10.2 (Build 40a3af639d4698) Copyright (c) 2021 Elasticsearch BV
[2021-03-22T20:05:31,414][INFO ][o.e.x.s.a.s.FileRolesStore] [node-1] parsed [0] roles from file [/etc/elasticsearch/roles.yml]
[2021-03-22T20:05:32,125][INFO ][o.e.t.NettyAllocator ] [node-1] creating NettyAllocator with the following configs: [name=unpooled, suggested_max_allocation_size=256kb, factors={es.unsafe.use_unpooled_allocator=null, g1gc_enabled=true, g1gc_region_size=1mb, heap_size=1gb}]
[2021-03-22T20:05:32,171][INFO ][o.e.d.DiscoveryModule ] [node-1] using discovery type [zen] and seed hosts providers [settings]
[2021-03-22T20:05:32,481][WARN ][o.e.g.DanglingIndicesState] [node-1] gateway.auto_import_dangling_indices is disabled, dangling indices will not be automatically detected or imported and must be managed manually
[2021-03-22T20:05:32,780][INFO ][o.e.n.Node ] [node-1] initialized
[2021-03-22T20:05:32,780][INFO ][o.e.n.Node ] [node-1] starting ...
[2021-03-22T20:05:32,861][INFO ][o.e.t.TransportService ] [node-1] publish_address {172.16.132.50:9300}, bound_addresses {[::]:9300}
[2021-03-22T20:05:33,027][INFO ][o.e.b.BootstrapChecks ] [node-1] bound or publishing to a non-loopback address, enforcing bootstrap checks
[2021-03-22T20:05:33,053][ERROR][o.e.b.Bootstrap ] [node-1] node validation exception
[1] bootstrap checks failed
[1]: the default discovery settings are unsuitable for production use; at least one of [discovery.seed_hosts, discovery.seed_providers, cluster.initial_master_nodes] must be configured
[2021-03-22T20:05:33,055][INFO ][o.e.n.Node ] [node-1] stopping ...
[2021-03-22T20:05:33,065][INFO ][o.e.n.Node ] [node-1] stopped
[2021-03-22T20:05:33,066][INFO ][o.e.n.Node ] [node-1] closing ...
[2021-03-22T20:05:33,077][INFO ][o.e.n.Node ] [node-1] closed
[2021-03-22T20:05:33,079][INFO ][o.e.x.m.p.NativeController] [node-1] Native controller process has stopped - no new native processes can be started
主要报错是这一句:bootstrap checks failed
[1]: the default discovery settings are unsuitable for production use; at least one of [discovery.seed_hosts, discovery.seed_providers, cluster.initial_master_nodes] must be configured
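需要修改配置文件:network.host 改为非回环地址后,Elasticsearch会强制执行bootstrap检查(见上面日志中的 enforcing bootstrap checks),因此必须配置报错信息中列出的发现参数之一,这里添加 cluster.initial_master_nodes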
[root@localhost elasticsearch]# vim /etc/elasticsearch/elasticsearch.yml
cluster.name: elk-app
node.name: node-1
network.host: 0.0.0.0
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
http.port: 9200
# --------------------------------- Discovery ----------------------------------
#
cluster.initial_master_nodes: ["node-1"] #此处为添加的一行,node-1是上方node.name设置的值
[root@localhost ~]# systemctl start elasticsearch #重新启动服务,没有问题
[root@localhost ~]# netstat -ntlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1/systemd
tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN 8441/X
tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN 7040/dnsmasq
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 6467/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 6469/cupsd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 6896/master
tcp6 0 0 :::111 :::* LISTEN 1/systemd
tcp6 0 0 :::9200 :::* LISTEN 19699/java
tcp6 0 0 :::6000 :::* LISTEN 8441/X
tcp6 0 0 :::9300 :::* LISTEN 19699/java
tcp6 0 0 :::22 :::* LISTEN 6467/sshd
tcp6 0 0 ::1:631 :::* LISTEN 6469/cupsd
tcp6 0 0 ::1:25 :::* LISTEN 6896/master
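通过web端访问,IP+9200端口(http://IP:9200)。注意:本文没有启用认证,7.10.2在basic许可下未设置 xpack.security.enabled: true 时安全功能默认关闭,能访问到9200端口的任何人都可以读写集群数据,应通过防火墙限制来源IP或启用安全功能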
elasticsearch安装完毕
3、配置filebeat
[root@localhost ~]# vim /etc/filebeat/filebeat.yml
filebeat.inputs:
- type: log
enabled: true
# Paths that should be crawled and fetched. Glob based paths.
paths:
- /var/log/*.log
- type: filestream
# Change to true to enable this input configuration.
enabled: false
# Paths that should be crawled and fetched. Glob based paths.
paths:
- /var/log/*.log
filebeat.config.modules:
# Glob pattern for configuration loading
path: ${path.config}/modules.d/*.yml
# Set to true to enable config reloading
reload.enabled: false
# Period on which files under path should be checked for changes
#reload.period: 10s
setup.template.settings:
index.number_of_shards: 1
setup.kibana:
output.logstash: #这里是直接输出到logstash;如果改为直接输出到elasticsearch,则改用下方注释掉的output.elasticsearch配置
# The Logstash hosts
hosts: ["172.16.132.50:5044"]
#output.elasticsearch:
# # Array of hosts to connect to.
# hosts: ["172.16.132.50:9200"]
processors:
- add_host_metadata:
when.not.contains.tags: forwarded
- add_cloud_metadata: ~
- add_docker_metadata: ~
- add_kubernetes_metadata: ~
[root@localhost ~]# systemctl start filebeat
[root@localhost ~]# systemctl enable filebeat
Created symlink from /etc/systemd/system/multi-user.target.wants/filebeat.service to /usr/lib/systemd/system/filebeat.service.
4、配置logstash(rpm安装的logstash服务默认的pipelines.yml一般只加载 /etc/logstash/conf.d/*.conf,请确认下面编辑的配置文件确实被加载)
[root@localhost ~]# vim /etc/logstash/logstash-sample.conf
input {
beats {
port => 5044
}
}
output {
elasticsearch {
hosts => ["http://172.16.132.50:9200"]
index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
#user => "elastic"
#password => "changeme"
}
}
[root@localhost ~]# systemctl start logstash.service
[root@localhost ~]# systemctl enable logstash.service
Created symlink from /etc/systemd/system/multi-user.target.wants/logstash.service to /etc/systemd/system/logstash.service.
5、配置kibana,从web端访问
[root@localhost ~]# vim /etc/kibana/kibana.yml
server.port: 5601
server.host: "172.16.132.50"
elasticsearch.hosts: ["http://172.16.132.50:9200"]
[root@localhost ~]# systemctl start kibana
[root@localhost ~]# systemctl enable kibana
Created symlink from /etc/systemd/system/multi-user.target.wants/kibana.service to /etc/systemd/system/kibana.service.
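基本配置环境已配置完毕。按以上配置,Filebeat、Logstash(5044)、Elasticsearch(9200)、Kibana(5601)之间均为明文传输且没有启用认证,加上防火墙和SELinux已关闭,该环境只适合隔离的测试网络;用于生产前应启用认证和TLS,并恢复防火墙规则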