
Historical versions of each of the following components can be downloaded from www.elastic.co/cn/download…

1, E:elasticsearch

groupadd elsearch                               # create the elsearch group

useradd elsearch -g elsearch -p elasticsearch   # create the elsearch user (note: -p expects an already-hashed password, not plaintext)

chown -R elsearch:elsearch ./elasticsearch      # assign the elasticsearch directory to the elsearch user and group

Settings in elasticsearch.yml:

    http.cors.allow-origin: "*"
    network.host: 127.0.0.1

Switch to the elsearch user to start:

    ./elasticsearch -Xmx2g -Xms2g -Des.index.storage.type=memory -d

or

    nohup ./elasticsearch -Xmx2g -Xms2g -Des.index.storage.type=memory > /dev/null 2>&1 &

Error: max virtual memory areas vm.max_map_count [65530] is too low, increase to at least [262144]. This appears because the operating system's vm.max_map_count is set too low.

Solution 1: change the value for the running system

    sysctl -w vm.max_map_count=262144

Check the result:

    [root@localhost elasticsearch-6.1.2]# sysctl -a | grep "vm.max_map_count"
    vm.max_map_count = 262144

Solution 2 (recommended): permanent change
  • Switch to user root and back up the original configuration

    [root@localhost elasticsearch-6.1.2]# cd /etc
    [root@localhost etc]# cp sysctl.conf sysctl.conf.bak

  • Edit sysctl.conf and add the following content

    [root@localhost etc]# vim sysctl.conf

    # elasticsearch config start
    vm.max_map_count=262144
    # elasticsearch config end

Error: max file descriptors [4096] for elasticsearch process is too low, increase to at least [65536]. To fix it, switch to user root and do the following.

Back up the configuration first:

    [root@localhost elasticsearch-6.1.2]# cd /etc/security/
    [root@localhost security]# cp limits.conf limits.conf.bak

Then add the following content to limits.conf:

    # elasticsearch config start
    * soft nofile 65536
    * hard nofile 131072
    * soft nproc 2048
    * hard nproc 4096
    # elasticsearch config end

Run the ./bin/elasticsearch command to check whether the specified IP address has been configured and Elasticsearch starts normally.
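A preflight check for the two bootstrap errors above, as an added example that is not part of the original article: it compares the live vm.max_map_count and open-file limit with the thresholds quoted in the error messages, and reads the nofile entry that /etc/security/limits.conf gives the elsearch user. The function names are this example's own, and only limits.conf itself is read.

```shell
#!/bin/sh
# Added example: preflight for the two bootstrap errors above.
# Thresholds are the values quoted in the error messages on this page.
REQ_MAP_COUNT=262144
REQ_NOFILE=65536

# meets_min CURRENT REQUIRED: succeeds when CURRENT >= REQUIRED.
# "unlimited" (as printed by ulimit) passes; empty or non-numeric input fails.
meets_min() {
    [ "$1" = "unlimited" ] && return 0
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge "$2" ]
}

# nofile_from_limits KIND USER < limits.conf
# Prints the nofile value (KIND: soft|hard) applying to USER; an entry
# naming the user takes precedence over the "*" wildcard entry.
nofile_from_limits() {
    awk -v kind="$1" -v user="$2" '
        /^[ \t]*#/ || NF < 4 { next }
        $3 != "nofile" { next }
        $2 != kind && $2 != "-" { next }
        $1 == "*"  { wild = $4 }
        $1 == user { own = $4 }
        END { if (own != "") print own; else if (wild != "") print wild }'
}

# report NAME CURRENT REQUIRED: print a status line, return 0 (ok) or 1.
report() {
    if meets_min "$2" "$3"; then
        echo "OK    $1 = $2 (need >= $3)"
    else
        echo "FAIL  $1 = ${2:-unset} (need >= $3)"; return 1
    fi
}

# preflight [USER]: live checks on this host (USER defaults to elsearch).
preflight() {
    user="${1:-elsearch}"; rc=0
    report vm.max_map_count "$(cat /proc/sys/vm/max_map_count 2>/dev/null)" "$REQ_MAP_COUNT" || rc=1
    report "ulimit -n (this shell)" "$(ulimit -n)" "$REQ_NOFILE" || rc=1
    report "limits.conf soft nofile for $user" "$(nofile_from_limits soft "$user" 2>/dev/null < /etc/security/limits.conf)" "$REQ_NOFILE" || rc=1
    return $rc
}

# Run the live checks only with --run, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then preflight "${2:-}"; fi
```

Run it as the user that will start Elasticsearch (`sh preflight.sh --run`), since `ulimit -n` reports the limit of the current login session.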

2, L:logstash

  • Modify the configuration file: logstash/config

    input {
      file {
        type => "log"                      # custom
        path => "/logs/*.log"              # can be an absolute path
        start_position => "beginning"
      }
    }
    output {
      if [type] == "log" {                 # matches the type set in the input
        elasticsearch {
          # configure the Elasticsearch service address (IP and port) here
          index => "log-%{+YYYY.MM.dd}"
        }
      }
    }

Tips: start with nohup ./logstash -f ../config/logstash.conf > /dev/null 2>&1 &

A configuration with two inputs, each routed to its own index:

    input {
      file {
        path => "/var/log/nginx/access.log"
        type => "nginx-node3"
        start_position => "beginning"
        stat_interval => "2"
        codec => "json"
      }
      file {
        path => "/var/log/messages"
        type => "nginx-node"
        start_position => "beginning"
        stat_interval => "2"
      }
    }
    output {
      if [type] == "nginx-node3" {
        elasticsearch {
          hosts => ["192.168.0.131:9200"]
          index => "logstash-nginx-accesslog-node3-%{+YYYY.MM.dd}"
        }
      }
      if [type] == "nginx-node" {
        elasticsearch {
          hosts => ["192.168.0.131:9200"]
          index => "logstash-system-log-node3-%{+YYYY.MM.dd}"
        }
      }
    }

3, K:kibana

  • Configure the Elasticsearch address and the bind address so that Kibana can be reached externally. If the port is occupied, you need to change the port number.

    server.port: 5601                                # default port, can be changed to any unused port number

    server.host: "127.0.0.1"                         # can be left disabled (the default), or set to 0.0.0.0

    elasticsearch.hosts: ["http://127.0.0.1:9200"]   # Elasticsearch address used by Kibana

Starting as root fails with "Kibana should not be run as root. Use --allow-root to continue." Therefore, you need to set the --allow-root parameter when using root to start.

Start: kibana -p 25601 > /dev/null 2>&1 &   (-p specifies the service port)

When configuring service ports and starting services on Linux, a port is occasionally already occupied, but netstat -ano | grep <port> does not show clearly which service holds it. To find out which service occupies the port, run lsof -i:8000 (yum install lsof), then ps -ef | grep <pid>.

Download and install Filebeat:

    curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-6.4.3-x86_64.rpm
    sudo rpm -vi filebeat-6.4.3-x86_64.rpm

Install the Elasticsearch ingest plugins:

    bin/elasticsearch-plugin install ingest-geoip
    bin/elasticsearch-plugin install ingest-user-agent

[root@iZwz9drblb61bve070evy3Z logs]# whereis filebeat

filebeat: /usr/bin/filebeat /etc/filebeat /usr/share/filebeat

[root@iZwz9drblbx61bve070evy3Z logs]#

Configure filebeat.yml in kibana

    output.elasticsearch:
      hosts: ["<es_url>"]
      username: "elastic"
      password: "<password>"
    setup.kibana:
      host: "<kibana_url>"

Where <password> is the password of the elastic user, <es_url> is the URL of Elasticsearch, and <kibana_url> is the URL of Kibana.

Set paths to the logs that need to be monitored, and set enabled: true.

Modules must also be enabled. nginx.yml in modules.d is disabled until filebeat modules enable nginx is run.