• 由于資源有限，所以我暫時(shí)將elk部署在同一臺主機(jī)，生產(chǎn)環(huán)境可以部署在多臺主機(jī)上，只需要多臺主機(jī)可以相互連通

elk原理

下載資源

elastic中文官網(wǎng)

環(huán)境準(zhǔn)備

# 關(guān)閉防火墻和selinux [root@VM-0-17-centos ~]# systemctl stop firewalld [root@VM-0-17-centos ~]# systemctl disable firewalld [root@VM-0-17-centos ~]# vim /etc/sysconfig/selinux SELINUX=disabled [root@VM-0-17-centos ~]# getenforce Disabled # 下載軟件包 [root@VM-0-17-centos ~]# mkdir /elk [root@VM-0-17-centos ~]# cd /elk [root@VM-0-17-centos elk]# wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.0-linux-x86_64.tar.gz # 下載極其慢，建議下載國內(nèi)鏡像站華為云等的elasticsearch## 可以執(zhí)行以下命令： [root@VM-0-17-centos elk]# wget https://mirrors.huaweicloud.com/elasticsearch/7.8.0/elasticsearch-7.8.0-linux-x86_64.tar.gz [root@VM-0-17-centos elk]# wget https://mirrors.huaweicloud.com/kibana/7.8.0/kibana-7.8.0-linux-x86_64.tar.gz [root@VM-0-17-centos elk]# wget https://mirrors.huaweicloud.com/logstash/7.8.0/logstash-7.8.0.tar.gz [root@VM-0-17-centos elk]# wget https://mirrors.huaweicloud.com/filebeat/7.8.0/filebeat-7.8.0-linux-x86_64.tar.gz[root@VM-0-17-centos elk]# ls elasticsearch-7.9.0-linux-x86_64.tar.gz kibana-7.9.0-linux-x86_64.tar.gz filebeat-7.9.0-linux-x86_64.tar.gz logstash-7.9.0.tar.gz

安裝部署 Elasticsearch

# 解壓軟件包 [root@VM-0-17-centos elk]# tar -xf elasticsearch-7.9.0-linux-x86_64.tar.gz -C /usr/local/ [root@VM-0-17-centos elk]# cd /usr/local/elasticsearch-7.9.0/# 修改yml格式的配置文件 [root@VM-0-17-centos elasticsearch-7.9.0]# vim config/elasticsearch.yml 23 node.name: node-1 # 節(jié)點(diǎn)名稱 33 path.data: /DATA/elasticsearch/esdata 37 path.logs: /DATA/elasticsearch/eslogs 43 bootstrap.memory_lock: true 44 bootstrap.system_call_filter: false 55 network.host: 0.0.0.0 # 允許外部ip訪問 60 http.port: 9200 61 http.cors.enabled: true 62 http.cors.allow-origin: "*" 63 xpack.security.enabled: false 64 xpack.monitoring.enabled: true 65 xpack.monitoring.collection.cluster.stats.timeout: 10s 66 indices.memory.index_buffer_size: 30% 67 indices.recovery.max_bytes_per_sec: 10000mb 68 indices.fielddata.cache.size: 30% 69 indices.breaker.fielddata.limit: 35% 70 indices.breaker.request.limit: 20% 71 indices.breaker.total.limit: 55% 72 cluster.initial_master_nodes: ["node-1"] # 設(shè)置集群初始主節(jié)點(diǎn)# 新建用戶并賦權(quán) ES為了安全考慮不允許使用root用戶啟動ElasticSearch，所以需要新建一個(gè)普通用戶啟動程序。 [root@VM-0-17-centos ~]# useradd es # 創(chuàng)建es用戶 [root@VM-0-17-centos ~]# passwd es # 給es用戶設(shè)置密碼，此處密碼為es Changing password for user es. New password: BAD PASSWORD: The password is shorter than 8 characters Retype new password: passwd: all authentication tokens updated successfully.# 將對應(yīng)的文件夾的權(quán)限賦給es用戶 [root@VM-0-17-centos ~]# chown -R es /usr/local/elasticsearch-7.9.0/ [root@VM-0-17-centos ~]# mkdir -p /DATA/elasticsearch/{esdata,eslogs} [root@VM-0-17-centos ~]# chown -R es /DATA/elasticsearch# 在es用戶下啟動 [root@VM-0-17-centos ~]# su - es Last failed login: Wed Sep 2 02:22:39 CST 2020 from 106.52.119.75 on ssh:notty There were 8 failed login attempts since the last successful login. [es@VM-0-17-centos ~]$ cd /usr/local/elasticsearch-7.9.0/ [es@VM-0-17-centos elasticsearch-7.9.0]$ ./bin/elasticsearch -d # 在后臺啟動 [root@VM-0-17-centos ~]# ss -nutlp | grep 9200 tcp LISTEN 0 128 [::]:9200 [::]:* users:(("java",pid=32065,fd=249))

防火墻策略

[root@VM-0-17-centos ~]# firewall-cmd --permanent --add-port=9200/tcp success [root@VM-0-17-centos ~]# firewall-cmd --permanent --add-port=9200/udp success [root@VM-0-17-centos ~]# firewall-cmd --reload success

報(bào)錯解決

------------------------------------------------------------------------------------------------------------ ERROR: [3] bootstrap checks failed [1]: max file descriptors [4096] for elasticsearch process is too low, increase to at least [65535] [2]: max number of threads [3795] for user [es] is too low, increase to at least [4096] [3]: max virtual memory areas vm.max_map_count [65530] is too low, increase to at least [262144] [4]:什么都不報(bào)，在執(zhí)行啟動之后迅速failed [5]:error: OpenJDK 64-Bit Server VM warning: INFO: os::commit_memory(0x00000000e0000000, 536870912, 0) failed; error='Not enough space' (errno=12) [6]:failed to obtain node locks [7]:memory locking requested for elasticsearch process but memory is not locked解決： 需切換到root用戶解決錯誤：# 切換到 root 用戶 [es@localhost elasticsearch-7.8.0]$ su root[1] 和 [2] 的解決方法： # 修改 /etc/security/limits.conf 文件 [root@VM-0-17-centos ~]# vim /etc/security/limits.conf # 添加以下四行 * soft nofile 65536 * hard nofile 131072 * soft nproc 2048 * hard nproc 4096[3] 的解決方法： # 修改 /etc/sysctl.conf 文件 [root@VM-0-17-centos ~]# vim /etc/sysctl.conf # 添加下面一行 vm.max_map_count=655360# 執(zhí)行命令 [root@VM-0-17-centos ~]# sysctl -p net.ipv4.ip_forward = 0 net.ipv4.conf.default.rp_filter = 1 net.ipv4.conf.default.accept_source_route = 0 kernel.core_uses_pid = 1 net.ipv4.tcp_syncookies = 1 kernel.msgmnb = 65536 kernel.msgmax = 65536 net.ipv4.conf.all.promote_secondaries = 1 net.ipv4.conf.default.promote_secondaries = 1 net.ipv6.neigh.default.gc_thresh3 = 4096 net.ipv4.neigh.default.gc_thresh3 = 4096 kernel.softlockup_panic = 1 kernel.sysrq = 1 net.ipv6.conf.all.disable_ipv6 = 0 net.ipv6.conf.default.disable_ipv6 = 0 net.ipv6.conf.lo.disable_ipv6 = 0 kernel.numa_balancing = 0 kernel.shmmax = 68719476736 kernel.printk = 5 vm.max_map_count = 655360 切換到用戶 es 重新啟動程序就可以了。[4]的解決辦法： 原本執(zhí)行： [es@VM-0-17-centos ~]$ cd /usr/local/elasticsearch-7.9.0/bin/ [es@VM-0-17-centos bin]$ ./elasticsearch Killed# 虛擬機(jī)占用堆內(nèi)存大小問題 # 做集群的時(shí)候可能內(nèi)存不夠， vim jvm.options，生產(chǎn)環(huán)境下仍要有1G 解決： [es@VM-0-17-centos bin]$ cd .. [es@VM-0-17-centos elasticsearch-7.9.0]$ vim config/jvm.options22 -Xms512m23 -Xmx512m[5]的解決辦法： # 創(chuàng)建交換空間 [root@VM-0-17-centos ~]# free -mtotal used free shared buff/cache available Mem: 1838 1389 88 1 360 293 Swap: 0 0 0 [root@VM-0-17-centos ~]# dd if=/dev/zero of=swapfile bs=1024 count=5000000 # count=空間大小 of空間名字 5000000+0 records in 5000000+0 records out 5120000000 bytes (5.1 GB) copied, 45.4506 s, 113 MB/s [root@VM-0-17-centos ~]# mkswap swapfile # 將swapfile設(shè)置為swap空間 Setting up swapspace version 1, size = 4999996 KiB no label, UUID=9bbf462e-0101-47ae-9ffb-6118c2615427 [root@VM-0-17-centos ~]# swapon swapfile # 啟用交換空間，這個(gè)操作有點(diǎn)類似于mount操作 swapon: /root/swapfile: insecure permissions 0644, 0600 suggested. [root@VM-0-17-centos ~]# free -m # 使用free命令查看swap空間大小是否發(fā)生變化total used free shared buff/cache available Mem: 1838 1286 68 0 482 392 Swap: 4882 0 4882[6]的解決辦法： # 可以簡單理解為綁定節(jié)點(diǎn)失敗 解決： [root@VM-0-17-centos ~]# ps aux | grep elastic # 查看進(jìn)程 [root@VM-0-17-centos ~]# kill -9 29109 [es@VM-0-17-centos ~]$ cd /usr/local/elasticsearch-7.9.0/bin/ [es@VM-0-17-centos bin]$ ./elasticsearch -d[7]的解決辦法： [root@VM-0-17-centos ~]# vim /etc/systemd/system.conf最下方添加 DefaultLimitNOFILE=65536 DefaultLimitNPROC=32000 DefaultLimitMEMLOCK=infinity

瀏覽器訪問

安裝部署kibana

[root@VM-0-17-centos ~]# cd /elk/ [root@VM-0-17-centos elk]# ls elasticsearch-7.9.0-linux-x86_64.tar.gz kibana-7.9.0-linux-x86_64.tar.gz filebeat-7.9.0-linux-x86_64.tar.gz logstash-7.9.0.tar.gz [root@VM-0-17-centos elk]# tar -xf kibana-7.9.0-linux-x86_64.tar.gz -C /usr/local/ [root@VM-0-17-centos elk]# cd /usr/local/kibana-7.9.0-linux-x86_64/ [root@VM-0-17-centos kibana-7.9.0-linux-x86_64]# vim config/kibana.yml 2 server.port: 5601 # 服務(wù)端口7 server.host: "0.0.0.0" # 服務(wù)器的ip，此處為本機(jī)28 elasticsearch.hosts: ["http://localhost:9200"] # Elasticsearch 服務(wù)地址 115 i18n.locale: "zh-CN"# 授權(quán)并切換用戶 給 es 用戶授予 kibana 目錄的權(quán)限。 [root@VM-0-17-centos ~]# chown -R es /usr/local/kibana-7.9.0-linux-x86_64/ [root@VM-0-17-centos ~]# su - es# 啟動 Kibana 注意：啟動 Kibana 之前需要先啟動 Elasticsearch需要先配置防火墻打開5601端口： [root@VM-0-17-centos ~]# firewall-cmd --permanent --add-port=5601/tcp success [root@VM-0-17-centos ~]# firewall-cmd --permanent --add-port=5601/udp success [root@VM-0-17-centos ~]# firewall-cmd --reload success# 啟動kibana [es@VM-0-17-centos ~]$ cd /usr/local/kibana-7.9.0-linux-x86_64/ [es@VM-0-17-centos kibana-7.9.0-linux-x86_64]$ ./bin/kibana # 前臺啟動 [es@VM-0-17-centos kibana-7.9.0-linux-x86_64]$ nohup ./bin/kibana & # 后臺啟動 [1] 3284 [es@VM-0-17-centos kibana-7.9.0-linux-x86_64]$ nohup: ignoring input and appending output to ‘nohup.out’ # 出現(xiàn)此行代表忽略輸入輸出，將信息化信息記錄到nohup.out文件中。敲擊回車，就退出了nohup.out當(dāng)前的界面，進(jìn)入正常的命令行[root@VM-0-17-centos ~]# ss -nutlp | grep 5601 # 查看端口 tcp LISTEN 0 128 *:5601 *:* users:(("node",pid=3284,fd=18))

瀏覽器訪問

安裝部署logstash

[root@VM-0-17-centos ~]# mkdir /DATA/logstash [root@VM-0-17-centos ~]# chown -R es /DATA/logstash [root@VM-0-17-centos ~]# cd /elk/ [root@VM-0-17-centos elk]# tar -xf logstash-7.9.0.tar.gz -C /usr/local/ [root@VM-0-17-centos elk]# cd /usr/local/logstash-7.9.0/ [root@VM-0-17-centos logstash-7.9.0]# vim config/logstash.yml28 path.data: /DATA/logstash73 path.config: /usr/local/logstash-7.9.0/config/* 118 http.host: "0.0.0.0" 241 path.logs: /usr/local/logstash-7.9.0/log[root@VM-0-17-centos logstash-7.9.0]# cp config/logstash-sample.conf config/logstash-es.conf [root@VM-0-17-centos logstash-7.9.0]# vim config/logstash-es.conf input { # input輸入源配置tcp { # 使用tcp輸入源port => 9601 # 服務(wù)器監(jiān)聽端口9061接收日志，默認(rèn)ip localhostcodec => json_lines # 使用json解析日志 需要安裝json解析插件} }output { # output 數(shù)據(jù)輸出配置elasticsearch { # 使用elasticsearch接收hosts => ["http://localhost:9200"] # 集群地址 多個(gè)用逗號隔開#user => "elastic" #password => "changeme"}stdout {codec => rubydebug # 輸出到命令窗口} }# 安裝插件 由于國內(nèi)無法訪問默認(rèn)的gem source，需要將gem source改為國內(nèi)的源。 [root@VM-0-17-centos logstash-7.9.0]vim Gemfile source "https://ruby.taobao.org" # 如果報(bào)錯Could not fetch specs from http://ruby.taobao.org/，則將源改成如下： source "https://gems.ruby-china.com/"[root@VM-0-17-centos logstash-7.9.0]# ./bin/logstash-plugin install --no-verify logstash-codec-json_lines OpenJDK 64-Bit Server VM warning: If the number of processors is expected to increase from one, then you should configure the number of parallel GC threads appropriately using -XX:ParallelGCThreads=N Installing logstash-codec-json_lines Installation successful# 啟動 [root@VM-0-17-centos logstash-7.9.0]# nohup ./bin/logstash -f ./config/logstash-es.conf & # 后臺啟動 [1] 8206 [root@VM-0-17-centos logstash-7.9.0]# nohup: ignoring input and appending output to ‘nohup.out’ nohup: ignoring input and appending output to ‘nohup.out’ [root@VM-0-17-centos logstash-7.9.0]# cd config/ [root@VM-0-17-centos config]# vim test.conf input {beats {port => 5044} }output{stdout {codec => rubydebug} }[root@VM-0-17-centos config]# cd - /usr/local/logstash-7.9.0 [root@VM-0-17-centos logstash-7.9.0]# ./bin/logstash -f config/test.conf [root@VM-0-17-centos logstash-7.9.0]# cd bin [root@VM-0-17-centos bin]# ./logstash -f /usr/local/logstash-7.9.0/config/test.conf --path.data=/logdata/filebeat & [1] 25582成功部署后logstash就能成功輸出日志信息了------------------------------------------------------------------------------------------------------------ 其他相關(guān)操作：測試filebeat啟動后，查看相關(guān)輸出信息： ./filebeat -e -c filebeat.yml -d "publish"后臺方式啟動filebeat： ./filebeat -e -c filebeat.yml >/dev/null 2>&1 & 將所有標(biāo)準(zhǔn)輸出及標(biāo)準(zhǔn)錯誤輸出到/dev/null空設(shè)備，即沒有任何輸出 ./filebeat -e -c filebeat.yml > filebeat.log &停止filebeat：查找進(jìn)程ID并kill掉： ps -ef |grep filebeat<br>kill -9 進(jìn)程號

安裝filebeat

注釋：在inputs中配置了兩個(gè)目錄的.log文件，在output中也配置了兩個(gè)會在es中產(chǎn)生的index

[root@VM-0-17-centos ~]# cd /elk/ [root@VM-0-17-centos elk]# tar -xf filebeat-7.9.0-linux-x86_64.tar.gz -C /usr/local/ [root@VM-0-17-centos elk]# cd /usr/local/filebeat-7.9.0-linux-x86_64/ [root@VM-0-17-centos filebeat-7.9.0-linux-x86_64]# vim filebeat.yml 15 filebeat.inputs:16 - type: log17 enabled: true18 paths:19 - /usr/local/nginx/logs/*.log 146 # ---------------------------- Elasticsearch Output ---------------------------- 147 #output.elasticsearch: 148 # Array of hosts to connect to. 149 # hosts: ["localhost:9200"] 159 # ------------------------------ Logstash Output ------------------------------- 160 output.logstash: 161 # The Logstash hosts 162 hosts: ["localhost:5044"][root@VM-0-17-centos filebeat-7.9.0-linux-x86_64]# nohup ./filebeat -e -c filebeat.yml & [1] 11733 [root@VM-0-17-centos filebeat-7.9.0-linux-x86_64]# nohup: ignoring input and appending output to ‘nohup.out’[root@VM-0-17-centos filebeat-7.9.0-linux-x86_64]# ps -elf | grep filebeat 0 S root 11733 7222 0 80 0 - 228233 futex_ 09:06 pts/0 00:00:00 ./filebeat -e -c filebeat.yml 0 S root 12434 7222 0 80 0 - 28203 pipe_w 09:09 pts/0 00:00:00 grep --color=auto filebeat13 # ============================== Filebeat inputs ===============================14 15 filebeat.inputs:16 - type: log17 enabled: true18 paths:19 - /var/log/test.log20 multiline.pattern: '^[[:space:]]+(at|\.{3})\b|^Exception|^Caused by'21 multiline.negate: false22 max_lines: 2023 multiline.match: after24 document_type: "osquery"25 tags: ["osquery"]26 fields:27 type: 'osquery'28 29 - type: log30 enabled: true31 paths:32 - /var/log/ida/ida-restful-api/*.log33 multiline.pattern: '^[[:space:]]+(at|\.{3})\b|^Exception|^Caused by'34 multiline.negate: false35 max_lines: 2036 multiline.match: after37 document_type: "restful"38 tags: ["restful"]39 fields:40 type: 'restful'123 # ---------------------------- Elasticsearch Output ---------------------------- 124 output.elasticsearch: 125 hosts: ["localhost:9200"] 126 indices: 127 - index: "osquery-%{+yyyy.MM.dd}" 128 when.equals: 129 fields.type: "osquery" 130 - index: "restful-%{+yyyy.MM.dd}" 131 when.equals: 132 fields.type: "restful"

安裝elasticsearch-head插件

# 安裝nodejs [root@VM-0-17-centos ~]# wget https://npm.taobao.org/mirrors/node/latest-v7.x/node-v7.9.0.tar.gz [root@VM-0-17-centos ~]# tar -xf node-v7.9.0.tar.gz [root@VM-0-17-centos ~]# cd node-v7.9.0/ [root@VM-0-17-centos node-v7.9.0]# ./configure --prefix=/usr/local/node [root@VM-0-17-centos node-v7.9.0]# make && make install [root@VM-0-17-centos ~]# vim /etc/profile export NODE_HOME=/usr/local/node export PATH=$PATH:$NODE_HOME/bin:$PATH export NODE_PATH=$NODE_HOME/lib/node_modules:$PATH [root@VM-0-17-centos ~]# source /etc/profile [root@VM-0-17-centos node-v7.9.0]# node -v v7.9.0 [root@VM-0-17-centos node-v7.9.0]# npm -v 4.2.0# 下載elasticsearch-head [root@VM-0-17-centos ~]# git clone https://github.com/mobz/elasticsearch-head.git [root@VM-0-17-centos ~]# cd elasticsearch-head/ [root@VM-0-17-centos elasticsearch-head]# npm install [root@VM-0-17-centos elasticsearch-head]# vim Gruntfile.js 97 hostname: '0.0.0.0',# 修改es主機(jī)地址 [root@VM-0-17-centos elasticsearch-head]# vim ./_site/app.js 4371 init: function(parent) { 4372 this._super(); 4373 this.prefs = services.Preferences.instance(); 4374 this.base_uri = this.config.base_uri || this.prefs.get("app-base_uri") || "http://localhost:9200"; # 修改為es主機(jī)的地址，此處我是本機(jī)，所以不做修改# 后臺啟動 [root@VM-0-17-centos elasticsearch-head]# nohup ./node_modules/grunt/bin/grunt server & [1] 743 [root@VM-0-17-centos elasticsearch-head]# nohup: ignoring input and appending output to ‘nohup.out’

訪問瀏覽器

排錯

# 如果訪問頁面出現(xiàn)集群健康值：未連接，可以進(jìn)行如下操作 [root@VM-0-17-centos ~]# vim /usr/local/elasticsearch-7.9.0/config/elasticsearch.yml # 在文件的末尾添加 http.cors.allow-methods: OPTIONS, HEAD, GET, POST, PUT, DELETE http.cors.allow-headers: "X-Requested-With, Content-Type, Content-Length, X-User" [es@VM-0-17-centos ~]$ /usr/local/elasticsearch-7.9.0/bin/elasticsearch -d # 后臺重啟或者最簡單的辦法，把es的ip由localhost改為ip本機(jī)

# 集群健康值為yellow狀態(tài)的解決辦法 正常情況下，Elasticsearch 集群健康狀態(tài)分為三種： green 最健康得狀態(tài)，說明所有的分片包括備份都可用; 這種情況Elasticsearch集群所有的主分片和副本分片都已分配, Elasticsearch集群是 100% 可用的。 yellow 基本的分片可用，但是備份不可用（或者是沒有備份）; 這種情況Elasticsearch集群所有的主分片已經(jīng)分片了，但至少還有一個(gè)副本是缺失的。不會有數(shù)據(jù)丟失，所以搜索結(jié)果依然是完整的。不過，你的高可用性在某種程度上被弱化。如果 更多的 分片消失，你就會丟數(shù)據(jù)了。把 yellow 想象成一個(gè)需要及時(shí)調(diào)查的警告。 red 部分的分片可用，表明分片有一部分損壞。此時(shí)執(zhí)行查詢部分?jǐn)?shù)據(jù)仍然可以查到，遇到這種情況，還是趕快解決比較好; 這種情況Elasticsearch集群至少一個(gè)主分片（以及它的全部副本）都在缺失中。這意味著你在缺少數(shù)據(jù)：搜索只能返回部分?jǐn)?shù)據(jù)，而分配到這個(gè)分片上的寫入請求會返回一個(gè)異常。Elasticsearch 集群不健康時(shí)的排查思路 -> 首先確保 es 主節(jié)點(diǎn)最先啟動，隨后啟動數(shù)據(jù)節(jié)點(diǎn); -> 允許 selinux（非必要），關(guān)閉 iptables; -> 確保數(shù)據(jù)節(jié)點(diǎn)的elasticsearch配置文件正確; -> 系統(tǒng)最大打開文件描述符數(shù)是否夠用; -> elasticsearch設(shè)置的內(nèi)存是否夠用 ("ES_HEAP_SIZE"內(nèi)存設(shè)置 和 "indices.fielddata.cache.size"上限設(shè)置); -> elasticsearch的索引數(shù)量暴增 , 刪除一部分索引(尤其是不需要的索引);[root@VM-0-17-centos ~]# curl http://localhost:9200/_cluster/health?pretty {"cluster_name" : "elasticsearch", # 集群名"status" : "yellow", # 集群健康狀態(tài)，正常的話是“green”，缺少副本分片為“yellow”，缺少主分片為“red”"timed_out" : false, "number_of_nodes" : 1, # 集群節(jié)點(diǎn)數(shù)"number_of_data_nodes" : 1, # 數(shù)據(jù)節(jié)點(diǎn)數(shù)"active_primary_shards" : 1, # 主分片數(shù)"active_shards" : 1, # 可用的分片數(shù)"relocating_shards" : 0, # 正在遷移的分片數(shù)"initializing_shards" : 0, # 正在初始化的分片數(shù)"unassigned_shards" : 1, # 未分配的分片，但在集群中存在"delayed_unassigned_shards" : 0, # 延時(shí)待分配到具體節(jié)點(diǎn)上的分片數(shù)"number_of_pending_tasks" : 0, # 待處理的任務(wù)數(shù)，指主節(jié)點(diǎn)創(chuàng)建索引并分配"number_of_in_flight_fetch" : 0, "task_max_waiting_in_queue_millis" : 0,"active_shards_percent_as_number" : 50.0 # 可用分片數(shù)占總分片的比例 } [root@VM-0-17-centos ~]# curl -XGET http://localhost:9200/_cat/indices\?v health status index uuid pri rep docs.count docs.deleted store.size pri.store.size yellow open .kibana ixYbdO9ARHmTtCx6FgaP2Q 1 1 2 0 8.2kb 8.2kb解決辦法： 添加請求頭 [root@VM-0-17-centos ~]# curl -H "Content-Type: application/json" -XPUT localhost:9200/_settings -d '{"index" : {"number_of_replicas" : 0}}' {"acknowledged":true} [root@VM-0-17-centos ~]# curl -XGET http://localhost:9200/_cat/indices\?v health status index uuid pri rep docs.count docs.deleted store.size pri.store.size green open .kibana ixYbdO9ARHmTtCx6FgaP2Q 1 0 2 0 8.2kb 8.2kb [root@VM-0-17-centos ~]# curl http://localhost:9200/_cluster/health?pretty {"cluster_name" : "elasticsearch","status" : "green","timed_out" : false,"number_of_nodes" : 1,"number_of_data_nodes" : 1,"active_primary_shards" : 1,"active_shards" : 1,"relocating_shards" : 0,"initializing_shards" : 0,"unassigned_shards" : 0,"delayed_unassigned_shards" : 0,"number_of_pending_tasks" : 0,"number_of_in_flight_fetch" : 0,"task_max_waiting_in_queue_millis" : 0,"active_shards_percent_as_number" : 100.0 }

# 如果curl訪問9200端口可以訪問但9100端口無法訪問，可以進(jìn)行如下操作： [root@VM-0-17-centos ~]# curl -get localhost:9200 {"name" : "node-1","cluster_name" : "elasticsearch","cluster_uuid" : "yaYvP4NyQiSX-jIBPCLvaA","version" : {"number" : "7.9.0","build_flavor" : "default","build_type" : "tar","build_hash" : "a479a2a7fce0389512d6a9361301708b92dff667","build_date" : "2020-08-11T21:36:48.204330Z","build_snapshot" : false,"lucene_version" : "8.6.0","minimum_wire_compatibility_version" : "6.8.0","minimum_index_compatibility_version" : "6.0.0-beta1"},"tagline" : "You Know, for Search" } [root@VM-0-17-centos ~]# curl http://localhost:9200/_cluster/health?pretty {"cluster_name" : "elasticsearch","status" : "green","timed_out" : false,"number_of_nodes" : 1,"number_of_data_nodes" : 1,"active_primary_shards" : 9,"active_shards" : 9,"relocating_shards" : 0,"initializing_shards" : 0,"unassigned_shards" : 0,"delayed_unassigned_shards" : 0,"number_of_pending_tasks" : 0,"number_of_in_flight_fetch" : 0,"task_max_waiting_in_queue_millis" : 0,"active_shards_percent_as_number" : 100.0 }但在瀏覽器訪問ip:9100被拒絕，解決： [root@VM-0-17-centos ~]# vim /usr/local/elasticsearch-7.9.0/config/elasticsearch.yml network.host: 172.17.0.17 # 將此行改為本機(jī)的ip，如果是云服務(wù)器，建議改成云服務(wù)器的內(nèi)網(wǎng)ip，否則可能會出現(xiàn)Cannot assign requested address [es@VM-0-17-centos ~]$ /usr/local/elasticsearch-7.9.0/bin/elasticsearch -d # 重啟 [root@VM-0-17-centos ~]# ss -nutlp | grep 9200 tcp LISTEN 0 128 [::ffff:172.17.0.17]:9200 [::]:* users:(("java",pid=9558,fd=251))也可能會出現(xiàn)如下問題： [root@VM-0-17-centos elasticsearch-head]# nohup ./node_modules/grunt/bin/grunt server & [4] 14409 [root@VM-0-17-centos elasticsearch-head]# nohup: ignoring input and appending output to ‘nohup.out’ [Exit]....... /root/node_modules/chalk/source/index.js:106...styles,^^^ SyntaxError: Unexpected token ...at createScript (vm.js:53:10)at Object.runInThisContext (vm.js:95:10)at Module._compile (module.js:543:28)at Object.Module._extensions..js (module.js:580:10)at Module.load (module.js:488:32)at tryModuleLoad (module.js:447:12)at Function.Module._load (module.js:439:3)at Module.require (module.js:498:17)at require (internal/module.js:20:19)at Object.<anonymous> (/root/node_modules/grunt-legacy-log-utils/index.js:12:13)解決辦法： 其實(shí)這是因?yàn)閚pm和node的版本比較低的原因 進(jìn)行如下的操作： [root@VM-0-17-centos ~]# npm uninstall npm -g # 卸載npm [root@VM-0-17-centos ~]# yum install gcc gcc-c++ # 安裝gcc [root@VM-0-17-centos ~]# wget https://npm.taobao.org/mirrors/node/v10.14.1/node-v10.14.1-linux-x64.tar.gz # 下載高版本的node [root@VM-0-17-centos ~]# tar -xvf node-v10.14.1-linux-x64.tar.gz # 解壓 [root@VM-0-17-centos ~]# mv node-v10.14.1-linux-x64 /usr/local/node [root@VM-0-17-centos ~]# vim /etc/profile export NODE_HOME=/usr/local/node export PATH=$PATH:$NODE_HOME/bin:$PATH export NODE_PATH=$NODE_HOME/lib/node_modules:$PATH [root@VM-0-17-centos ~]# source /etc/profile [root@VM-0-17-centos ~]# ls /usr/local/node bin CHANGELOG.md include lib LICENSE README.md share [root@VM-0-17-centos ~]# source /etc/profile [root@VM-0-17-centos ~]# node -v v10.14.1 [root@VM-0-17-centos ~]# npm -v 6.4.1

瀏覽器訪問

成功！！

總結(jié)

以上是生活随笔為你收集整理的搭建elasticsearch+kibana+logstash+filebeat的全部內(nèi)容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網(wǎng)站內(nèi)容還不錯，歡迎將生活随笔推薦給好友。