【elkb】linux麒麟v10安装ELKB 8.8.X版本（ARM架构）

下载软件

相关版本信息

• elasticsearch：8.8.1
• kibana：8.8.1
• logstash：8.8.1
• filebeat：8.8.1

下载地址

https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-8.8.1-linux-aarch64.tar.gz

https://artifacts.elastic.co/downloads/kibana/kibana-8.8.1-linux-aarch64.tar.gz

https://artifacts.elastic.co/downloads/logstash/logstash-8.8.1-linux-aarch64.tar.gz

https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-8.8.1-linux-arm64.tar.gz

安装elasticsearch

创建目录

#放安装软件的位置
mkdir -pv /software

#安装elasticsearch目录
mkdir -pv /usr/local/elasticsearch

#安装kibana目录
mkdir -pv /usr/local/kibana

解压elasticsearch

tar -zxvf elasticsearch-8.8.1-linux-aarch64.tar.gz -C /usr/local/elasticsearch/

进入目录

cd /usr/local/elasticsearch/

新建elasticsearch用户

useradd elasticsearch

分配所属权限

chown -R elasticsearch:elasticsearch  elasticsearch-8.8.1/

切换用户

su elasticsearch

进入启动目录

cd elasticsearch-8.8.1/bin

切换到elasticsearch用户

su elasticsearch

前台启动

./elasticsearch

输出下面信息就是启动完成

记录下面信息

下面信息有默认的elastic用户和启动kibana用的token信息

后台启动

用 ctrl+c 停止前台启动的ES。切换后台启动。

 ./elasticsearch -d -p pid

查看启动信息

ps -ef | grep elasticsearch

安装kibana

解压kibana

tar -zxvf kibana-8.8.1-linux-aarch64.tar.gz -C /usr/local/kibana/

进入目录

cd /usr/local/kibana/

新建kibana用户

useradd kibana 

授权kibana

chown -R kibana:kibana kibana-8.8.1/

进入kibana目录 和切换kibana用户

cd /usr/local/kibana/kibana-8.8.1/

su kibana

cd bin/

启动kibana

前台启动

./kibana

后台启动

nohup sh kibana >/dev/null 2>&1 &

访问页面

网址： http://localhost:5601/?code=843761

填写code

启动URL中的：code=843761

填写es启动生成的token

提示下面信息就是安装成功

输入上面的elastic账号和密码

安装logstash

创建logstash文件目录

mkdir -pv /usr/local/logstash

解压lagstash

tar -zxvf logstash-8.8.1-linux-aarch64.tar.gz -C /usr/local/logstash/

创建访问证书目录

mkdir -pv /usr/local/logstash/logstash-8.8.1/config/certs

获取访问elastic访问配置

下面的http_ca.crt放到上面创建的目录

移动证书到创建的目录

mv http_ca.crt /usr/local/logstash/logstash-8.8.1/config/

创建配置logstash-pipeline.conf

cd /usr/local/elasticsearch/elasticsearch-8.8.1/config

mv logstash-sample.conf logstash-pipeline.conf

编辑配置

vim logstash-pipeline.conf

具体配置如下

input {
    beats {
        port => "5044"
    }
}
# The filter part of this file is commented out to indicate that it is
# optional.
# filter {
#
# }

filter {
    if [fields][logtype] == "java-app" {

        mutate { add_field => { "[logsource]" => "%{[fields][logsource]}" } }

        grok {
            match => { "message" => "^%{TIMESTAMP_ISO8601:log_timestamp}\s+\[%{DATA:thread}\]\s+\[%{DATA:trace_id}\]\s+\[%{DATA:logger_name}\]\s+\[%{DATA:log_level}\]:\s+%{GREEDYDATA:log_content}"}
        }
    } else if [fields][logtype] == "nginx" {
        grok {
            match => { "message" => "%{COMBINEDAPACHELOG}" }
        }
        date {
            match => [ "timestamp" , "yyyy-MM-dd HH:mm:ss SSS" ]
        } 
    }
}

output {
    if [fields][logtype] == "java-app" {
        if [fields][logenv] == "jyy-prod" {
            elasticsearch {
                hosts => [ "https://192.168.3.1:9200" ]
                ssl_certificate_authorities => "config/certs/http_ca.crt"
                user => "elastic"
                password => "FiTw@1234"
                index => "prod-log-java-%{+YYYY.MM.dd}"
            }
        }  else if [fields][logtype] == "nginx" {
			elasticsearch {
				hosts => [ "https://192.168.3.1:9200" ]
				ssl_certificate_authorities => "config/certs/http_ca.crt"
				user => "elastic"
				password => "FiTw@1234"
				index => "log-nginx%{+YYYY.MM.dd}"
			}
    }
  }
}

启动logstash

cd /usr/local/elasticsearch/elasticsearch-8.8.1/bin

校验文件

./logstash -f ./config/logstash-pipeline.conf --config.test_and_exit

前台启动

./logstash -f ./config/logstash-pipeline.conf --config.reload.automatic

配置系统系统

./system-install  

编辑logstash.service

vim /etc/systemd/system/logstash.service

在ExecStart=/usr/local/logstash/logstash-8.8.1/bin/logstash "--path.settings" "/etc/logstash"  后面增加：

"-f" "/usr/local/logstash/logstash-8.8.1/config/logstash-pipeline.conf"

编辑完成的项目

ExecStart=/usr/local/logstash/logstash-8.8.1/bin/logstash "--path.settings" "/etc/logstash"  "-f" "/usr/local/logstash/logstash-8.8.1/config/logstash-pipeline.conf"

查看和修改状态

systemctl status logstash

systemctl enable logstash

加载和重启

systemctl daemon-reload

systemctl start logstash

安装filebeat

创建文件夹

mkdir -pv /usr/local/filebeat

解压filebeat

cd /software

tar -zxvf filebeat-8.8.1-linux-arm64.tar.gz -C /usr/local/filebeat/

重命名文件夹

cd /usr/local/filebeat/
mv filebeat-8.8.1-linux-arm64/ filebeat-8.8.1
cd filebeat-8.8.1

配置filebeat.yml

主要配置项：

• filebeat.inputs:
• output.logstash:

vim filebeat.yml

filebeat.inputs配置

示例：

filebeat.inputs:
- type: filestream
  id: java-demo
  paths:
   - /workspace/java/demo/log/*.log
  fields:
    logsource: java-demo
    logtype: java-app
    logenv: dev
  parsers:
    - multiline:
        type: pattern
        pattern: '^[0-9]{4}-[0-9]{2}-[0-9]{2}'
        negate: true
        match: after

output.logstash配置

示例：

output.logstash:
  # The Logstash hosts
  hosts: ["192.168.3.1:5044"]

检查配置文件

./filebeat test config -c  filebeat.yml 

启动filebeat

前台启动

./filebeat -e -c filebeat.yml -d "publish"

后台启动

nohup ./filebeat -e -c filebeat.yml > /dev/null 2>&1 &