日志收集Day001

1.ElasticSearch

作用：日志存储和检索

2.单点部署Elasticsearch与基础配置

rpm -ivh elasticsearch-7.17.5-x86_64.rpm

查看配置文件yy /etc/elasticsearch/elasticsearch.yml（这里yy做了别名，过滤掉空行和注释行）

yy /etc/elasticsearch/elasticsearch.yml，结果如下

path.data: /var/lib/elasticsearch      数据所在位置
path.logs: /var/log/elasticsearch     日志所在位置

修改配置yy /etc/elasticsearch/elasticsearch.yml，加入：

network.host: 0.0.0.0

discovery.seed_hosts: ["10.0.0.101"]

启动：systemctl enable --now elasticsearch.service

3.集群部署

1.将安装包分发到各个节点

scp -r elasticsearch-7.17.5-x86_64.rpm 10.0.0.103:~

scp -r elasticsearch-7.17.5-x86_64.rpm 10.0.0.102:~

2.各个节点安装Elasticsearch

rpm -ivh elasticsearch-7.17.5-x86_64.rpm

3.单点部署的节点数据清空

systemctl stop elasticsearch.service
rm -rf /var/lib/elasticsearch/* /var/log/elasticsearch/* /tmp/*

4.修改配置文件

vim /etc/elasticsearch/elasticsearch.yml 
...
# 指定ES集群的名称
cluster.name: lxc
# ES服务监听对外暴露服务的地址
network.host: 0.0.0.0
# 指定ES集群的节点IP
discovery.seed_hosts: ["10.0.0.101","10.0.0.102","10.0.0.103"]
# 指定参与master选举的节点
cluster.initial_master_nodes: ["10.0.0.101","10.0.0.102","10.0.0.103"]

5.分发配置文件

scp /etc/elasticsearch/elasticsearch.yml 10.0.0.103:/etc/elasticsearch/

scp /etc/elasticsearch/elasticsearch.yml 10.0.0.102:/etc/elasticsearch/

6.所有节点启动elasticsearch

systemctl enable --now elasticsearch

7.验证ES集群节点是否正常工作

curl 10.0.0.102:9200/_cat/nodes

带星号为主节点

4.使用oraclejdk管理es服务

解压JDK软件包
tar xf jdk-8u291-linux-x64.tar.gz -C /sortwares/

配置系统环境变量
vim /etc/profile.d/jdk.sh

#!/bin/bash
export JAVA_HOME=/sortwares/jdk1.8.0_291
export PATH=$PATH:$JAVA_HOME/bin

加载环境变量
source /etc/profile.d/jdk.sh

systemd启动脚本配置系统环境变量
vim /usr/lib/systemd/system/elasticsearch.service

Environment=ES_JAVA_HOME=/sortwares/jdk1.8.0_291

重新加载systemd

systemctl daemon-reload

重新启动es

systemctl restart elasticsearch.service

5.修改es环境的堆内存

vim /etc/elasticsearch/jvm.options

添加：

-Xms256m
-Xmx256m
重新启动之后

jmap -heap `ps -ef|grep elastic|grep jdk1.8.0_291|awk '{print $2}'`|grep MaxHeapSize

说明修改成功