Linux安装EFK日志分析系统
目标:能够实现采集指定路径日志到es,用kibana实现日志分析
单es节点集群规划:
| 主机名 | IP 地址 | 组件 |
|---|---|---|
| a1 | 192.168.1.111 | Kibana + elasticsearch |
| a2 | 192.168.1.112 | Fluentd |
| a3 | 192.168.1.103 | Fluentd |
1、安装Elasticsearch
1.1添加 Elastic 仓库并安装 Elasticsearch
rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearchcat > /etc/yum.repos.d/elastic.repo <<EOF
[elasticsearch-8.x]
name=Elasticsearch repository for 8.x packages
baseurl=https://artifacts.elastic.co/packages/8.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOF
#安装elasticsearch
yum install -y elasticsearch
1.2用户配置
ES不能使用root用户来启动,必须使用普通用户来安装启动。我们必须创建一个es专门的用户
#新建es用户并设置密码
useradd es
passwd es
#将es用户加入elasticsearch组
usermod -G elasticsearch es
#es用户设置为可用sudo等命令
vim /etc/sudoers 末尾添加
#es ALL=(ALL) NOPASSWD: ALL
es ALL=(ALL) ALL
#保存退出后出来生效
source /etc/sudoers
#解决问题1:es用户执行以下命令解除打开文件数据的限制:
vim /etc/security/limits.conf末尾添加
* soft nofile 65536
* hard nofile 131072
* soft nproc 2048
* hard nproc 4096
问题错误信息描述:
max file descriptors [4096] for elasticsearch process likely too low, increase to at least [65536]
#解决问题2:修改es用户可以创建的最大线程数
vim /etc/security/limits.d/20-nproc.conf
* soft nproc 1024#修改为
* soft nproc 4096
问题错误信息描述:
max number of threads [1024] for user [es] likely too low, increase to at least [4096]
#解决问题3:es用户调大虚拟内存
vim /etc/sysctl.conf末尾添加
vm.max_map_count=262144
错误信息描述:
max virtual memory areas vm.max_map_count [65530] likely too low, increase to at least [262144]
**
1.3 配置Elasticsearch(/etc/elasticsearch/elasticsearch.yml)
cat > /etc/elasticsearch/elasticsearch.yml <<EOF
#集群名称, 处于同一个集群所有节点,该名称必须相同
cluster.name: efk-cluster
# 节点名称. 两台机器名字必须都不一样
node.name: a1
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
# 网络绑定,这里我绑定 0.0.0.0,支持外网访问
network.host: 0.0.0.0
# 设置对外服务的http端口,默认为9200
http.port: 9200
#single-node单节点集群
discovery.type: single-node
xpack.security.enabled: true
# 支持跨域访问
http.cors.enabled: true
http.cors.allow-origin: "*"
EOF
#编辑/etc/elasticsearch/jvm.options将注释内容修改
vim /etc/elasticsearch/jvm.options
-Xms2g
-Xmx2g
1.4启动Elasticsearch
#切换es用户
su es
#启动
systemctl start elasticsearch
#开机自启
systemctl enable elasticsearch
如果报错
#查看es日志(efk-cluster是配置文件定义的集群名)
cat /var/log/elasticsearch/efk-cluster.log | tail -n 50
如果出现org.elasticsearch.ElasticsearchSecurityException: invalid configuration for xpack.security.transport.ssl - [xpack.security.transport.ssl.enabled] is not set, but the following settings have been configured in elasticsearch.yml : [xpack.security.transport.ssl.keystore.secure_password,xpack.security.transport.ssl.truststore.secure_password]
就是xpack.security.transport.ssl 的配置无效 - [xpack.security.transport.ssl.enabled] 未设置,但已在 elasticsearch.yml 中配置了以下设置
解决方法:之前安装了缓存设置的 ElasticSearch,尝试使用以下命令重置安全设置
rm /etc/elasticsearch/elasticsearch.keystore
/usr/share/elasticsearch/bin/elasticsearch-keystore create
1.5查看密码(记录用户密码)
/usr/share/elasticsearch/bin/elasticsearch-setup-passwords auto
会得到如下用户和密码,保存记录
| 用户名 | 密码 |
|---|---|
elastic | To0wR2hSaPLsKFBbOyHl |
kibana_system | NueXLxMBkbZFkL7stbP9 |
kibana | NueXLxMBkbZFkL7stbP9 |
apm_system | AfcXVRt1b9hdDflfNSbP |
logstash_system | Y9TaPbMxXB2BTpqWbIOB |
beats_system | hgMyPYqsxvKgAqghOEMm |
remote_monitoring_user | s65gIUsT97jdisnfcS2E |
#如果不是第一次启动,重置密码
/usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic --batch
2、 安装Kibana
yum install -y kibana
2.1配置Kibana(/etc/kibana/kibana.yml)
#下面的用户密码都拿上面记录的
cat > /etc/kibana/kibana.yml <<EOF
server.host: "0.0.0.0"
server.port: 5601
elasticsearch.hosts: ["http://localhost:9200"]
elasticsearch.username: "kibana_system"
elasticsearch.password: "NueXLxMBkbZFkL7stbP9"
EOF
2.2启动Kibana
#启动
systemctl start kibana
#开机自启
systemctl enable kibana
在a1 和 a2 安装 Fluentd
3、安装td-agent(Fluentd官方发行版)
curl -L https://toolbelt.treasuredata.com/sh/install-redhat-td-agent4.sh | sh
yum install -y td-agent
3.1配置Fluentd(/etc/td-agent/td-agent.conf)
cat > /etc/td-agent/td-agent.conf <<EOF
# 收集系统日志
#<source>
# @type tail
# path /var/log/messages
# pos_file /var/log/td-agent/messages.pos
# tag system.messages
# format syslog
#</source># 采集 /data/logs/TALogs/xjp_official 目录下的日志
<source>@type tailpath /data/logs/TALogs/xjp_official/log.*_0 # 匹配 log.YYYY-MM-DD_0 格式的文件pos_file /var/log/td-agent/xjp_official.postag xjp_officialformat json #json格式time_key #根据日志中的time进行解析time_format %Y-%m-%d %H:%M:%S.%L# 按 mtime(修改时间)排序,false优先读取最新文件,true旧数据也读取#read_from_head falseread_from_head true
</source># 输出到Elasticsearch
<match **>@type elasticsearchhost 192.168.1.111 # es-kibana节点IPport 9200user elasticpassword "To0wR2hSaPLsKFBbOyHl"logstash_format truelogstash_prefix fluentdinclude_tag_key truetag_key @log_name
</match>
EOF
#保证采集路径td-agent有权限访问,下列的都是方法,可采用
#添加其他用户可访问/var/log/messages
chmod o+r /var/log/messages
#td-agent用户添加到master组
usermod -G master td-agent
#将/data/logs/TALogs/xjp_official/赋权给td-agent和组
chown -R td-agent:td-agent /data/logs/TALogs/xjp_official/
3.2启动Fluentd
#启动
systemctl start td-agent
#开机自启
systemctl enable td-agent#查看Fluentd日志验证是否传输成功
tail -n 20 /var/log/td-agent/td-agent.log
4、访问 Kibana
打开浏览器访问 http://192.168.1.11:5601,使用 elastic 用户和密码登录。并访问dev tools
检索#account_id为250000001311的日志文件
操作备忘
1、(删除现有数据重新传输到es)无需操作!!
#es查看已有的日志
curl -u elastic:"To0wR2hSaPLsKFBbOyHl" -X GET "http://192.168.1.111:9200/_cat/indices/fluentd-*?v"
#es删除已有日志
curl -u elastic:"To0wR2hSaPLsKFBbOyHl" -X DELETE "http://192.168.1.111:9200/fluentd-2025.05.27"
# Fluentd删除 pos 文件
rm -f /var/log/td-agent/xjp_official.pos
#重启Fluentd
systemctl restart td-agent
2、查看日志
#查看es日志
cat /var/log/elasticsearch/efk-cluster.log | tail -n 50
#查看Fluentd日志
tail -n 30 /var/log/td-agent/td-agent.log
kibana查询语句
#单条件查询语句
GET fluentd*/_search
{"query": {"term": {"#account_id": "250000001311"}},"size": 100
}
#多条件查询语句
GET fluentd-*/_search
{"query": {"bool": {"must": [{ "term": { "properties.num": 20 }},{ "term": { "properties.num_before": 37 }},{ "term": { "properties.num_after": 57 }},{ "term": { "properties.item_id.keyword": "SkinSuperBoxKey" }},{ "match": { "#account_id": "250000001311" }}]}}
}
配置多elasticsearch节点,例如配置三台elasticsearch服务器(如需)
1、多es节点操作(各节点都需)
vim /etc/hosts末尾添加主机配置相互通信
192.168.1.111 a1
192.168.1.112 a2
192.168.1.113 a3
2、es配置文件修改(各节点都需,并修改node.name即可,discovery.seed_hosts和cluster.initial_master_nodes根据实际情况修改)
cat > /etc/elasticsearch/elasticsearch.yml <<EOF
#集群名称, 处于同一个集群所有节点,该名称必须相同
cluster.name: efk-cluster
# 节点名称. 两台机器名字必须都不一样
node.name: a1
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
# 网络绑定,这里我绑定 0.0.0.0,支持外网访问
network.host: 0.0.0.0
# 设置对外服务的http端口,默认为9200
http.port: 9200
#TCP9300配置节点间相互通信
transport.port: 9300
# 集群发现
discovery.seed_hosts: ["192.168.1.111","192.168.1.112","192.168.1.113"]
cluster.initial_master_nodes: ["a1","a2","a3"]
# 支持跨域访问
http.cors.enabled: true
http.cors.allow-origin: "*"
EOF
多节点集群证书部署(如需)
1、生成ca证书
/usr/share/elasticsearch/bin/elasticsearch-certutil ca --out elastic-stack-ca.p12 --pass "root"
2、随便一个目录/test/编写一个node.yaml文件
vim /test/node.yaml
instances:- name: a1dns: [a1]ip: [192.168.1.111]- name: a2dns: [a2]ip: [192.168.1.112]- name: a3dns: [a3]ip: [192.168.1.113]- name: a4dns: [a4]ip: [192.168.1.114]
3、使用ca签发多节点证书
/usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 --ca-pass "root" --in /test/node.yaml --multiple --out certs.zip --pass "root"
4、解压复制到各个节点
#某个节点操作即可,我这里是a1服务器
unzip certs.zip -d /usr/share/elasticsearch/
cp /usr/share/elasticsearch/a1/a1.p12 -d /etc/elasticsearch/certs/
scp /usr/share/elasticsearch/a2/a2.p12 root@192.168.1.112:/etc/elasticsearch/certs/
scp /usr/share/elasticsearch/a3/a3.p12 root@192.168.1.113:/etc/elasticsearch/certs/
#文件给用户elasticsearch权限(每个节点都要)
chown -R elasticsearch:elasticsearch /etc/elasticsearch/certs/
5、配置文件修改
vim /etc/elasticsearch/elasticsearch.yml末尾添加
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/certs/a1.p12
xpack.security.transport.ssl.keystore.password: root
xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/certs/a2.p12
xpack.security.transport.ssl.truststore.password: root
6、重启测试
su es
systemctl restart elasticsearch
浏览器访问:192.168.1.111:9200
7、后续扩容新es节点,只需要将yaml文件中的旧节点去掉,然后添加新的节点去生成证书即可
8、查看证书有效期(根据实际情况修改一下自己的/usr/share/elasticsearch/a1/a1.p12)
openssl pkcs12 -in /usr/share/elasticsearch/a1/a1.p12 -clcerts -nokeys -passin pass:"root" | openssl x509 -noout -dates
#得到结果生效时间:2025 年 5 月 28 日 07:28:46 GMT 过期时间:2028 年 5 月 27 日 07:28:46 GMT
MAC verified OK
notBefore=May 28 07:28:46 2025 GMT
notAfter=May 27 07:28:46 2028 GMT