ELK 8.10 one-click deployment script for CentOS cloud hosts

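1. Overview

ELK (Elasticsearch, Logstash, Kibana) is a set of open-source tools for processing and visualizing large volumes of log data in real time. It helps developers, system administrators and data analysts monitor applications in real time, analyze log data, and gain useful insight into system state and user behavior. This article provides a one-click deployment script for ELK 8.10 on a CentOS cloud host. The script automatically installs and configures Elasticsearch, Logstash and Kibana so that they work together.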

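2. Background

ELK is a popular log management and analysis solution used widely across many fields. Its power and flexibility make it a first choice for many organizations and individuals. However, deploying and configuring ELK can involve complex steps and settings, especially for inexperienced users. A one-click deployment script simplifies the whole process and lets users quickly build and configure a complete ELK environment.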

3. Prerequisites

  • Host type: CentOS. Keep memory at 8 GB if possible. The version installed is the latest ELK, 8.10.2.

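4. Testing

Save the script to a file, make it executable on the Linux system, and run it.

When the installation finishes, the Elasticsearch login information is displayed; log in to Kibana at ip:port.

The Elasticsearch installation log is at /opt/elkworkdir/install_es.log. The script reads the generated elastic password from this file, so the log contains that password.

Use the command: /usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana

to generate the enrollment token.

Then generate the verification code.

Wait for the installation to complete.

View the indices. Filebeat is currently set to collect the /var/log/*.log files on the ELK host.

View the logs.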

5. Script

#!/bin/bash
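# Mail:kaliarch
# Date:2023/11/06
# AutoInstall ELK scripts
#############Software Version##########
# elasticsearch: 8.10.2 (elk_version below)
# logstash: from the 8.x yum repository
# filebeat: 8.10.2 (elk_version below)
# kibana: 8.10.2 (elk_version below)
#######################################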

clear
echo "##########################################"
echo "#       Auto Install ELK.               ##"
echo "#       Press Ctrl + C to cancel        ##"
echo "#       Any key to continue             ##"
echo "##########################################"
# read -p 
elk_version="8.10.2"
es_user="esadminxxxxx"
es_pwd="xxzxxxxxxxxxzzxx"
es_root_user="elastic"
es_root_pwd=""

software_dir="/opt/elkworkdir"
install_es_log=install_es.log
sys_version=`cat /etc/redhat-release |awk '{print $4}'|cut -d. -f1`
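# first non-loopback IPv4 address (a host with several interfaces would otherwise yield several lines)
IP=`ip addr|grep "inet "|grep -v 127.0.0.1|awk '{print $2}'|cut -d/ -f1|head -n 1`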
sys_mem=`free -m|grep Mem:|awk '{print $2}'|awk '{sum+=$1} END {print sum/1024}'|cut -d. -f1`

# create the work directory used for downloads and enter it
wget_fun() {
mkdir -p "${software_dir}" && cd "${software_dir}" || exit 1
clear
}

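#initial system: install wget, net-tools and shasum; set hostname; disable SELinux and firewalld
init_sys() {
[ -f /etc/init.d/functions ] && . /etc/init.d/functions
[ "${sys_version}" != "7" ] && echo "Error:This Scripts Support Centos7.xx" && exit 1
[ "$(id -u)" != "0" ] && echo "Error: You must be root to run this script" && exit 1
# SELinux is switched off permanently (config file) and for the running system (setenforce)
sed -i "s/SELINUX=enforcing/SELINUX=disabled/"  /etc/selinux/config
setenforce 0
yum install -y wget net-tools perl-Digest-SHA
hostnamectl set-hostname elk-server
# with firewalld stopped, 9200, 5601 and 5044 are reachable on every interface;
# limit access to them in the cloud security group
systemctl stop firewalld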
cat >>/etc/security/limits.conf<<EOF
* soft nofile 65536 
* hard nofile 65536 
* soft nproc 65536 
* hard nproc 65536
EOF

echo vm.max_map_count=262144>> /etc/sysctl.conf
echo "fs.file-max = 1000000" >> /etc/sysctl.conf
sysctl -p

}

#install elasticsearch
install_elasticsearch() {

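cd $software_dir
rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
# download the rpm and its checksum file if either one is missing (-nc keeps a file that is already there)
if [ ! -f elasticsearch-${elk_version}-x86_64.rpm ] || [ ! -f elasticsearch-${elk_version}-x86_64.rpm.sha512 ];then
    wget -nc https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-${elk_version}-x86_64.rpm
    wget -nc https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-${elk_version}-x86_64.rpm.sha512
fi
# stop here if the package does not match the published SHA-512
shasum -a 512 -c elasticsearch-${elk_version}-x86_64.rpm.sha512 || { echo "Error: elasticsearch rpm checksum mismatch"; exit 1; }
# the rpm output contains the generated elastic password, so keep the log readable by root only
touch ${software_dir}/${install_es_log} && chmod 600 ${software_dir}/${install_es_log}
sudo rpm --install elasticsearch-${elk_version}-x86_64.rpm > ${software_dir}/${install_es_log}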

# configuration
cat >/etc/elasticsearch/elasticsearch.yml<<EOF
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
discovery.type: single-node
xpack.security.enabled: true
xpack.security.enrollment.enabled: true
xpack.security.http.ssl:
  enabled: true
  keystore.path: certs/http.p12
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: certs/transport.p12
  truststore.path: certs/transport.p12
http.host: 0.0.0.0
EOF

# run service
sudo /bin/systemctl daemon-reload
sudo /bin/systemctl enable elasticsearch.service
sudo /bin/systemctl start elasticsearch.service

# useradd 
# /usr/share/elasticsearch/bin/elasticsearch-users useradd ${es_user} -p ${es_pwd} -r superuser

# get elastic user password
es_root_pwd=$(grep -i "The generated password for the elastic built-in superuser is" ${software_dir}/${install_es_log} | awk -F": " '{print $2}')

# check es
sleep 5

# check listen  
netstat -lntup |grep java
# check service
systemctl status elasticsearch

# curl check
curl --cacert /etc/elasticsearch/certs/http_ca.crt -u ${es_root_user}:${es_root_pwd} https://localhost:9200

}

#install kibana
install_kibana() {
cd $software_dir
# download the rpm and its checksum file if either one is missing (-nc keeps a file that is already there)
if [ ! -f kibana-${elk_version}-x86_64.rpm ] || [ ! -f kibana-${elk_version}-x86_64.rpm.sha512 ];then
    wget -nc https://artifacts.elastic.co/downloads/kibana/kibana-${elk_version}-x86_64.rpm
    wget -nc https://artifacts.elastic.co/downloads/kibana/kibana-${elk_version}-x86_64.rpm.sha512
fi
# stop here if the package does not match the published SHA-512
shasum -a 512 -c kibana-${elk_version}-x86_64.rpm.sha512 || { echo "Error: kibana rpm checksum mismatch"; exit 1; }
sudo rpm --install kibana-${elk_version}-x86_64.rpm
# listen on all interfaces; Kibana serves plain HTTP on 5601 unless server.ssl.* is configured
echo "server.host: 0.0.0.0" >> /etc/kibana/kibana.yml

# enable Kibana at boot, then start it
sudo /bin/systemctl daemon-reload
sudo /bin/systemctl enable kibana.service
sudo /bin/systemctl start kibana.service
}

#install logstash
install_logstash() {
cd $software_dir
sudo rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
cat > /etc/yum.repos.d/logstash.repo <<EOF
[logstash-8.x]
name=Elastic repository for 8.x packages
baseurl=https://artifacts.elastic.co/packages/8.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOF

yum -y install logstash.x86_64

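# pipeline: Beats input on 5044, Elasticsearch output
# note: ssl_certificate_verification => false makes Logstash accept any certificate on 9200;
# to verify the server, replace it with cacert pointing at a copy of
# /etc/elasticsearch/certs/http_ca.crt that the logstash user can read
cat > /etc/logstash/conf.d/logstash-filebeat.conf <<EOF
input {
  beats {
    port => 5044
  }
}

output {
  elasticsearch {
    hosts => ["https://127.0.0.1:9200"]
    #index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    index => "logstash-%{+YYYY.MM.dd}"
    ssl_certificate_verification => false
    user => "${es_root_user}"
    password => "${es_root_pwd}"
  }
}
EOF
# the pipeline file holds the elastic superuser password: limit it to root and the logstash group
chown root:logstash /etc/logstash/conf.d/logstash-filebeat.conf
chmod 640 /etc/logstash/conf.d/logstash-filebeat.conf

# enable at boot and start
systemctl enable logstash
systemctl start logstash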
}

#install filebeat
install_filebeat() {
cd $software_dir
# download once; skip if the rpm is already in the work directory
if [ ! -f filebeat-${elk_version}-x86_64.rpm ];then
    curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-${elk_version}-x86_64.rpm
fi
sudo rpm -vi filebeat-${elk_version}-x86_64.rpm

cp /etc/filebeat/filebeat.yml /etc/filebeat/filebeat.yml.bak
cat >/etc/filebeat/filebeat.yml<<\EOF
filebeat.inputs:
- type: filestream
  id: my-filestream-id
  enabled: true
  paths:
    - /var/log/*.log
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false
setup.template.settings:
  index.number_of_shards: 1
setup.kibana:
output.logstash:
  hosts: ["localhost:5044"]
processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  - add_kubernetes_metadata: ~
EOF

# enable at boot and start
systemctl enable filebeat
systemctl start filebeat

}

check() {
port=$1
program=$2
check_port=`netstat -lntup|grep ${port}|wc -l`
check_program=`ps -ef|grep ${program}|grep -v grep|wc -l`
if [ $check_port -gt 0 ] && [ $check_program -gt 0 ];then
        action "${program} run is ok!" /bin/true
else
        action "${program} run is error!" /bin/false
fi
}

main() {
init_sys
wget_fun
install_elasticsearch
install_filebeat
install_logstash
install_kibana
echo -e "\033[32m Checking Elasticsearch...\033[0m"
check :9200 "elasticsearch"
echo -e "\033[32m Checking Logstash...\033[0m"
check ":9600" "logstash"
echo -e "\033[32m Checking Kibana...\033[0m"
check ":5601" "kibana"
action "ELK install is success!" /bin/true

echo -e "\033[32m Kibana URL: http://$IP:5601 \033[0m"
echo -e "\033[32m Elastic Username: ${es_root_user} \033[0m"
echo -e "\033[32m Elastic Password: ${es_root_pwd} \033[0m"

echo -e "\033[32m Please see below context to config kibana \033[0m"
echo -e "\033[36m ElasticStack Install log File:${software_dir}/${install_es_log} \033[0m"
}
main

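6. Notes

The script currently supports only CentOS and has little error handling. When the Kibana check reports a failure, it is because Kibana starts slowly and has not finished starting when the check runs. If you hit an error, reset the system and install again.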
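
The audit below is an added example, not part of the original script. It checks the files the deployment writes for the settings that weaken it: TLS verification switched off in the Logstash output, a literal password in a world-readable pipeline file, Kibana on 0.0.0.0 over plain HTTP, the elastic password in a world-readable install log, and SELinux disabled. The function names and finding codes are invented for this example; the default paths are the ones the script uses.

```bash
#!/bin/bash
# Added example, not part of the original script. audit_elk, report,
# world_readable and the finding codes are names invented for this example.

findings=0
report() { echo "$1"; findings=$((findings + 1)); }

# True when the file's "other" read bit is set.
world_readable() { [ -n "$(find "$1" -prune -perm -004 2>/dev/null)" ]; }

# audit_elk LOGSTASH_CONF KIBANA_YML ES_INSTALL_LOG SELINUX_CONFIG
# Prints one finding per line; returns 1 if anything was found.
audit_elk() {
    findings=0
    # Logstash -> Elasticsearch TLS with certificate verification switched off.
    if grep -Eq '^[[:space:]]*ssl_certificate_verification[[:space:]]*=>[[:space:]]*false' "$1" 2>/dev/null; then
        report "LOGSTASH_TLS_VERIFY_OFF $1"
    fi
    # Literal password (not a ${VAR} reference) in a file any local user can read.
    if grep -Eq '^[[:space:]]*password[[:space:]]*=>[[:space:]]*"[^"$]' "$1" 2>/dev/null && world_readable "$1"; then
        report "LOGSTASH_PASSWORD_WORLD_READABLE $1"
    fi
    # Kibana bound to every interface while still serving plain HTTP.
    if grep -Eq '^server\.host:[[:space:]]*"?0\.0\.0\.0' "$2" 2>/dev/null &&
       ! grep -Eq '^server\.ssl\.enabled:[[:space:]]*true' "$2"; then
        report "KIBANA_HTTP_ON_ALL_INTERFACES $2"
    fi
    # rpm output holding the generated elastic password, readable by everyone.
    if grep -q 'generated password for the elastic built-in superuser' "$3" 2>/dev/null && world_readable "$3"; then
        report "ELASTIC_PASSWORD_IN_READABLE_LOG $3"
    fi
    # SELinux switched off permanently by init_sys.
    if grep -Eq '^SELINUX=disabled' "$4" 2>/dev/null; then
        report "SELINUX_DISABLED $4"
    fi
    [ "$findings" -eq 0 ]
}

# Default to the paths the deployment script uses.
audit_elk "${1:-/etc/logstash/conf.d/logstash-filebeat.conf}" \
          "${2:-/etc/kibana/kibana.yml}" \
          "${3:-/opt/elkworkdir/install_es.log}" \
          "${4:-/etc/selinux/config}" || echo "$findings finding(s)"
```

Run it as root on the ELK host after the installation; each output line is a finding code followed by the file it was found in.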
