一 概述:
ELK(Elasticsearch、Logstash、Kibana)是一组开源工具,用于实时地处理和可视化大规模日志数据。ELK 可以帮助开发者、系统管理员和数据分析师实时监控应用程序、分析日志数据并提供有关系统状态和用户行为的有用见解。本文旨在提供一个针对 CentOS 云主机的 ELK 8.10 一键部署脚本。该脚本将自动安装和配置 Elasticsearch、Logstash 和 Kibana,并使其能够协同工作。
二 背景:
ELK 作为一种流行的日志管理和分析解决方案,广泛应用于各个领域。它的强大功能和灵活性使其成为许多组织和个人首选的工具之一。然而,部署和配置 ELK 可能会涉及一些复杂的步骤和配置,尤其是对于没有经验的用户来说。因此,提供一个一键部署脚本可以简化整个过程,使用户能够快速搭建和配置一个完整的 ELK 环境。
三 注意事项
- 主机类型为 CentOS,内存尽量保持在 8G,安装版本为最新的 ELK 8.10.2
四 测试
将脚本内容保存为文件,在 Linux 系统中授权并执行
安装完成后可以看到 ES 登录信息,使用 ip:端口 登录 Kibana
es安装完成日志在/opt/elkworkdir/install_es.log
使用命令:/usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana
生成连接 token
之后生成校验码。
等待完成安装
查看索引,目前filebeat开启了检索elk主机 /var/log/*.log 日志
查看日志
五 脚本内容
bash
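#!/bin/bash
# Mail:kaliarch
# Data:2023/11/06
# AutoInstall ELK scripts
#############Software Version##########
# elasticsearch: ${elk_version} (8.10.2)
# logstash:      8.x, latest from the Elastic yum repository
# filebeat:      ${elk_version}
# kibana:        ${elk_version}
#######################################
clear
echo "##########################################"
echo "# Auto Install ELK. ##"
echo "# Press Ctrl + C to cancel ##"
echo "# Any key to continue ##"
echo "##########################################"
# read -p
# Version of the Elastic RPMs fetched below (Logstash comes from the 8.x yum repo instead).
elk_version="8.10.2"
# Placeholder credentials for an additional superuser; currently unused because
# the elasticsearch-users call in install_elasticsearch is commented out.
es_user="esadminxxxxx"
es_pwd="xxzxxxxxxxxxzzxx"
# Built-in superuser; its generated password is read back from the install log later.
es_root_user="elastic"
es_root_pwd=""
# Working directory for downloads and the Elasticsearch install log.
software_dir="/opt/elkworkdir"
install_es_log=install_es.log
# OS major version, e.g. "7" from "CentOS Linux release 7.9.2009 (Core)".
sys_version=$(awk '{print $4}' /etc/redhat-release | cut -d. -f1)
# First non-loopback IPv4 address; only used for the Kibana URL printed at the end
# (head -n 1 keeps the URL on one line on multi-homed hosts).
IP=$(ip addr | grep "inet " | grep -v 127.0.0.1 | awk '{print $2}' | cut -d/ -f1 | head -n 1)
# Total RAM in whole GiB (not used by the rest of the script).
sys_mem=$(free -m | grep Mem: | awk '{print $2}' | awk '{sum+=$1} END {print sum/1024}' | cut -d. -f1)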
#wget software
# Enter the working directory, creating it first when it does not exist yet.
# Globals: software_dir (read). Side effect: changes the caller's cwd.
wget_fun() {
  if [ -d "${software_dir}" ]; then
    cd "${software_dir}"
  else
    mkdir -p "${software_dir}" && cd "${software_dir}"
  fi
  clear
}
#initial system:install java wget;set hostname;disable firewalld
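#initial system:install java wget;set hostname;disable firewalld
# Prepare the host: require root and CentOS 7, switch SELinux off, install the
# helper packages, set the hostname, stop firewalld and raise the kernel/ulimit
# values Elasticsearch needs.
# Globals: sys_version (read). Exits 1 on an unsupported OS or a non-root user.
init_sys() {
  # provides action(), used by check()
  [ -f /etc/init.d/functions ] && . /etc/init.d/functions
  [ "${sys_version}" != "7" ] && echo "Error:This Scripts Support Centos7.xx" && exit 1
  [ "$(id -u)" != "0" ] && echo "Error: You must be root to run this script" && exit 1
  # SELinux is disabled persistently and firewalld is only stopped (not disabled):
  # it comes back after a reboot and then blocks 9200/5601 again. Until then the
  # 0.0.0.0 binds written below expose ES and Kibana on every interface, so
  # restrict access at the cloud security group when the host is not private.
  sed -i "s/SELINUX=enforcing/SELINUX=disabled/" /etc/selinux/config
  setenforce 0
  yum install -y wget net-tools perl-Digest-SHA
  hostnamectl set-hostname elk-server
  systemctl stop firewalld
  # Append limits/sysctl settings only once so re-running the script does not
  # keep duplicating them.
  if ! grep -q "soft nofile 65536" /etc/security/limits.conf; then
    cat >>/etc/security/limits.conf <<EOF
* soft nofile 65536
* hard nofile 65536
* soft nproc 65536
* hard nproc 65536
EOF
  fi
  grep -q "^vm.max_map_count=262144" /etc/sysctl.conf || echo vm.max_map_count=262144 >>/etc/sysctl.conf
  grep -q "^fs.file-max = 1000000" /etc/sysctl.conf || echo "fs.file-max = 1000000" >>/etc/sysctl.conf
  sysctl -p
}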
#install elasticsearch
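#install elasticsearch
# Download (when missing), verify and install the Elasticsearch RPM, write a
# single-node config with security enabled, start the service and read the
# generated password of the built-in "elastic" user from the install log.
# Globals: software_dir, elk_version, install_es_log, es_root_user (read);
#          es_root_pwd (written).
# Returns 1 when the working directory is unusable or the sha512 does not match.
install_elasticsearch() {
  local rpm_file="elasticsearch-${elk_version}-x86_64.rpm"
  local base_url="https://artifacts.elastic.co/downloads/elasticsearch"
  cd "${software_dir}" || return 1
  rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
  # Fetch whichever of the RPM / checksum file is absent (the previous condition
  # only downloaded when *both* were missing).
  [ -f "${rpm_file}" ] || wget "${base_url}/${rpm_file}"
  [ -f "${rpm_file}.sha512" ] || wget "${base_url}/${rpm_file}.sha512"
  # Stop on a checksum mismatch instead of installing a corrupt or tampered package.
  if ! shasum -a 512 -c "${rpm_file}.sha512"; then
    echo "Error: sha512 check failed for ${rpm_file}" >&2
    return 1
  fi
  # The post-install scriptlet prints the generated elastic password into this
  # log, so keep the log readable by root only.
  sudo rpm --install "${rpm_file}" >"${software_dir}/${install_es_log}"
  chmod 600 "${software_dir}/${install_es_log}"
  # configuration: http.host 0.0.0.0 listens on every interface; with firewalld
  # stopped by init_sys, HTTPS + authentication are the only barrier.
  cat >/etc/elasticsearch/elasticsearch.yml <<EOF
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
discovery.type: single-node
xpack.security.enabled: true
xpack.security.enrollment.enabled: true
xpack.security.http.ssl:
  enabled: true
  keystore.path: certs/http.p12
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: certs/transport.p12
  truststore.path: certs/transport.p12
http.host: 0.0.0.0
EOF
  # run service
  sudo /bin/systemctl daemon-reload
  sudo /bin/systemctl enable elasticsearch.service
  sudo /bin/systemctl start elasticsearch.service
  # useradd
  # /usr/share/elasticsearch/bin/elasticsearch-users useradd ${es_user} -p ${es_pwd} -r superuser
  # get elastic user password
  es_root_pwd=$(grep -i "The generated password for the elastic built-in superuser is" "${software_dir}/${install_es_log}" | awk -F": " '{print $2}')
  # check es
  sleep 5
  # check listen
  netstat -lntup | grep java
  # check service
  systemctl status elasticsearch
  # curl check (the -u credential is visible in the process list while curl runs)
  curl --cacert /etc/elasticsearch/certs/http_ca.crt -u "${es_root_user}:${es_root_pwd}" https://localhost:9200
}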
#install kibana
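#install kibana
# Download (when missing), verify and install the Kibana RPM, bind it to all
# interfaces and enable/start the service.
# Globals: software_dir, elk_version (read).
# Returns 1 when the working directory is unusable or the sha512 does not match.
install_kibana() {
  local rpm_file="kibana-${elk_version}-x86_64.rpm"
  local base_url="https://artifacts.elastic.co/downloads/kibana"
  cd "${software_dir}" || return 1
  # Fetch whichever of the RPM / checksum file is absent (the previous condition
  # only downloaded when *both* were missing).
  [ -f "${rpm_file}" ] || wget "${base_url}/${rpm_file}"
  [ -f "${rpm_file}.sha512" ] || wget "${base_url}/${rpm_file}.sha512"
  # Stop on a checksum mismatch instead of installing a corrupt or tampered package.
  if ! shasum -a 512 -c "${rpm_file}.sha512"; then
    echo "Error: sha512 check failed for ${rpm_file}" >&2
    return 1
  fi
  sudo rpm --install "${rpm_file}"
  # Kibana serves plain HTTP on 5601 to every interface (see the URL printed by
  # main); append the setting only once so re-runs do not duplicate it.
  grep -q "^server.host: 0.0.0.0" /etc/kibana/kibana.yml || echo "server.host: 0.0.0.0" >>/etc/kibana/kibana.yml
  # enable Kibana at boot, then start it (reload unit files before enabling)
  sudo /bin/systemctl daemon-reload
  sudo /bin/systemctl enable kibana.service
  sudo /bin/systemctl start kibana.service
}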
#install logstash
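#install logstash
# Add the Elastic 8.x yum repository, install Logstash and write a
# beats -> elasticsearch pipeline that authenticates as the built-in elastic user.
# Globals: software_dir, es_root_user, es_root_pwd (read).
# Returns 1 when the working directory is unusable.
install_logstash() {
  local pipeline=/etc/logstash/conf.d/logstash-filebeat.conf
  cd "${software_dir}" || return 1
  sudo rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
  cat >/etc/yum.repos.d/logstash.repo <<EOF
[logstash-8.x]
name=Elastic repository for 8.x packages
baseurl=https://artifacts.elastic.co/packages/8.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOF
  yum -y install logstash.x86_64
  # Pipeline: beats input on 5044 -> local Elasticsearch over HTTPS.
  # ssl_certificate_verification is off, so the TLS peer on 127.0.0.1:9200 is
  # not authenticated; the self-signed CA is at /etc/elasticsearch/certs/http_ca.crt
  # should verification be turned on later. The heredoc is unquoted on purpose so
  # the elastic credentials are expanded into the file.
  cat >"${pipeline}" <<EOF
input {
  beats {
    port => 5044
  }
}
output {
  elasticsearch {
    hosts => ["https://127.0.0.1:9200"]
    #index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    index => "logstash-%{+YYYY.MM.dd}"
    ssl_certificate_verification => false
    user => "${es_root_user}"
    password => "${es_root_pwd}"
  }
}
EOF
  # The pipeline embeds the superuser password: readable by root and the
  # logstash group only instead of the default world-readable mode.
  chown root:logstash "${pipeline}" && chmod 640 "${pipeline}"
  # enable at boot and start
  systemctl enable logstash
  systemctl start logstash
}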
#install filebeat
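#install filebeat
# Download (when missing), verify and install Filebeat, point it at /var/log/*.log
# and ship everything to the local Logstash beats input.
# Globals: software_dir, elk_version (read).
# Returns 1 when the working directory is unusable or the sha512 does not match.
install_filebeat() {
  local rpm_file="filebeat-${elk_version}-x86_64.rpm"
  local base_url="https://artifacts.elastic.co/downloads/beats/filebeat"
  cd "${software_dir}" || return 1
  # Download once (previously the RPM was re-fetched unconditionally) and verify
  # the sha512 the same way the elasticsearch/kibana installers do.
  [ -f "${rpm_file}" ] || curl -L -O "${base_url}/${rpm_file}"
  [ -f "${rpm_file}.sha512" ] || curl -L -O "${base_url}/${rpm_file}.sha512"
  if ! shasum -a 512 -c "${rpm_file}.sha512"; then
    echo "Error: sha512 check failed for ${rpm_file}" >&2
    return 1
  fi
  sudo rpm -vi "${rpm_file}"
  cp /etc/filebeat/filebeat.yml /etc/filebeat/filebeat.yml.bak
  # Quoted delimiter: ${path.config} must reach the file literally for Filebeat to expand it.
  cat >/etc/filebeat/filebeat.yml <<'EOF'
filebeat.inputs:
- type: filestream
  id: my-filestream-id
  enabled: true
  paths:
    - /var/log/*.log
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false
setup.template.settings:
  index.number_of_shards: 1
setup.kibana:
output.logstash:
  hosts: ["localhost:5044"]
processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  - add_kubernetes_metadata: ~
EOF
  # enable at boot and start
  systemctl enable filebeat
  systemctl start filebeat
}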
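# Report whether a service is listening on a port and its process is running.
# Arguments: $1 - pattern matched against netstat listeners (e.g. ":9200")
#            $2 - process name matched against `ps -ef`
# Uses action() from /etc/init.d/functions (sourced by init_sys).
check() {
  local port=$1
  local program=$2
  local check_port check_program
  check_port=$(netstat -lntup | grep -c -- "${port}")
  # drop the grep process itself from the count
  check_program=$(ps -ef | grep -- "${program}" | grep -vc grep)
  if [ "${check_port}" -gt 0 ] && [ "${check_program}" -gt 0 ]; then
    action "${program} run is ok!" /bin/true
  else
    action "${program} run is error!" /bin/false
  fi
}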
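# Run the installers in order, verify each service and print the access details.
# Globals: IP, es_root_user, es_root_pwd, software_dir, install_es_log (read).
main() {
  local i
  init_sys
  wget_fun
  install_elasticsearch
  install_filebeat
  install_logstash
  install_kibana
  printf '\033[32m Checking Elasticsearch...\033[0m\n'
  check ":9200" "elasticsearch"
  printf '\033[32m Checking Logstash...\033[0m\n'
  check ":9600" "logstash"
  printf '\033[32m Checking Kibana...\033[0m\n'
  # Kibana needs a while to open 5601; poll for up to ~60s so the check does
  # not report a false failure right after systemctl start.
  for ((i = 0; i < 12; i++)); do
    netstat -lntup | grep -q ":5601" && break
    sleep 5
  done
  check ":5601" "kibana"
  action "ELK install is success!" /bin/true
  printf '\033[32m Kibana URL: http://%s:5601 \033[0m\n' "${IP}"
  printf '\033[32m Elastic Username: %s \033[0m\n' "${es_root_user}"
  # shown on purpose: the operator needs it to log in (it is also in the install log)
  printf '\033[32m Elastic Password: %s \033[0m\n' "${es_root_pwd}"
  printf '\033[32m Please see below context to config kibana \033[0m\n'
  printf '\033[36m ElasticStack Install log File:%s/%s \033[0m\n' "${software_dir}" "${install_es_log}"
}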
# entry point
main "$@"
六 注意事项
该脚本目前仅支持 CentOS 系统,未添加过多异常处理;Kibana 检测显示失败是因为 Kibana 启动较慢,检测时尚未启动完成,遇到异常可以重置系统后重新安装。