安装elasticsearch
创建目录
bash
# Create, in one call, the three directories used by this guide:
#   /software                 - staging area for the downloaded archives
#   /usr/local/elasticsearch  - Elasticsearch installation root
#   /usr/local/kibana         - Kibana installation root
mkdir -pv /software /usr/local/elasticsearch /usr/local/kibana
解压elasticsearch
bash
# Before unpacking, check the archive against the vendor-published SHA-512 file,
# e.g. `sha512sum -c elasticsearch-8.8.1-linux-aarch64.tar.gz.sha512`.
# -C unpacks into the Elasticsearch installation root created above.
tar -zxvf elasticsearch-8.8.1-linux-aarch64.tar.gz -C /usr/local/elasticsearch/
进入目录
bash
cd /usr/local/elasticsearch/
新建elasticsearch用户
bash
useradd elasticsearch
分配所属权限
bash
chown -R elasticsearch:elasticsearch elasticsearch-8.8.1/
切换用户
bash
su elasticsearch
进入启动目录
bash
cd elasticsearch-8.8.1/bin
切换到elasticsearch用户（如果上一步已经切换，可跳过此步）
bash
su elasticsearch
前台启动
bash
./elasticsearch
输出下面信息就是启动完成
记录下面信息
下面信息包含elastic用户的默认密码和kibana注册用的enrollment token，二者都是敏感凭据，请妥善保存
后台启动
用 ctrl+c 停止前台启动的ES。切换后台启动。
bash
./elasticsearch -d -p pid
查看启动信息
bash
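# List running Elasticsearch processes. pgrep matches on the full command line
# (-f) and prints it (-a); unlike `ps -ef | grep`, it never reports the grep
# process itself as a false match.
pgrep -af elasticsearch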
安装kibana
解压kibana
bash
# Before unpacking, check the archive against the vendor-published SHA-512 file,
# e.g. `sha512sum -c kibana-8.8.1-linux-aarch64.tar.gz.sha512`.
# -C unpacks into the Kibana installation root.
tar -zxvf kibana-8.8.1-linux-aarch64.tar.gz -C /usr/local/kibana/
进入目录
bash
cd /usr/local/kibana/
新建kibana用户
bash
useradd kibana
授权kibana
bash
chown -R kibana:kibana kibana-8.8.1/
进入kibana目录 和切换kibana用户
bash
cd /usr/local/kibana/kibana-8.8.1/
su kibana
cd bin/
启动kibana
前台启动
bash
./kibana
后台启动
bash
# Start Kibana detached from the terminal so it survives logout.
# Both stdout and stderr are redirected to /dev/null, so this command keeps no
# record of startup errors or console log lines; point the redirection at a
# log file instead if that output is needed for troubleshooting or audit.
nohup sh kibana >/dev/null 2>&1 &
访问页面
网址: http://localhost:5601/?code=843761 （code以本机kibana启动输出中打印的为准，843761仅为示例）
填写code
即kibana启动输出的URL中的code参数，例如: code=843761
填写es启动生成的token
提示下面信息就是安装成功
输入上面的elastic账号和密码
安装logstash
创建logstash文件目录
bash
mkdir -pv /usr/local/logstash
解压logstash
bash
# Before unpacking, check the archive against the vendor-published SHA-512 file,
# e.g. `sha512sum -c logstash-8.8.1-linux-aarch64.tar.gz.sha512`.
# -C unpacks into the Logstash installation root created above.
tar -zxvf logstash-8.8.1-linux-aarch64.tar.gz -C /usr/local/logstash/
创建访问证书目录
bash
mkdir -pv /usr/local/logstash/logstash-8.8.1/config/certs
获取访问elasticsearch所需的CA证书
下面的http_ca.crt放到上面创建的目录
移动证书到创建的目录
bash
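# Put the Elasticsearch HTTP CA certificate into the certs directory created
# above. The pipeline's ssl_certificate_authorities setting points at
# config/certs/http_ca.crt, so moving the file to config/ (one level up) would
# leave Logstash unable to verify the Elasticsearch TLS certificate.
mv http_ca.crt /usr/local/logstash/logstash-8.8.1/config/certs/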
创建配置logstash-pipeline.conf
bash
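# logstash-sample.conf ships in the Logstash config directory (not in the
# Elasticsearch one), and the systemd unit edited later in this guide loads
# /usr/local/logstash/logstash-8.8.1/config/logstash-pipeline.conf.
cd /usr/local/logstash/logstash-8.8.1/config
mv logstash-sample.conf logstash-pipeline.conf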
编辑配置
bash
vim logstash-pipeline.conf
具体配置如下
java
# Receive events from Beats shippers (e.g. Filebeat) on TCP port 5044.
# NOTE(review): no ssl_* options are set on this input, so Beats traffic is
# accepted unencrypted and without client authentication; restrict the port
# with a firewall or enable TLS on the input if shippers are on other hosts.
input {
  beats {
    port => 5044
  }
}
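# Parse each event according to the [fields][logtype] value attached by the
# shipper. Events with any other logtype pass through unparsed.
filter {
  if [fields][logtype] == "java-app" {
    # Promote the shipper-supplied log source to a top-level field.
    mutate { add_field => { "[logsource]" => "%{[fields][logsource]}" } }
    # Expected line layout:
    #   <ISO8601 time> [thread] [trace_id] [logger] [level]: <message>
    grok {
      match => { "message" => "^%{TIMESTAMP_ISO8601:log_timestamp}\s+\[%{DATA:thread}\]\s+\[%{DATA:trace_id}\]\s+\[%{DATA:logger_name}\]\s+\[%{DATA:log_level}\]:\s+%{GREEDYDATA:log_content}"}
    }
  } else if [fields][logtype] == "nginx" {
    grok {
      match => { "message" => "%{COMBINEDAPACHELOG}" }
    }
    # COMBINEDAPACHELOG captures the request time in HTTPDATE form
    # (e.g. 10/Oct/2000:13:55:36 -0700), so the date pattern must describe that
    # layout. The previous "yyyy-MM-dd HH:mm:ss SSS" pattern could never parse
    # it, which left @timestamp at ingest time instead of request time and
    # skews any timeline built from these logs.
    date {
      match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ]
    }
  }
}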
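# Ship parsed events to Elasticsearch over HTTPS, one index family per log type.
#
# Credentials: the password is read from the ES_PWD variable instead of being
# written into this file. Store it in the Logstash keystore, using the same
# --path.settings directory the service runs with:
#   bin/logstash-keystore --path.settings /etc/logstash create
#   bin/logstash-keystore --path.settings /etc/logstash add ES_PWD
# (an environment variable named ES_PWD also works). If the password that was
# previously hard-coded here was ever a real one, rotate it.
#
# NOTE(review): "elastic" is the built-in superuser. Prefer a dedicated user
# whose role only allows writing to the prod-log-java-* and log-nginx* indices.
output {
  if [fields][logtype] == "java-app" {
    # Only production java-app events are indexed; other environments are dropped here.
    if [fields][logenv] == "jyy-prod" {
      elasticsearch {
        hosts => [ "https://192.168.0.1:9200" ]
        # Absolute path, so the CA file is found whatever the working directory
        # is (a relative path breaks when Logstash runs under systemd).
        ssl_certificate_authorities => "/usr/local/logstash/logstash-8.8.1/config/certs/http_ca.crt"
        user => "elastic"
        password => "${ES_PWD}"
        index => "prod-log-java-%{+YYYY.MM.dd}"
      }
    }
  } else if [fields][logtype] == "nginx" {
    # This branch used to be nested inside the java-app block, where the
    # logtype could never equal "nginx", so nginx events were never shipped.
    elasticsearch {
      hosts => [ "https://192.168.0.1:9200" ]
      ssl_certificate_authorities => "/usr/local/logstash/logstash-8.8.1/config/certs/http_ca.crt"
      user => "elastic"
      password => "${ES_PWD}"
      index => "log-nginx%{+YYYY.MM.dd}"
    }
  }
}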
启动logstash
java
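# The logstash launcher lives in the Logstash bin directory, not the
# Elasticsearch one.
cd /usr/local/logstash/logstash-8.8.1/bin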
校验文件
java
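# Parse the pipeline file and exit without starting the pipeline. The config is
# given by absolute path because there is no ./config directory under bin/.
./logstash -f /usr/local/logstash/logstash-8.8.1/config/logstash-pipeline.conf --config.test_and_exit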
前台启动
java
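# Run in the foreground and reload the pipeline when the file changes. The
# config is given by absolute path because there is no ./config directory
# under bin/.
./logstash -f /usr/local/logstash/logstash-8.8.1/config/logstash-pipeline.conf --config.reload.automatic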
配置系统服务
java
./system-install
编辑logstash.service
java
vim /etc/systemd/system/logstash.service
在ExecStart=/usr/local/logstash/logstash-8.8.1/bin/logstash "--path.settings" "/etc/logstash" 后面增加:
java
"-f" "/usr/local/logstash/logstash-8.8.1/config/logstash-pipeline.conf"
编辑完成的项目
java
ExecStart=/usr/local/logstash/logstash-8.8.1/bin/logstash "--path.settings" "/etc/logstash" "-f" "/usr/local/logstash/logstash-8.8.1/config/logstash-pipeline.conf"
查看和修改状态
java
systemctl status logstash
systemctl enable logstash
加载和重启
java
systemctl daemon-reload
systemctl start logstash