1.下载安装包
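# Create the install directory and fetch the 7.17.0 bundles (the variants that
# ship their own JDK). Each tarball is checked against the .sha512 file Elastic
# publishes next to it before it is unpacked, so a corrupted or tampered download
# is rejected instead of silently installed. Any failure aborts the sequence.
mkdir -p /home/elk
cd /home/elk || exit 1

base_url=https://artifacts.elastic.co/downloads
# Download paths relative to base_url, one per component
archives=(
  elasticsearch/elasticsearch-7.17.0-linux-x86_64.tar.gz
  kibana/kibana-7.17.0-linux-x86_64.tar.gz
  logstash/logstash-7.17.0-linux-x86_64.tar.gz
  beats/filebeat/filebeat-7.17.0-linux-x86_64.tar.gz
)
for path in "${archives[@]}"; do
  file=${path##*/}
  wget -- "${base_url}/${path}" || exit 1
  wget -- "${base_url}/${path}.sha512" || exit 1
  # The .sha512 file holds "<digest>  <filename>", the format sha512sum -c reads
  sha512sum -c -- "${file}.sha512" || exit 1
  # Extract only after the digest matched
  tar -zxvf "$file" || exit 1
done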
2.Elasticsearch 配置
# Create a dedicated unprivileged account (Elasticsearch does not run as root)
useradd elasticsearch
# Interactive. Optional for a service account that is only reached via `su -`
# from root; if you do set one, choose a strong password, since password-based
# SSH login for this account may otherwise become a way onto the host.
passwd elasticsearch
# Hand the extracted tree (config, data and logs live inside it) to that account
chown -R elasticsearch:elasticsearch /home/elk/elasticsearch-7.17.0
# Enter the install directory
cd /home/elk/elasticsearch-7.17.0
# Edit the node configuration; the keys to set follow below
vim config/elasticsearch.yml
# Network: 0.0.0.0 listens on every interface, so the REST API on 9200 is
# reachable from any network the host is attached to. Combined with
# xpack.security.enabled: false below, that is unauthenticated read/write
# access to every index. Bind to a loopback or private address, or put a
# firewall in front, unless you enable security.
network.host: 0.0.0.0
http.port: 9200
# Node identity and roles
cluster.name: my-elk-cluster
node.name: node-1
node.roles: [ master, data ]
# Memory lock: needs the memlock limits added to /etc/security/limits.conf
# below, otherwise the memory-lock check warns or fails at startup.
bootstrap.memory_lock: true
# Discovery: single node, no cluster formation
discovery.type: single-node
# Security (enable in production): false means no authentication, no TLS and
# no role-based access control on this node.
xpack.security.enabled: false
# After setting the keys above, save and quit vim with :wq
# Edit the per-user resource limits (open files and lockable memory)
vi /etc/security/limits.conf
# Add the following lines. They are file contents for limits.conf, not shell
# commands. nofile: Elasticsearch keeps many index files open; memlock
# unlimited is what bootstrap.memory_lock: true requires.
elasticsearch soft nofile 65536
elasticsearch hard nofile 65536
elasticsearch soft memlock unlimited
elasticsearch hard memlock unlimited
# Edit the kernel parameters
vi /etc/sysctl.conf
# Add this line (file content, not a shell command). Elasticsearch's bootstrap
# check requires vm.max_map_count of at least 262144 for its mmap-backed indices.
vm.max_map_count=262144
# Apply the sysctl settings now
sysctl -p
# Switch to the service account. The '-' starts a login session, which is when
# pam_limits applies the limits.conf entries above to the new process.
su - elasticsearch
cd /home/elk/elasticsearch-7.17.0
# Start with the bundled JDK; -d daemonizes (logs are written under logs/)
./bin/elasticsearch -d
3.logstash配置
# Pipeline directory for the Logstash configuration created below
mkdir -p /home/elk/logstash-7.17.0/conf.d
`vim /home/elk/logstash-7.17.0/conf.d/filebeat-to-es.conf`
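input {
  beats {
    # Listen on every interface for Filebeat. The connection is plaintext unless
    # the beats input's ssl options are configured, so log lines (including
    # /var/log/secure) travel unencrypted and any host that can reach 5044 can
    # send events into the pipeline. Restrict with a firewall or bind to a
    # private address.
    port => 5044
    host => "0.0.0.0"
  }
}
filter {
  # Parse "<ISO8601 timestamp> <LEVEL> <text>" lines. Lines that do not match
  # (e.g. traditional syslog format) are tagged _grokparsefailure and indexed
  # unparsed.
  grok {
    match => { "message" => "%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:loglevel} %{GREEDYDATA:message}" }
    # The pattern captures back into "message". Without overwrite, grok appends
    # to the existing field and "message" becomes a two-element array (original
    # line plus stripped text); overwrite keeps only the stripped text.
    overwrite => [ "message" ]
  }
  # Use the parsed timestamp as the event's @timestamp
  date {
    match => [ "timestamp", "ISO8601" ]
  }
}
output {
  elasticsearch {
    hosts => ["localhost:9200"]
    index => "logs-%{+YYYY.MM.dd}"
  }
  # Optional: also print every event for debugging. Remove for production; it
  # doubles the output work and copies all log content to Logstash's stdout
  # (logstash.log when started via the start script).
  stdout {
    codec => rubydebug
  }
}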
cd /home/elk/logstash-7.17.0
# Start with the bundled JDK. Runs as whoever invokes it; in this walkthrough
# the Logstash tree is never chowned to a service account, so that is the root
# shell used for the other steps, unlike Elasticsearch and Kibana.
# --config.reload.automatic re-reads the pipeline file whenever it changes, so
# write access to conf.d controls what this process does.
./bin/logstash -f conf.d/filebeat-to-es.conf --config.reload.automatic &
4.Filebeat 配置
cd /home/elk/filebeat-7.17.0-linux-x86_64
# Edit the Filebeat configuration; the keys to set follow below
vi filebeat.yml
filebeat.inputs:
  # NOTE(review): the "log" input type is deprecated in the 7.16+ line in favour
  # of "filestream"; it still works on 7.17.
  - type: log
    enabled: true
    paths:
      - /var/log/*.log
      - /var/log/messages
      # /var/log/secure holds authentication records (usernames, source
      # addresses, sudo use). It is normally readable only by root, so Filebeat
      # must run as root to ship it, and it is sent in plaintext unless TLS is
      # configured on output.logstash.
      - /var/log/secure
      # Add your application log paths
      - /path/to/your/app/*.log
# Send events to Logstash (beats input on 5044)
output.logstash:
  hosts: ["localhost:5044"]
# Filebeat's own logging
logging.level: info
logging.to_files: true
logging.files:
  path: /var/log/filebeat
  name: filebeat
  keepfiles: 7
  # World-readable; tighten to 0600 if the log may echo shipped content
  permissions: 0644
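cd /home/elk/filebeat-7.17.0-linux-x86_64 || exit 1
# Validate the configuration first and only start the shipper if it parses.
# The original started it unconditionally, so a typo in filebeat.yml still
# launched a background process that would fail on startup.
if ./filebeat test config; then
  # nohup + redirect, matching start_elk.sh: the process survives the end of
  # this shell session and its output is kept instead of landing on the terminal.
  nohup ./filebeat > filebeat.log 2>&1 &
else
  echo "filebeat.yml failed validation; not starting Filebeat" >&2
fi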
5.kibana配置
cd /home/elk/kibana-7.17.0-linux-x86_64
# Edit the Kibana configuration; the keys to set follow below
vi config/kibana.yml
server.port: 5601
# 0.0.0.0 listens on every interface. Elasticsearch security is disabled in
# this setup, so Kibana shows no login page: anyone who can reach 5601 gets
# the full UI and, through Dev Tools, the cluster. Restrict by firewall or
# bind address.
server.host: "0.0.0.0"
# Plain http, matching xpack.security.enabled: false on the node
elasticsearch.hosts: ["http://localhost:9200"]
# Optional: Chinese UI
i18n.locale: "zh-CN"
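# Create a dedicated unprivileged account. Kibana refuses to start as root
# unless --allow-root is passed, so the original `./bin/kibana &` run from the
# root shell used for the rest of this guide would not have come up.
useradd kibana
# Interactive; optional for a service account only reached via su from root
passwd kibana
# Hand the extracted tree to that account
chown -R kibana:kibana /home/elk/kibana-7.17.0-linux-x86_64
# Log directory for Kibana's output, owned by the account that writes it
mkdir -p /var/log/kibana && chown kibana:kibana /var/log/kibana
# Start as the kibana user with the bundled Node runtime. nohup + redirect
# keeps the process alive after this shell exits and captures its output;
# this is the same invocation start_elk.sh uses.
su - kibana -c "cd /home/elk/kibana-7.17.0-linux-x86_64 && nohup ./bin/kibana > /var/log/kibana/kibana.log 2>&1 &"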
6.创建脚本
1.启动脚本
# Log directory for Kibana: the start script below redirects Kibana's output here
sudo mkdir -p /var/log/kibana
# Kibana runs as the kibana user, so it must own the directory to write the log
sudo chown -R kibana:kibana /var/log/kibana
# Create the start script with the content that follows
vim /home/elk/start_elk.sh
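#!/bin/bash
# Start the ELK stack in dependency order: Elasticsearch, then Logstash,
# Filebeat and Kibana. Must run as root: it switches to the elasticsearch and
# kibana service accounts with su. Logstash and Filebeat run as the invoking
# user (root), since their trees are not handed to a service account in this
# guide.
set -u

readonly ES_HOME=/home/elk/elasticsearch-7.17.0
readonly LS_HOME=/home/elk/logstash-7.17.0
readonly FB_HOME=/home/elk/filebeat-7.17.0-linux-x86_64
readonly KB_HOME=/home/elk/kibana-7.17.0-linux-x86_64
readonly ES_URL=http://localhost:9200
# Upper bound on the Elasticsearch readiness wait, in seconds
readonly ES_WAIT_MAX=120

echo "Starting ELK Stack..."

# Elasticsearch: -d daemonizes; its logs stay under ES_HOME/logs
su - elasticsearch -c "cd ${ES_HOME} && ./bin/elasticsearch -d" || {
  echo "failed to start Elasticsearch" >&2
  exit 1
}

# Wait until the REST API answers instead of sleeping a fixed 30 s, which is
# too short on a slow host and wasted time on a fast one. Logstash retries its
# elasticsearch output on its own, but starting it against a node that is still
# bootstrapping only fills logstash.log with connection errors.
waited=0
until curl -fsS -o /dev/null -- "${ES_URL}" 2>/dev/null; do
  if (( waited >= ES_WAIT_MAX )); then
    echo "Elasticsearch did not answer on ${ES_URL} within ${ES_WAIT_MAX}s; check ${ES_HOME}/logs" >&2
    exit 1
  fi
  sleep 2
  waited=$(( waited + 2 ))
done

# Logstash: output goes to logstash.log in LS_HOME
cd "${LS_HOME}" || exit 1
nohup ./bin/logstash -f conf.d/filebeat-to-es.conf --config.reload.automatic > logstash.log 2>&1 &

# Filebeat: output goes to filebeat.log in FB_HOME. No pause needed: Filebeat
# retries the Logstash connection until the beats input is listening.
cd "${FB_HOME}" || exit 1
nohup ./filebeat > filebeat.log 2>&1 &

# Kibana as the kibana user; /var/log/kibana must exist and be owned by kibana
su - kibana -c "cd ${KB_HOME} && nohup ./bin/kibana > /var/log/kibana/kibana.log 2>&1 &"

echo "ELK Stack started successfully! Check component logs for details."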
2.停止脚本
# Create the stop script with the content that follows
vim /home/elk/stop_elk.sh
#!/bin/bash
# Stop the ELK components in reverse data-flow order (see stop_process below)
printf '%s\n' "Stopping ELK Stack..."
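#######################################
# Stop every process whose command line matches a pattern: SIGTERM first, then
# SIGKILL for anything still alive after a grace period.
# Arguments:
#   $1 - component name used in messages; also the default pattern
#   $2 - optional ERE matched against full command lines (pgrep -f); defaults
#        to $1. The match is an unanchored substring match, so a bare name can
#        hit unrelated processes whose arguments merely mention it (e.g.
#        "filebeat" also matches the Logstash process started with
#        conf.d/filebeat-to-es.conf). Pass a tighter pattern when that matters.
# Outputs:  progress messages on stdout, failures on stderr
# Returns:  0 if nothing matched or every match exited, 1 otherwise
#######################################
stop_process() {
  local name=$1
  local pattern=${2:-$1}
  # Seconds to wait for a clean shutdown before escalating to SIGKILL
  local -r grace_seconds=10
  local pid_list waited=0 pid
  local -a pids=() still_alive=()

  # pgrep never lists itself, so no "grep -v grep" is needed. It exits 1 when
  # nothing matches; keep the assignment separate so that status is not masked
  # by `local`, and treat an empty result as "not running".
  pid_list=$(pgrep -f -- "$pattern") || true
  if [[ -z "$pid_list" ]]; then
    echo "$name is not running"
    return 0
  fi
  # One PID per line into an array, so several matches are handled individually
  mapfile -t pids <<<"$pid_list"
  echo "Stopping $name (PID: ${pids[*]})..."

  # Graceful shutdown first; Elasticsearch and Logstash flush state on SIGTERM,
  # so poll up to grace_seconds instead of a fixed 5 s sleep.
  kill -TERM -- "${pids[@]}" >/dev/null 2>&1
  while (( waited < grace_seconds )); do
    still_alive=()
    for pid in "${pids[@]}"; do
      ps -p "$pid" >/dev/null 2>&1 && still_alive+=("$pid")
    done
    (( ${#still_alive[@]} == 0 )) && break
    sleep 1
    waited=$(( waited + 1 ))
  done

  if (( ${#still_alive[@]} > 0 )); then
    echo "$name did not stop gracefully, forcing termination..."
    kill -KILL -- "${still_alive[@]}" >/dev/null 2>&1
    sleep 1
  fi

  # Final check: any PID that still exists is a failure
  for pid in "${pids[@]}"; do
    if ps -p "$pid" >/dev/null 2>&1; then
      echo "Failed to stop $name (PID $pid still running)" >&2
      return 1
    fi
  done
  echo "$name stopped"
  return 0
}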
# Stop in data-flow order: shipper, pipeline, UI, then the store. Each name is
# matched as a substring of process command lines, so "filebeat" also hits the
# Logstash process started with conf.d/filebeat-to-es.conf; a non-zero return
# from stop_process is not checked here, the sequence always continues.
for component in filebeat logstash kibana elasticsearch; do
  stop_process "$component"
done
echo "ELK Stack stop process completed!"
3.设置脚本权限
# Make both scripts executable in a single call
chmod +x /home/elk/start_elk.sh /home/elk/stop_elk.sh
4.开放端口
开放9022,5601,5044端口
7.验证部署
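# Elasticsearch should answer with its cluster and version banner
curl http://localhost:9200
# List indices. The URL is quoted so the shell does not treat "?v" as a glob
# pattern; unquoted, it is subject to expansion (and breaks under failglob).
curl 'http://localhost:9200/_cat/indices?v'
# Show the stack's processes. pgrep -a prints PID and command line and never
# lists itself, unlike `ps | grep`, which always reports the grep as a match.
pgrep -af 'elasticsearch|logstash|kibana|filebeat'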
# 访问页面
http://your_ip:5601