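Overview
These instructions cover installing ELK 7.5.1 on Ubuntu 18.04.
Q: With AI so popular these days, why still write this up?
A: Purely as a hobby; I hope it helps anyone who needs it.
Installation packages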
wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.5.1-linux-x86_64.tar.gz
wget https://artifacts.elastic.co/downloads/logstash/logstash-7.5.1.tar.gz
wget https://artifacts.elastic.co/downloads/kibana/kibana-7.5.1-linux-x86_64.tar.gz
Installing Elasticsearch
sudo tar -zxvf elasticsearch-7.5.1-linux-x86_64.tar.gz
sudo tar -zxvf kibana-7.5.1-linux-x86_64.tar.gz
sudo tar -zxvf logstash-7.5.1.tar.gz
sudo mkdir /data/elasticsearch-data
sudo mkdir /data/elasticsearch-data/data
sudo mkdir /data/elasticsearch-data/logs
cd /data/elk/elasticsearch-7.5.1/config
Edit the Elasticsearch configuration file elasticsearch.yml:
sudo nano elasticsearch.yml
yaml
# ---------------------------------- Cluster -----------------------------------
#
# Use a descriptive name for your cluster:
#
cluster.name: can-elasticeseatch
#
# ------------------------------------ Node ------------------------------------
#
# Use a descriptive name for the node:
#
node.name: es-node0
# ----------------------------------- Paths ------------------------------------
#
# Path to directory where to store the data (separate multiple locations by comma):
#
path.data: /data/elasticsearch-data/data
#
# Path to log files:
#
path.logs: /data/elasticsearch-data/logs
# ---------------------------------- Network -----------------------------------
#
# Set the bind address to a specific IP (IPv4 or IPv6):
#
network.host: 0.0.0.0
#
# Set a custom port for HTTP:
#
http.port: 9200
#
# For more information, consult the network module documentation.
# --------------------------------- Discovery ----------------------------------
#
# Pass an initial list of hosts to perform discovery when this node is started:
# The default list of hosts is ["127.0.0.1", "[::1]"]
#
#discovery.seed_hosts: ["host1", "host2"]
#
# Bootstrap the cluster using an initial set of master-eligible nodes:
#
cluster.initial_master_nodes: ["es-node0"]
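Notes on the settings
network.host: 0.0.0.0 binds Elasticsearch to every network interface, so any IP address that can reach the host can connect.
Note:
A production environment must have username/password authentication configured.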
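One way to check the point above before exposing a node, as an added example that is not part of the original guide: the script reads a flat elasticsearch.yml and fails when network.host is non-loopback while xpack.security.enabled is not true. The function names yaml_get and audit_es_config and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide).

# yaml_get FILE KEY: print the value of the last active top-level "KEY: value" line
yaml_get() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                      # ignore commented-out settings
        {
            i = index($0, ":")
            if (i == 0) next
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            sub(/[ \t]+#.*$/, "", v)             # drop trailing comment
            gsub(/^[ \t"]+|[ \t"]+$/, "", v)     # trim blanks and quotes
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# audit_es_config FILE: return 1 when the node listens beyond loopback
# without authentication enabled, 0 otherwise
audit_es_config() {
    host=$(yaml_get "$1" network.host)
    sec=$(yaml_get "$1" xpack.security.enabled)
    case "$host" in
        ""|localhost|127.*|::1|_local_) exposed=no ;;   # unset defaults to loopback
        *) exposed=yes ;;
    esac
    if [ "$exposed" = yes ] && [ "$sec" != true ]; then
        echo "FAIL: network.host=$host but xpack.security.enabled is '${sec:-unset}'"
        return 1
    fi
    echo "OK: network.host=${host:-loopback default}, xpack.security.enabled=${sec:-unset}"
}

# Constructed sample mirroring the settings used in this guide
sample=$(mktemp)
printf 'node.name: es-node0\nnetwork.host: 0.0.0.0\nhttp.port: 9200\n' > "$sample"
audit_es_config "$sample" || true
rm -f "$sample"
```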
Error
OpenJDK 64-Bit Server VM warning: Option UseConcMarkSweepGC was deprecated in version 9.0 and will likely be removed in a future release.
sudo nano jvm.options
yaml
## GC configuration
#-XX:+UseConcMarkSweepGC
#-XX:CMSInitiatingOccupancyFraction=75
#-XX:+UseCMSInitiatingOccupancyOnly
-XX:+UseG1GC
-XX:G1ReservePercent=25
Startup message:
sudo ./elasticsearch
[2026-01-15T10:15:08,386][WARN ][o.e.b.ElasticsearchUncaughtExceptionHandler] [es-node0] uncaught exception in thread [main]
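Elasticsearch will not run as root, so create a dedicated user:
sudo adduser es
Password: es123456
Give the user ownership of the directories: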
sudo chown -R es:es /data/elk/elasticsearch-7.5.1
sudo chown -R es:es /data/elasticsearch-data
Open http://192.168.64.127:9200/ ; it returns the following:
{
"name" : "es-node0",
"cluster_name" : "can-elasticeseatch",
"cluster_uuid" : "UKpPLIrGRkCcrPEG0pU8rg",
"version" : {
"number" : "7.5.1",
"build_flavor" : "default",
"build_type" : "tar",
"build_hash" : "3ae9ac9a93c95bd0cdc054951cf95d88e1e18d96",
"build_date" : "2019-12-16T22:57:37.835892Z",
"build_snapshot" : false,
"lucene_version" : "8.3.0",
"minimum_wire_compatibility_version" : "6.8.0",
"minimum_index_compatibility_version" : "6.0.0-beta1"
},
"tagline" : "You Know, for Search"
}
Starting Elasticsearch at boot
Create a new file named elasticsearch in the /etc/init.d directory:
shell
#!/bin/bash
# chkconfig: - 59 75
# description: elasticsearch daemon.
ES="elasticsearch"
ES_HOME=/data/elk/elasticsearch-7.5.1
ES_USER=es
EXEC="${ES_HOME}/bin/elasticsearch"
PID_FILE="${ES_HOME}/pid"

# Returns 1 if the PID recorded in $PID_FILE belongs to a live process, 0 otherwise
isEsRunning () {
    if [ -f "$PID_FILE" ]; then
        PID=$(cat "$PID_FILE")
        if ps -p "$PID" > /dev/null 2>&1; then
            return 1
        else
            return 0
        fi
    else
        return 0
    fi
}

case "$1" in
    start)
        isEsRunning
        if [ 1 == $? ]; then
            echo "$ES is already running!"
        else
            echo "starting $ES..."
            # Old version, replaced by the passwordless sudo call below:
            #su ${ES_USER} <<EOF
            #$EXEC -d -p $PID_FILE >> /var/log/elasticsearch.log 2>&1
            #exit
            #EOF
            sudo -u ${ES_USER} $EXEC -d -p $PID_FILE >> /var/log/elasticsearch.log 2>&1
        fi
        ;;
    stop)
        if [ ! -r "$PID_FILE" ]; then
            echo "$ES is not running!"
        else
            echo "stopping..."
            PID=$(cat "$PID_FILE")
            kill -15 "$PID"
            sleep 5
            # Escalate to SIGKILL only if the process survived SIGTERM
            if ps -p "$PID" > /dev/null 2>&1; then
                echo "Elasticsearch did not stop gracefully, forcing termination."
                kill -9 "$PID"
            fi
            rm -f "$PID_FILE"
            echo "$ES stopped"
        fi
        ;;
    restart)
        $0 stop
        if [ $? -ne 0 ]; then
            echo "Failed to stop $ES, aborting restart."
            exit 1
        fi
        $0 start
        ;;
    *)
        echo "please use start,stop,restart as the first argument."
        ;;
esac
Save and exit, then make the script executable in /etc/init.d/:
chmod +x elasticsearch
Register it to start at boot:
cd /etc/init.d
chkconfig elasticsearch on
Start it directly:
./elasticsearch start
yml
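case "$1" in
    start)
        isEsRunning
        if [ 1 == $? ]; then
            echo "$ES is already running!"
        else
            echo "starting $ES..."
            # Run as the es user through sudo instead of the su heredoc
            sudo -u ${ES_USER} $EXEC -d -p $PID_FILE >> /var/log/elasticsearch.log 2>&1
        fi
        ;;
    # stop) and restart) branches are unchanged
esac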
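Method 2: passwordless execution with sudo
If your system has sudo, you can configure the sudoers file to let a specific user run a specific command without a password.
Configuration steps
Edit the sudoers file:
sudo visudo
Add the following line (assuming the es user needs to run Elasticsearch without a password):
es ALL=(ALL) NOPASSWD: /path/to/elasticsearch/bin/elasticsearch
Modify the script to use sudo instead of su:
sudo -u es $EXEC -d -p $PID_FILE >> /var/log/elasticsearch.log 2>&1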
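A NOPASSWD rule is only as safe as the file it names: the rule above lets es run the program as root, and this guide chowns the install directory to es, so es could replace that program. The following added example (not part of the original guide) lists active NOPASSWD targets in a sudoers fragment that are not root-owned or are group/world-writable. It assumes one command per rule; the function names and demo files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide).

# nopasswd_paths FILE: print the program path of each active NOPASSWD rule
nopasswd_paths() {
    awk '
        /^[ \t]*#/ { next }                 # skip commented-out rules
        /NOPASSWD:/ {
            sub(/^.*NOPASSWD:[ \t]*/, "")   # keep only the command spec
            print $1                        # first word is the program path
        }' "$1"
}

# path_is_tamperable PATH: return 0 if the file is not owned by uid 0 or is
# writable by group or others; a missing file is reported as not tamperable
path_is_tamperable() {
    ls -Lnd "$1" 2>/dev/null | awk '
        { if ($3 != 0 || substr($1, 6, 1) == "w" || substr($1, 9, 1) == "w") bad = 1 }
        END { exit (bad ? 0 : 1) }'
}

# audit_sudoers FILE: print one RISK line per tamperable target and
# return the number of risky rules (0 means clean)
audit_sudoers() {
    risky=0
    for p in $(nopasswd_paths "$1"); do
        if path_is_tamperable "$p"; then
            echo "RISK: $p runs as root via sudo but is not root-controlled"
            risky=$((risky + 1))
        fi
    done
    return "$risky"
}

# Constructed demo: a rule that points at a world-writable file
demo_bin=$(mktemp); demo_rules=$(mktemp)
chmod 777 "$demo_bin"
printf 'es ALL=(ALL) NOPASSWD: %s\n' "$demo_bin" > "$demo_rules"
audit_sudoers "$demo_rules" || true
rm -f "$demo_bin" "$demo_rules"
```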
shell
sudo visudo
#es ALL=(ALL) NOPASSWD: /data/elk/logstash-7.5.1/bin/elasticsearch
es ALL=(ALL) NOPASSWD: /bin/systemctl enable elasticsearch
sudo nano /etc/systemd/system/elasticsearch.service
sudo nano /var/run/elasticsearch/elasticsearch.pid
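# 644 instead of 777: only the owner (es, after the chown on the next line) needs to write the PID file
sudo chmod 644 /var/run/elasticsearch/elasticsearch.pid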
sudo chown -R es:es /var/run/elasticsearch/elasticsearch.pid
ini
[Unit]
Description=Elasticsearch
After=network.target
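# Optional: if Kibana is installed, add this dependency so ES starts before Kibana
# Before=kibana.service
[Service]
# Key fix 1: for ES 7.x under systemd, use Type=simple; do not use forking
Type=simple
# Key fix 2: drop the -d background flag so ES runs in the foreground under systemd supervision, which is the most stable setup
ExecStart=/data/elk/elasticsearch-7.5.1/bin/elasticsearch
# Key fix 3: no explicit stop command or manual kill is needed; systemd's default stop logic is sufficient
User=es
Group=es
# Restart automatically after an abnormal exit; essential in production
Restart=on-failure
# File descriptor limit required by ES; must be kept
LimitNOFILE=65536
# Process count limit required by ES; must be kept
LimitNPROC=4096
# Optional: ES is memory-intensive, so allow a generous start timeout to avoid a false start-timeout failure
TimeoutStartSec=600
# Optional: stop timeout
TimeoutStopSec=60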
[Install]
WantedBy=multi-user.target
systemctl start elasticsearch
To have it start at boot:
systemctl enable elasticsearch
Installing Logstash
1. Create the persistence directory
sudo mkdir -p /data/logstash-data/plugin-data
2. Edit logstash.yml
cd /data/elk/logstash-7.5.1/config
sudo nano logstash.yml
yml
# ------------ Data path ------------------
#
# Which directory should be used by logstash and its plugins
# for any persistent needs. Defaults to LOGSTASH_HOME/data
#
path.data: /data/logstash-data/plugin-data
config.reload.automatic: true
#
# How often to check if the pipeline configuration has changed (in seconds)
#
config.reload.interval: 10s
# ------------ Metrics Settings --------------
#
# Bind address for the metrics REST endpoint
#
http.host: "192.168.64.127"
# ------------ Debugging Settings --------------
#
# Options for log.level:
# * fatal
# * error
# * warn
# * info (default)
# * debug
# * trace
#
# log.level: info
path.logs: /data/logstash-data/logs
cd /data/elk/logstash-7.5.1/bin/
./logstash-plugin install logstash-integration-jdbc
sudo mkdir -p /data/logstash-data/logs
sudo chown -R es:es /data/logstash-data
./logstash -f logstash.conf
nohup ./logstash -f logstash.conf >/dev/null 2>&1 &
{"host":"czchen-ThinkBook-14-G3-ITL","version":"7.5.1","http_address":"192.168.64.127:9600","id":"c54cb690-6551-4483-90cc-4ada8e8517bb","name":"czchen-ThinkBook-14-G3-ITL","ephemeral_id":"31c7d592-b840-4588-b798-5893ad80c4c3","status":"green","snapshot":false,"pipeline":{"workers":8,"batch_size":125,"batch_delay":50},"build_date":"2019-12-17T00:50:06+00:00","build_sha":"d53447fe455823a76caf8b4c5c40e83e210ba771","build_snapshot":false}
Starting Logstash at boot
Add the passwordless sudo entry
shell
sudo visudo
#es ALL=(ALL) NOPASSWD: /data/elk/logstash-7.5.1/bin/logstash
es ALL=(ALL) NOPASSWD: /bin/systemctl enable logstash
sudo nano /etc/systemd/system/logstash.service
shell
[Unit]
Description=logstash
[Service]
Type=simple
User=es
Group=es
ExecStart=/data/elk/logstash-7.5.1/bin/logstash -f /data/elk/logstash-7.5.1/bin/sqlserver.conf
Restart=always
[Install]
WantedBy=multi-user.target
Optimized version
ini
[Unit]
Description=Logstash 7.5.1 - Data Pipeline for Elasticsearch
Documentation=https://www.elastic.co/guide/en/logstash/current/index.html
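# Core dependency: start Logstash only after Elasticsearch has started successfully
# Fixes: Logstash failing to start or restarting repeatedly because it cannot reach ES
After=network.target elasticsearch.service
# Hard dependency: if the ES service fails to start, Logstash is not started
Requires=elasticsearch.service
[Service]
# Type=simple is kept unchanged; running in the foreground is the most stable option for 7.x
Type=simple
# All original settings are kept unchanged: run-as user, start command, config file path
User=es
Group=es
ExecStart=/data/elk/logstash-7.5.1/bin/logstash -f /data/elk/logstash-7.5.1/bin/sqlserver.conf
# Automatic restart on abnormal exit is kept
Restart=always
# ============ Core optimizations below ============
# 1. Restart policy: wait 3 seconds before restarting after a failure, so a rapid restart loop does not exhaust system resources
RestartSec=3s
# 2. Longer start timeout (5 minutes): Logstash is slow to load plugins and initialize, and the default 90 seconds is easily misjudged as a timeout
TimeoutStartSec=300
# 3. Graceful stop: wait for data processing to finish before exiting, so collected data is not lost
TimeoutStopSec=60
# 4. System resource limits common to ES/ELK, consistent with ES and Kibana, to prevent errors from too few file descriptors or processes
LimitNOFILE=65536
LimitNPROC=4096
# 5. Kill only the main process, not child processes; this fits Logstash's process model and avoids problems from force-killing processes
KillMode=process
# 6. Graceful termination signal matching Logstash's shutdown logic, for a safe stop
KillSignal=SIGTERM
# 7. Log redirection: all logs are handled by systemd, so journalctl shows everything
StandardOutput=journal+console
StandardError=journal+console
[Install]
# The original boot-time target is kept unchanged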
WantedBy=multi-user.target
systemctl start logstash
To have it start at boot:
sudo systemctl daemon-reload && sudo systemctl enable logstash && sudo systemctl start logstash
systemctl enable logstash
Installing Kibana
Configuration changes
cd /data/elk/kibana-7.5.1-linux-x86_64/config
sudo nano kibana.yml
yaml
# Kibana is served by a back end server. This setting specifies the port to use.
server.port: 5601
# Specifies the address to which the Kibana server will bind. IP addresses and host names are both valid values.
# The default is 'localhost', which usually means remote machines will not be able to connect.
# To allow connections from remote users, set this parameter to a non-loopback address.
server.host: "0.0.0.0"
# The URLs of the Elasticsearch instances to use for all your queries.
elasticsearch.hosts: ["http://192.168.64.127:9200"]
i18n.locale: "zh-CN"
sudo chown -R es:es /data/elk/kibana-7.5.1-linux-x86_64
./bin/kibana --allow-root
nohup ./bin/kibana --allow-root >/dev/null 2>&1 &
Management > Index Patterns > select your own index as the default
shell
sudo visudo
#es ALL=(ALL) NOPASSWD: /data/elk/logstash-7.5.1/bin/logstash
es ALL=(ALL) NOPASSWD: /bin/systemctl enable kibana
sudo nano /etc/systemd/system/kibana.service
ini
[Unit]
Description=Kibana For Elasticsearch 7.5.1
Documentation=https://www.elastic.co
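# Core dependency: start Kibana only after elasticsearch has started successfully, which resolves the startup ordering problem
After=network.target elasticsearch.service
# Hard dependency on ES: if ES fails to start, Kibana is not started
Requires=elasticsearch.service
[Service]
# Like ES and Logstash, Kibana 7.x should use Type=simple; running in the foreground under systemd supervision is the most stable
Type=simple
# Kibana start command with no extra arguments; the path matches the ELK directory layout
ExecStart=/data/elk/kibana-7.5.1-linux-x86_64/bin/kibana
# Run-as user and group match ES and Logstash (es:es), keeping permissions consistent
User=es
Group=es
# Restart automatically after a crash or abnormal exit; essential in production
Restart=on-failure
# Kibana starts more slowly than ES, so allow a generous start timeout to keep systemd from misjudging a start failure
TimeoutStartSec=300
# Graceful stop
TimeoutStopSec=60
# File descriptor limit, same setting as ES
LimitNOFILE=65536
LimitNPROC=4096
[Install]
# Boot-time target, identical to the ES and Logstash units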
WantedBy=multi-user.target