Below are the detailed steps for installing ELK (Elasticsearch, Logstash, Kibana):

1. Environment preparation

System requirements

  • Operating system: openEuler 22.03 LTS
  • Memory: at least 4GB (8GB+ recommended)
  • Disk: at least 20GB free
  • Java: not required by the 9.x packages, which bundle their own JDK (see below)
  • IP: 192.168.20.166

Install Java (optional)

# The 9.x Elasticsearch and Logstash packages each bundle their own JDK and run on it
# unless ES_JAVA_HOME / LS_JAVA_HOME point elsewhere, so this step is optional: a system
# JDK is useful for tooling but is not what the services use. If you do want the services
# on a system JDK, check Elastic's support matrix for the version it must be.
sudo dnf install java-17-openjdk java-17-openjdk-devel -y

# Verify the installation
java -version

Create an ELK user

# The RPM packages create their own dedicated system accounts (elasticsearch, logstash,
# kibana) with no login shell, and the services run as those. A separate elk account is
# only needed for tarball installs; if you want one anyway, make it a system account with
# no password and no login shell rather than a regular login user.
sudo groupadd elk
sudo useradd -r -g elk -s /sbin/nologin elk

2. Install Elasticsearch

Download and install

Download the same 9.2.x release of each of the three components from the pages below; the three versions must match. Take the RPM (x86_64) package rather than the tar.gz: the rest of this guide relies on what the RPM sets up (the /etc/elasticsearch layout, the elasticsearch/logstash/kibana service accounts and the systemd units), none of which a tarball provides. Download the .sha512 file offered next to each package as well.

https://www.elastic.co/downloads/elasticsearch
https://www.elastic.co/downloads/logstash
https://www.elastic.co/downloads/kibana

Install Elasticsearch

Collect the downloaded packages in /opt/elk, verify the signature and the published digest, and install from the local file:

  mkdir -p /opt/elk
  mv ~/*.rpm ~/*.sha512 /opt/elk
  cd /opt/elk
  # Elastic's package signing key; rpm -K checks the signature, sha512sum -c the digest
  sudo rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
  rpm -K elasticsearch-*.rpm
  sha512sum -c elasticsearch-*.rpm.sha512
  sudo dnf install /opt/elk/elasticsearch-*.rpm -y

The install output ends with a generated password for the elastic superuser and a note that security was auto-configured (TLS certificates under /etc/elasticsearch/certs). That password is replaced in "Set the Elasticsearch password" below, and the configuration written next replaces the auto-configured settings.

Configure Elasticsearch

# Back up the original configuration (the RPM install wrote TLS and enrollment settings into it)
sudo cp /etc/elasticsearch/elasticsearch.yml /etc/elasticsearch/elasticsearch.yml.bak

# Write the configuration. tee without -a replaces the whole file, so the
# xpack.security.http.ssl / transport.ssl settings generated at install time are dropped
# and port 9200 speaks plain HTTP. That is only acceptable because Logstash and Kibana run
# on this same host, which is why the node is bound to loopback rather than 0.0.0.0.
# Enrollment (xpack.security.enrollment.enabled) only works over HTTPS and is not used here:
# Kibana authenticates with a user name and password.
sudo tee /etc/elasticsearch/elasticsearch.yml << EOF
cluster.name: my-elk-cluster
node.name: node-1
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 127.0.0.1
http.port: 9200
discovery.type: single-node
xpack.security.enabled: true
EOF

# Directory ownership: the RPM already creates /etc/elasticsearch as root:elasticsearch
# (readable, not writable, by the service) and the data and log directories as
# elasticsearch:elasticsearch. Re-assert the latter two only; do not hand the
# configuration directory to the service account.
sudo chown -R elasticsearch:elasticsearch /var/lib/elasticsearch
sudo chown -R elasticsearch:elasticsearch /var/log/elasticsearch

Start Elasticsearch

# Enable and start the service
sudo systemctl daemon-reload
sudo systemctl enable elasticsearch
sudo systemctl start elasticsearch

# Check the status
sudo systemctl status elasticsearch

# Follow the logs (journald only carries the start-up messages; the full node log is
# /var/log/elasticsearch/my-elk-cluster.log, named after cluster.name)
sudo journalctl -u elasticsearch -f

Set the Elasticsearch password

# Run after Elasticsearch has come up. The RPM install printed a generated password for the
# elastic superuser; this replaces it. -i prompts for the new value, so it never appears on
# the command line or in the shell history.
sudo /usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic -i

3. Install Logstash

Install Logstash

# Install from the RPM downloaded to /opt/elk (same version as Elasticsearch)
sudo dnf install /opt/elk/logstash-*.rpm -y

Configure Logstash

# Configuration directory (the RPM creates it; every *.conf file in it is concatenated
# into the single default pipeline, which is why the files below are numbered)
sudo mkdir -p /etc/logstash/conf.d

# Input configuration. Neither input authenticates its clients or uses TLS as written:
# the beats input on 5044 accepts any Beat, and the tcp input on 5000 indexes whatever
# JSON it is sent. Keep both unreachable from untrusted networks (see the firewall step).
sudo tee /etc/logstash/conf.d/01-input.conf << EOF
input {
  beats {
    port => 5044
  }
  tcp {
    port => 5000
    codec => json
  }
}
EOF

# Filter configuration. Filebeat does not set [type] on its own; the shipper has to add it
# (a fields entry in filebeat.yml), otherwise this condition never matches and syslog lines
# reach Elasticsearch unparsed. The date filter lists both "MMM  d" (single-digit day padded
# with two spaces) and "MMM dd" because that is how traditional syslog writes the day.
sudo tee /etc/logstash/conf.d/02-filter.conf << EOF
filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
    }
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}
EOF
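To check the grok pattern above before Logstash loads it, here is an added example (not part of the original page) that runs an equivalent POSIX extended regular expression over a few constructed log lines: a padded single-digit day, a program without a pid, and a line in a layout the pattern does not cover. A rejected line is reported the way Logstash reports it, with a _grokparsefailure tag; such events still reach Elasticsearch unparsed, so they are worth looking for. The sample lines are made up for this check.

```shell
#!/bin/sh
# Added example, not from the original page: offline check of the syslog grok pattern
# in 02-filter.conf, using a POSIX ERE with the same structure over constructed lines.
set -eu

# Same structure as the grok pattern:
#   SYSLOGTIMESTAMP  SYSLOGHOST  DATA(program) [POSINT(pid)]?: GREEDYDATA(message)
# Prints: timestamp|hostname|program|pid|message  (pid empty when absent); nothing on no match.
parse_syslog() {
  printf '%s\n' "$1" | sed -E -n \
    's/^([A-Z][a-z]{2} +[0-9]{1,2} [0-9]{2}:[0-9]{2}:[0-9]{2}) ([^ ]+) ([^][ ]+)(\[([0-9]+)\])?: (.*)$/\1|\2|\3|\5|\6/p'
}

# What Logstash does with a line the pattern cannot match: the event keeps the raw
# message and is tagged _grokparsefailure instead of being dropped.
grok_result() {
  out="$(parse_syslog "$1")"
  if [ -n "$out" ]; then
    printf 'ok %s\n' "$out"
  else
    printf '_grokparsefailure %s\n' "$1"
  fi
}

# Constructed sample lines (not captured from a real host)
SAMPLE_LINES='Oct 29 13:14:00 elk sshd[1234]: Accepted publickey for root from 192.168.20.10 port 51234
Nov  4 14:01:00 elk kernel: [   12.345] eth0: link up
Nov  4 14:01:01 elk systemd[1]: Started Elasticsearch.
2025-11-04T14:01:02.000+08:00 elk rsyslogd: ISO timestamp, not the traditional layout'

main() {
  printf '%s\n' "$SAMPLE_LINES" | while IFS= read -r line; do
    grok_result "$line"
  done
}

main
```

The last sample line shows the failure mode to plan for: if a host writes RFC 5424 or ISO timestamps, the pattern (and the date filter's two layouts) need a second alternative rather than silently leaving those events unparsed.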

# Output configuration. The account and password here are the weak point of this setup:
# the elastic superuser is far more privilege than an indexer needs, and a password in a
# configuration file is readable by everyone who can read /etc/logstash. Prefer a dedicated
# writer role and the Logstash keystore (referenced as ${KEY} in the configuration). The
# stdout output copies every event, including lines from /var/log/secure, into the journal;
# remove it once the pipeline is verified. The quoted 'EOF' keeps the shell from expanding
# anything in the configuration.
sudo tee /etc/logstash/conf.d/03-output.conf << 'EOF'
output {
  elasticsearch {
    hosts => ["localhost:9200"]
    index => "logstash-%{+YYYY.MM.dd}"
    user => "elastic"
    password => "<the password you set>"
  }
  stdout {
    codec => rubydebug
  }
}
EOF

# Ownership: keep the files root-owned and readable by the logstash group rather than owned
# by the service account, so a compromised pipeline cannot rewrite its own configuration
sudo chown -R root:logstash /etc/logstash
sudo chmod 640 /etc/logstash/conf.d/*.conf

Start Logstash

# Check the pipeline configuration before starting the service
sudo -u logstash /usr/share/logstash/bin/logstash --path.settings /etc/logstash --config.test_and_exit

sudo systemctl enable logstash
sudo systemctl start logstash
sudo systemctl status logstash
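The elastic superuser and the password sitting in 03-output.conf are the weakest part of this setup. The script below, an added example that is not part of the original page, creates a dedicated writer role and account with the privilege set the Logstash documentation recommends for an indexing pipeline, stores the password in the Logstash keystore, and rewrites the output configuration to reference it. It assumes Elasticsearch answers plain HTTP on 127.0.0.1:9200 as configured above, that the elastic password is supplied in the ES_ELASTIC_PWD environment variable, and that the names logstash_writer, logstash_internal and the keystore key ES_PWD are choices made here. Without the `apply` argument it only defines its functions.

```shell
#!/bin/sh
# Added example, not from the original page: least-privilege Elasticsearch account for
# Logstash plus keystore-backed password. Names and the ES_ELASTIC_PWD variable are
# assumptions made here.
set -eu

ES_URL="${ES_URL:-http://127.0.0.1:9200}"

# Role: index templates, ILM and monitoring at cluster level; write/manage on logstash-*
# only. No "all", no other indices, no user management.
logstash_writer_role_json() {
  cat << 'JSON'
{
  "cluster": ["manage_index_templates", "monitor", "manage_ilm"],
  "indices": [
    {
      "names": ["logstash-*"],
      "privileges": ["write", "create", "create_index", "manage", "manage_ilm"]
    }
  ]
}
JSON
}

# User bound to that role. $1 = password.
logstash_user_json() {
  printf '{"password": "%s", "roles": ["logstash_writer"], "full_name": "Logstash internal writer"}\n' "$1"
}

# "status" from a _cluster/health response (green, yellow or red).
health_status() {
  printf '%s' "$1" | sed -n 's/.*"status" *: *"\([a-z]*\)".*/\1/p'
}

# The output section rewritten to use the new account and the keystore key.
output_conf() {
  cat << 'CONF'
output {
  elasticsearch {
    hosts => ["localhost:9200"]
    index => "logstash-%{+YYYY.MM.dd}"
    user => "logstash_internal"
    password => "${ES_PWD}"
  }
}
CONF
}

es_api() {  # $1 = METHOD, $2 = path; JSON body on stdin
  curl -sS -f -u "elastic:${ES_ELASTIC_PWD}" -H 'Content-Type: application/json' \
       -X "$1" "${ES_URL}$2" -d @-
}

apply() {  # $1 = password for logstash_internal
  status="$(health_status "$(curl -sS -u "elastic:${ES_ELASTIC_PWD}" "${ES_URL}/_cluster/health")")"
  case "$status" in
    green|yellow) ;;
    *) echo "Elasticsearch is not ready (status: ${status:-none})" >&2; return 1 ;;
  esac
  logstash_writer_role_json | es_api POST /_security/role/logstash_writer
  logstash_user_json "$1"   | es_api POST /_security/user/logstash_internal
  # Keystore in the package configuration directory. "add" prompts for the value, so the
  # password never goes on a command line; keep the file unreadable to other users.
  sudo /usr/share/logstash/bin/logstash-keystore --path.settings /etc/logstash create
  sudo /usr/share/logstash/bin/logstash-keystore --path.settings /etc/logstash add ES_PWD
  sudo chown root:logstash /etc/logstash/logstash.keystore
  sudo chmod 640 /etc/logstash/logstash.keystore
  output_conf | sudo tee /etc/logstash/conf.d/03-output.conf > /dev/null
  sudo systemctl restart logstash
}

# Usage: ES_ELASTIC_PWD='...' sh provision-logstash.sh apply '<password for logstash_internal>'
if [ "${1:-}" = apply ]; then
  apply "${2:?password for logstash_internal required}"
fi
```

After the restart, a failed login or a privilege error shows up in /var/log/logstash/logstash-plain.log as a 401 or 403 from the elasticsearch output; the role above grants exactly the index prefix the output writes to, so changing the index pattern in 03-output.conf also means widening the role.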

4. Install Kibana

Install Kibana

# Install from the RPM downloaded to /opt/elk (same version as Elasticsearch)
sudo dnf install /opt/elk/kibana-*.rpm -y

Configure Kibana

# Kibana must not connect to Elasticsearch as the elastic superuser (Kibana 8 and later
# refuse to start that way); it uses the built-in kibana_system account. Give that account
# a password first (-i prompts for it):
sudo /usr/share/elasticsearch/bin/elasticsearch-reset-password -u kibana_system -i

# Back up the original configuration
sudo cp /etc/kibana/kibana.yml /etc/kibana/kibana.yml.bak

# Write the configuration. logging.dest is a 7.x setting; 8.x/9.x configure logging
# through appenders, so the file appender is declared explicitly below.
sudo tee /etc/kibana/kibana.yml << EOF
server.port: 5601
server.host: "0.0.0.0"
server.name: "kibana-server"
elasticsearch.hosts: ["http://localhost:9200"]
elasticsearch.username: "kibana_system"
elasticsearch.password: "<the password you set for kibana_system>"
logging.appenders.file.type: file
logging.appenders.file.fileName: /var/log/kibana/kibana.log
logging.appenders.file.layout.type: json
logging.root.appenders: [default, file]
i18n.locale: "zh-CN"
EOF

# Permissions: the RPM creates /etc/kibana as root:kibana and /var/log/kibana as
# kibana:kibana. kibana.yml now holds a password, so keep it root-owned and readable
# only by the kibana group instead of handing the directory to the service account.
sudo chown root:kibana /etc/kibana/kibana.yml
sudo chmod 640 /etc/kibana/kibana.yml
sudo mkdir -p /var/log/kibana
sudo chown -R kibana:kibana /var/log/kibana

Start Kibana

sudo systemctl enable kibana
sudo systemctl start kibana
sudo systemctl status kibana

5. Install Filebeat (optional)

Install Filebeat

# Download the Filebeat RPM of the same 9.2.x version from
# https://www.elastic.co/downloads/beats/filebeat and install it like the others
sudo dnf install /opt/elk/filebeat-*.rpm -y

Configure Filebeat

# Write the configuration. The 9.x input type is filestream (the older "log" input is
# deprecated) and it needs a unique id. The fields block attaches type: syslog at the top
# level of every event, which is what the Logstash filter's [type] == "syslog" condition
# tests; without it the grok never runs. Filebeat runs as root, which reading
# /var/log/secure requires, so filebeat.yml must stay root-owned and not writable by others.
sudo tee /etc/filebeat/filebeat.yml << EOF
filebeat.inputs:
- type: filestream
  id: system-logs
  enabled: true
  paths:
    - /var/log/*.log
    - /var/log/messages
    - /var/log/secure
  fields:
    type: syslog
  fields_under_root: true

output.logstash:
  hosts: ["localhost:5044"]
EOF

# Check the configuration and the connection to Logstash, then start Filebeat
sudo filebeat test config
sudo filebeat test output
sudo systemctl enable filebeat
sudo systemctl start filebeat

6. Firewall configuration

# Only Kibana needs to be reachable from the LAN. Elasticsearch (9200) speaks plain HTTP
# and is bound to loopback, so it is not opened at all. The Logstash inputs (5044, 5000)
# have no authentication or TLS in the configuration above: open them only if Filebeat
# runs on other machines, and then only from the subnet those machines are on.
# 192.168.20.0/24 is assumed here from the server address 192.168.20.166; adjust it.
sudo firewall-cmd --permanent --add-port=5601/tcp  # Kibana
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.20.0/24" port port="5044" protocol="tcp" accept'  # Logstash beats input
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.20.0/24" port port="5000" protocol="tcp" accept'  # Logstash TCP/JSON input
sudo firewall-cmd --reload
sudo firewall-cmd --list-all

7. Verify the installation

Check Elasticsearch

# Giving -u only the user name makes curl prompt for the password, so it stays out of the
# shell history and the process list
curl -X GET "http://localhost:9200" -u elastic
curl -X GET "http://localhost:9200/_cluster/health?pretty" -u elastic

Check the service status

sudo systemctl status elasticsearch
sudo systemctl status logstash
sudo systemctl status kibana

Access Kibana

Open http://<server IP>:5601 in a browser (http://192.168.20.166:5601 for the host in this guide).

  • Username: elastic
  • Password: the password you set
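Service status alone does not show whether the deployment is exposed the way it should be. The script below, an added example that is not part of the original page, checks that the listeners are where Logstash and Kibana on the same host need them (9200 on loopback only; 5601, 5044 and 5000 open) and that Elasticsearch rejects an anonymous request before accepting an authenticated one. It assumes iproute2's ss is available and that the elastic password is in the ES_ELASTIC_PWD environment variable; without the `run` argument it only defines its functions.

```shell
#!/bin/sh
# Added example, not from the original page: listener and authentication-boundary check.
# ES_ELASTIC_PWD and the expected port layout are assumptions made here.
set -eu

# Reads the output of `ss -Hltn` (one LISTEN socket per line, column 4 = Local Address:Port)
# and prints one line per deviation; prints nothing when everything is as expected.
check_listeners() {
  printf '%s\n' "$1" | awk '
    {
      n = split($4, a, ":"); port = a[n]
      addr = substr($4, 1, length($4) - length(port) - 1)
      bound[port] = addr
    }
    END {
      if (!("9200" in bound)) print "9200: not listening"
      else if (bound["9200"] != "127.0.0.1" && bound["9200"] != "[::1]")
        print "9200: bound to " bound["9200"] " (must be loopback only; check network.host)"
      n = split("5601 5044 5000", want, " ")
      for (i = 1; i <= n; i++) if (!(want[i] in bound)) print want[i] ": not listening"
    }'
}

http_code() { curl -s -o /dev/null -w '%{http_code}' "$@"; }

# Security must be on: no credentials -> 401; valid credentials -> 200.
check_es_auth() {
  anon="$(http_code http://127.0.0.1:9200/)"
  [ "$anon" = 401 ] || { echo "9200 answered $anon without credentials: security is off"; return 1; }
  auth="$(http_code -u "elastic:${ES_ELASTIC_PWD}" http://127.0.0.1:9200/_cluster/health)"
  [ "$auth" = 200 ] || { echo "authenticated health request failed with $auth"; return 1; }
}

main() {
  problems="$(check_listeners "$(ss -Hltn)")"
  [ -z "$problems" ] || { printf '%s\n' "$problems"; return 1; }
  check_es_auth && echo "listeners and authentication look right"
}

# Usage: ES_ELASTIC_PWD='...' sh verify-elk.sh run
if [ "${1:-}" = run ]; then
  main
fi
```

A 200 on the anonymous request means xpack.security.enabled is not in effect (for example because the configuration file was not the one the service read); a 9200 listener on 0.0.0.0 means the plain-HTTP endpoint is reachable from the LAN and network.host needs fixing before anything else.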

8. Common problems

Out of memory

# Set the heap in a drop-in file: jvm.options itself is replaced on package upgrade and
# should not be edited. Xms and Xmx must be equal and no more than half of the machine's
# RAM (the rest is needed for the OS page cache); 1g suits the 4GB minimum above.
sudo tee /etc/elasticsearch/jvm.options.d/heap.options << EOF
-Xms1g
-Xmx1g
EOF

File descriptor and memory-lock limits

# Elasticsearch runs as a systemd service, and systemd ignores /etc/security/limits.conf
# (that file only applies to PAM login sessions). The unit shipped with the RPM already
# sets LimitNOFILE=65535; memlock needs a unit override, and only matters if
# bootstrap.memory_lock: true is set in elasticsearch.yml.
sudo mkdir -p /etc/systemd/system/elasticsearch.service.d
sudo tee /etc/systemd/system/elasticsearch.service.d/override.conf << EOF
[Service]
LimitMEMLOCK=infinity
EOF
sudo systemctl daemon-reload

Restart all services

sudo systemctl restart elasticsearch logstash kibana

This completes the installation of the ELK stack. You can manage and view the log data through the Kibana interface.

Author: 严锋  Created: 2025-10-29 13:14
Last edited by: 严锋  Updated: 2025-11-04 14:01