ELK installation tutorial | A complete ELK 8.x installation in one go

From 8.x on, ELK installs with security enabled by default, so there is more to configure than on 7.x. If you are upgrading from 7.x, pay particular attention to the certificate-related security settings of everything that talks to Elasticsearch, such as Logstash, Elasticsearch clients and Beats.

Download the ELK 8.3.3 packages

Download the .deb packages and install them with dpkg:

### Download Elasticsearch
$ wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-8.3.3-amd64.deb
### Download Logstash
$ wget https://artifacts.elastic.co/downloads/logstash/logstash-8.3.3-amd64.deb
### Download Kibana
$ wget https://artifacts.elastic.co/downloads/kibana/kibana-8.3.3-amd64.deb
### Install (dpkg needs root)
$ sudo dpkg -i elasticsearch-8.3.3-amd64.deb
$ sudo dpkg -i logstash-8.3.3-amd64.deb
$ sudo dpkg -i kibana-8.3.3-amd64.deb
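Elastic publishes a .sha512 checksum and a detached PGP signature (.asc) next to every artifact at the URLs above. The script below is an added example, not part of the original page: it downloads a package together with both files and refuses to run dpkg -i unless the checksum and the signature verify. The artifact URLs follow the page; the signing-key URL and fingerprint are the ones given in Elastic's installation documentation (cross-check them there before trusting this copy). The self-check at the end runs offline on a constructed file.

```shell
#!/bin/sh
# Added example (not from the original page): download an Elastic .deb with its
# published .sha512 checksum and .asc signature and install only if both verify.
set -eu

ELASTIC_BASE="https://artifacts.elastic.co/downloads"
ELASTIC_KEY_URL="https://artifacts.elastic.co/GPG-KEY-elasticsearch"
# Fingerprint of the Elastic signing key as documented by Elastic; verify against their docs.
ELASTIC_KEY_FPR="46095ACC8548582C1A2699A9D27D666CD88E42B4"
VERSION="${ELK_VERSION:-8.3.3}"

# fetch_package <product> <dir>: download <product>-<VERSION>-amd64.deb plus .sha512 and .asc into <dir>.
fetch_package() {
  product="$1"; dir="$2"; file="$1-$VERSION-amd64.deb"
  mkdir -p "$dir"
  for ext in "" ".sha512" ".asc"; do
    wget -q -P "$dir" "$ELASTIC_BASE/$product/$file$ext"
  done
}

# verify_sha512 <deb>: check <deb> against <deb>.sha512, whose format is "<hex>  <filename>".
# Returns 0 on match, non-zero on mismatch or missing file.
verify_sha512() {
  ( cd "$(dirname "$1")" && sha512sum --check --status "$(basename "$1").sha512" )
}

# import_elastic_key: import Elastic's signing key and insist its fingerprint is the documented one.
import_elastic_key() {
  wget -qO- "$ELASTIC_KEY_URL" | gpg --import
  gpg --with-colons --fingerprint "$ELASTIC_KEY_FPR" | grep -q "^fpr:.*:$ELASTIC_KEY_FPR:$"
}

# verify_gpg <deb>: check the detached signature <deb>.asc with the imported key.
verify_gpg() {
  gpg --verify "$1.asc" "$1" 2>/dev/null
}

# install_verified <product> <dir>: fetch, verify checksum and signature, then install.
install_verified() {
  deb="$2/$1-$VERSION-amd64.deb"
  fetch_package "$1" "$2"
  verify_sha512 "$deb" || { echo "checksum mismatch: $deb" >&2; return 1; }
  verify_gpg "$deb"    || { echo "bad or missing signature: $deb" >&2; return 1; }
  sudo dpkg -i "$deb"
}

# selfcheck: offline exercise of verify_sha512 on a constructed file, intact and then tampered.
selfcheck() {
  d="$(mktemp -d)"; name="fake-$VERSION-amd64.deb"
  printf 'constructed package bytes\n' > "$d/$name"
  ( cd "$d" && sha512sum "$name" > "$name.sha512" )
  verify_sha512 "$d/$name" || return 1                  # intact file must pass
  printf 'tampered\n' >> "$d/$name"
  if verify_sha512 "$d/$name"; then return 1; fi        # modified file must fail
  rm -rf "$d"
}

# Usage (needs network and root):
#   import_elastic_key
#   for p in elasticsearch logstash kibana; do install_verified "$p" /tmp/elk; done
```

The checksum catches a corrupted or truncated download; only the signature check protects against a substituted package, so keep both, and fail closed when either file is missing.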

Elasticsearch setup

After installation, ES 8.x prints the message below. Either use the random password it generated for the elastic built-in superuser, or change it with the reset command shown in the message. The password is only printed this once, so record it now (the value below is the page's example; yours will differ).

--------------------------- Security autoconfiguration information ------------------------------

Authentication and authorization are enabled.
TLS for the transport and HTTP layers is enabled and configured.

The generated password for the elastic built-in superuser is : PeGGS9D*JOt8S3=Tt57*

If this node should join an existing cluster, you can reconfigure this with
'/usr/share/elasticsearch/bin/elasticsearch-reconfigure-node --enrollment-token <token-here>'
after creating an enrollment token on your existing cluster.

You can complete the following actions at any time:

Reset the password of the elastic built-in superuser with
'/usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic'.

Generate an enrollment token for Kibana instances with
'/usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana'.

Generate an enrollment token for Elasticsearch nodes with
'/usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s node'.

-------------------------------------------------------------------------------------------------

Edit the Elasticsearch YML

$ vi /etc/elasticsearch/elasticsearch.yml

### Use a different cluster.name for each cluster
cluster.name: bimap
### Defaults to the hostname
node.name: ${HOSTNAME}
### Adjust to your data path; several paths may be listed.
### The directory (here /data/es) must exist and be owned by the elasticsearch user.
path.data: ["/data/es"]
bootstrap.memory_lock: true
### ${IP} is a placeholder for the address this node should listen on
network.host: ${IP}
### With several hosts this is where the other nodes would be configured; this walkthrough uses single-node mode:
discovery.type: single-node

Two things to check before starting. bootstrap.memory_lock: true only takes effect if the service is allowed to lock memory: add LimitMEMLOCK=infinity under [Service] with systemctl edit elasticsearch, otherwise the node logs "Unable to lock JVM Memory" and runs without the lock. And once network.host is a non-loopback address, the node binds only to that address; network.host accepts a list, so include 127.0.0.1 as well if you still want to reach it as localhost, as the curl check below does.

Start Elasticsearch

$ systemctl start elasticsearch
$ systemctl enable elasticsearch
$ systemctl status elasticsearch

Verify that it started

The deb package puts the CA for the HTTP layer at /etc/elasticsearch/certs/http_ca.crt, so verify against it instead of disabling certificate checking with -k. Leaving the password off -u makes curl prompt for it, which keeps it out of your shell history.

$ curl --cacert /etc/elasticsearch/certs/http_ca.crt -u elastic "https://localhost:9200"
Enter host password for user 'elastic':
{
  "name" : "cluster-test1",
  "cluster_name" : "ELK8-cluster",
  "cluster_uuid" : "mJ6d920ORiytWGZxnYHhlA",
  "version" : {
    "number" : "8.3.3",
    "build_flavor" : "default",
    "build_type" : "deb",
    "build_hash" : "801fed82df74dbe537f89b71b098ccaff88d2c56",
    "build_date" : "2022-07-23T19:30:09.227964828Z",
    "build_snapshot" : false,
    "lucene_version" : "9.2.0",
    "minimum_wire_compatibility_version" : "7.17.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "You Know, for Search"
}
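Beyond the banner, two things are worth checking right after the first start: that the cluster is healthy, and that bootstrap.memory_lock from the YML actually took effect (a node that could not lock memory starts anyway and only logs a warning). The script below is an added example, not part of the original page. It wraps curl so that TLS is verified against the autoconfigured CA and the password comes from a 0600 netrc file rather than the command line, and it checks GET /_nodes?filter_path=**.mlockall. It assumes the deb layout used on this page (CA at /etc/elasticsearch/certs/http_ca.crt, API on port 9200); the netrc path is an assumption.

```shell
#!/bin/sh
# Added example (not from the original page): verified-TLS checks against a
# freshly started ES 8.x node, with the elastic password kept out of argv.
set -eu

ES_URL="${ES_URL:-https://localhost:9200}"
ES_CA="${ES_CA:-/etc/elasticsearch/certs/http_ca.crt}"
ES_NETRC="${ES_NETRC:-${HOME:-/root}/.es_netrc}"

# write_es_netrc <file> <host> <password>: create a 0600 netrc for curl --netrc-file,
# so the password never shows up in `ps` output or the shell history.
write_es_netrc() {
  ( umask 077 && printf 'machine %s login elastic password %s\n' "$2" "$3" > "$1" )
}

# es_curl <path> [curl options...]: GET $ES_URL<path> with TLS verified against the CA (no -k).
es_curl() {
  path="$1"; shift
  curl --silent --show-error --fail --cacert "$ES_CA" --netrc-file "$ES_NETRC" "$ES_URL$path" "$@"
}

# memory_lock_ok <json>: 0 iff every node in the body of
# GET /_nodes?filter_path=**.mlockall reports "mlockall": true.
memory_lock_ok() {
  printf '%s' "$1" | grep -q '"mlockall"[[:space:]]*:[[:space:]]*true' || return 1   # nobody reports the lock
  ! printf '%s' "$1" | grep -q '"mlockall"[[:space:]]*:[[:space:]]*false'            # and nobody lacks it
}

# cluster_status <json>: print the "status" field (green/yellow/red) of GET /_cluster/health.
cluster_status() {
  printf '%s' "$1" | sed -n 's/.*"status"[[:space:]]*:[[:space:]]*"\([a-z]*\)".*/\1/p'
}

# check_es: live checks against a running node (needs the CA file and the netrc file).
check_es() {
  es_curl "/"                                   # the banner shown above, now with TLS verified
  echo "cluster status: $(cluster_status "$(es_curl /_cluster/health)")"
  if memory_lock_ok "$(es_curl '/_nodes?filter_path=**.mlockall')"; then
    echo "memory lock: active"
  else
    echo "memory lock: NOT active; add LimitMEMLOCK=infinity under [Service] via 'systemctl edit elasticsearch'" >&2
    return 1
  fi
}

# Usage:
#   write_es_netrc "$ES_NETRC" localhost 'PeGGS9D*JOt8S3=Tt57*'   # the page's example password
#   check_es
```

The netrc machine name must match the host part of ES_URL, so if you listed a non-loopback address in network.host and query that address, write the netrc entry for it rather than for localhost.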

Kibana setup

Fix ownership of the Kibana configuration

### kibana:kibana (the page's "kibana." is GNU chown shorthand for the same)
chown -R kibana:kibana /etc/kibana

Edit the Kibana yml

$ vi /etc/kibana/kibana.yml

server.port: 5601
### 0.0.0.0 listens on every interface; bind a single address or firewall the port if Kibana should not be reachable from everywhere
server.host: "0.0.0.0"
### The URL users actually type into the browser (this host's name or IP, a placeholder here), not 0.0.0.0
server.publicBaseUrl: "http://kibana.example.com:5601"

Start Kibana

$ systemctl start kibana
$ systemctl enable kibana
$ systemctl status kibana

Create a Kibana enrollment token on the Elasticsearch host (it expires after 30 minutes, so do this right before the next step):

/usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana

Open the Kibana interface

Open a browser and go to localhost:5601 (or the host's address if the browser is not on the Kibana machine).

You should land on the screen below; paste the enrollment token there.

(Screenshot: Kibana enrollment-token prompt)

Kibana then asks for a verification code; generate it on the Kibana server and enter it in the UI, for example:

$ /usr/share/kibana/bin/kibana-verification-code
Your verification code is:  139 477

Enable HTTPS on Kibana

### Generate a CA (writes elastic-stack-ca.zip, containing ca/ca.crt and ca/ca.key)
/usr/share/elasticsearch/bin/elasticsearch-certutil ca --pem
### Copy the bundle into place and unpack it
cp /usr/share/elasticsearch/elastic-stack-ca.zip /etc/kibana
cd /etc/kibana
unzip elastic-stack-ca.zip
### Keep a copy of the Elasticsearch HTTP CA alongside it
cp /etc/elasticsearch/certs/http_ca.crt /etc/kibana/ca
### Give the kibana user ownership
chown -R kibana:kibana /etc/kibana/ca

Edit kibana.yml

### The URL users type into the browser (placeholder hostname), now https
server.publicBaseUrl: "https://kibana.example.com:5601"
### Enable SSL
server.ssl.enabled: true
### Certificate Kibana presents
server.ssl.certificate: /etc/kibana/ca/ca.crt
### Its private key
server.ssl.key: /etc/kibana/ca/ca.key

Note what this configuration does: ca.crt and ca.key are the CA itself, so Kibana serves a CA certificate as its own, browsers warn because the certificate is neither a server certificate nor issued for the hostname, and the CA private key lives on the Kibana host. That is acceptable for a lab. For anything else, issue Kibana a server certificate signed by this CA, point server.ssl.certificate and server.ssl.key at that, and move ca.key off the host.
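The script below is an added example, not part of the original page or Elastic's tooling: it builds the CA, issues Kibana a leaf certificate with a Subject Alternative Name for its hostname, and checks a PEM the way you would before pointing server.ssl.certificate at it (not a CA, SAN matches, chains to the CA). It uses openssl so it runs anywhere; with Elastic's tools the equivalent issuing step is `elasticsearch-certutil cert --ca-cert ca/ca.crt --ca-key ca/ca.key --pem --name kibana --dns kibana.example.com --out kibana.zip`. The hostname kibana.example.com and the output directory are placeholders.

```shell
#!/bin/sh
# Added example (not from the original page): issue Kibana a proper server
# certificate signed by the CA, and check any PEM before Kibana serves it.
set -eu

# write_req_cnf <file>: minimal openssl req config so nothing depends on the system openssl.cnf.
write_req_cnf() {
  printf '[req]\ndistinguished_name=dn\nx509_extensions=ca_ext\n[dn]\n' > "$1"
  printf '[ca_ext]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >> "$1"
}

# make_ca <dir>: self-signed CA, the equivalent of ca/ca.crt and ca/ca.key in elastic-stack-ca.zip.
make_ca() {
  mkdir -p "$1"
  write_req_cnf "$1/req.cnf"
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 -config "$1/req.cnf" \
    -subj "/CN=Elastic Stack CA (example)" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
  chmod 600 "$1/ca.key"
}

# issue_server_cert <dir> <hostname>: leaf certificate for <hostname> (SAN, CA:FALSE, serverAuth)
# signed by <dir>/ca.crt and <dir>/ca.key; writes <dir>/kibana.crt and <dir>/kibana.key.
issue_server_cert() {
  dir="$1"; host="$2"
  [ -f "$dir/req.cnf" ] || write_req_cnf "$dir/req.cnf"
  openssl req -new -newkey rsa:2048 -nodes -config "$dir/req.cnf" -subj "/CN=$host" \
    -keyout "$dir/kibana.key" -out "$dir/kibana.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' "$host" \
    > "$dir/kibana.ext"
  openssl x509 -req -in "$dir/kibana.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -days 825 -extfile "$dir/kibana.ext" -out "$dir/kibana.crt" 2>/dev/null
  chmod 600 "$dir/kibana.key"
  rm -f "$dir/kibana.csr" "$dir/kibana.ext" "$dir/ca.srl"
}

# is_ca_cert <pem>: 0 if the certificate is a CA (basicConstraints CA:TRUE), i.e. wrong as a server cert.
is_ca_cert() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# has_san <pem> <hostname>: 0 if <hostname> is listed as a DNS name in the Subject Alternative Name.
has_san() {
  openssl x509 -in "$1" -noout -text | grep -qE "DNS:$2(,|[[:space:]]|$)"
}

# chains_to <leaf> <ca>: 0 if <leaf> verifies against <ca>.
chains_to() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# kibana_cert_ok <pem> <ca> <hostname>: the three checks a Kibana server certificate should pass.
kibana_cert_ok() {
  ! is_ca_cert "$1" && has_san "$1" "$3" && chains_to "$1" "$2"
}

# Usage on the Kibana host (root); then set server.ssl.certificate/key to kibana.crt/kibana.key:
#   make_ca /etc/kibana/ca              # or unzip elastic-stack-ca.zip there, as above
#   issue_server_cert /etc/kibana/ca kibana.example.com
#   kibana_cert_ok /etc/kibana/ca/kibana.crt /etc/kibana/ca/ca.crt kibana.example.com && echo OK
#   chown -R kibana:kibana /etc/kibana/ca   # then move ca.key off this host
```

Run kibana_cert_ok against the ca.crt from the steps above and it fails on the first check, which is exactly the problem with serving the CA certificate directly. Import ca.crt into the browsers or OS trust store that will reach Kibana; the leaf then validates without warnings.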

Logstash setup

Adjust Logstash's jvm.options; here the heap is set to 4 GB (keep -Xms and -Xmx equal, and well below the host's physical memory)

$ vi /etc/logstash/jvm.options

-Xms4g
-Xmx4g

Edit logstash.service

$ vi /lib/systemd/system/logstash.service

User=root
Group=root

This makes Logstash run as root. It is normally only needed when the pipeline reads files the logstash user cannot open; the least-privilege fix is to give that user read access instead (for example membership of the group that owns the log files) and keep the packaged User=logstash. Note also that /lib/systemd/system/logstash.service is replaced on the next package upgrade, so put any change in a drop-in with systemctl edit logstash if it has to survive.

Reload systemd

systemctl daemon-reload

Start Logstash

$ systemctl start logstash
$ systemctl enable logstash
$ systemctl status logstash
### If Elasticsearch is still recovering a large amount of data after a restart, watch its progress
### (8.x needs TLS and credentials, as in the verification step above):
### curl --cacert /etc/elasticsearch/certs/http_ca.crt -u elastic "https://localhost:9200/_cat/recovery?v"
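The script below is an added example, not part of the original page: it renders the drop-in that replaces the in-place User=root edit, and audits which user a unit effectively runs as once drop-ins are applied (systemd reads the unit file first, then the *.conf drop-ins in lexical order; the last User= wins). The group name adm is an assumption (the log-reader group on Debian/Ubuntu); use whatever group owns your log files. The hardening directives are ones that do not touch Logstash's own data and log directories; test the override in your environment before relying on it.

```shell
#!/bin/sh
# Added example (not from the original page): keep Logstash unprivileged with a
# systemd drop-in, and audit the effective User= of a unit plus its drop-ins.
set -eu

# effective_unit_user <unit.service> <dropin-dir>: emulate systemd's merge order and print
# the effective user ("" if no User= line is set anywhere).
effective_unit_user() {
  unit="$1"; dropin_dir="$2"; user=""
  for f in "$unit" "$dropin_dir"/*.conf; do
    [ -f "$f" ] || continue
    while IFS= read -r line || [ -n "$line" ]; do
      case "$line" in
        User=*) user="${line#User=}"; user="${user%%[[:space:]]*}" ;;   # strip trailing space/CR
      esac
    done < "$f"
  done
  printf '%s' "$user"
}

# render_least_privilege_dropin <file>: the override to install at
# /etc/systemd/system/logstash.service.d/override.conf (or paste into `systemctl edit logstash`).
render_least_privilege_dropin() {
  cat > "$1" <<'EOF'
[Service]
# Keep the packaged unprivileged user; only grant read access to the log files.
User=logstash
Group=logstash
SupplementaryGroups=adm
# Hardening that leaves Logstash's own directories untouched.
NoNewPrivileges=true
PrivateTmp=true
ProtectHome=true
EOF
}

# Usage on the host (root):
#   mkdir -p /etc/systemd/system/logstash.service.d
#   render_least_privilege_dropin /etc/systemd/system/logstash.service.d/override.conf
#   systemctl daemon-reload && systemctl restart logstash
#   effective_unit_user /lib/systemd/system/logstash.service /etc/systemd/system/logstash.service.d
```

After the restart, `systemctl show -p User logstash` should report logstash, and a pipeline that reads /var/log files owned by root:adm with mode 640 will open them through the supplementary group instead of through root.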


✦ 集先鋒 Bimap – high-speed, stable, large-scale log analytics platforms for enterprises ✦
