ELK经典架构之Elasticsearch

版本选择

elasticsearch-5.6.15.tar.gz

Elasticsearch三机集群搭建

ELK1机（ip:10.10.61.205）

Elasticsearch安装

第1、2、3步类似Logstash安装。

4. 配置elasticsearch.yml

   
   
   

   elasticsearch.yml详情，如下代码块：

#
# NOTE: Elasticsearch comes with reasonable defaults for most settings.
#       Before you set out to tweak and tune the configuration, make sure you
#       understand what are you trying to accomplish and the consequences.
#
# The primary way of configuring a node is via this file. This template lists
# the most important settings you may want to configure for a production cluster.
#
# Please consult the documentation for further information on configuration options:
# https://www.elastic.co/guide/en/elasticsearch/reference/index.html
#
# ---------------------------------- Cluster -----------------------------------
#
# Use a descriptive name for your cluster:
# 集群名
 cluster.name: elk
#
# ------------------------------------ Node ------------------------------------
#
# Use a descriptive name for the node:
# 节点名
 node.name: elk1
#
# Add custom attributes to the node:
# 指定节点的部落属性，这是一个比集群更大的范围。
 node.attr.rack: r1
#
# ----------------------------------- Paths ------------------------------------
#
# Path to directory where to store the data (separate multiple locations by comma):
# 这一部分是关于数据和日志的存放路径的，这两个设置十分重要，因为比如要进行版本升级，如果程序与数据分离，将非常容易实现。程序的崩溃也不影响数据。
# 如果不配置这两项，这两个目录将在ES的主目录下创建。
#path.data: /path/to/data
#
# Path to log files:
#
#path.logs: /path/to/logs
#
# ----------------------------------- Memory -----------------------------------
#
# Lock the memory on startup:
#启动后是否锁定内存，提高ES的性能。
 bootstrap.memory_lock: false
#
# Make sure that the heap size is set to about half the memory available
# on the system and that the owner of the process is allowed to use this
# limit.
#
# Elasticsearch performs poorly when the system is swapping the memory.
#
# ---------------------------------- Network -----------------------------------
#
# Set the bind address to a specific IP (IPv4 or IPv6):
# 本机地址
 network.host: 10.10.61.205
#
# Set a custom port for HTTP:
# http端口
 http.port: 9200
#
# For more information, consult the network module documentation.
#
# --------------------------------- Discovery ----------------------------------
#
# Pass an initial list of hosts to perform discovery when new node is started:
# The default list of hosts is ["127.0.0.1", "[::1]"]
#
 discovery.zen.ping.unicast.hosts: ["10.10.61.205", "10.10.61.158","10.10.61.238"]
#
# Prevent the "split brain" by configuring the majority of nodes (total number of master-eligible nodes / 2 + 1):
# 为防止"脑裂"，此处数值填(集群主机数量/2+1) 
 discovery.zen.minimum_master_nodes: 2
#
# For more information, consult the zen discovery module documentation.
#
# ---------------------------------- Gateway -----------------------------------
#
# Block initial recovery after a full cluster restart until N nodes are started:
#
#gateway.recover_after_nodes: 3
#
# For more information, consult the gateway module documentation.
#
# ---------------------------------- Various -----------------------------------
#
# Require explicit names when deleting indices:
#
#action.destructive_requires_name: true

ELK2机（ip:10.10.61.158）

在ELK1机配置基础上修改node.name、network.host两处即可。

ELK3机（ip:10.10.61.238）

在ELK1机配置基础上修改node.name、network.host两处即可。

5. Elasticsearch集群运行
   1. ELK1机Elasticsearch前台启动
      ./elasticsearch
      
      异常1现象：
      [WARN ][o.e.b.ElasticsearchUncaughtExceptionHandler] [elk1] uncaught exception in thread [main]
      org.elasticsearch.bootstrap.StartupException: java.lang.RuntimeException: can not run elasticsearch as root
      
      异常1原因：
      Elasticsearch只能使用非root用户启动。
      异常1解决：
      创建用户
      adduser elk1
passwd elk1
      系统会判断密码强度，不过可以强行忽略。
      
      异常2现象：
      main ERROR Could not register mbeans java.security.AccessControlException: access denied ("javax.management.MBeanTrustPermission" "register")
      
      异常2原因：
      当前用户不是Elasticsearch文件夹的拥有者。
      异常2解决：
      将Elasticsearch文件夹的拥有者改为当前用户。
      chown -R elk1 /usr/elasticsearch-5.6.15/
      
      异常3现象
      ERROR: [2] bootstrap checks failed
      [1]: max file descriptors [4096] for elasticsearch process is too low, increase to at least [65536]。
      [2]: max virtual memory areas vm.max_map_count [65530] is too low, increase to at least [262144]。
      异常3原因
      [1]:对于elasticsearch进程，max文件描述符[4096]过低，至少增加到[65536]。
      [2]:最大虚拟内存区域vm.max_map_count[65530]太低，至少增加到[262144]。
      异常3解决
      [1]
      vim /etc/security/limits.conf
      
      limits.conf末尾添加下面代码块中内容：

* hard nofile 131072
* soft nproc 2048
* hard nproc 4096

[2]
当前环境设置
sysctl -w vm.max_map_count=262144

设置查询
sysctl -a|grep vm.max_map_count

写入配置
vim /etc/sysctl.conf

sysctl.conf文末添加如下代码块:
vm.max_map_count=262144

ELK1机Elasticsearch前台启动成功

2. ELK1机Elasticsearch前台停止
   按组合键ctrl+c即可停止Elasticsearch运行。
3. ELK1机Elasticsearch后台启动
   ./elasticsearch -d
   
4. ELK1机Elasticsearch进程查询
   ps -ef|grep elasticsearch
   
5. ELK1机Elasticsearch后台停止
   kill -9 14377
   14377为上步查询出的pid。
6. ELK2机、ELK3机同ELK1机方式运行
7. 获取集群中节点列表
   10.10.61.205:9200/_cat/nodes?v
   
8. 集群健康检查
   curl '10.10.61.205:9200/_cat/health?v'
   
9. 获取ElasticSearch索引
   curl '10.10.61.205:9200/_cat/indices?v'
   
10. 查看ELK集群中cluster的状态
    10.10.61.205.9200/_cluster/stats