1. JAVA安装

• JAVA下载
  http://java.oracle.com

• java环境变量配置
  编辑/etc/profile 或者 ~./bash_profile 添加以下配置

export PATH
export JAVA_HOME=/usr/java/jdk1.8.0_144/
export PATH=$JAVA_HOME/bin:$PATH
export CLASSPATH=.:$JAVA_HOME/lib/dt.jar:$JAVA_HOME/lib/tools.jar:$JAVA_HOME/lib

---

2. ELK下载

• 官网
  https://www.elastic.co/cn/products/

• 历史版本在这里
  https://www.elastic.co/downloads/past-releases

• ES下载(6.4.2)
  https://www.elastic.co/downloads/past-releases/elasticsearch-6-4-2

• Logstash下载(6.4.2)
  https://www.elastic.co/downloads/past-releases/logstash-6-4-2

• Kinaba下载(6.4.2)
  https://www.elastic.co/downloads/past-releases/kibana-6-4-2

---

3. ES安装

• 上传

mkdir -p /opt/elk/soft
上传 elasticsearch-6.4.2.tar.gz

• 解压

cd /opt/elk/soft
tar zxvf elasticsearch-6.4.2.tar.gz /opt/elk/
ls -l /opt/elk/

• 创建用户（必需）

groupadd elasticsearch
useradd elasticsearch -g elasticsearch -p elasticsearch
cd /opt/elk/
chown -R elasticsearch.elasticsearch ./elasticsearch-6.4.2/

/etc/security/limit.conf

elasticsearch   soft    nofile  65536
elasticsearch   hard    nofile  65536
elasticsearch   hard    nproc   4096
elasticsearch   soft    nproc   4096

• 配置
  创建data目录

mkdir -p /log/es/es6/
cd /log
chown -R elasticsearch.elasticsearch ./es

编辑配置文件

[root@elksrv01 config]# cat elasticsearch.yml  | grep -v  ^#  |grep -v ^$
cluster.name: apiins
node.name: node0
path.data: /log/es/es6/data
path.logs: /log/es/es6/log
bootstrap.memory_lock: false
bootstrap.system_call_filter: false
network.host: 172.10.5.3
http.port: 9200

• 启动,关闭,重启脚本

[root@elksrv01 init.d]# cat elasticsearch
#!/bin/sh
#chkconfig: 2345 80 05
#description: elasticsearch
 
export JAVA_HOME=/usr/java/jdk1.8.0_144
export JAVA_BIN=/usr/java/jdk1.8.0_144/bin
export PATH=$PATH:$JAVA_HOME/bin
export CLASSPATH=.:$JAVA_HOME/lib/dt.jar:$JAVA_HOME/lib/tools.jar
export JAVA_HOME JAVA_BIN PATH CLASSPATH
 
case "$1" in
start)
    su elasticsearch<<!
    cd /opt/elk/elasticsearch-6.4.2
    ./bin/elasticsearch -d
!
    echo "elasticsearch startup"
    ;;  
stop)
    es_pid=`ps aux|grep elasticsearch | grep -v 'grep elasticsearch' | awk '{print $2}'`
    kill -9 $es_pid
    echo "elasticsearch stopped"
    ;;  
restart)
    es_pid=`ps aux|grep elasticsearch | grep -v 'grep elasticsearch' | awk '{print $2}'`
    kill -9 $es_pid
    echo "elasticsearch stopped"
    su elasticsearch<<!
    cd /opt/elk/elasticsearch-6.4.2
    ./bin/elasticsearch -d
!
    echo "elasticsearch startup"
    ;;  
*)
    echo "start|stop|restart"
    ;;  
esac
 
exit $?

• 验证
  浏览器访问http://172.10.5.3:9200/
  返回

{
  "name" : "node0",
  "cluster_name" : "apiins",
  "cluster_uuid" : "LxLnkqDBQm2NBXvHS3PZ4g",
  "version" : {
    "number" : "6.4.2",
    "build_flavor" : "default",
    "build_type" : "tar",
    "build_hash" : "04711c2",
    "build_date" : "2018-09-26T13:34:09.098244Z",
    "build_snapshot" : false,
    "lucene_version" : "7.4.0",
    "minimum_wire_compatibility_version" : "5.6.0",
    "minimum_index_compatibility_version" : "5.0.0"
  },
  "tagline" : "You Know, for Search"
}

• 问题

---

4. Logstash安装

• 上传

• 解压

• 配置

• 启动

  • screen命令

• 验证

5. Kinaba安装

• 上传
• 解压
• 配置
• 启动
• 验证

6. nginx日志分析

• nginx日志配置
• filebeat配置
• Logstash配置
• GeoIP
• Kinaba展示
• 效果图

7. syslog日志分析

• syslog.conf配置
• Logstash配置
• 验证