【话不多说】
1.话不多说,直接开干,多次搭建,准确无误
下载不了,请到官网下载!!!
# Fetch the four 6.7.2 archives. The URLs are cut short on this page; take the
# full links from the elastic.co downloads page.
# NOTE(review): the links have no scheme, so wget falls back to plain http.
# Use the https:// form and check each archive against the checksum file
# elastic publishes alongside it before extracting — an unverified tarball
# unpacked straight into /usr/local is the supply-chain weak point of this
# install.
wget artifacts.elastic.co/downloads/e…
wget artifacts.elastic.co/downloads/k…
wget artifacts.elastic.co/downloads/b…
wget artifacts.elastic.co/downloads/l…
# Unpack into /usr/local/<product>-6.7.2[-linux-x86_64]; these are the paths
# every later step refers to.
tar -xzvf elasticsearch-6.7.2.tar.gz -C /usr/local/
tar -xzvf kibana-6.7.2-linux-x86_64.tar.gz -C /usr/local/
tar -xzvf filebeat-6.7.2-linux-x86_64.tar.gz -C /usr/local/
tar -xzvf logstash-6.7.2.tar.gz -C /usr/local/
首先安装jdk环境
#############################################################
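# Install the JDK 8 rpm and register JAVA_HOME/CLASSPATH/PATH in /etc/profile.
# Fixes relative to the original listing:
#  - the rpm is 8u202 but JAVA_HOME was hard-coded to jdk1.8.0_152, a directory
#    a fresh install does not have; the install root is now resolved from the
#    java binary the rpm puts on PATH.
#  - CLASSPATH used the Windows form %JAVA_HOME%, which is a literal string on
#    Linux; it now expands $JAVA_HOME.
#  - the two sed commands were wrapped in eval for no reason; they run directly.
rpm -ivh jdk-8u202-linux-x64.rpm
java_bin=$(readlink -f "$(command -v java)") \
  || { printf 'java not on PATH after the rpm install\n' >&2; exit 1; }
# Strip /bin/java, and a trailing /jre in case the registered binary is the
# bundled JRE's, so JAVA_HOME is the JDK root.
java_home=${java_bin%/bin/java}
java_home=${java_home%/jre}
# Drop earlier copies so re-running this step does not stack duplicate exports.
sed -i '/export JAVA_HOME/d' /etc/profile
sed -i '/export CLASSPATH/d' /etc/profile
# Unquoted delimiter: $java_home is expanded now; the escaped \$PATH and
# \$JAVA_HOME stay literal and are evaluated at login.
cat >> /etc/profile <<EOF
export JAVA_HOME=$java_home
export CLASSPATH=\$JAVA_HOME/lib:\$JAVA_HOME/jre/lib
export PATH=\$PATH:\$JAVA_HOME/bin
EOF
source /etc/profile
java -version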
#############################################################
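# Create the unprivileged account that runs the Elastic services and give it
# the directories it has to write to (Elasticsearch refuses to start as root).
groupadd elasticsearch
useradd -g elasticsearch elasticsearch
# user:group — the user.group spelling is a legacy form GNU chown still accepts.
chown -R elasticsearch:elasticsearch /usr/local/elasticsearch-6.7.2
chown -R elasticsearch:elasticsearch /usr/local/kibana-6.7.2-linux-x86_64/config
chown -R elasticsearch:elasticsearch /usr/local/filebeat-6.7.2-linux-x86_64
hostnamectl set-hostname elk-server
# The original stopped and disabled firewalld outright. Elasticsearch 6.7 and
# Kibana 6.7 on the basic licence have no authentication, so keep the host
# firewall running and open only what remote clients need: Kibana (5601) and
# the Beats input on Logstash (5044). Elasticsearch's 9200 stays closed to the
# network; Kibana and Logstash reach it over localhost in this setup.
systemctl enable --now firewalld.service
firewall-cmd --permanent --add-port=5601/tcp
firewall-cmd --permanent --add-port=5044/tcp
firewall-cmd --reload
# Limits Elasticsearch's bootstrap checks demand. The 6.x thread check wants at
# least 4096 for the user, and it reads the *soft* nproc limit, so the soft
# value is raised from the original 2048 (a distro limits.d file may also
# override "*" entries — TODO confirm with `ulimit -u` as the elasticsearch
# user). Guarded so a re-run does not append the block twice.
if ! grep -q '^\* soft nofile 65536' /etc/security/limits.conf; then
cat >> /etc/security/limits.conf <<EOF
* soft nofile 65536
* hard nofile 131072
* soft nproc 4096
* hard nproc 4096
EOF
fi
grep -q '^vm.max_map_count=655360' /etc/sysctl.conf \
  || printf 'vm.max_map_count=655360\n' >> /etc/sysctl.conf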
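# Apply the sysctl change, then start Elasticsearch as the unprivileged user.
# The original `su – elasticsearch` used an en dash (not a valid option), and
# the start command on the following line would only have run after that
# interactive shell exited; `su -c` runs the daemon start as that user directly.
# The elasticsearch.yml edit on the next page line needs a restart to apply.
sysctl -p
su - elasticsearch -c '/usr/local/elasticsearch-6.7.2/bin/elasticsearch -d'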
vi /usr/local/elasticsearch-6.7.2/config/elasticsearch.yml 修改 network.host: 0.0.0.0(监听所有网卡;6.7 基础版默认无认证,9200 端口请用防火墙只放行可信来源)
vi /usr/local/logstash-6.7.2/config/logstash.yml
需要root创建给elasticsearch用户权限
#################################################
# Where Logstash keeps its persistent data and its own log files. Both
# directories must exist and be writable by the account that starts Logstash
# (the page creates them as root and then grants the elasticsearch user access).
path.data: /data/logstash/data
path.logs: /data/logstash/logs
#################################################
vi /usr/local/logstash-6.7.2/default.conf
#################################################
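# Beats input -> Elasticsearch output. Indentation restored. The original bound
# the Beats listener to 192.168.244.200 while the filebeat.yml further down
# ships to localhost:5044, and a listener bound to one address does not accept
# connections on loopback — so bind to 127.0.0.1 to match that config and keep
# the plaintext Beats port off the network. If Beats on other hosts must ship
# here, bind to this server's address instead and enable TLS on the input
# (ssl => true plus a certificate/key); Beats traffic is otherwise unencrypted
# and unauthenticated.
input {
  beats {
    host => "127.0.0.1"
    port => 5044
    codec => plain {
      charset => "UTF-8"
    }
  }
}
output {
  elasticsearch {
    # Elasticsearch on this host over loopback; 9200 need not be exposed.
    hosts => "127.0.0.1:9200"
    manage_template => false
    # One index per beat per day, named from the metadata Beats attach.
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }
}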
##########################################
根据自己需要更改
vi /usr/local/logstash-6.7.2/config/jvm.options # 修改jvm内存 1g
vi /usr/local/elasticsearch-6.7.2/config/jvm.options # 修改jvm内存 1g
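# Start Logstash in the background. The original ran it as root; run it as the
# unprivileged elasticsearch user (the path.data/path.logs directories from
# logstash.yml must be writable by it), and write the console log to an
# absolute path instead of whatever the current directory happens to be.
# --config.reload.automatic re-reads default.conf when it changes.
su - elasticsearch -c 'nohup /usr/local/logstash-6.7.2/bin/logstash -f /usr/local/logstash-6.7.2/default.conf --config.reload.automatic > /data/logstash/logs/logstash-console.log 2>&1 &'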
vi /usr/local/kibana-6.7.2-linux-x86_64/config/kibana.yml
############################################
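server.port: 5601
# Bind address. The original had "云服务器0.0.0.0" trailing the value as an
# inline note, which is not valid YAML; it meant: on a cloud server use 0.0.0.0
# to listen on every interface. Kibana 6.7 has no login on the basic licence,
# so whichever address is used, restrict 5601 with the host/cloud firewall to
# trusted sources or put an authenticating reverse proxy in front.
server.host: "192.168.2.207"
# 6.x key name; 7.x renames it to elasticsearch.hosts.
elasticsearch.url: "http://localhost:9200"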
############################################
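# Start Kibana in the background as the unprivileged user rather than root.
# The page only chowns Kibana's config/ to that user; Kibana also writes under
# its data/ directory (its instance uuid, presumably — TODO confirm for 6.7),
# and the console log needs a directory that user can write to, so both are
# prepared first.
mkdir -p /usr/local/kibana-6.7.2-linux-x86_64/data /var/log/kibana
chown -R elasticsearch:elasticsearch /usr/local/kibana-6.7.2-linux-x86_64/data /var/log/kibana
su - elasticsearch -c 'nohup /usr/local/kibana-6.7.2-linux-x86_64/bin/kibana > /var/log/kibana/kibana.log 2>&1 &'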
#// 通过filebeat收集日志,发送到logstash(生产一般在这里配置log的地址)
vi /usr/local/filebeat-6.7.2-linux-x86_64/filebeat.yml
############################################
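# Ship every /var/log/*.log to the local Logstash Beats input. Indentation
# restored (flattened as on the page the entries are not valid YAML), and
# filebeat.prospectors — deprecated since 6.3 — replaced by filebeat.inputs,
# which 6.7.2 accepts. Only one output may be enabled, so the default
# output.elasticsearch section must stay commented out.
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/*.log
# Plaintext to Logstash on this host. If Logstash runs elsewhere, configure
# output.logstash.ssl so the log stream is encrypted in transit.
output.logstash:
  hosts: ["localhost:5044"]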
在 filebeat.yml 中注释掉 output.elasticsearch 段(filebeat 同时只能启用一个输出)
############################################
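# Filebeat has to run as root to read /var/log/*.log, but Beats refuse a config
# file that is not owned by the running user or is group/world writable, and
# filebeat.yml was chown'ed to elasticsearch above — so restore root ownership
# and tighten the mode first. -e sends the log to stderr and -d "publish"
# adds publish-pipeline debug output; both land in the absolute log path.
chown root:root /usr/local/filebeat-6.7.2-linux-x86_64/filebeat.yml
chmod 0600 /usr/local/filebeat-6.7.2-linux-x86_64/filebeat.yml
nohup /usr/local/filebeat-6.7.2-linux-x86_64/filebeat -e -c /usr/local/filebeat-6.7.2-linux-x86_64/filebeat.yml -d "publish" > /var/log/filebeat.log 2>&1 &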
#最后,多看看 su - elasticsearch 之后这 3 个日志(logstash.log、kibana.log、filebeat.log)里的报错。
1,一般没出日志都是filebeat没配置好logstash,或是elasticsearch、logstash状态有问题,或是配置文件错误导致
2,一般日志找不到有可能是时间戳无法分隔的问题
3,Docker容器日志目录位置:- /var/new_lib/docker/containers/*/*-json.log
4,服务器时间与真实时间不一致
时间修正:root 用户
#######################
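# One-shot clock fix plus a periodic re-sync, run as root. Changes from the
# original: the timezone is set through timedatectl instead of `yes | cp`-ing
# the zoneinfo file over /etc/localtime; the crontab round-trip uses a mktemp
# file instead of the fixed, predictable /tmp/crontab.bak; a missing crontab no
# longer makes `crontab -l` abort the step; and the cron line is added only if
# absent, so re-running does not schedule it several times. ntpdate takes the
# time from an unauthenticated public pool and steps the clock every 10
# minutes — for a long-running server, chronyd is the better choice.
yum install -y ntpdate
timedatectl set-timezone Asia/Shanghai
ntpdate us.pool.ntp.org
crontab_tmp=$(mktemp) || exit 1
trap 'rm -f -- "$crontab_tmp"' EXIT
crontab -l > "$crontab_tmp" 2>/dev/null || true   # no crontab yet is fine
cron_line='*/10 * * * * /usr/sbin/ntpdate us.pool.ntp.org | logger -t NTP'
grep -qF -- "$cron_line" "$crontab_tmp" || printf '%s\n' "$cron_line" >> "$crontab_tmp"
crontab "$crontab_tmp"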
#######################
参考网址: