centos7 配置es单机，使用xpack控制权限

环境以及相关内核, 安装java包.

[root@gz3_elk_001 /]# cat /etc/redhat-release CentOS Linux release 7.7.1908 (Core)[root@gz3_elk_001 /]# yum -y install java[root@gz3_elk_001 /]# echo "vm.max_map_count=262144" >> /etc/sysctl.conf[root@gz3_elk_001 /]#  sysctl -p

这里不用源码安装，是为了方便不写启动服务
如果用源码安装的话，可以把服务修改成相对应的目录跟用户就可以

下载

[root@gz3_elk_001 /]# cd /usr/local/src[root@gz3_elk_001 /]# wget https://artifacts.elastic.co/downloads/kibana/kibana-7.4.2-x86_64.rpm[root@gz3_elk_001 /]# wget https://artifacts.elastic.co/downloads/logstash/logstash-7.4.2.rpm[root@gz3_elk_001 /]# wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.4.2-x86_64.rpm

安装并设置开机启动服务

[root@gz3_elk_001 /]# cd /usr/local/src[root@gz3_elk_001 /]# rpm -ivh elasticsearch-7.4.2-x86_64.rpm [root@gz3_elk_001 /]# yum -y install logstash-7.4.2.rpm[root@gz3_elk_001 /]# rpm -ivh kibana-7.4.2-x86_64.rpm [root@gz3_elk_001 /]# systemctl enable elasticsearch.service kibana.service logstash.service 

一，配置elasticsearch

生成密钥

[root@gz3_elk_001 /]# cd /usr/share/elasticsearch/bin/[root@gz3_elk_001 /]# ./elasticsearch-certutil cert -out /etc/elasticsearch/elastic-certificates.p12 -pass ""

此处有坑，得修改文件权限

[root@gz3_elk_001 /]# chown elasticsearch:elasticsearch /etc/elasticsearch/elastic-certificates.p12 

修改配置

[root@gz3_elk_001 /]# cp elasticsearch.yml  elasticsearch.ymlback[root@gz3_elk_001 /]# cd /etc/elasticsearch[root@gz3_elk_001 /]# cat elasticsearch.yml|grep -v "#"cluster.name: elknode.name: node-1node.master: truenode.data: truepath.data: /data/elasticsearchpath.logs: /var/log/elasticsearchnetwork.host: 192.168.3.44http.port: 9200discovery.seed_hosts: ["192.168.3.44"]cluster.initial_master_nodes: ["192.168.3.44"]

此处还有一个坑，还得修改权限

 [root@gz3_elk_001 /]# chown elasticsearch:elasticsearch /data/elasticsearch

测试启动

[root@gz3_elk_001 /]# systemctl restart elasticsearch.service[root@gz3_elk_001 /]# systemctl status elasticsearch.service

如果启动出错，到/var/log/elasticsearch/下看日志

以为系统强调安全性，所以需要配置xpack,修改elasticsearch.yml配置，开启xpack

[root@gz3_elk_001 /]# cat /etc/elasticsearch/elasticsearch.yml|grep -v "#"cluster.name: elknode.name: node-1node.master: truenode.data: truepath.data: /data/elasticsearchpath.logs: /var/log/elasticsearchnetwork.host: 192.168.3.44http.port: 9200discovery.seed_hosts: ["192.168.3.44"]cluster.initial_master_nodes: ["192.168.3.44"]xpack.security.enabled: truexpack.security.transport.ssl.enabled: truexpack.security.transport.ssl.verification_mode: certificatexpack.security.transport.ssl.keystore.path: /etc/elasticsearch/elastic-certificates.p12xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/elastic-certificates.p12

重启systemctl restart elasticsearch.service,然后生成默认的密码

[root@gz3_elk_001 /]# cd /usr/share/elasticsearch/bin/[root@gz3_elk_001 /]# ./elasticsearch-setup-passwords autoChanged password for user apm_systemPASSWORD apm_system = hyyhuxxxChanged password for user kibanaPASSWORD kibana = HbwFY0xxxChanged password for user logstash_systemPASSWORD logstash_system = nvrxxxChanged password for user beats_systemPASSWORD beats_system = VvAhnxxxChanged password for user remote_monitoring_userPASSWORD remote_monitoring_user = yGNFRTxxxChanged password for user elasticPASSWORD elastic = czF01xx

记住以上的信息，后期要用

二，配置kibana

[root@gz3_elk_001 /]# cd /etc/kibana/[root@gz3_elk_001 /]# cp kibana.yml kibana.ymlback[root@gz3_elk_001 /]# cat kibana.yml |grep -v "#"|grep -v "^$"server.port: 5601server.host: "192.168.3.44"elasticsearch.hosts: ["http://192.168.3.44:9200"]elasticsearch.username: "kibana"elasticsearch.password: "kOHyFxxxx"i18n.locale: "zh-CN" 

i18n.locale: "zh-CN" 表示用中文版，界面比较友好

三.配置logstash

[root@gz3_elk_001 /]# cd /etc/logstash/[root@gz3_elk_001 /]# cp logstash.yml logstash.ymlback[root@gz3_elk_001 /]# cd /etc/logstash/conf.dcat nginx_access.confinput {  beats {    type => "nginx_access"    port => 5044  }}filter {  if[type] =="nginx_access" {    grok {      match => { "message" => "%{IP:remote_ip} - %{DATA:user_name} \[%{HTTPDATE:time}\] \"%{WORD:method} %{DATA:url} HTTP/%{NUMBER:http_version:float}\" %{NUMBER:response_code:int} %{NUMBER:body_sent:int} \"%{DATA:referrer}\" \"%{DATA:agent}\" \"%{DATA:x_forwarded_for}\"" }    remove_field => "message"  }  date {    match => ["time", "yyyy-MM-dd HH:mm:ss,SSS"]    target => "@timestamp"    }  }}output {  if[type]=="nginx_access"{    elasticsearch {      hosts => ["http://192.168.3.44:9200"]      index => "nginx-access-%{+YYYY.MM.dd}"      user => "elastic"      password => "czF01xx"    }  }}

此处用过logstash_system这个账号密码，但是没成功
只能用最高权限的 elastic账号

验证配置是否正确

[root@gz3_elk_001 /]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/nginx_access.conf -tThread.exclusive is deprecated, use Thread::MutexWARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaultsCould not find log4j2 configuration at path /usr/share/logstash/config/log4j2.properties. Using default config which logs errors to the console[WARN ] 2019-11-27 14:59:29.515 [LogStash::Runner] multilocal - Ignoring the 'pipelines.yml' file because modules or command line options are specified[INFO ] 2019-11-27 14:59:31.841 [LogStash::Runner] Reflections - Reflections took 56 ms to scan 1 urls, producing 20 keys and 40 values Configuration OK[INFO ] 2019-11-27 14:59:32.487 [LogStash::Runner] runner - Using config.test_and_exit mode. Config Validation Result: OK. Exiting Logstash

出现Configuration OK就说明配置Ok

[root@gz3_elk_001 /]# systemctl status logstash.service ● logstash.service - logstash   Loaded: loaded (/etc/systemd/system/logstash.service; enabled; vendor preset: disabled)   Active: active (running) since 三 2019-11-27 16:12:15 CST; 2min 11s ago

主服务器上的配置就配好了，这个时候可以登录kibana
使用elastic这个账号密码登录。