Lab environment:
redhat6.5 server1 172.25.35.1
redhat6.5 server2 172.25.35.2
redhat6.5 server3 172.25.35.3
Prepare the installation packages:
[root@server1 elk]# ls
bigdesk-master.zip jemalloc-devel-3.6.0-1.el6.x86_64.rpm
elasticsearch-2.3.3.rpm kibana-4.5.1-1.x86_64.rpm
elasticsearch-head-master.zip logstash-2.3.3-1.noarch.rpm
elk日志分析平台.pdf nginx-1.8.0-1.el6.ngx.x86_64.rpm
jemalloc-3.6.0-1.el6.x86_64.rpm redis-3.0.6.tar.gz
Installation:
elasticsearch-2.3.3.rpm and jdk-8u121-linux-x64.rpm (the JDK is needed as a system environment dependency)
[root@server1 elk]# rpm -ivh elasticsearch-2.3.3.rpm
[root@server1 elk]# cd /etc/elasticsearch/
[root@server1 elasticsearch]# vim elasticsearch.yml   # edit the configuration file
cluster.name: my-es
node.name: server1
network.host: 172.25.35.1
#
# Set a custom port for HTTP:
#
http.port: 9200
bootstrap.mlockall: true   # enable memory locking
[root@server1 ~]# rpm -ivh jdk-8u121-linux-x64.rpm
[root@server1 ~]# which java   # check the Java environment
/usr/bin/java
[root@server1 ~]# which javac
/usr/bin/javac
[root@server1 ~]# /etc/init.d/elasticsearch start
[root@server1 elasticsearch]# cd /var/log/elasticsearch/
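[root@server1 elasticsearch]# cat my-es.log   # the log shows an error that includes these two lines:
elasticsearch soft memlock unlimited
elasticsearch hard memlock unlimited
This means memory locking is not in effect.
[root@server1 elasticsearch]# vim /etc/security/limits.conf
Append these two lines to the end of the file and restart the service. Note that the virtual machine's memory must not be less than 1G, otherwise an error is reported.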
[root@server1 elasticsearch]# /etc/init.d/elasticsearch restart
[root@server1 elasticsearch]# netstat -antlp   # check the listening ports
Browser test: 172.25.35.1:9200
[root@server1 elasticsearch]# /usr/share/elasticsearch/bin/plugin install file:/root/elk/elasticsearch-head-master.zip   # install on the master node
[root@server1 elasticsearch]# cd /usr/share/elasticsearch/plugins/
[root@server1 plugins]# cd head/
[root@server1 head]# /usr/share/elasticsearch/bin/plugin list
Installed plugins in /usr/share/elasticsearch/plugins:

[root@server1 head]# vim /etc/elasticsearch/elasticsearch.yml   # add the node settings
node.master: true   # control (master) node
node.data: false

Send the packages jdk-8u121-linux-x64.rpm and elasticsearch-2.3.3.rpm to server2 and server3 and install them.
Configure them the same way as server1. Taking server2 as an example:
node.name: server2
node.master: false
node.data: true
network.host: 172.25.35.2
http.port: 9200
cluster.name: my-es
bootstrap.mlockall: true
Also enable the following in the configuration file on every server:
discovery.zen.ping.unicast.hosts: ["server1", "server2","server3"]
This joins the nodes into the cluster.
[root@server1 head]# /etc/init.d/elasticsearch reload   # restart the service
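
The elasticsearch.yml and limits.conf settings above can be checked on each node before the service is started. The script below is an added example, not part of the original notes; the function names yml_get, memlock_ok and preflight are hypothetical, the sample files are constructed, and it assumes no security plugin is installed, as on this page.

```bash
#!/bin/bash
# Added example (not from the original notes): preflight check for one node.

# Print the value of a top-level "key: value" line, trailing comment removed.
yml_get() {
    awk -v k="$1:" 'index($0, k) == 1 {
        v = substr($0, length(k) + 1); sub(/[ \t]*#.*$/, "", v)
        gsub(/^[ \t]+|[ \t]+$/, "", v); r = v }
        END { print r }' "$2"
}

# Succeed only if limits.conf gives the user unlimited memlock, soft and hard
# (a "-" type entry covers both).
memlock_ok() {
    local t
    for t in soft hard; do
        awk -v u="$1" -v t="$t" '$1 == u && ($2 == t || $2 == "-") &&
            $3 == "memlock" && $4 == "unlimited" { ok = 1 }
            END { exit !ok }' "$2" || return 1
    done
}

# preflight <elasticsearch.yml> <limits.conf>
# Print one finding per line; return non-zero if there is any finding.
preflight() {
    local yml=$1 limits=$2 n=0 host
    if [ "$(yml_get bootstrap.mlockall "$yml")" = "true" ] &&
       ! memlock_ok elasticsearch "$limits"; then
        echo "FAIL memlock: bootstrap.mlockall is true but limits.conf lacks memlock unlimited"
        n=$((n + 1))
    fi
    host=$(yml_get network.host "$yml")
    case "$host" in
        ""|localhost|127.*) ;;   # default or loopback only
        *)  # Assumption: no security plugin, so HTTP is unauthenticated.
            echo "WARN http: port $(yml_get http.port "$yml") on $host is unauthenticated, restrict it with a firewall"
            n=$((n + 1))
            if [ -z "$(yml_get discovery.zen.ping.unicast.hosts "$yml")" ]; then
                echo "WARN discovery: unicast hosts not set, node will not find its peers"
                n=$((n + 1))
            fi ;;
    esac
    [ "$n" -eq 0 ]
}

# Constructed sample input: server1 settings from this page, limits not yet set.
demo=$(mktemp -d)
printf '%s\n' 'cluster.name: my-es' 'network.host: 172.25.35.1' 'http.port: 9200' \
    'bootstrap.mlockall: true   # enable memory locking' > "$demo/es.yml"
: > "$demo/limits.conf"
preflight "$demo/es.yml" "$demo/limits.conf" || true; rm -rf "$demo"
```

On a real node, call preflight with /etc/elasticsearch/elasticsearch.yml and /etc/security/limits.conf.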

[root@server1 head]# rpm -ivh logstash-2.3.3-1.noarch.rpm
[root@server1 head]# cd /opt/logstash/
[root@server1 logstash]# cd /opt/logstash/
[root@server1 logstash]# cd bin/
[root@server1 bin]# ls
[root@server1 bin]# ./logstash -e 'input {stdin { } } output { stdout {} }'
[root@server1 bin]# ./logstash -e 'input {stdin { } } output { elasticsearch {hosts => ["172.25.35.1"] index => "logstash-%{+YYYY.MM.dd}" }}'
[root@server1 bin]# ./logstash -e 'input {stdin { } } output { elasticsearch {hosts => ["172.25.35.1"] index => "logstash-%{+YYYY.MM.dd}" } stdout {codec => rubydebug} }'   # add a few entries interactively and look at the result
[root@server1 bin]# cd /etc/logstash/
[root@server1 logstash]# cd conf.d/   # create a configuration file whose name ends in conf
[root@server1 conf.d]# vim es.conf
input {
    stdin {}
}

output {
    elasticsearch {
        hosts => ["172.25.35.1"]
        index => "index-%{+YYYY.MM.dd}"
    }
    stdout {
        codec => rubydebug
    }
}
[root@server1 conf.d]# /opt/logstash/bin/logstash -f /etc/logstash/conf.d/es.conf   # run it, then verify in the browser