1. 到https://www.elastic.co/cn/products网址下载最新版的elasticsearch、kibana、logstash

2. 搭建java环境jdk1.8

3. 解压elasticsearch、kibana、logstash

sudo tar xvzf elasticsearch-6.1.2.tar.gz

sudo tar zxvf kibana-6.1.2-linux-x86_64.tar.gz

sudo tar xvzf logstash-6.1.2.tar.gz

4. sudo mv ~/elasticsearch-6.1.2 /usr/share/elasticsearch

sudo mv ~/kibana-6.1.2-linux-x86_64/ /usr/share/kibana

sudo mv ~/logstash-6.1.2 /usr/share/logstas

5. 修改/etc/sysctl.conf配置文件

sudo vim /etc/sysctl.conf

最后添加vm.max_map_count=262144

fs.file-max=65536

6. sysctl -p

7. 修改/etc/security/limits.conf配置文件

sudo vim /etc/security/limits.conf

* soft nofile 65536

* hard nofile 65536

8. 若服务器配置低，则需要修改elasticsearch(配置高的不需要修改否则限制es性能)

cd /usr/share/elasticsearch/config/

sudo vim jvm.options

-Xms1g  

-Xmx1g  

修改为

-Xms512m  

-Xmx512m

9. 修改elasticsearch的配置文件

cd /usr/share/elasticsearch/config/

sudo vim elasticsearch.yml

cluster.name: cluster1

node.name: node1

bootstrap.system_call_filter: false

bootstrap.memory_lock: false

network.host: 0.0.0.0

http.port: 9200

以上信息取消注释，若没有则添加

10. 修改kibana的配置文件

cd /usr/share/kibana/config/

sudo vim kibana.yml

server.port: 5601

server.host: "0.0.0.0"

elasticsearch.url: "http://你的ip:9200"

kibana.index: ".kibana"

以上信息取消注释，若没有则添加

11. 修改logstash的配置文件(重点请熟悉配置规则对自己的需求进行修改)

本配置文件日志通过http请求发送给logstash 以端口来对日志类型分类可以自行扩展

cd /usr/share/logstash/

sudo mkdir conf

cd conf

sudo vim logstash.conf(名字可以自定义以.conf结尾)

input {

        tcp{

                host => "localhost"

                mode => "server"

                port => 1337

        }

        http{

                host => "0.0.0.0"

                port => 8080

                additional_codecs => {"application/json" => "json"}

                codec => "plain"

                threads => 4

                ssl => false

                type => "error"

        }

        http{

                host => "0.0.0.0"

                port => 9000

                additional_codecs => {"application/json" => "json"}

                codec => "plain"

                threads => 4

                ssl => false

                type => "info"

        }

}

filter {

        if ([message]== "")

        {

            drop {}

        }

}

output {

        if [type] == "error" {

                elasticsearch {

hosts => [ "你的ip:9200"]

                        index => "logstash-error"

                }

        }

        if [type] == "info" {

                elasticsearch {

hosts => [ "你的ip:9200"]

                        index => "logstash-info"

                }

        }

        stdout{

                codec => rubydebug

         }

}

12. 创建组以及用户

sudo groupadd es

sudo useradd es-g es-p es

13. 把文件所有权给es组下的es用户

sudo chown -R es:es /usr/share/elasticsearch

sudo chown -R es:es /usr/share/kibana

sudo chown -R es:es /usr/share/logstash

14. 切换到es用户下 查看java -version是否为jdk1.8

如果不是则运行source /etc/profile

15. 启动elasticsearch

cd  /usr/share/elasticsearch,执行./bin/elasticsearch &

如果还有报错请查看http://www.bubuko.com/infodetail-2108888.html

16. 在浏览器访问http://你的ip:9200,若显示如下信息说明elasticsearch启动成功

17. 启动kibana

cd  /usr/share/kibana,执行./bin/kibana &

显示如下则成功

18. 启动logstash

cd /usr/share/logstash,执行./bin/logstash -f conf/logstash.conf &

19. 测试(以python为例)

url=”http://你的ip:8080”

url2=”http://你的ip:9000”

20. 浏览器打开http:你的ip:5601 打开kibana界面

系统提示你常见index创建logstash-*

以@tiemstamp为filter

通过时间筛选你的过滤条件可以查看你通过http请求发送到logstash的日志

8080端口对应的index 为logstash-error

9000端口对应的index 为logstash-info

有其他需求可以自行修改logstash.conf配置文件