68 - Log analysis system ELK: Elasticsearch single-node deployment and configuration tuning


Elasticsearch single-node installation and tuning

  • Environment preparation before installation
CPU: 2 cores
Memory: 4G or more
Operating system: Ubuntu 20.04, Ubuntu 18.04, Rocky 8.X, CentOS 7.X
OS disk: 50G
Hostname convention: nodeX.mooreyxia.org
*In production, provide a separate data disk

[root@ubuntu2204 ~]#hostnamectl set-hostname es-node1.mooreyxia.org
  • Disable the firewall and SELinux
#On RHEL-family systems run the following. This is a lab shortcut: in production keep the host firewall and open 9200/9300 only to the hosts that need them (Kibana, Logstash, the other nodes)
[root@es-node1 ~]# systemctl disable firewalld
[root@es-node1 ~]# systemctl disable NetworkManager
[root@es-node1 ~]# sed -i /SELINUX/s/enforcing/disabled/ /etc/selinux/config
[root@es-node1 ~]# reboot
  • Configure local name resolution on every server
[root@es-node1 ~]#cat /etc/hosts
...

192.168.11.200 es-node1.mooreyxia.org
  • Tune resource limits
  • The kernel parameter vm.max_map_count caps the number of memory-map areas (mmap regions) one process may own. Elasticsearch's bootstrap check requires at least 262144; with the default 65530 the node refuses to start in production mode
  • The deb/rpm package raises this automatically at install time, the manual steps below are for other installation methods or for verification
#Show the default
[root@es-node1 ~]#sysctl -a |grep vm.max_map_count
vm.max_map_count = 65530
#Change it
[root@es-node1 ~]#echo "vm.max_map_count = 262144" >> /etc/sysctl.conf
[root@es-node1 ~]#sysctl -p
vm.max_map_count = 262144
#Raise the system-wide maximum number of open file descriptors; old Ubuntu releases shipped a small value, recent releases are already large enough
#Old releases
[root@es-node1 ~]#echo "fs.file-max = 1000000" >> /etc/sysctl.conf
[root@es-node1 ~]#sysctl -p
#Recent releases: already large enough, no change needed
[root@es-node1 ~]#sysctl fs.file-max
fs.file-max = 9223372036854775807
  • PAM resource limits (general). Note that these apply to login sessions only: systemd services never read /etc/security/limits.conf, the unit's own Limit* lines (LimitNOFILE, LimitNPROC, ... in elasticsearch.service, shown below) are what the Elasticsearch process gets
[root@es-node1 ~]#vim /etc/security/limits.conf
* soft core unlimited
* hard core unlimited
* soft nproc 1000000 --raise the maximum number of processes
* hard nproc 1000000
* soft nofile 1000000 --raise the maximum number of open files
* hard nofile 1000000
* soft memlock 32000 --raise the locked-memory limit (bootstrap.memory_lock: true needs unlimited, and for the service that means LimitMEMLOCK=infinity in a systemd override)
* hard memlock 32000
* soft msgqueue 8192000 --raise the POSIX message queue limit
* hard msgqueue 8192000
  • Install the Java environment (Elasticsearch packages come with and without a bundled JDK)
  • 1.x, 2.x, 5.x and 6.x packages do not bundle a JDK, so Java has to be installed separately
  • 7.x and later ship both a bundled-JDK package and a no-JDK package; the bundled-JDK package needs no separate Java installation, the no-JDK package still does
#Official JVM support matrix
https://www.elastic.co/cn/support/matrix#matrix_jvm

#Pick the JDK according to the Elasticsearch version
#Package install: apt install openjdk-<version>-jdk
#Binary install with custom environment variables
[root@es-node1 ~]# tar xvf jdk-8u121-linux-x64.tar.gz -C /usr/local/
[root@es-node1 ~]# ln -sv /usr/local/jdk1.8.0_121 /usr/local/jdk
[root@es-node1 ~]# ln -sv /usr/local/jdk/bin/java /usr/bin/
[root@es-node1 ~]# vim /etc/profile
export HISTTIMEFORMAT="%F %T `whoami` "
export JAVA_HOME=/usr/local/jdk
export CLASSPATH=.:$JAVA_HOME/jre/lib/rt.jar:$JAVA_HOME/lib/dt.jar:$JAVA_HOME/lib/tools.jar
export PATH=$PATH:$JAVA_HOME/bin
[root@es-node1 ~]# source /etc/profile
[root@es-node1 ~]# java -version
java version "1.8.0_121" #confirm the installed Java version is reported
Java(TM) SE Runtime Environment (build 1.8.0_121-b13)
Java HotSpot(TM) 64-Bit Server VM (build 25.121-b13, mixed mode)
  • Install Elasticsearch from a package
#Downloads with bundled JDK
https://www.elastic.co/downloads/elasticsearch
https://mirrors.tuna.tsinghua.edu.cn/elasticstack/
#Downloads without JDK
https://www.elastic.co/cn/downloads/elasticsearch-no-jdk

#The bundled-JDK package is used here. When pulling from a mirror, compare the package against the .sha512 checksum Elastic publishes for the release before running dpkg -i
[root@es-node1 ~]#wget https://mirrors.tuna.tsinghua.edu.cn/elasticstack/8.x/apt/pool/main/e/elasticsearch/elasticsearch-8.6.1-amd64.deb;dpkg -i elasticsearch-8.6.1-amd64.deb
--2023-02-23 14:03:15-- https://mirrors.tuna.tsinghua.edu.cn/elasticstack/8.x/apt/pool/main/e/elasticsearch/elasticsearch-8.6.1-amd64.deb
Resolving mirrors.tuna.tsinghua.edu.cn (mirrors.tuna.tsinghua.edu.cn)... 2402:f000:1:400::2, 101.6.15.130
Connecting to mirrors.tuna.tsinghua.edu.cn (mirrors.tuna.tsinghua.edu.cn)|2402:f000:1:400::2|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 581827662 (555M) [application/octet-stream]
Saving to: ‘elasticsearch-8.6.1-amd64.deb’

elasticsearch-8.6.1-amd64.deb 100%[=================================================================================================>] 554.87M 66.3MB/s in 8.7s

2023-02-23 14:03:24 (63.7 MB/s) - ‘elasticsearch-8.6.1-amd64.deb’ saved [581827662/581827662]

Selecting previously unselected package elasticsearch.
(Reading database ... 70905 files and directories currently installed.)
Preparing to unpack elasticsearch-8.6.1-amd64.deb ...
Creating elasticsearch group... OK
Creating elasticsearch user... OK
Unpacking elasticsearch (8.6.1) ...
Setting up elasticsearch (8.6.1) ...
--------------------------- Security autoconfiguration information ------------------------------

Authentication and authorization are enabled.
TLS for the transport and HTTP layers is enabled and configured.

The generated password for the elastic built-in superuser is : FyYEor0UlIk4=oKH1ndN #auto-generated password for the built-in elastic superuser; it is printed only once, record it securely (it can be reset with the command below)

If this node should join an existing cluster, you can reconfigure this with
/usr/share/elasticsearch/bin/elasticsearch-reconfigure-node --enrollment-token <token-here>
after creating an enrollment token on your existing cluster. #this is how a node joins an existing cluster

You can complete the following actions at any time:

Reset the password of the elastic built-in superuser with
/usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic. #reset the elastic password

Generate an enrollment token for Kibana instances with
/usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana. #generate an enrollment token for Kibana

Generate an enrollment token for Elasticsearch nodes with
/usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s node. #generate an enrollment token for additional Elasticsearch nodes

-------------------------------------------------------------------------------------------------
### NOT starting on installation, please execute the following statements to configure elasticsearch service to start automatically using systemd
sudo systemctl daemon-reload
sudo systemctl enable elasticsearch.service
### You can start elasticsearch service by executing
sudo systemctl start elasticsearch.service

#After installation, check the service state
[root@es-node1 ~]#systemctl status elasticsearch.service
○ elasticsearch.service - Elasticsearch
Loaded: loaded (/lib/systemd/system/elasticsearch.service; disabled; vendor preset: enabled)
Active: inactive (dead)
Docs: https://www.elastic.co
[root@es-node1 ~]#cat /lib/systemd/system/elasticsearch.service
[Unit]
Description=Elasticsearch
Documentation=https://www.elastic.co
Wants=network-online.target
After=network-online.target

[Service]
Type=notify
# the elasticsearch process currently sends the notifications back to systemd
# and for some reason exec does not work (even though it is a child). We should change
# this notify access back to main (the default), see https://github.com/elastic/elasticsearch/issues/86475
NotifyAccess=all
RuntimeDirectory=elasticsearch
PrivateTmp=true
Environment=ES_HOME=/usr/share/elasticsearch
Environment=ES_PATH_CONF=/etc/elasticsearch
Environment=PID_DIR=/var/run/elasticsearch
Environment=ES_SD_NOTIFY=true
EnvironmentFile=-/etc/default/elasticsearch

WorkingDirectory=/usr/share/elasticsearch

User=elasticsearch
Group=elasticsearch

ExecStart=/usr/share/elasticsearch/bin/systemd-entrypoint -p $PID_DIR/elasticsearch.pid --quiet #a wrapper script, inspected below

# StandardOutput is configured to redirect to journalctl since
# some error messages may be logged in standard output before
# elasticsearch logging system is initialized. Elasticsearch
# stores its logs in /var/log/elasticsearch and does not use
# journalctl by default. If you also want to enable journalctl
# logging, you can simply remove the "quiet" option from ExecStart.
StandardOutput=journal
StandardError=inherit

# Specifies the maximum file descriptor number that can be opened by this process
LimitNOFILE=65535

# Specifies the maximum number of processes
LimitNPROC=4096

# Specifies the maximum size of virtual memory
LimitAS=infinity

# Specifies the maximum file size
LimitFSIZE=infinity

# Disable timeout logic and wait until process is stopped
TimeoutStopSec=0

# SIGTERM signal is used to stop the Java process
KillSignal=SIGTERM

# Send the signal only to the JVM rather than its control group
KillMode=process

# Java process is never killed
SendSIGKILL=no

# When a JVM receives a SIGTERM signal it exits with code 143
SuccessExitStatus=143

# Allow a slow startup before the systemd notifier module kicks in to extend the timeout
TimeoutStartSec=75

[Install]
WantedBy=multi-user.target

# Built for packages-8.6.1 (packages)

#Inspect the start-up script referenced by the unit
[root@es-node1 ~]#file /usr/share/elasticsearch/bin/systemd-entrypoint
/usr/share/elasticsearch/bin/systemd-entrypoint: POSIX shell script, ASCII text executable
[root@es-node1 ~]#cat /usr/share/elasticsearch/bin/systemd-entrypoint
#!/bin/sh

# This wrapper script allows SystemD to feed a file containing a passphrase into
# the main Elasticsearch startup script

if [ -n "$ES_KEYSTORE_PASSPHRASE_FILE" ] ; then
#This wraps the main elasticsearch launcher, inspected next
exec /usr/share/elasticsearch/bin/elasticsearch "$@" < "$ES_KEYSTORE_PASSPHRASE_FILE"
else
exec /usr/share/elasticsearch/bin/elasticsearch "$@"
fi

#Inspect the elasticsearch launcher
[root@es-node1 ~]#file /usr/share/elasticsearch/bin/elasticsearch
/usr/share/elasticsearch/bin/elasticsearch: Bourne-Again shell script, ASCII text executable
[root@es-node1 ~]#cat /usr/share/elasticsearch/bin/elasticsearch
#!/bin/bash

CLI_NAME=server
CLI_LIBS=lib/tools/server-cli
source "`dirname "$0"`"/elasticsearch-cli
  • Start the Elasticsearch service
[root@es-node1 ~]#systemctl enable --now elasticsearch.service
Created symlink /etc/systemd/system/multi-user.target.wants/elasticsearch.service → /lib/systemd/system/elasticsearch.service.
[root@es-node1 ~]#systemctl status elasticsearch.service
● elasticsearch.service - Elasticsearch
Loaded: loaded (/lib/systemd/system/elasticsearch.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2023-02-23 14:16:21 UTC; 36s ago
Docs: https://www.elastic.co
Main PID: 1326 (java)
Tasks: 86 (limit: 4575)
Memory: 2.4G
CPU: 55.897s
CGroup: /system.slice/elasticsearch.service
├─1326 /usr/share/elasticsearch/jdk/bin/java -Xms4m -Xmx64m -XX:+UseSerialGC -Dcli.name=server -Dcli.script=/usr/share/elasticsearch/bin/elasticsearch -Dcli.libs=lib/tools/server-cli -Des.path.home=/usr/share/elasticsearch -Des.path.conf=/etc/elasticsearch -Des.distribution.type=deb -cp "/usr/share/elasticsearch/lib/*:/usr/share/elasticsearch/lib/cli-launcher/*" org.elasticsearch.launcher.CliToolLauncher -p /var/run/elasticsearch/elasticsearch.pid --quiet
├─1651 /usr/share/elasticsearch/jdk/bin/java -Des.networkaddress.cache.ttl=60 -Des.networkaddress.cache.negative.ttl=10 -Djava.security.manager=allow -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Dlog4j2.formatMsgNoLookups=true -Djava.locale.providers=SPI,COMPAT --add-opens=java.base/java.io=ALL-UNNAMED -XX:+UseG1GC -Djava.io.tmpdir=/tmp/elasticsearch-17157946413569632496 -XX:+HeapDumpOnOutOfMemoryError -XX:+ExitOnOutOfMemoryError -XX:HeapDumpPath=/var/lib/elasticsearch -XX:ErrorFile=/var/log/elasticsearch/hs_err_pid%p.log "-Xlog:gc*,gc+age=trace,safepoint:file=/var/log/elasticsearch/gc.log:utctime,pid,tags:filecount=32,filesize=64m" -Xms1961m -Xmx1961m -XX:MaxDirectMemorySize=1028653056 -XX:G1HeapRegionSize=4m -XX:InitiatingHeapOccupancyPercent=30 -XX:G1ReservePercent=15 -Des.distribution.type=deb --module-path /usr/share/elasticsearch/lib --add-modules=jdk.net -m org.elasticsearch.server/org.elasticsearch.bootstrap.Elasticsearch
└─1692 /usr/share/elasticsearch/modules/x-pack-ml/platform/linux-x86_64/bin/controller

Feb 23 14:15:56 es-node1.mooreyxia.org systemd[1]: Starting Elasticsearch...
Feb 23 14:16:21 es-node1.mooreyxia.org systemd[1]: Started Elasticsearch.

#The status output shows 2.4G of memory in use (the package sized the heap to roughly half of RAM, -Xms1961m -Xmx1961m)
[root@es-node1 ~]#free -h
total used free shared buff/cache available
Mem: 3.8Gi 2.5Gi 141Mi 0.0Ki 1.2Gi 1.1Gi
Swap: 1.9Gi 0.0Ki 1.9Gi
#Ports 9200 and 9300 are listening: 9200 is the HTTP (REST) API and is bound to all addresses, 9300 is the node-to-node transport and is bound to loopback only because transport.host is not set
[root@es-node1 ~]#ss -ntl|grep 9200;ss -ntl|grep 9300;
LISTEN 0 4096 *:9200 *:*
LISTEN 0 4096 [::ffff:127.0.0.1]:9300 *:*
LISTEN 0 4096 [::1]:9300 [::]:*
#Check the bundled Java version - it is recent
[root@es-node1 ~]#ps aux|grep java
elastic+ 1326 0.9 2.4 2599692 100292 ? Ssl 14:15 0:03 /usr/share/elasticsearch/jdk/bin/java -Xms4m -Xmx64m -XX:+UseSerialGC -Dcli.name=server -Dcli.script=/usr/share/elasticsearch/bin/elasticsearch -Dcli.libs=lib/tools/server-cli -Des.path.home=/usr/share/elasticsearch -Des.path.conf=/etc/elasticsearch -Des.distribution.type=deb -cp /usr/share/elasticsearch/lib/*:/usr/share/elasticsearch/lib/cli-launcher/* org.elasticsearch.launcher.CliToolLauncher -p /var/run/elasticsearch/elasticsearch.pid --quiet
elastic+ 1651 13.6 60.0 4802620 2411668 ? Sl 14:15 0:55 /usr/share/elasticsearch/jdk/bin/java -Des.networkaddress.cache.ttl=60 -Des.networkaddress.cache.negative.ttl=10 -Djava.security.manager=allow -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Dlog4j2.formatMsgNoLookups=true -Djava.locale.providers=SPI,COMPAT --add-opens=java.base/java.io=ALL-UNNAMED -XX:+UseG1GC -Djava.io.tmpdir=/tmp/elasticsearch-17157946413569632496 -XX:+HeapDumpOnOutOfMemoryError -XX:+ExitOnOutOfMemoryError -XX:HeapDumpPath=/var/lib/elasticsearch -XX:ErrorFile=/var/log/elasticsearch/hs_err_pid%p.log -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/elasticsearch/gc.log:utctime,pid,tags:filecount=32,filesize=64m -Xms1961m -Xmx1961m -XX:MaxDirectMemorySize=1028653056 -XX:G1HeapRegionSize=4m -XX:InitiatingHeapOccupancyPercent=30 -XX:G1ReservePercent=15 -Des.distribution.type=deb --module-path /usr/share/elasticsearch/lib --add-modules=jdk.net -m org.elasticsearch.server/org.elasticsearch.bootstrap.Elasticsearch
root 1767 0.0 0.0 4020 1952 pts/0 S+ 14:22 0:00 grep --color=auto java
[root@es-node1 ~]#/usr/share/elasticsearch/jdk/bin/java -version
openjdk version "19.0.1" 2022-10-18
OpenJDK Runtime Environment (build 19.0.1+10-21)
OpenJDK 64-Bit Server VM (build 19.0.1+10-21, mixed mode, sharing)
  • Lower the bundled JVM's heap for a test environment and change the single-node settings
[root@es-node1 ~]#dpkg -L elasticsearch|grep etc
/etc
/etc/elasticsearch
/etc/elasticsearch/elasticsearch-plugins.example.yml
/etc/elasticsearch/elasticsearch.yml
/etc/elasticsearch/jvm.options #controls the JVM heap size; lower it if the host has little memory
/etc/elasticsearch/role_mapping.yml
/etc/elasticsearch/roles.yml
/etc/elasticsearch/users
/etc/elasticsearch/users_roles
/etc/elasticsearch/log4j2.properties
/etc/default
/etc/default/elasticsearch
/etc/elasticsearch/jvm.options.d

#Lower the JVM heap for a test environment - not recommended in production, where the rule is half of RAM and no more than about 26 GB. Editing jvm.options directly works, but the supported place for custom -Xms/-Xmx is a file under /etc/elasticsearch/jvm.options.d/, which package upgrades leave alone
[root@es-node1 ~]#vim /etc/elasticsearch/jvm.options
[root@es-node1 ~]#cat /etc/elasticsearch/jvm.options|grep Xm
## -Xms4g
## -Xmx4g
-Xms256m
-Xmx256m
[root@es-node1 ~]#systemctl restart elasticsearch
[root@es-node1 ~]#free -h
total used free shared buff/cache available
Mem: 3.8Gi 733Mi 1.9Gi 0.0Ki 1.2Gi 2.9Gi
Swap: 1.9Gi 0.0Ki 1.9Gi
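The resource-limit, systemd and heap changes above are all done by hand-editing packaged files. The script below is an added example, not from the original post: it renders the same tuning as drop-in files that survive package upgrades, a sysctl.d fragment for vm.max_map_count, a systemd override carrying the Limit* values (the only place memlock can be raised for the service, since it never reads /etc/security/limits.conf), and a jvm.options.d file with the heap sized to half of RAM and capped at 26 GiB, the figure Elastic documents as safe for compressed object pointers. The file names, the prefix argument and the cap are my choices; the setting keys are the real sysctl, systemd and JVM ones.

```shell
#!/bin/sh
# Added example (not from the original post): render the host tuning from the
# sections above as drop-in files under PREFIX instead of editing packaged files.
#   PREFIX/etc/sysctl.d/90-elasticsearch.conf                        vm.max_map_count
#   PREFIX/etc/systemd/system/elasticsearch.service.d/override.conf  Limit* for the unit
#   PREFIX/etc/elasticsearch/jvm.options.d/heap.options              -Xms / -Xmx
# File names and the PREFIX argument are my own conventions (hypothetical).
set -u

# Heap in MB for a host with TOTAL_MB of RAM: half of RAM, capped at 26 GiB so
# the JVM keeps compressed object pointers (Elastic's "safe on most systems" value).
es_heap_mb() {
  heap=$(( $1 / 2 ))
  cap_mb=26624
  if [ "$heap" -gt "$cap_mb" ]; then heap=$cap_mb; fi
  echo "$heap"
}

# Write the three drop-ins under PREFIX ($1) for a host with TOTAL_MB ($2) of RAM.
es_render_tuning() {
  prefix="${1%/}"
  heap="$(es_heap_mb "$2")"
  mkdir -p "$prefix/etc/sysctl.d" \
           "$prefix/etc/systemd/system/elasticsearch.service.d" \
           "$prefix/etc/elasticsearch/jvm.options.d"

  # Bootstrap check "max virtual memory areas vm.max_map_count" needs at least 262144.
  printf 'vm.max_map_count = 262144\n' > "$prefix/etc/sysctl.d/90-elasticsearch.conf"

  # systemd ignores /etc/security/limits.conf; the unit's Limit* lines are what applies.
  # LimitMEMLOCK=infinity is the prerequisite for bootstrap.memory_lock: true.
  cat > "$prefix/etc/systemd/system/elasticsearch.service.d/override.conf" <<'EOF'
[Service]
LimitMEMLOCK=infinity
LimitNOFILE=65535
LimitNPROC=4096
EOF

  # Heap lives in jvm.options.d so upgrades never touch it; Xms must equal Xmx.
  printf '%s\n%s\n' "-Xms${heap}m" "-Xmx${heap}m" \
    > "$prefix/etc/elasticsearch/jvm.options.d/heap.options"
}

# Verify a rendered tree carries the expected values; returns 0 when all are present.
es_check_tuning() {
  prefix="${1%/}"
  grep -qx 'vm.max_map_count = 262144' "$prefix/etc/sysctl.d/90-elasticsearch.conf" &&
  grep -qx 'LimitMEMLOCK=infinity' "$prefix/etc/systemd/system/elasticsearch.service.d/override.conf" &&
  grep -qE '^-Xmx[0-9]+m$' "$prefix/etc/elasticsearch/jvm.options.d/heap.options"
}

# Stand-alone demo: render into a scratch directory for the 4 GB lab host above
# (3800 MB total as reported by free -h). On a real host pass "/" and the MemTotal value:
#   es_render_tuning / "$(awk '/MemTotal/{print int($2/1024)}' /proc/meminfo)"
demo="$(mktemp -d)"
es_render_tuning "$demo" 3800
if es_check_tuning "$demo"; then
  echo "rendered under $demo (heap $(es_heap_mb 3800)m):"
  find "$demo/etc" -type f -exec sh -c 'echo "== $1"; cat "$1"' _ {} \;
fi
```

After rendering with prefix / on the target host, apply it with `sysctl --system`, `systemctl daemon-reload` and a restart of elasticsearch. For the 4 GB lab host this gives -Xms1900m/-Xmx1900m, essentially what the package itself chose (1961m) before the hand edit to 256m, and `es_check_tuning` is the kind of post-condition a configuration-management run should assert before restarting the service.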

#Change the single-node settings
#Defaults written by the installer
[root@es-node1 ~]#grep -Ev "#|^$" /etc/elasticsearch/elasticsearch.yml
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
xpack.security.enabled: true
xpack.security.enrollment.enabled: true
xpack.security.http.ssl:
enabled: true
keystore.path: certs/http.p12
xpack.security.transport.ssl:
enabled: true
verification_mode: certificate
keystore.path: certs/transport.p12
truststore.path: certs/transport.p12
cluster.initial_master_nodes: ["es-node1.mooreyxia.org"]
http.host: 0.0.0.0

#Change discovery.seed_hosts and node.name. Note that cluster.initial_master_nodes still carries the old default name (the hostname) while node.name is now node-1; this only works because the cluster already bootstrapped on the first start, after which the setting is ignored. On a fresh node, set node.name before the first start and make cluster.initial_master_nodes match it exactly, and remove the setting once the cluster has formed
[root@es-node1 ~]#cat /etc/elasticsearch/elasticsearch.yml|grep node.name
node.name: node-1
[root@es-node1 ~]#cat /etc/elasticsearch/elasticsearch.yml|grep discovery.seed_hosts
discovery.seed_hosts: ["192.168.11.200"]
[root@es-node1 ~]#systemctl restart elasticsearch
[root@es-node1 ~]#grep -Ev "#|^$" /etc/elasticsearch/elasticsearch.yml
node.name: node-1
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
discovery.seed_hosts: ["192.168.11.200"]
xpack.security.enabled: true
xpack.security.enrollment.enabled: true
xpack.security.http.ssl:
enabled: true
keystore.path: certs/http.p12
xpack.security.transport.ssl:
enabled: true
verification_mode: certificate
keystore.path: certs/transport.p12
truststore.path: certs/transport.p12
cluster.initial_master_nodes: ["es-node1.mooreyxia.org"]
http.host: 0.0.0.0
  • Elasticsearch configuration file walkthrough
[root@es-node1 ~]#cat /etc/elasticsearch/elasticsearch.yml
# ======================== Elasticsearch Configuration =========================
#
# NOTE: Elasticsearch comes with reasonable defaults for most settings.
# Before you set out to tweak and tune the configuration, make sure you
# understand what are you trying to accomplish and the consequences.
#
# The primary way of configuring a node is via this file. This template lists
# the most important settings you may want to configure for a production cluster.
#
# Please consult the documentation for further information on configuration options:
# https://www.elastic.co/guide/en/elasticsearch/reference/index.html
#
# ---------------------------------- Cluster -----------------------------------
#
# Use a descriptive name for your cluster:
#
#cluster.name: my-application
#
# ------------------------------------ Node ------------------------------------
#
# Use a descriptive name for the node:
#
#node.name: node-1
#
# Add custom attributes to the node:
#
#node.attr.rack: r1
#
# ----------------------------------- Paths ------------------------------------
#
# Path to directory where to store the data (separate multiple locations by comma):
#
path.data: /var/lib/elasticsearch
#
# Path to log files:
#
path.logs: /var/log/elasticsearch
#
# ----------------------------------- Memory -----------------------------------
#
# Lock the memory on startup:
#
#bootstrap.memory_lock: true
#
# Make sure that the heap size is set to about half the memory available
# on the system and that the owner of the process is allowed to use this
# limit.
#
# Elasticsearch performs poorly when the system is swapping the memory.
#
# ---------------------------------- Network -----------------------------------
#
# By default Elasticsearch is only accessible on localhost. Set a different
# address here to expose this node on the network:
#
#network.host: 192.168.0.1
#
# By default Elasticsearch listens for HTTP traffic on the first free port it
# finds starting at 9200. Set a specific HTTP port here:
#
#http.port: 9200
#
# For more information, consult the network module documentation.
#
# --------------------------------- Discovery ----------------------------------
#
# Pass an initial list of hosts to perform discovery when this node is started:
# The default list of hosts is ["127.0.0.1", "[::1]"]
#
#discovery.seed_hosts: ["host1", "host2"]
#
# Bootstrap the cluster using an initial set of master-eligible nodes:
#
#cluster.initial_master_nodes: ["node-1", "node-2"]
#
# For more information, consult the discovery and cluster formation module documentation.
#
# --------------------------------- Readiness ----------------------------------
#
# Enable an unauthenticated TCP readiness endpoint on localhost
#
#readiness.port: 9399
#
# ---------------------------------- Various -----------------------------------
#
# Allow wildcard deletion of indices:
#
#action.destructive_requires_name: false

#----------------------- BEGIN SECURITY AUTO CONFIGURATION -----------------------
#
# The following settings, TLS certificates, and keys have been automatically
# generated to configure Elasticsearch security features on 23-02-2023 14:03:48
#
# --------------------------------------------------------------------------------

# Enable security features
xpack.security.enabled: true

xpack.security.enrollment.enabled: true

# Enable encryption for HTTP API client connections, such as Kibana, Logstash, and Agents
xpack.security.http.ssl:
enabled: true
keystore.path: certs/http.p12

# Enable encryption and mutual authentication between cluster nodes
xpack.security.transport.ssl:
enabled: true
verification_mode: certificate
keystore.path: certs/transport.p12
truststore.path: certs/transport.p12
# Create a new cluster with the current node only
# Additional nodes can still join the cluster later
cluster.initial_master_nodes: ["es-node1.mooreyxia.org"]

# Allow HTTP API connections from anywhere
# Connections are encrypted and require user authentication
http.host: 0.0.0.0

# Allow other nodes to join the cluster from anywhere
# Connections are encrypted and mutually authenticated
#transport.host: 0.0.0.0

#----------------------- END SECURITY AUTO CONFIGURATION -------------------------

#Notes on the main settings
#Cluster name. Not needed for a single node. Every node in one cluster must use the same value; a new node with the same cluster.name that can reach a seed host and (in 8.x) presents a transport certificate the cluster trusts joins it
cluster.name: ELK-Cluster
#Name of this node within the cluster; must be unique per node, defaults to the hostname
node.name: es-node1
#ES data directory; package default: /var/lib/elasticsearch/
path.data: /data/es-data
#ES log directory; package default: /var/log/elasticsearch/
path.logs: /data/es-logs
#Lock the heap in RAM at startup so it is never swapped out. With the default memlock limit the node refuses to start ("memory locking requested for elasticsearch process but memory is not locked"); for the systemd service add LimitMEMLOCK=infinity through systemctl edit elasticsearch, since /etc/security/limits.conf is not consulted for services
bootstrap.memory_lock: true
#Address the node binds to. 0.0.0.0 exposes the REST and transport listeners on every interface and also switches the node into production mode, where the bootstrap checks (heap, max_map_count, file descriptors) become fatal; keep xpack.security enabled whenever this is anything other than loopback
network.host: 0.0.0.0
#HTTP (REST) listen port
http.port: 9200
#Seed list used to discover the other nodes; some or all node addresses may be listed
#When adding a node to an existing cluster, at least one address that is already in the cluster must be listed here
discovery.seed_hosts: ["10.0.0.101","10.0.0.102","10.0.0.103"]
#Master-eligible nodes used to bootstrap a brand-new cluster. Each entry must match the target node's node.name exactly (the IP form below only works on nodes whose node.name is set to that IP). Used only on first formation: leave it out when joining an existing cluster and remove it once the cluster has formed
cluster.initial_master_nodes: ["10.0.0.101","10.0.0.102","10.0.0.103"]
#Do not start recovering indices until this many data nodes have joined. Set it to 1 or comment it out to bring a stuck cluster back quickly. It does not protect against split brain; 7.x and later handle that with the built-in voting quorum
#The old name gateway.recover_after_nodes was removed in 8.0
gateway.recover_after_data_nodes: 2
#Whether deleting or closing indices requires explicit index names. true (the 8.x default) forbids wildcards and _all; keep it true in production to prevent accidental deletion
action.destructive_requires_name: true
#Node roles. The 7.x booleans node.master / node.data were removed in 8.0; list the roles instead. A node without master is never elected, a node without data holds no shards, and an empty list gives a coordinating-only (routing) node
node.roles: [ data, ingest ]
  • After the single-node deployment, the shortcut to get a plain-HTTP answer from port 9200 is to disable authentication (older versions had no authentication at all). Do not do this outside an isolated lab: with xpack.security.enabled: false and http.host: 0.0.0.0 the whole cluster is readable, writable and deletable by anyone who can reach port 9200. The secured listener works with the CA the installer generated and the elastic password printed above: curl --cacert /etc/elasticsearch/certs/http_ca.crt -u elastic https://127.0.0.1:9200/
#Disable authentication (lab only)
[root@es-node1 ~]#cat /etc/elasticsearch/elasticsearch.yml|grep xpack.security.enabled
#xpack.security.enabled: true
xpack.security.enabled: false
[root@es-node1 ~]#systemctl restart elasticsearch

#Query the REST API on port 9200
[root@es-node1 ~]#curl http://127.0.0.1:9200/
{
  "name" : "node-1",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "F8QsLBF5TVKl6tPAt8laRQ",
  "version" : {
    "number" : "8.6.1",
    "build_flavor" : "default",
    "build_type" : "deb",
    "build_hash" : "180c9830da956993e59e2cd70eb32b5e383ea42c",
    "build_date" : "2023-01-24T21:35:11.506992272Z",
    "build_snapshot" : false,
    "lucene_version" : "9.4.2",
    "minimum_wire_compatibility_version" : "7.17.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "You Know, for Search"
}
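Rather than flipping xpack.security.enabled to false to get a readable answer out of port 9200, a practitioner checks what a given elasticsearch.yml actually exposes before the service is restarted. The script below is an added example, not from the original post: a small audit of the top-level settings that matter here (the security switch, the bind address, wildcard deletion), run against two constructed sample files, one reproducing the shortcut above and one matching the installer's secure defaults. The key names and the meaning of the findings are real Elasticsearch semantics; the sample files, function names and message wording are mine.

```shell
#!/bin/sh
# Added example (not from the original post): audit an elasticsearch.yml for the
# combination the lab shortcut produces, security disabled on a listener bound to
# every interface, which is how exposed-Elasticsearch data leaks usually start.
# Only top-level keys are inspected; the two config files below are constructed.
set -u

# Effective value of top-level KEY ($2) in FILE ($1): last uncommented assignment
# wins, trailing comment stripped. Prints nothing if the key is not set.
es_setting() {
  grep -E "^[[:space:]]*$2:" "$1" 2>/dev/null \
    | sed -E 's/[[:space:]]*#.*$//; s/^[^:]*:[[:space:]]*//; s/[[:space:]]+$//' \
    | tail -n 1
}

# Does bind address $1 expose the listener on every interface? Returns 0 if so.
es_is_wildcard_bind() {
  case "$1" in
    0.0.0.0|::|_site_|_global_) return 0 ;;
    *) return 1 ;;
  esac
}

# Audit FILE ($1): prints one FINDING per line and returns the number of findings.
es_audit() {
  file="$1"; n=0
  sec="$(es_setting "$file" xpack.security.enabled)"
  bind="$(es_setting "$file" http.host)"
  if [ -z "$bind" ]; then bind="$(es_setting "$file" network.host)"; fi
  destructive="$(es_setting "$file" action.destructive_requires_name)"

  if [ "$sec" = "false" ]; then
    echo "FINDING: xpack.security.enabled: false - no authentication and no TLS on the REST API"
    n=$((n + 1))
    if es_is_wildcard_bind "$bind"; then
      echo "FINDING: unauthenticated REST API bound to $bind - any host reaching 9200 can read, write and delete indices"
      n=$((n + 1))
    fi
  fi
  if [ "$destructive" = "false" ]; then
    echo "FINDING: action.destructive_requires_name: false - wildcard and _all index deletion allowed"
    n=$((n + 1))
  fi
  return "$n"
}

# Constructed sample configs (not taken from any real host).
SAMPLES="$(mktemp -d)"
INSECURE_CFG="$SAMPLES/insecure.yml"   # the shortcut from the section above
SECURE_CFG="$SAMPLES/secure.yml"       # what the 8.x installer writes
cat > "$INSECURE_CFG" <<'EOF'
node.name: node-1
#xpack.security.enabled: true
xpack.security.enabled: false
http.host: 0.0.0.0
action.destructive_requires_name: false
EOF
cat > "$SECURE_CFG" <<'EOF'
node.name: node-1
xpack.security.enabled: true
xpack.security.enrollment.enabled: true
http.host: 0.0.0.0   # acceptable: connections are encrypted and authenticated
action.destructive_requires_name: true
EOF

for f in "$INSECURE_CFG" "$SECURE_CFG"; do
  echo "== $f"
  rc=0; es_audit "$f" || rc=$?
  echo "$rc finding(s)"
done
```

The second finding is the one that ties the page together: 0.0.0.0 is a perfectly good bind address while security is on (the installer writes exactly that), and turns into an open, writable cluster the moment the first setting is flipped. Nested keys such as xpack.security.http.ssl.enabled are out of reach for this grep-based reader; checking them needs a real YAML parser, which is the next step on a multi-node cluster.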


I'm moore, let's keep at it together!
