ELK日志分析系统实战（一）安装和部署

http://www.iyunv.com/forum.php?mod=viewthread&tid=198268

1.系统概述



2、安装过程

安装java环境

3、获取最新版本

 wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-5.2.1.zip
解压缩

修改配置文件

max number of threads [1024] for user [admin] is too low, increase to at least [2048]

原因：用户允许最大线程数首先

vi bin/elasticsearch

ulimit -u 2048 //仅供测试使用

Warning: Ignoring JAVA_OPTS=…….

Please pass JVM parameters via ES_JAVA_OPTS instead

vi bin/elasticsearch

添加如下配置项：

JAVA_HOME=”/export/servers/jdk1.8.0_60”

JAVA_OPTS=”“

JAVA_OPTS配置为空，是为了不受系统配置的环境变量的影响

can not run elasticsearch as root

不能以root用户启动ES服务器。非要以root用户运行？

配置

-Des.insecure.allow.root=true

对于5.X，在config/jvm.options配置文件中，添加

-Des.insecure.allow.root=true

内存锁定:

解决方法1：配置 config/elasticsearch.yml ，注释掉以下内容

#bootstrap.memory_lock: true

解决方法2：配置：/etc/security/limits.conf,

admin soft memlock unlimited

admin hard memlock unlimited

system call filters failed to install; check the logs and fix your configuration or disable system call filters at your own risk

Your kernel does not support seccomp.

Elasticsearch attempts to utilize seccomp by default (via the setting bootstrap.system_call_filter).

Starting in 5.2.0, if you’re in production mode, bootstrap.system_call_filter is enabled, and initializing seccomp fails, then Elasticsearch will refuse to bootstrap.

You either have to migrate to a kernel that supports seccomp, or disable bootstrap.system_call_filter.

Centos6不支持SecComp，而ES5.2.0默认bootstrap.system_call_filter为true

禁用：在elasticsearch.yml中配置bootstrap.system_call_filter为false，注意要在Memory下面:

bootstrap.memory_lock: false

bootstrap.system_call_filter: false

配置IP和http端口，TCP端口默认在HTTP端口上加100

network.host: 192.168.179.20

http.port: 9201

path.conf is not a recognized option

之前的配置： –path.conf=ESCONF修改为：−Epath.conf={ES_CONF}

unknown setting [path.plugins]

https://www.elastic.co/guide/en/elasticsearch/reference/5.0/breaking_50_plugins.html#_custom_plugins_path

specify a custom plugins path via path.plugins has been removed.

node settings must not contain any index level settings

Since elasticsearch 5.x index level settings can NOT be set on the nodes

configuration like the elasticsearch.yaml, in system properties or command line

arguments.

curl -XPUT ‘http://localhost:9200/_all/_settings?preserve_existing=true’ -d ‘{

“index.number_of_shards” : “3”

}’

curl -XPUT ‘http://localhost:9200/_all/_settings?preserve_existing=true’ -d ‘{

“index.mapper.dynamic” : “false”,

“index.translog.durability” : “async”,

“index.translog.sync_interval” : “30s”

}’

即以index开头的配置删除。

unknown setting [bootstrap.mlockall]

修改为： bootstrap.memory_lock: true

unknown setting [action.disable_delete_all_indices]

新配置：action.destructive_requires_name: true