# How to install ELK 8.x on ubuntu 22.04

## 1. Install ubuntu server

## 2. Install Java and prepare /etc/environment

- 2.1 `sudo nano /etc/environment`
- 2.2 Modify `JAVA_HOME="/usr/lib/jvm/java-11-openjdk-amd64/"`
- 2.3 `source /etc/environment`

**Check that the setting took effect:**

- 2.4 `echo $JAVA_HOME`

## 3. Install elasticsearch

- 3.1 `curl -fsSL https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elastic.gpg`
- 3.2 `echo "deb [signed-by=/usr/share/keyrings/elastic.gpg] https://artifacts.elastic.co/packages/8.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-8.x.list`
- 3.3 `sudo apt-get update`
- 3.4 `sudo apt-get install elasticsearch`
- 3.5 `sudo systemctl start elasticsearch`
- 3.6 `sudo systemctl enable elasticsearch`
- 3.7 `sudo systemctl status elasticsearch`
- 3.8 `sudo nano /etc/elasticsearch/elasticsearch.yml`

**Only change `network.host: localhost`.** If any external IP should be able to connect to elasticsearch, change this value to `0.0.0.0`.

- 3.9 `sudo systemctl restart elasticsearch`
- 3.10 `sudo systemctl status elasticsearch`
- 3.11 Test that elasticsearch is running: `curl -u elastic --cacert /etc/elasticsearch/certs/http_ca.crt https://127.0.0.1:9200`

**The password of the `elastic` account is generated automatically during installation.**

- 3.12 Uninstall Elasticsearch:
  - `sudo apt-get --purge autoremove elasticsearch`
  - `sudo apt-get remove --purge elasticsearch`
  - `sudo rm -rf /etc/elasticsearch`

## 4. Install Logstash

- 4.1 `sudo apt-get install logstash`
- 4.2 `sudo systemctl start logstash`
- 4.3 `sudo systemctl enable logstash`
- 4.4 `sudo systemctl status logstash`
- 4.5 `sudo nano /etc/logstash/logstash.yml` (modify the logstash settings)
  - 4.5.1 Keep the default values for now.
- 4.6 `sudo nano /etc/logstash/jvm.options` (modify logstash's jvm.options; maximum 4 GB: `-Xms4g` and `-Xmx4g`)
- 4.7 Create `xxxx.conf` (placed in the `conf.d` folder)
  - 4.7.1 Configure how data is received and forwarded (input, filter & output):

```
input {
  tcp { port => 514 tags => ["514"] }
  udp { port => 514 tags => ["514"] }
}
output {
  if "514" in [tags] {
    elasticsearch {
      # Elasticsearch runs on this host, so use its address rather than 0.0.0.0
      hosts => ["https://127.0.0.1:9200"]
      index => "logstash-514-%{+YYYYMMdd}"
      user => "elastic"            # or another account
      password => "xxxxxxxxx"
      ssl => true
      # false turns off verification of the Elasticsearch certificate; trusting the
      # CA from step 3.11 keeps verification on instead:
      #   cacert => "/etc/elasticsearch/certs/http_ca.crt"
      ssl_certificate_verification => false
    }
  }
}
```

## 5. Install Kibana

- 5.1 `sudo apt-get install kibana`
- 5.2 `sudo systemctl start kibana`
- 5.3 `sudo systemctl enable kibana`
- 5.4 `sudo systemctl status kibana`
- 5.5 `sudo nano /etc/kibana/kibana.yml` (modify the kibana settings):
  - `server.port: 5601`
  - `server.host: "0.0.0.0"`
  - `server.publicBaseUrl: "https://your ip:5601"`
  - `server.ssl.enabled: true`
  - `server.ssl.certificate: /etc/kibana/server.crt`
  - `server.ssl.key: /etc/kibana/server.key`

**Generate a self-signed certificate first.** See https://blog.miniasp.com/post/2019/02/25/Creating-Self-signed-Certificate-using-OpenSSL

- 5.6 `sudo systemctl restart kibana`
- 5.7 `sudo systemctl status kibana`
- 5.8 Test kibana
  - 5.8.1 Open `https://your ip_address:5601` (verify through the browser)
- 5.9 `sudo chown -R kibana. /etc/kibana` (fix the kibana file permissions)
- 5.10 Enter the elastic enrollment token.
- 5.11 Enter `elastic` and the password; login succeeds.

Notes:

- `/usr/share/kibana/bin/kibana-verification-code`: command to look up the verification code.
- `/usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic`: command to change the password of the `elastic` account.
- `/usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana`: command to obtain the enrollment token.

## 6. Using ELK

- 6.1 Confirm that data is being received (see 4.7 for the logstash setup)
  - 6.1.1 Log in to ELK > [Management] > [Stack Management] > [Index Management] > check whether an index with the log name appears (e.g. `logstash-514-20230117`; the name follows the `output` setting in logstash.conf).
  - 6.1.2 Once the log index is present, go to [Kibana] > [Data Views] > [Create data view] > [Save data view to Kibana].
    - 6.1.2.1 For Create data view:
      - Name: your own choice.
      - Index pattern: `logstash-514-20230117` (if Index Management shows no log data, the system reports that no matching data exists).
      - Timestamp field: filled in automatically.
  - 6.1.3 [Analytics] > [Discover] > select the created [514] data view and confirm that data is arriving; the setup is then complete.
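The settings this guide edits can be checked after the fact. The script below is an added example, not part of the original guide: it reads elasticsearch.yml, the Logstash pipeline file and kibana.yml and reports which of the settings from steps 3.8, 4.7 and 5.5 widen exposure. The function names and the sample files it creates are my own; on a real host point the functions at the files under /etc/elasticsearch, /etc/logstash/conf.d and /etc/kibana.

```bash
#!/usr/bin/env bash
# Added example (not from the guide): audit the guide's own edits to elasticsearch.yml,
# the Logstash pipeline and kibana.yml. The sample files at the bottom are constructed
# so that the script runs stand-alone.

# yaml_value FILE KEY -> value of the last uncommented "KEY: value" line, quotes stripped.
yaml_value() {
  grep -E "^[[:space:]]*$2:" "$1" | tail -n1 | sed -E "s/^[^:]*:[[:space:]]*//; s/[\"']//g; s/[[:space:]]*\$//"
}

# es_exposure FILE -> "exposed" if network.host binds every interface, "local" if it is
# unset or loopback (the guide's default), otherwise "bound:<value>".
es_exposure() {
  local host
  host=$(yaml_value "$1" 'network\.host')
  case "$host" in
    0.0.0.0|0|::|_global_) echo exposed ;;
    ''|localhost|127.0.0.1|_local_) echo local ;;
    *) echo "bound:$host" ;;
  esac
}

# logstash_verifies_tls FILE -> exit 0 unless the output sets
# ssl_certificate_verification => false (trusting http_ca.crt via cacert avoids that).
logstash_verifies_tls() {
  ! grep -Eq '^[[:space:]]*ssl_certificate_verification[[:space:]]*=>[[:space:]]*false' "$1"
}

# logstash_privileged_ports FILE -> input ports below 1024, space separated. The
# logstash service runs as the unprivileged logstash user, so binding 514 fails unless
# the unit is granted CAP_NET_BIND_SERVICE or the input is moved to a high port.
logstash_privileged_ports() {
  grep -Eo 'port[[:space:]]*=>[[:space:]]*[0-9]+' "$1" | grep -Eo '[0-9]+$' |
    awk '$1 < 1024' | sort -un | tr '\n' ' ' | sed 's/ $//'
}

# kibana_tls_enabled FILE -> exit 0 when server.ssl.enabled: true (step 5.5).
kibana_tls_enabled() { [ "$(yaml_value "$1" 'server\.ssl\.enabled')" = true ]; }

# Constructed samples mirroring the guide's edits (0.0.0.0 as in the note to step 3.8).
SAMPLE_DIR=$(mktemp -d)
ES_YML="$SAMPLE_DIR/elasticsearch.yml"
printf 'cluster.name: demo\n#network.host: 192.168.0.1\nnetwork.host: 0.0.0.0\n' > "$ES_YML"
LS_CONF="$SAMPLE_DIR/514.conf"; cat > "$LS_CONF" <<'EOF'
input { tcp { port => 514 tags => ["514"] } udp { port => 514 tags => ["514"] } }
output { elasticsearch { hosts => ["https://127.0.0.1:9200"] ssl => true
  ssl_certificate_verification => false } }
EOF
KIBANA_YML="$SAMPLE_DIR/kibana.yml"; printf 'server.port: 5601\nserver.ssl.enabled: true\n' > "$KIBANA_YML"
```

Run the functions against the sample paths, for example `es_exposure "$ES_YML"`, to see the findings for each file.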