## **ELK Installation**

:::info
* What is ELK?
* Installing on Linux
:::

### What is ELK?

ELK is a platform for managing logs and event data, made up of **Elasticsearch**, **Logstash** and **Kibana**. Once it is installed on Linux:

=> Use **Logstash** to transform incoming data into the fields you want before it is stored; you can also add fields (latitude/longitude, conditional rules, ...)
=> Use **Elasticsearch**, a distributed search and analytics engine, to store and retrieve large volumes of structured and unstructured data
=> Use **Kibana**, the visualization tool, to view, explore and analyse the data and build charts and dashboards

<br/>

### Installing on Linux

#### :+1: **Switch to the root user and create an ELK folder under /home**

```=
su root        # or: sudo su -l
cd /home
mkdir ELK
cd ELK
```

<br/>

#### :+1: **Download and install everything in one go**

```=
apt-get install wget
```

elasticsearch

```=
wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-8.5.3-amd64.deb
dpkg -i elasticsearch-8.5.3-amd64.deb
```

logstash

```=
wget https://artifacts.elastic.co/downloads/logstash/logstash-8.5.3-amd64.deb
dpkg -i logstash-8.5.3-amd64.deb
```

kibana

```=
wget https://artifacts.elastic.co/downloads/kibana/kibana-8.5.3-amd64.deb
dpkg -i kibana-8.5.3-amd64.deb
```

<br/>

#### :+1: **elasticsearch** load and start

```=
systemctl daemon-reload
systemctl start elasticsearch
```

Edit the elasticsearch config file

```=
vi /etc/elasticsearch/elasticsearch.yml
path.data: /data/es            # change to the data directory you want to use
bootstrap.memory_lock: true    # keep the heap out of swap, for better performance
```

Edit the JVM options file

```=
vi /etc/elasticsearch/jvm.options
-Xms4g
-Xmx4g
# Find these two lines and adjust the size: both values must be the same,
# no more than 50% of the 64G the Elasticsearch host has, so under 31G.
```

Allow the service to lock memory

```=
systemctl edit elasticsearch
# in nano, add:
[Service]
LimitMEMLOCK=infinity
# then Ctrl+X >> Y >> Enter to save
```

To change the account passwords

```=
/usr/share/elasticsearch/bin/elasticsearch-reset-password -i -u elastic
/usr/share/elasticsearch/bin/elasticsearch-reset-password -i -u kibana_system
```

```
Account  : elastic
Password : the password you just set
```

Log in by IP: open your own machine's IP in Google Chrome

```=
https://000.000.00.00:9200/
```

Operations: start, restart, stop, current status, start automatically at boot

```=
systemctl start elasticsearch
systemctl restart elasticsearch
systemctl stop elasticsearch
systemctl status elasticsearch
systemctl enable elasticsearch
```

<br/>

#### :+1: **logstash**

Create the /data/es folder used by path.data

```=
mkdir -p /data/es
```

Give ownership of /data to the elasticsearch user

```=
chown -R elasticsearch. /data
```

Operations: start, restart, stop, current status, start automatically at boot

```=
systemctl start logstash
systemctl restart logstash
systemctl stop logstash
systemctl status logstash
systemctl enable logstash
```

<br/>

#### :+1: **kibana** load and start

```=
wget https://artifacts.elastic.co/downloads/kibana/kibana-8.5.3-amd64.deb
dpkg -i kibana-8.5.3-amd64.deb
```

Edit the kibana config file

```=
vi /etc/kibana/kibana.yml
server.host: "0.0.0.0"    # add at the very top
```

To change the account passwords

```=
sudo /usr/share/elasticsearch/bin/elasticsearch-reset-password -i -u elastic
sudo /usr/share/elasticsearch/bin/elasticsearch-reset-password -i -u kibana_system
```

```
Account  : elastic
Password : the password you just set
```

Log in by IP: open your own machine's IP in Google Chrome

```=
https://000.000.00.00:5601/
```

Get the Kibana enrollment token and verification code. The token is only needed at install time, so the UI can connect to Elasticsearch; it is not needed for later use.

```=
sudo /usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana
# paste the token into https://000.000.00.00:5601/
sudo /usr/share/kibana/bin/kibana-verification-code
# enter the verification code at https://000.000.00.00:5601/
```

Operations: start, restart, stop, current status, start automatically at boot

```=
systemctl start kibana
systemctl restart kibana
systemctl stop kibana
systemctl status kibana
systemctl enable kibana
```

<br/>

#### :+1: **Disable swap**

```=
vi /etc/fstab
# comment out the swap line, like this:
#/dev/mapper/centos-swap swap swap defaults 0 0
swapoff -a
```

<br/>

#### :+1: **PS: if it was shut down and needs restarting**

```=
systemctl daemon-reload
systemctl start elasticsearch
/usr/share/elasticsearch/bin/elasticsearch-reset-password -i -u elastic
/usr/share/elasticsearch/bin/elasticsearch-reset-password -i -u kibana_system
systemctl start kibana
```

If this fails, try deleting the token, obtaining a new one, and restarting.

<br/>

**Project** [ESG Public Information Integration Platform for Counties and Cities (PPT)](https://docs.google.com/presentation/d/16N8TuPlKy23CEiewDIMT6lhfBTDcGFU1kj9tVgXoaZo/edit?usp=sharing)
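As an added example (not part of the original guide), a POSIX shell script that checks the hand-edited settings from the sections above: the heap size in jvm.options, path.data and bootstrap.memory_lock in elasticsearch.yml, the LimitMEMLOCK drop-in, and the swap entry in fstab. The file names and directory layout it expects are assumptions, and the sample configs it writes are constructed for offline testing.

```shell
#!/bin/sh
# Post-install checks for the files this guide edits by hand. Each check takes a
# file path, so it runs against /etc/... on a real host or against the
# constructed samples from write_sample_configs below (assumed file layout).
# jvm.options: -Xms and -Xmx must both be set, equal, and below 31g.
check_jvm_heap() {
  xms=$(sed -n 's/^-Xms\([0-9][0-9]*\)g$/\1/p' "$1" | head -n 1)
  xmx=$(sed -n 's/^-Xmx\([0-9][0-9]*\)g$/\1/p' "$1" | head -n 1)
  [ -n "$xms" ] && [ -n "$xmx" ] || return 1
  [ "$xms" -eq "$xmx" ] && [ "$xmx" -lt 31 ]
}

# elasticsearch.yml: data directory moved to /data/es and heap locked in RAM.
check_es_yml() {
  grep -Eq '^path\.data:[[:space:]]*/data/es[[:space:]]*$' "$1" &&
    grep -Eq '^bootstrap\.memory_lock:[[:space:]]*true[[:space:]]*$' "$1"
}

# systemd drop-in: memory locking is refused unless the unit lifts the limit.
check_memlock_override() {
  grep -Eq '^LimitMEMLOCK=infinity[[:space:]]*$' "$1"
}

# fstab: fail if any non-comment line still mounts a swap device.
check_fstab_no_swap() {
  awk '!/^[[:space:]]*#/ && $3 == "swap" { found = 1 } END { exit found ? 1 : 0 }' "$1"
}

# Run all checks on one directory; prints each failure, returns the failure count.
audit_dir() {
  fails=0
  check_jvm_heap "$1/jvm.options" || { echo "FAIL: -Xms/-Xmx unequal, missing or >= 31g"; fails=$((fails + 1)); }
  check_es_yml "$1/elasticsearch.yml" || { echo "FAIL: path.data or bootstrap.memory_lock"; fails=$((fails + 1)); }
  check_memlock_override "$1/override.conf" || { echo "FAIL: LimitMEMLOCK=infinity missing"; fails=$((fails + 1)); }
  check_fstab_no_swap "$1/fstab" || { echo "FAIL: swap entry still active in fstab"; fails=$((fails + 1)); }
  return "$fails"
}

# Constructed sample configs (not from a real host): "good" follows the guide, "bad" does not.
write_sample_configs() {
  mkdir -p "$1/good" "$1/bad"
  printf '%s\n' '-Xms4g' '-Xmx4g' > "$1/good/jvm.options"
  printf '%s\n' '-Xms4g' '-Xmx32g' > "$1/bad/jvm.options"
  printf '%s\n' 'path.data: /data/es' 'bootstrap.memory_lock: true' > "$1/good/elasticsearch.yml"
  printf '%s\n' 'path.data: /var/lib/elasticsearch' > "$1/bad/elasticsearch.yml"
  printf '%s\n' '[Service]' 'LimitMEMLOCK=infinity' > "$1/good/override.conf"
  printf '%s\n' '[Service]' > "$1/bad/override.conf"
  printf '%s\n' '#/dev/mapper/centos-swap swap swap defaults 0 0' > "$1/good/fstab"
  printf '%s\n' '/dev/mapper/centos-swap swap swap defaults 0 0' > "$1/bad/fstab"
}
```

On a real host, copy /etc/elasticsearch/jvm.options, /etc/elasticsearch/elasticsearch.yml, the drop-in from `systemctl edit elasticsearch` and /etc/fstab into one directory under those names and run `audit_dir` on it.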