Disable SELinux (otherwise the mounted directories will run into permission problems)
vim /etc/selinux/config
Save the file and reboot
Check the status with sestatus
1. Pull the Docker images for elasticsearch, logstash and kibana
2. Edit /etc/security/limits.conf and append or modify the following settings:
* soft nofile 65536
* hard nofile 65536
sudo vim /etc/security/limits.conf
Log out and back in for the change to take effect
3. Edit /etc/sysctl.conf and append the following line:
vm.max_map_count=655360
sudo vim /etc/sysctl.conf
Apply it with sudo sysctl -p
4. Create the elk/elasticsearch, elk/logstash and elk/kibana directories, which will hold the mounted configuration files
mkdir elk
cd elk
mkdir elasticsearch logstash kibana
5. Create and start the elasticsearch container
docker run -it \
--name elasticsearch \
--network host \
-e ES_JAVA_OPTS="-Xms1g -Xmx1g" \
-e "discovery.type=single-node" \
-e LANG=C.UTF-8 \
-e LC_ALL=C.UTF-8 \
elasticsearch:8.3.3
Wait a while; once startup completes, a block like the following appears in the log. Save it now, since its values are needed later
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
✅ Elasticsearch security features have been automatically configured!
✅ Authentication is enabled and cluster connections are encrypted.
ℹ️ Password for the elastic user (reset with `bin/elasticsearch-reset-password -u elastic`):
+4TMJBgOpjdgH+1MJ0nC
ℹ️ HTTP CA certificate SHA-256 fingerprint:
9fefcfcb6fc9e80f4ecb7873b0e4d4f524f597a228265bc2dd15d6936a651da8
ℹ️ Configure Kibana to use this cluster:
• Run Kibana and click the configuration link in the terminal when Kibana starts.
• Copy the following enrollment token and paste it into Kibana in your browser (valid for the next 30 minutes):
eyJ2ZXIiOiI4LjMuMyIsImFkciI6WyIxOTIuMTY4LjE4Mi4xMjg6OTIwMCJdLCJmZ3IiOiI5ZmVmY2ZjYjZmYzllODBmNGVjYjc4NzNiMGU0ZDRmNTI0ZjU5N2EyMjgyNjViYzJkZDE1ZDY5MzZhNjUxZGE4Iiwia2V5IjoiUEp5OTM0WUJWX1drWExuREc2Z1c6OGFJVEhwMzJRZDJfWWl5MVRPcmdpQSJ9
ℹ️ Configure other nodes to join this cluster:
• Copy the following enrollment token and start new Elasticsearch nodes with `bin/elasticsearch --enrollment-token <token>` (valid for the next 30 minutes):
eyJ2ZXIiOiI4LjMuMyIsImFkciI6WyIxOTIuMTY4LjE4Mi4xMjg6OTIwMCJdLCJmZ3IiOiI5ZmVmY2ZjYjZmYzllODBmNGVjYjc4NzNiMGU0ZDRmNTI0ZjU5N2EyMjgyNjViYzJkZDE1ZDY5MzZhNjUxZGE4Iiwia2V5IjoiUHB5OTM0WUJWX1drWExuREc2Z3o6X3BZbmQxLUhTMmVPMldDMVFET21tQSJ9
If you're running in Docker, copy the enrollment token and run:
`docker run -e "ENROLLMENT_TOKEN=<token>" docker.elastic.co/elasticsearch/elasticsearch:8.3.3`
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
6. Open another terminal window and log in to the server
Run:
docker cp elasticsearch:/usr/share/elasticsearch/config ~/elk/elasticsearch/
docker cp elasticsearch:/usr/share/elasticsearch/data ~/elk/elasticsearch/
docker cp elasticsearch:/usr/share/elasticsearch/plugins ~/elk/elasticsearch/
docker cp elasticsearch:/usr/share/elasticsearch/logs ~/elk/elasticsearch/
7. Set ownership on the mount directories so that permissions match inside and outside the container; inside the container elasticsearch runs as uid 1000, gid 1000
Stop the elasticsearch container, then run:
chown -R 1000:1000 ~/elk/elasticsearch
8. Create the elasticsearch start script
mkdir ~/elk/elasticsearch/shell/
vim ~/elk/elasticsearch/shell/elasticsearch.sh
Script contents:
#!/bin/sh
docker run -it \
-d \
--name elasticsearch \
--network host \
-e ES_JAVA_OPTS="-Xms1g -Xmx1g" \
-e "discovery.type=single-node" \
-e LANG=C.UTF-8 \
-e LC_ALL=C.UTF-8 \
-v /home/mfw/elk/elasticsearch/config:/usr/share/elasticsearch/config \
-v /home/mfw/elk/elasticsearch/data:/usr/share/elasticsearch/data \
-v /home/mfw/elk/elasticsearch/plugins:/usr/share/elasticsearch/plugins \
-v /home/mfw/elk/elasticsearch/logs:/usr/share/elasticsearch/logs \
elasticsearch:8.3.3
9. Make the elasticsearch start script executable
chmod +x ~/elk/elasticsearch/shell/elasticsearch.sh
10. Modify the elasticsearch configuration
vim ~/elk/elasticsearch/config/elasticsearch.yml
Add the following two lines:
ingest.geoip.downloader.enabled: false # for an intranet/offline environment; stops ES from logging download errors
xpack.monitoring.collection.enabled: true
11. Remove the elasticsearch container created earlier and run the start script
docker rm -f elasticsearch
~/elk/elasticsearch/shell/elasticsearch.sh
12. Verify in a browser
Open https://<ip of the server running elasticsearch>:9200/
https is required;
Enter the username and password (the username is elastic by default; the password is the one printed in step 5: +4TMJBgOpjdgH+1MJ0nC)
Seeing the following information means elasticsearch has started successfully
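As an added example (Python; not code from the original post): decode the Kibana enrollment token printed in step 5, check that the CA fingerprint it carries matches the HTTP CA fingerprint from the same log block, and optionally check it against the http_ca.crt copied out of the container (assumed to end up under ~/elk/elasticsearch/config/certs/ after step 6). The token also embeds an API key (the "key" field), which is why it is a credential that expires after 30 minutes and should not be pasted into shared notes.

```python
import base64
import hashlib
import json
from typing import Optional

# Values copied from the startup log shown in step 5 of this page.
KIBANA_ENROLLMENT_TOKEN = (
    "eyJ2ZXIiOiI4LjMuMyIsImFkciI6WyIxOTIuMTY4LjE4Mi4xMjg6OTIwMCJdLCJmZ3IiOiI5ZmVm"
    "Y2ZjYjZmYzllODBmNGVjYjc4NzNiMGU0ZDRmNTI0ZjU5N2EyMjgyNjViYzJkZDE1ZDY5MzZhNjUx"
    "ZGE4Iiwia2V5IjoiUEp5OTM0WUJWX1drWExuREc2Z1c6OGFJVEhwMzJRZDJfWWl5MVRPcmdpQSJ9"
)
LOGGED_CA_FINGERPRINT = "9fefcfcb6fc9e80f4ecb7873b0e4d4f524f597a228265bc2dd15d6936a651da8"


def decode_enrollment_token(token: str) -> dict:
    """Decode the token's base64 JSON payload. Fields: ver (ES version),
    adr (node HTTP addresses), fgr (HTTP CA SHA-256 fingerprint) and
    key (API key as id:secret, the credential half of the token)."""
    padded = token + "=" * (-len(token) % 4)  # tokens are emitted without padding
    return json.loads(base64.urlsafe_b64decode(padded))


def pem_sha256_fingerprint(pem: str) -> str:
    """SHA-256 over the DER bytes of the first certificate in a PEM file, as hex.
    This is the value Elasticsearch prints as the HTTP CA fingerprint."""
    body = pem.split("-----BEGIN CERTIFICATE-----", 1)[1]
    body = body.split("-----END CERTIFICATE-----", 1)[0]
    return hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()


def verify_token(token: str, logged_fingerprint: str, ca_pem: Optional[str] = None) -> dict:
    """Cross-check the token against the logged fingerprint and, if given, against the
    CA certificate copied out of the container (assumed path: config/certs/http_ca.crt)."""
    info = decode_enrollment_token(token)
    key_id, _, _secret = info["key"].partition(":")  # the secret half is never reported
    fgr = info["fgr"].lower()
    result = {
        "version": info["ver"],
        "addresses": info["adr"],
        "api_key_id": key_id,
        "fingerprint_matches_log": fgr == logged_fingerprint.lower(),
    }
    if ca_pem is not None:
        result["fingerprint_matches_ca_cert"] = fgr == pem_sha256_fingerprint(ca_pem)
    return result


if __name__ == "__main__":
    print(json.dumps(verify_token(KIBANA_ENROLLMENT_TOKEN, LOGGED_CA_FINGERPRINT), indent=2))
```

To include the certificate check, read ~/elk/elasticsearch/config/certs/http_ca.crt and pass its text as ca_pem; a mismatch means the log block and the mounted config directory belong to different container runs.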