wxin/es
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

上传文件至 /

Browse Source
This commit is contained in:
wxin 2025-04-30 16:51:55 +08:00
commit 2b06a62be4
2 changed files with 620 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

560
Elasticsearch.md Normal file
View File

@ -0,0 +1,560 @@
<h2><center>Elasticsearch 集群搭建</center></h2>
------
## 一:环境准备
### 1. 简介
部署模式es集群采用无主模式
es版本8.13.4
jdk版本使用es内嵌的jdk21无需额外安装jdk环境
操作系统Centos 7
### 2. 环境
| IP地址 | 主机名 | 角色 |
| :-------------: | :-------------: | :-------------: |
| 192.168.159.131 | elasticsearch01 | master&data节点 |
| 192.168.159.132 | elasticsearch02 | master&data节点 |
| 192.168.159.133 | elasticsearch03 | master&data节点 |
## 二:服务器配置
### 1. 创建用户
es不能使用root用户进行部署故创建新用户管理es集群
```bash
# 添加一个用户 elasticsearch 密码 elasticsearch
[root@elasticsearch1 ~]# useradd elasticsearch && echo elasticsearch | passwd --stdin elasticsearch
```
### 2. 本地解析
```bash
[root@elasticsearch1 ~]# vim /etc/hosts
192.168.159.131 elasticsearch1
192.168.159.132 elasticsearch2
192.168.159.133 elasticsearch3
```
### 3. 系统优化
优化最大进程数,最大文件打开数,优化虚拟内存
```bash
[root@elasticsearch1 ~]# vim /etc/security/limits.conf
* soft nofile 65536
* hard nofile 131072
* soft nproc 4096
* hard nproc 6553
[root@elasticsearch1 ~]# vim /etc/sysctl.conf
vm.max_map_count=262144
[root@elasticsearch1 ~]# sysctl -p
vm.max_map_count = 262144
```
## 三:集群部署
### 1. 获取安装包
官网:[Past Releases of Elastic Stack Software | Elastic](https://www.elastic.co/downloads/past-releases#elasticsearch)
```bash
[root@elasticsearch1 ~]# wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-8.13.4-linux-x86_64.tar.gz
```
### 2. 解压安装
```bash
[root@elasticsearch1 ~]# tar xf elasticsearch-8.13.4-linux-x86_64.tar.gz -C /usr/local/
[root@elasticsearch1 ~]# mv /usr/local/elasticsearch-8.13.4/ /usr/local/elasticsearch
[root@elasticsearch1 ~]# chown -R elasticsearch:elasticsearch /usr/local/elasticsearch
```
### 3. 配置环境变量
```bash
[root@elasticsearch1 ~]# vim /etc/profile
JAVA_HOME=/usr/local/elasticsearch/jdk
ES_HOME=/usr/local/elasticsearch
PATH=$PATH:$JAVA_HOME/bin:$ES_HOME/bin
export JAVA_HOME ES_HOME PATH
# 刷新环境变量
[root@elasticsearch1 ~]# source /etc/profile
[root@elasticsearch1 ~]# java -version
openjdk version "21.0.2" 2024-01-16
OpenJDK Runtime Environment (build 21.0.2+13-58)
OpenJDK 64-Bit Server VM (build 21.0.2+13-58, mixed mode, sharing)
```
### 4. 创建目录
目录用来存储数据和存放证书并赋予权限
```bash
[root@elasticsearch1 ~]# mkdir -p /usr/local/elasticsearch/data
[root@elasticsearch1 ~]# mkdir -p /usr/local/elasticsearch/config/certs
[root@elasticsearch1 ~]# chown -R elasticsearch:elasticsearch /usr/local/elasticsearch/
```
**注意:截至到目前为止,所有节点服务器的操作都是一致的**
### 5. 签发证书
```bash
# 在第一台服务器节点 elasticsearch1 设置集群多节点通信密钥
# 切换用户
[root@elasticsearch1 ~]# su - elasticsearch
[elasticsearch@elasticsearch1 ~]$ cd /usr/local/elasticsearch/bin/
[elasticsearch@elasticsearch1 bin]$ ./elasticsearch-certutil ca
warning: ignoring JAVA_HOME=/usr/local/elasticsearch/jdk; using bundled JDK
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.
The 'ca' mode generates a new 'certificate authority'
This will create a new X.509 certificate and private key that can be used
to sign certificate when running in 'cert' mode.
Use the 'ca-dn' option if you wish to configure the 'distinguished name'
of the certificate authority
By default the 'ca' mode produces a single PKCS#12 output file which holds:
* The CA certificate
* The CA's private key
If you elect to generate PEM format certificates (the -pem option), then the output will
be a zip file containing individual files for the CA certificate and private key
Please enter the desired output file [elastic-stack-ca.p12]:
Enter password for elastic-stack-ca.p12 :
# 用 ca 证书签发节点证书,过程中需按三次回车键,生成目录elasticsearch的home:/usr/local/elasticsearch/
[elasticsearch@elasticsearch1 bin]$ ./elasticsearch-certutil cert --ca elastic-stack-ca.p12
...
If you specify any of the following options:
* -pem (PEM formatted output)
* -multiple (generate multiple certificates)
* -in (generate certificates from an input file)
then the output will be be a zip file containing individual certificate/key files
Enter password for CA (elastic-stack-ca.p12) :
Please enter the desired output file [elastic-certificates.p12]:
Enter password for elastic-certificates.p12 :
Certificates written to /usr/local/elasticsearch/elastic-certificates.p12
This file should be properly secured as it contains the private key for
your instance.
This file is a self contained file and can be copied and used 'as is'
For each Elastic product that you wish to configure, you should copy
this '.p12' file to the relevant configuration directory
and then follow the SSL configuration instructions in the product guide.
For client applications, you may only need to copy the CA certificate and
configure the client to trust this certificate.
# 将生成的证书文件移动到 config/certs 目录中
[elasticsearch@elasticsearch1 bin]$ cd /usr/local/elasticsearch/
[elasticsearch@elasticsearch1 elasticsearch]$ ls -l | grep "elastic-"
-rw------- 1 elasticsearch elasticsearch 3596 4月 29 19:21 elastic-certificates.p12
-rw------- 1 elasticsearch elasticsearch 2672 4月 29 19:19 elastic-stack-ca.p12
[elasticsearch@elasticsearch1 elasticsearch]$ mv elastic-certificates.p12 config/certs/
[elasticsearch@elasticsearch1 elasticsearch]$ mv elastic-stack-ca.p12 config/certs/
```
### 6. 设置集群多节点HTTP证书
```bash
[elasticsearch@elasticsearch1 elasticsearch]$ cd /usr/local/elasticsearch/bin/
[elasticsearch@elasticsearch1 bin]$ ./elasticsearch-certutil http
warning: ignoring JAVA_HOME=/usr/local/elasticsearch/jdk; using bundled JDK
## Elasticsearch HTTP Certificate Utility
The 'http' command guides you through the process of generating certificates
for use on the HTTP (Rest) interface for Elasticsearch.
This tool will ask you a number of questions in order to generate the right
set of files for your needs.
## Do you wish to generate a Certificate Signing Request (CSR)?
A CSR is used when you want your certificate to be created by an existing
Certificate Authority (CA) that you do not control (that is, you don't have
access to the keys for that CA).
If you are in a corporate environment with a central security team, then you
may have an existing Corporate CA that can generate your certificate for you.
Infrastructure within your organisation may already be configured to trust this
CA, so it may be easier for clients to connect to Elasticsearch if you use a
CSR and send that request to the team that controls your CA.
If you choose not to generate a CSR, this tool will generate a new certificate
for you. That certificate will be signed by a CA under your control. This is a
quick and easy way to secure your cluster with TLS, but you will need to
configure all your clients to trust that custom CA.
######################################################
# 是否生成CSR选择 N ,不需要 #
######################################################
Generate a CSR? [y/N]N
## Do you have an existing Certificate Authority (CA) key-pair that you wish to use to sign your certificate?
If you have an existing CA certificate and key, then you can use that CA to
sign your new http certificate. This allows you to use the same CA across
multiple Elasticsearch clusters which can make it easier to configure clients,
and may be easier for you to manage.
If you do not have an existing CA, one will be generated for you.
########################################################
# 是否使用已经存在的CA证书选择 y 因为已经创建签发好了CA #
########################################################
Use an existing CA? [y/N]y
## What is the path to your CA?
Please enter the full pathname to the Certificate Authority that you wish to
use for signing your new http certificate. This can be in PKCS#12 (.p12), JKS
(.jks) or PEM (.crt, .key, .pem) format.
######################################################
# 指定CA证书的路径地址CA Path:后写绝对路径 #
######################################################
CA Path: /usr/local/elasticsearch/config/certs/elastic-stack-ca.p12
Reading a PKCS12 keystore requires a password.
It is possible for the keystore's password to be blank,
in which case you can simply press <ENTER> at the prompt
######################################################
# 设置密钥库的密码,直接 回车 即可 #
######################################################
Password for elastic-stack-ca.p12:
## How long should your certificates be valid?
Every certificate has an expiry date. When the expiry date is reached clients
will stop trusting your certificate and TLS connections will fail.
Best practice suggests that you should either:
(a) set this to a short duration (90 - 120 days) and have automatic processes
to generate a new certificate before the old one expires, or
(b) set it to a longer duration (3 - 5 years) and then perform a manual update
a few months before it expires.
You may enter the validity period in years (e.g. 3Y), months (e.g. 18M), or days (e.g. 90D)
######################################################
# 设置证书的失效时间这里的y表示年5y则代表失效时间5年 #
######################################################
For how long should your certificate be valid? [5y] 5y
## Do you wish to generate one certificate per node?
If you have multiple nodes in your cluster, then you may choose to generate a
separate certificate for each of these nodes. Each certificate will have its
own private key, and will be issued for a specific hostname or IP address.
Alternatively, you may wish to generate a single certificate that is valid
across all the hostnames or addresses in your cluster.
If all of your nodes will be accessed through a single domain
(e.g. node01.es.example.com, node02.es.example.com, etc) then you may find it
simpler to generate one certificate with a wildcard hostname (*.es.example.com)
and use that across all of your nodes.
However, if you do not have a common domain name, and you expect to add
additional nodes to your cluster in the future, then you should generate a
certificate per node so that you can more easily generate new certificates when
you provision new nodes.
#########################################################
# 是否需要为每个节点都生成证书,选择 N 无需每个节点都配置证书#
#########################################################
Generate a certificate per node? [y/N]N
## Which hostnames will be used to connect to your nodes?
These hostnames will be added as "DNS" names in the "Subject Alternative Name"
(SAN) field in your certificate.
You should list every hostname and variant that people will use to connect to
your cluster over http.
Do not list IP addresses here, you will be asked to enter them later.
If you wish to use a wildcard certificate (for example *.es.example.com) you
can enter that here.
Enter all the hostnames that you need, one per line.
############################################################
# 输入需连接集群节点主机名信息一行输入一个IP地址空行回车结束 #
############################################################
When you are done, press <ENTER> once more to move on to the next step.
elasticsearch1
elasticsearch2
elasticsearch3
You entered the following hostnames.
- elasticsearch1
- elasticsearch2
- elasticsearch3
####################################################
# 确认以上是否为正确的配置,输入 Y 表示信息正确 #
####################################################
Is this correct [Y/n]Y
## Which IP addresses will be used to connect to your nodes?
If your clients will ever connect to your nodes by numeric IP address, then you
can list these as valid IP "Subject Alternative Name" (SAN) fields in your
certificate.
If you do not have fixed IP addresses, or not wish to support direct IP access
to your cluster then you can just press <ENTER> to skip this step.
Enter all the IP addresses that you need, one per line.
#########################################################
# 输入需连接集群节点IP信息一行输入一个IP地址空行回车结束 #
#########################################################
When you are done, press <ENTER> once more to move on to the next step.
192.168.159.131
192.168.159.132
192.168.159.133
You entered the following IP addresses.
- 192.168.159.131
- 192.168.159.132
- 192.168.159.133
####################################################
# 确认以上是否为正确的配置,输入 Y 表示信息正确 #
####################################################
Is this correct [Y/n]Y
## Other certificate options
The generated certificate will have the following additional configuration
values. These values have been selected based on a combination of the
information you have provided above and secure defaults. You should not need to
change these values unless you have specific requirements.
Key Name: elasticsearch1
Subject DN: CN=elasticsearch1
Key Size: 2048
####################################################
# 是否要更改以上这些选项,选择 N ,不更改证书选项配置 #
####################################################
Do you wish to change any of these options? [y/N]N
## What password do you want for your private key(s)?
Your private key(s) will be stored in a PKCS#12 keystore file named "http.p12".
This type of keystore is always password protected, but it is possible to use a
blank password.
####################################################
# 是否要给证书加密,不需要加密,两次 回车 即可 #
####################################################
If you wish to use a blank password, simply press <enter> at the prompt below.
Provide a password for the "http.p12" file: [<ENTER> for none]
## Where should we save the generated files?
A number of files will be generated including your private key(s),
public certificate(s), and sample configuration options for Elastic Stack products.
These files will be included in a single zip archive.
What filename should be used for the output zip file? [/usr/local/elasticsearch/elasticsearch-ssl-http.zip]
Zip file written to /usr/local/elasticsearch/elasticsearch-ssl-http.zip
```
### 7. 分发证书
```bash
# 解压
[elasticsearch@elasticsearch1 bin]$ cd /usr/local/elasticsearch/
[elasticsearch@elasticsearch1 elasticsearch]$ unzip elasticsearch-ssl-http.zip
# 移动证书
[elasticsearch@elasticsearch1 elasticsearch]$ mv ./elasticsearch/http.p12 config/certs/
[elasticsearch@elasticsearch1 elasticsearch]$ mv ./kibana/elasticsearch-ca.pem config/certs/
# 将证书分发到其他节点02 03
[elasticsearch@elasticsearch1 elasticsearch]$ exit
登出
[root@elasticsearch1 ~]# cd /usr/local/elasticsearch/config/certs/
[root@elasticsearch1 certs]# scp ./* elasticsearch2:/usr/local/elasticsearch/config/certs/
[root@elasticsearch1 certs]# scp ./* elasticsearch3:/usr/local/elasticsearch/config/certs/
# 修改属主属组
[root@elasticsearch2/3 ~]#chown -R /usr/local/elasticsearch/config/certs/*
```
### 8. 修改配置
```bash
[root@elasticsearch1/2/3 certs]# cd /usr/local/elasticsearch/config/
[root@elasticsearch1/2/3 config]# vim elasticsearch.yml
cluster.name: elasticsearch
node.name: elasticsearch1
path.data: /usr/local/elasticsearch/data
path.logs: /usr/local/elasticsearch/logs
network.host: 0.0.0.0
http.port: 9200
discovery.seed_hosts: ["192.168.159.131:9200", "192.168.159.132:9200","192.168.159.133:9200"]
cluster.initial_master_nodes: ["elasticsearch1", "elasticsearch2","elasticsearch3"]
xpack.security.enabled: true
xpack.security.enrollment.enabled: true
xpack.security.http.ssl:
enabled: true
keystore.path: /usr/local/elasticsearch/config/certs/http.p12
keystore.password: 123456 # 如果生成证书时设置了密码则要添加密码配置
truststore.path: /usr/local/elasticsearch/config/certs/http.p12
truststore.password: 123456 # 如果生成证书时设置了密码则要添加密码配置
xpack.security.transport.ssl:
enabled: true
verification_mode: certificate
keystore.path: /usr/local/elasticsearch/config/certs/elastic-certificates.p12
keystore.password: 123456 # 如果生成证书时设置了密码则要添加密码配置
truststore.path: /usr/local/elasticsearch/config/certs/elastic-certificates.p12
truststore.password: 123456 # 如果生成证书时设置了密码则要添加密码配置
http.host: [_local_, _site_]
ingest.geoip.downloader.enabled: false
xpack.security.http.ssl.client_authentication: none
```
注意:
- xpack.security.http.ssl和xpack.security.transport.ssl后的子配置需要空一格遵循yml的格式要求
- 如果不需要后续的http证书认证或者用户密码认证可以将以下参数的值改为false
```yaml
xpack.security.http.ssl:
enabled: false
xpack.security.transport.ssl:
enabled: false
```
- 如果后续在业务场景中遇到了跨域的问题,解决跨域的问题添加以下参数
```yaml
http.cors.enabled: true
http.cors.allow-origin: "*"
```
### 9. 参数解释
```shell
cluster.name: xingdian-es
含义: 指定Elasticsearch集群的名称。在此例中集群名为xingdian-es所有想要加入此集群的节点都应配置相同的集群名称。
node.name: es-1.xingdian.com
含义: 设置单个节点的名称。这里将节点命名为es-1.xingdian.com有助于标识和管理集群中的不同节点。
path.data: /usr/local/es/data
含义: 指定Elasticsearch存储数据的路径。数据文件将保存在/usr/local/es/data目录下。
path.logs: /usr/local/es/logs
含义: 配置日志文件的存放路径,即日志将会被写入到/usr/local/es/logs目录中。
network.host: 0.0.0.0
含义: 设置监听所有可用网络接口的IP地址允许Elasticsearch从任何网络接口接收连接请求。
http.port: 9200
含义: 指定HTTP服务监听的端口号这里是9200是Elasticsearch默认的HTTP访问端口。
discovery.seed_hosts: ["es-1.xingdian.com","es-2.xingdian.com","es-3.xingdian.com"]
含义: 列出初始种子节点的地址,用于集群启动时发现其他节点。这有助于新节点加入或现有节点重启后找到集群。
cluster.initial_master_nodes: ["es-1.xingdian.com","es-2.xingdian.com","es-3.xingdian.com"]
含义: 在初次启动或集群完全重启后,指定哪些节点可以成为初始主节点,用于选举过程。
xpack.security.enabled: true
含义: 启用X-Pack安全特性提供认证、授权、加密传输等功能增强Elasticsearch的安全性。
xpack.security.http.ssl.enabled: true
含义: 开启HTTP通信的SSL加密确保客户端与Elasticsearch之间的数据传输安全。
keystore.path, truststore.path, keystore.password, truststore.password
含义: 分别指定了SSL证书的存放路径和密钥库、信任库的密码。这些设置用于保护SSL连接的密钥和信任信息。
http.host: [local, site]
含义: 指定HTTP服务可以绑定的主机名_local_表示绑定本地主机_site_允许绑定所有公开站点地址。
ingest.geoip.downloader.enabled: false
含义: 禁用了GeoIP数据库的自动下载功能。GeoIP用于地理定位禁用后需要手动管理数据库更新。
xpack.security.http.ssl.client_authentication: none
含义: 设置客户端认证方式为“无”意味着HTTP客户端连接到Elasticsearch时不需要提供证书进行认证。
```
### 10. JVM参数调整
```bash
[root@elasticsearch1 config]# vim jvm.options
-Xms2g
-Xmx2g
```
注意该值为真实内存的1/2
### 11. 启动集群
```bash
[elasticsearch@elasticsearch1/2/3 ~]$ nohup /usr/local/elasticsearch/bin/elasticsearch &
```
### 12. 设置登录密码
```bash
[elasticsearch@elasticsearch1/2/3 ~]$ /usr/local/elasticsearch/bin/elasticsearch-reset-password -u elastic -i
warning: ignoring JAVA_HOME=/usr/local/elasticsearch/jdk; using bundled JDK
This tool will reset the password of the [elastic] user.
You will be prompted to enter the password.
Please confirm that you would like to continue [y/N]y
Enter password for [elastic]:
Re-enter password for [elastic]:
Password for the [elastic] user successfully reset.
```
### 13. 浏览器访问
https://192.168.159.131:9200
![](accents\image-202504300004.png)
![](accents\image-202504300005.png)
### 14. 插件访问
Multi Elasticsearch Heads
![](accents\image-202504300006.png)
Elasticsearch Tools
![](accents\image-202504300007.png)
Elasticvue
![](accents\image-202504300008.png)
![](accents\image-202504300009.png)
![](accents\image-202504300010.png)
![](accents\image-202504300011.png)
![](accents\image-202504300012.png)

60
日志分析集群.md Normal file
View File

@ -0,0 +1,60 @@
<h2><center>日志分析集群</center></h2>
------
## 一:组件介绍
### 1. Elasticsearch
主要用来日志存储
是一个基于Lucene的搜索服务器。提供搜集、分析、存储数据三大功能。它提供了一个分布式多用户能力的全文搜索引擎基于RESTful web接口。Elasticsearch是用Java开发的并作为Apache许可条款下的开放源码发布是当前流行的企业级搜索引擎。设计用于云计算中能够达到实时搜索稳定可靠快速安装使用方便。
### 2. Logstash
主要用来日志的搜集
主要是用来日志的搜集、分析、过滤日志的工具。用于管理日志和事件的工具,你可以用它去收集日志、转换日志、解析日志并将他们作为数据提供给其它模块调用,例如搜索、存储等。
### 3. Kibana
主要用于日志的展示
是一个优秀的前端日志展示框架,它可以非常详细的将日志转化为各种图表,为用户提供强大的数据可视化支持,它能够搜索、展示存储在 Elasticsearch 中索引数据。使用它可以很方便的用图表、表格、地图展示和分析数据。
### 4. Kafaka
是一种高吞吐量的分布式发布订阅消息系统。具有峰值处理能力,使用消息队列能够使关键组件顶住突发的访问压力,而不会因为突发的超负荷的请求而完全崩溃。
### 5. Filebeat
隶属于Beats,轻量级数据收集引擎。基于原先 Logstash-fowarder 的源码改造出来。换句话说Filebeat就是新版的 Logstash-fowarder也会是 ELK Stack 在 Agent 的第一选择常见的Beat有
- Packetbeat搜集网络流量数据
- Metricbeat搜集系统、进程和文件系统级别的 CPU 和内存使用情况等数据)
- Filebeat搜集文件数据
- Winlogbeat搜集 Windows 事件日志数据)
## 二:集群构建
### 1. 架构
![](accents\image-202504290001.png)
**基础架构**
单一的架构logstash作为日志搜集器从数据源采集数据并对数据进行过滤格式化处理然后交由Elasticsearch存储kibana对日志进行可视化处理。
![](accents\image-202504290002.png)
**多节点部署Logstash架构**
这种架构模式适合需要采集日志的客户端不多且各服务端cpu,内存等资源充足的情况下。因为每个节点都安装Logstash, 非常消耗节点资源。其中logstash作为日志搜集器将每一台节点的数据发送到Elasticsearch上进行存储再由kibana进行可视化分析。
![](accents\image-202504290003.png)
### 2. 官网地址
官网地址https://www.elastic.co
官网搭建https://www.elastic.co/guide/index.html