什么是ElasticStack?
ElasticStack早期名称为elk。
elk分别代表了3个组件:
– ElasticSearch 负责数据存储和检索。
– Logstash: 负责数据的采集,将源数据采集到ElasticSearch进行存储。
– Kibana: 负责数据的展示。
由于Logstash是一个重量级产品,安装包超过300MB+,很多同学只是用于采集日志,
于是使用其他采集工具代替,比如flume,fluentd等产品替代。(后期会发布logsh的部署安装)
后来elastic公司也发现了这个问题,于是开发了一堆beats产品,其中典型代表就是Filebeat,metricbeat,heartbeat等。
而后,对于安全而言,又推出了xpack等相关组件,以及云环境的组件。
后期名称命名为elk stack,后来公司为了宣传ElasticStack(关于介绍只讲这么多,感兴趣的小伙伴可以参考一下官网)。
- ES集群常见的术语:
- 索引: Index
用户进行数据的读写单元。 - 分片: Shard
一个索引至少要有一个分片,如果一个索引仅有一个分片,意味着该索引的数据只能全量存储在某个节点上,且分片是不可拆分的,隶属于某个节点。
换句话说,分片是ES集群最小的调度单元。 一个索引数据也可以被分散的存储在不同的分片上,且这些分片可以放在不同的节点,从而实现数据的分布式存储。 - 副本: replica
副本是针对分片来说的,一个分片可以有0个或多个副本。 当副本数量为0时,意味着只有主分片(priamry shard),当主分片所在的节点宕机时,数据就无法访问了。 当副本数量大于0时,意味着同时存在主分片和副本分片(replica shard):
– 主分片负责数据的读写(read write,rw)
– 副本分片负责数据的读的负载均衡(read only,ro) - 文档: document:
指的是用户存储的数据。其中包含元数据和源数据。- 元数据:
用于描述源数据的数据。 - 源数据:
用户实际存储的数据。
- 元数据:
- 分配: allocation
指的是将索引的不同分片(包含主分片和副本分片)分配到整个集群的过程。 - ES相比与MySQL
– MySQL属于关系型数据库:
增删改查: 基于SQL- ES属于文档型数据库,和MangoDB很相似 增删改查: DSL语句,属于ES独有的有种查询语言。 针对模糊查询,mysql无法充分利用索引,性能较低,而是用ES查询模糊数据,是非常高效的。
- 索引: Index
- ES的master选举流程
- 0.启动时会检查集群是否有master,如果有则不发起选举master;
- 1.刚开始启动,所有节点均为人自己是master,并向集群的其他节点发送信息(包含ClusterStateVersion,ID等)
- 2.基于类似gossip协议获取所有可以参与master选举的节点列表;
- 3.先比较”ClusterStateVersion”,谁最大,谁优先级高,会被选举出master;
- 4.如果比不出来,则比较ID,谁的ID小,就优先成为master;
- 5.当集群半熟以上节点参与选举完成后,则完成master选举,比如有N个节点,仅需要”(N/2)+1″节点就可以确认master;
- 6.master选举完成后,会向集群列表通报最新的master节点,此时才意味着选举完成;
elk单点部署:
- 1.二进制部署ES单点环境以及ElasticSearch的版本选择及下载
[root@elk91 ~]# wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.17.28-linux-x86_64.tar.gz
[root@elk91 ~]# wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.17.28-linux-x86_64.tar.gz.sha512
[root@elk91 ~]# shasum -a 512 -c elasticsearch-7.17.28-linux-x86_64.tar.gz.sha512- 2.解压软件包
[root@elk91 ~]# tar xf elasticsearch-7.17.28-linux-x86_64.tar.gz -C /usr/local/- 3.修改配置文件
[root@elk91 ~]# vim /usr/local/elasticsearch-7.17.28/config/elasticsearch.yml
[root@elk91 ~]# egrep -v "^#|^$" /usr/local/elasticsearch-7.17.28/config/elasticsearch.yml
cluster.name: elk91
path.data: /var/lib/es7
path.logs: /var/log/es7
network.host: 0.0.0.0
discovery.type: single-node
[root@elk91 ~]# 相关参数说明:
cluster.name
集群的名称
path.data
ES的数据存储路径。
path.logs
ES的日志存储路径。
network.host
ES服务监听的地址。
discovery.type
指的ES集群的部署类型,此处的"single-node",表示的是一个单点环境。- 4.创建用户并授权
[root@elk91 ~]# useradd -m elk
[root@elk91 ~]# chown elk:elk -R /usr/local/elasticsearch-7.17.28/- 5.创建数据目录和日志目录
[root@elk91 ~]# install -d /var/{lib,log}/es7 -o elk -g elk- 6.启动ElasticSearch服务
[root@elk91 ~]# su - elk -c '/usr/local/elasticsearch-7.17.28/bin/elasticsearch -d'- 7.查看服务验证
[root@elk93 ~]# curl http://10.0.0.91:9200
{
"name" : "elk91",
"cluster_name" : "elk91",
"cluster_uuid" : "f8m0l-IiQAG1ZHKFjQgqFA",
"version" : {
"number" : "7.17.28",
"build_flavor" : "default",
"build_type" : "tar",
"build_hash" : "139cb5a961d8de68b8e02c45cc47f5289a3623af",
"build_date" : "2025-02-20T09:05:31.349013687Z",
"build_snapshot" : false,
"lucene_version" : "8.11.3",
"minimum_wire_compatibility_version" : "6.8.0",
"minimum_index_compatibility_version" : "6.0.0-beta1"
},
"tagline" : "You Know, for Search"
}
[root@elk93 ~]# curl http://10.0.0.91:9200/_cat/nodes
10.0.0.91 34 97 7 0.11 0.09 0.03 cdfhilmrstw * elk91- 常见的报错梳理Q1:
bootstrap check failure [1] of [1]: max virtual memory areas vm.max_map_count [65530] is too low, increase to at least [262144]
ERROR: Elasticsearch did not exit normally - check the logs at /var/log/es7/my-haoshuaicong.log
报错问题:
虚拟内存映射过小导致的问题。
解决方案:
[root@elk91 config]# echo vm.max_map_count=262144 >> /etc/sysctl.d/es.conf
[root@elk91 config]#
[root@elk91 config]# sysctl -f /etc/sysctl.d/es.conf
vm.max_map_count = 262144
[root@elk91 config]# - 常见的报错梳理Q2:
java.lang.IllegalStateException: failed to obtain node locks, tried [[/var/lib/es7]] with lock id [0]; maybe these locations are not writable or multiple nodes were started without increasing [node.max_local_storage_nodes] (was [1])?
报错问题:
出现lock字样说明已经有ES实例启动。
解决方案:
检查是否有ES启动。kill掉进程就可以了。
[root@elk91 config]# pkill java #生产环境不要这么暴力 可以 ps -ef|grep es进程去杀掉对应进程即可
[root@elk91 config]# rm -rf /var/{lib,log}/es7/* /tmp/*- 常见的报错梳理Q3:
{"error":{"root_cause":[{"type":"master_not_discovered_exception","reason":null}],"type":"master_not_discovered_exception","reason":null},"status":503}
报错问题:
ES集群部署的有问题,缺少master角色。
解决方案:
检查集群配置是否正确。- 8.卸载二进制的ES程序
1.停止服务:
kill `ps -ef | grep java | grep -v grep | awk '{print $2}'`
2.删除程序,数据,日志目录:
[root@elk91 ~]# rm -rf /usr/local/elasticsearch-7.17.28/ /var/{lib,log}/es7/
3.移除普通用户
[root@elk91 ~]# userdel -r elk基于deb包安装ES单点:
- 1.下载软件包
[root@elk91 ~]# wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.17.28-amd64.deb- 2.安装es
[root@elk91 ~]# dpkg -i elasticsearch-7.17.28-amd64.deb- 3.添加别名
root@elk91 ~]# tail -1 .bashrc
alias yy='egrep -v "^#|^$"'
[root@elk91 ~]#
[root@elk91 ~]# source .bashrc
[root@elk91 ~]#- 4.修改配置文件
root@elk91 ~]# yy /etc/elasticsearch/elasticsearch.yml
cluster.name: elk91
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 0.0.0.0
http.port: 9200
discovery.type: single-node
[root@elk91 ~]#- 5.启动ES服务
[root@elk91 ~]# systemctl enable --now elasticsearch.service
[root@elk91 ~]#
[root@elk91 ~]# ss -ntl | egrep "9[2|3]00"
LISTEN 0 4096 *:9300 *:*
LISTEN 0 4096 *:9200 *:*
[root@elk91 ~]#- 6.访问ES的WebUI
[root@elk91 ~]# curl http://10.0.0.91:9200/_cat/nodes
10.0.0.91 17 97 0 0.20 0.09 0.03 cdfhilmrstw * elk91
[root@elk91 ~]#
[root@elk91 ~]# curl http://10.0.0.91:9200/
{
"name" : "elk91",
"cluster_name" : "elk91",
"cluster_uuid" : "h5Eru0tzSKmIHxgyw2q3rg",
"version" : {
"number" : "7.17.28",
"build_flavor" : "default",
"build_type" : "deb",
"build_hash" : "139cb5a961d8de68b8e02c45cc47f5289a3623af",
"build_date" : "2025-02-20T09:05:31.349013687Z",
"build_snapshot" : false,
"lucene_version" : "8.11.3",
"minimum_wire_compatibility_version" : "6.8.0",
"minimum_index_compatibility_version" : "6.0.0-beta1"
},
"tagline" : "You Know, for Search"
}
[root@elk91 ~]#- 7.查看集群状态:
[root@elk91 ~]# curl http://10.0.0.91:9200/_cat/health?v
epoch timestamp cluster status node.total node.data shards pri relo init unassign pending_tasks max_task_wait_time active_shards_percent
1741676068 06:54:28 elk91 green 1 1 3 3 0 0 0 0 - 100.0%
[root@elk91 ~]#至此单点部署完成。
ES集群环境部署:
- 1.停止单点服务
[root@elk91 ~]# systemctl stop elasticsearch.service
[root@elk91 ~]#- 2.拷贝软件包
[root@elk91 ~]# scp elasticsearch-7.17.28-amd64.deb 10.0.0.92:~
[root@elk91 ~]# scp elasticsearch-7.17.28-amd64.deb 10.0.0.93:~- 3.其他节点安装ES环境
[root@elk92 ~]# dpkg -i elasticsearch-7.17.28-amd64.deb
[root@elk93 ~]# dpkg -i elasticsearch-7.17.28-amd64.deb- 4.修改ES集群配置文件
root@elk91 ~]# vim /etc/elasticsearch/elasticsearch.yml
[root@elk91 ~]#
[root@elk91 ~]# yy /etc/elasticsearch/elasticsearch.yml
cluster.name: elks
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 0.0.0.0
http.port: 9200
discovery.seed_hosts: ["10.0.0.91", "10.0.0.92","10.0.0.93"]
cluster.initial_master_nodes: ["10.0.0.91","10.0.0.92","10.0.0.93"]
[root@elk91 ~]#
[root@elk91 ~]# scp /etc/elasticsearch/elasticsearch.yml 10.0.0.92:/etc/elasticsearch/
[root@elk91 ~]# scp /etc/elasticsearch/elasticsearch.yml 10.0.0.93:/etc/elasticsearch/- 5.所有节点同时启动ES服务
[root@elk91 ~]# systemctl enable --now elasticsearch.service
[root@elk91 ~]# ss -ntl | egrep "9[2|3]00"
LISTEN 0 4096 *:9300 *:*
LISTEN 0 4096 *:9200 *:*
[root@elk91 ~]#[root@elk92 ~]# systemctl enable --now elasticsearch.service
[root@elk92 ~]# ss -ntl | egrep "9[2|3]00"
LISTEN 0 4096 *:9300 *:*
LISTEN 0 4096 *:9200 *:*
[root@elk92 ~]#[root@elk93 ~]# systemctl enable --now elasticsearch.service
[root@elk93 ~]# ss -ntl | egrep "9[2|3]00"
LISTEN 0 4096 *:9300 *:*
LISTEN 0 4096 *:9200 *:*
[root@elk93 ~]#- 6.检查集群是否正常工作
[root@elk93 ~]# curl http://10.0.0.91:9200/_cat/nodes?v
ip heap.percent ram.percent cpu load_1m load_5m load_15m node.role master name
10.0.0.93 27 97 0 0.28 0.17 0.06 cdfhilmrstw - elk93
10.0.0.91 8 97 0 0.23 0.14 0.05 cdfhilmrstw * elk91
10.0.0.92 27 97 4 0.80 0.33 0.12 cdfhilmrstw - elk92
[root@elk93 ~]#- 7.快速部署校验ES集群解决方案
快速部署校验ES集群解决方案
报错信息: 集群缺少master
[root@elk3 ~]# curl http://10.0.0.92:9200/cat/nodes?v {"error":{"root_cause":[{"type":"master_not_discovered_exception","reason":null}],"type":"master_not_discovered_exception","reason":null},"status":503} [root@elk3 ~]# curl 10.0.0.91:9200 { "name" : "elk91", "cluster_name" : "oldboyedu-linux96", "cluster_uuid" : "_na",
…
}
[root@elk3 ~]#
[root@elk3 ~]# curl 10.0.0.92:9200
{
"name" : "elk2",
"cluster_name" : "oldboyedu-linux96",
"cluster_uuid" : "na",
…
}
[root@elk3 ~]#
[root@elk3 ~]#
[root@elk3 ~]# curl 10.0.0.93:9200
{
"name" : "elk3",
"cluster_name" : "oldboyedu-linux96",
"cluster_uuid" : "na",
…
}
[root@elk3 ~]#
解决方案:
- 停止集群的ES服务
[root@elk91 ~]# systemctl stop elasticsearch.service
[root@elk92 ~]# systemctl stop elasticsearch.service
[root@elk93 ~]# systemctl stop elasticsearch.service
- 删除数据,日志,和临时数据
[root@elk91 ~]# rm -rf /var/{lib,log}/elasticsearch/* /tmp/*
[root@elk92 ~]# rm -rf /var/{lib,log}/elasticsearch/* /tmp/*
[root@elk93 ~]# rm -rf /var/{lib,log}/elasticsearch/* /tmp/*
[root@elk91 ~]# yy /etc/elasticsearch/elasticsearch.yml
cluster.name: oldboyedu-linux96
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 0.0.0.0
http.port: 9200
discovery.seed_hosts: ["10.0.0.91", "10.0.0.92","10.0.0.93"]
cluster.initial_master_nodes: ["10.0.0.91","10.0.0.92","10.0.0.93"]
[root@elk91 ~]#
[root@elk91 ~]# scp /etc/elasticsearch/elasticsearch.yml 10.0.0.92:/etc/elasticsearch/
[root@elk91 ~]# scp /etc/elasticsearch/elasticsearch.yml 10.0.0.93:/etc/elasticsearch/
- 检查集群各节点的配置
[root@elk91 ~]# yy /etc/elasticsearch/elasticsearch.yml
cluster.name: oldboyedu-linux96
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 0.0.0.0
http.port: 9200
discovery.seed_hosts: ["10.0.0.91", "10.0.0.92","10.0.0.93"]
cluster.initial_master_nodes: ["10.0.0.91","10.0.0.92","10.0.0.93"]
[root@elk91 ~]#
[root@elk91 ~]# scp /etc/elasticsearch/elasticsearch.yml 10.0.0.92:/etc/elasticsearch/
[root@elk91 ~]# scp /etc/elasticsearch/elasticsearch.yml 10.0.0.93:/etc/elasticsearch/
- 启动ES服务
[root@elk91 ~]# systemctl restart elasticsearch.service
[root@elk92 ~]# systemctl restart elasticsearch.service
[root@elk93 ~]# systemctl restart elasticsearch.service
- 测试验证
[root@elk91 ~]# for i in seq 91 93; do curl -s 10.0.0.$i:9200 | grep cluster_uuid; done
"cluster_uuid" : "-5ly4d8-Tl6biIMmp4pzKw",
"cluster_uuid" : "-5ly4d8-Tl6biIMmp4pzKw",
"cluster_uuid" : "-5ly4d8-Tl6biIMmp4pzKw",
[root@elk91 ~]#
[root@elk91 ~]# curl 10.0.0.93:9200/_cat/nodes
10.0.0.91 11 94 4 0.43 0.36 0.29 cdfhilmrstw - elk91
10.0.0.93 11 96 2 0.47 0.43 0.28 cdfhilmrstw - elk93
10.0.0.92 5 97 3 0.32 0.44 0.33 cdfhilmrstw * elk92
[root@elk91 ~]#
至此ES集群搭建完毕!ES的集群加密可以参考对应文章链接:ES集群加密 – violet
Categories: