
Rocky Linux 8.1 ELK Installation Tutorial

jxf315 2025-08-03 05:41:19 Tutorials
  1. Install the Java environment
# Elasticsearch depends on Java 11+, so install a JDK first:
sudo dnf install java-11-openjdk-devel -y
java -version  # verify the installation
  1. Configure the Elasticsearch repository
# Import the GPG key and add the official repository:
rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch

#### Create the repository file
/etc/yum.repos.d/elasticsearch.repo

vim /etc/yum.repos.d/elasticsearch.repo 

#### With the following contents

[elasticsearch]
name=Elasticsearch repository for 8.x
baseurl=https://artifacts.elastic.co/packages/8.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
  1. Install Elasticsearch
dnf install --enablerepo=elasticsearch elasticsearch -y


--------------------------- Security autoconfiguration information ------------------------------

Authentication and authorization are enabled.
TLS for the transport and HTTP layers is enabled and configured.

The generated password for the elastic built-in superuser is : qMxSY$GCig7¥XdHXbk

If this node should join an existing cluster, you can reconfigure this with
'/usr/share/elasticsearch/bin/elasticsearch-reconfigure-node --enrollment-token <token-here>'
after creating an enrollment token on your existing cluster.

You can complete the following actions at any time:

Reset the password of the elastic built-in superuser with
'/usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic'.

Generate an enrollment token for Kibana instances with
 '/usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana'.

Generate an enrollment token for Elasticsearch nodes with
'/usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s node'.
  1. Configure Elasticsearch

/etc/elasticsearch/elasticsearch.yml

cluster.name: my-elk-cluster    # custom cluster name
node.name: rocky-node-1         # node name
network.host: 0.0.0.0           # allow access from all IPs
http.port: 9200                 # exposed port

Adjust the JVM memory limits (optional):

sudo sed -i 's/-Xms1g/-Xms512m/g; s/-Xmx1g/-Xmx512m/g' /etc/elasticsearch/jvm.options

Start and verify Elasticsearch

sudo systemctl daemon-reload
sudo systemctl enable --now elasticsearch
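curl -X GET "localhost:9200"    # verify that JSON is returned

The autoconfiguration shown above enabled TLS on the HTTP layer, so this plain-HTTP request fails:

curl: (52) Empty reply from server
# /etc/elasticsearch/elasticsearch.yml
xpack.security.enabled: false  # was true, which forces security (username, password, and so on); with false that is no longer required.

With this set to false and network.host: 0.0.0.0 above, any host that can reach port 9200 can use the cluster without credentials.

Check the service status / restart the service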

systemctl status elasticsearch
systemctl reenable --now elasticsearch
systemctl restart elasticsearch
  1. Install Kibana
 dnf install kibana -y 
 

Edit the configuration file /etc/kibana/kibana.yml

server.port: 5601
server.host: "0.0.0.0"          # allow remote access
elasticsearch.hosts: ["http://localhost:9200"] 

Start the service

systemctl enable --now kibana

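Handling the Kibana startup error: systemd[1]: Unit kibana.service entered failed state

The log below contains the error YAMLException: can not read a block mapping entry, which usually means the YAML in the configuration file is malformed. It typically comes from Kibana's configuration file (such as kibana.yml). Here, checking showed that a slip while editing kibana.yml above had added a stray character that broke parsing; deleting it fixed the problem.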

systemd[1]: Unit kibana.service entered failed state

# View the logs: check kibana.log, or use journalctl to read the system journal (Kibana's log file is usually at /var/log/kibana/kibana.log)
journalctl -u kibana.service

-- Logs begin at Wed 2025-06-11 16:50:16 KST, end at Fri 2025-07-25 13:22:01 KST. --
Jul 25 11:31:25 st-apiserver kibana[37939]: FATAL CLI ERROR YAMLException: can not read a block mapping entry; a multiline key may not be an implicit key at line 12, column 1:
Jul 25 11:31:25 st-apiserver kibana[37939]: # Specifies the address to which ...
Jul 25 11:31:25 st-apiserver kibana[37939]: ^
Jul 25 11:31:25 st-apiserver kibana[37939]: at generateError (/usr/share/kibana/node_modules/js-yaml/lib/js-yaml/loader.js:167:10)
..................................................


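Opening Kibana requires an enrollment token. If you no longer have it, generate a new one as follows: first set xpack.security.enabled to true, then stop and start the elasticsearch service; otherwise the command fails with an error.


The node configuration in the figure above must match, otherwise you get this error: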

[root@st-server ~]# /usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana

ERROR: Failed to determine the health of the cluster., with exit code 69

vim /etc/elasticsearch/elasticsearch.yml   # set xpack.security.enabled: true

systemctl stop --now elasticsearch
systemctl enable --now elasticsearch
/usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token --scope kibana

After obtaining the token, open Kibana, then get the Kibana verification code from the command line:

[root@web06 ~]# /usr/share/kibana/bin/kibana-verification-code
Your verification code is:  256 764

Setting a Kibana password:

/usr/share/elasticsearch/bin/elasticsearch-users  useradd fuqiwei -p 111111 -r kibana_role


[root@web06 ~]# /usr/share/elasticsearch/bin/elasticsearch-users  userdel fuqiwei
[root@web06 ~]# /usr/share/elasticsearch/bin/elasticsearch-users  useradd fuqiwei -p 123123  -r superuser


kibana_role: [
  watcher_admin, apm_system, viewer, rollup_user, logstash_system, kibana_user, 
  beats_admin, remote_monitoring_agent, rollup_admin, snapshot_user, 
  data_frame_transforms_admin, monitoring_user, enrich_user, kibana_admin, 
  logstash_admin, inference_user, editor, data_frame_transforms_user, machine_learning_user, 
  machine_learning_admin, watcher_user, apm_user, inference_admin, beats_system, 
  transform_user, reporting_user, kibana_system, transform_admin, 
  remote_monitoring_collector, transport_client, superuser, ingest_admin]
  1. Install Logstash
Install
dnf install logstash -y 

Create the pipeline configuration files (the examples are stored in /etc/logstash/conf.d/)
mkdir -p  /etc/logstash/conf.d/
  
  Start
systemctl enable --now logstash
  1. Firewall configuration
firewall-cmd --add-port={9200,5601}/tcp --permanent
firewall-cmd --reload 
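
An added example, not part of the original tutorial: the Elasticsearch configuration step and the firewall step together can leave a node bound to 0.0.0.0 with xpack.security.enabled: false and port 9200 open in firewalld. The script below checks elasticsearch.yml and the firewalld port list for that combination; the function names yaml_value and audit_es and the sample file are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example; function names are hypothetical, sample config is constructed.

# yaml_value FILE KEY: print the last uncommented top-level "KEY: value" in FILE.
yaml_value() {
  awk -v key="$2" '
    index($0, key ":") == 1 {
      val = substr($0, length(key) + 2)
      sub(/#.*/, "", val)                     # drop a trailing comment
      gsub(/^[ \t"]+|[ \t"]+$/, "", val)      # trim blanks and quotes
      found = val
    }
    END { print found }' "$1"
}

# audit_es FILE "PORTS": PORTS is the output of `firewall-cmd --list-ports`.
# Prints ok | auth-disabled-loopback | exposed-on-bind | exposed-through-firewall
# Assumption: a missing xpack.security.enabled means security is on (8.x default).
audit_es() {
  local host sec port
  host=$(yaml_value "$1" network.host)
  sec=$(yaml_value "$1" xpack.security.enabled)
  port=$(yaml_value "$1" http.port)
  port=${port:-9200}                          # Elasticsearch default HTTP port
  [ "$sec" = "false" ] || { echo ok; return 0; }
  case "${host:-localhost}" in
    localhost|127.0.0.1|::1|_local_) echo auth-disabled-loopback; return 0 ;;
  esac
  case " $2 " in
    *" $port/tcp "*) echo exposed-through-firewall ;;
    *)               echo exposed-on-bind ;;
  esac
}

# Constructed sample: the settings this tutorial ends up with.
sample=$(mktemp)
cat > "$sample" <<'EOF'
cluster.name: my-elk-cluster
network.host: 0.0.0.0           # allow access from all IPs
http.port: 9200
xpack.security.enabled: false
EOF
echo "tutorial config: $(audit_es "$sample" "9200/tcp 5601/tcp")"
rm -f "$sample"
# On a real node:
#   audit_es /etc/elasticsearch/elasticsearch.yml "$(firewall-cmd --list-ports)"
# To verify the node without disabling security, query it over TLS instead:
#   curl --cacert /etc/elasticsearch/certs/http_ca.crt -u elastic https://localhost:9200
```

Any result other than ok means the HTTP API answers without credentials; exposed-through-firewall means it does so for every host that can reach the opened port.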
