
Fast build elk7.3

2022-06-11 11:44:00 Rufeng

A quick start guide to ELK 7.3.2, including package installation and a simple test.

OK, I found earlier that the "Quickly build ELK7.2" post had some pitfalls, so I decided to do it again.

The package (RPM) install has some advantages over the plain archive (unpacked) version: at least it sets up a service, which saves a lot of trouble on the command line.

Download and install

  • https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.3.2-x86_64.rpm
  • https://artifacts.elastic.co/downloads/kibana/kibana-7.3.2-x86_64.rpm
  • https://artifacts.elastic.co/downloads/logstash/logstash-7.3.2.rpm
  • https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.3.2-x86_64.rpm
  • https://artifacts.elastic.co/downloads/beats/heartbeat/heartbeat-7.3.2-x86_64.rpm

https://www.elastic.co/guide/en/elastic-stack-get-started/current/get-started-elastic-stack.html

Elasticsearch

Install

$ sudo rpm -ivh elasticsearch-7.3.2-x86_64.rpm
warning: elasticsearch-7.3.2-x86_64.rpm: Header V4 RSA/SHA512 Signature, key ID d88e42b4: NOKEY
Preparing...                          ################################# [100%]
Creating elasticsearch group... OK
Creating elasticsearch user... OK
Updating / installing...
   1:elasticsearch-0:7.3.2-1          ################################# [100%]
### NOT starting on installation, please execute the following statements to configure elasticsearch service to start automatically using systemd
 sudo systemctl daemon-reload
 sudo systemctl enable elasticsearch.service
### You can start elasticsearch service by executing
 sudo systemctl start elasticsearch.service
Created elasticsearch keystore in /etc/elasticsearch

Startup

sudo systemctl daemon-reload
sudo systemctl enable elasticsearch.service

sudo systemctl status elasticsearch.service
sudo systemctl start elasticsearch.service
### Check process
# ps -ef|grep ela
### Check installed files location
# sudo rpm -ql elasticsearch

Test

$ curl localhost:9200
{
  "name" : "appserver01",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "wCDlDy6UTriUSuZuDrqWrw",
  "version" : {
    "number" : "7.3.2",
    "build_flavor" : "default",
    "build_type" : "rpm",
    "build_hash" : "1c1faf1",
    "build_date" : "2019-09-06T14:40:30.409026Z",
    "build_snapshot" : false,
    "lucene_version" : "8.1.0",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}

Startup Commands

All other installations are similar; the services are listed below.

sudo systemctl start elasticsearch.service
sudo systemctl start kibana.service
sudo systemctl start logstash.service
sudo systemctl start filebeat.service
sudo systemctl start heartbeat-elastic.service

Remote Access to Elasticsearch

sudo vi /etc/elasticsearch/elasticsearch.yml
#network.host: 192.168.0.1
network.host: 0.0.0.0

cluster.initial_master_nodes: node-1

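The last configuration change (cluster.initial_master_nodes) is for the bootstrap error below. Binding to a non-loopback address puts the node into production mode, where the bootstrap checks are enforced.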

sudo tail  /var/log/elasticsearch/elasticsearch.log
[2019-10-10T10:06:24,340][ERROR][o.e.b.Bootstrap          ] [appserver01] node validation exception
[1] bootstrap checks failed
[1]: the default discovery settings are unsuitable for production use; at least one of [discovery.seed_hosts, discovery.seed_providers, cluster.initial_master_nodes] must be configured

I did not run into the "vm.max_map_count is too low" problem that I had with the 7.2 archive version.

A cursory look shows that it is set in the startup script.

sudo view /etc/init.d/elasticsearch

MAX_OPEN_FILES=65535
MAX_MAP_COUNT=262144

sysctl -q -w vm.max_map_count=$MAX_MAP_COUNT

Remote Access to Kibana

# curl localhost:5601
# curl localhost:5601/app/kibana
sudo vi /etc/kibana/kibana.yml
#server.host: "localhost"
server.host: "0.0.0.0"
sudo systemctl restart kibana.service

Now Kibana can be accessed from a browser on another host:
http://192.168.1.88:5601/
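
The two "Remote Access" changes above bind Elasticsearch and Kibana to every interface, and nothing on this page turns on authentication. The check below is an added example, not part of the original post: it flags that combination in the two config files. The function names are hypothetical, the sample files are constructed from the settings shown above, and it looks only at network.host, server.host and xpack.security.enabled (Kibana's login depends on Elasticsearch security being enabled).

```shell
#!/bin/sh
# Added example: flag ELK configs that listen beyond loopback without auth.

# yaml_get FILE KEY: value of the last uncommented top-level "KEY: value" line.
yaml_get() {
    sed -n "s/^$2:[[:space:]]*//p" "$1" 2>/dev/null | tail -n 1 |
        sed 's/[[:space:]]*#.*$//' | tr -d "\"' "
}

# bind_scope VALUE: prints loopback | wildcard | specific.
# An empty value means the key is unset, and both products default to loopback.
bind_scope() {
    case "$1" in
        ''|localhost|127.*|::1|_local_) echo loopback ;;
        0.0.0.0|::|'[::]')              echo wildcard ;;
        *)                              echo specific ;;
    esac
}

# audit_stack ES_YML KIBANA_YML: returns 1 if either service is reachable
# from other hosts while xpack.security.enabled is not "true".
audit_stack() {
    es_scope=$(bind_scope "$(yaml_get "$1" network.host)")
    kb_scope=$(bind_scope "$(yaml_get "$2" server.host)")
    sec=$(yaml_get "$1" xpack.security.enabled)
    [ "$sec" = true ] || sec=false
    rc=0
    if [ "$es_scope" != loopback ] && [ "$sec" = false ]; then
        echo "FAIL elasticsearch: $es_scope bind, xpack.security.enabled is not true"
        rc=1
    fi
    if [ "$kb_scope" != loopback ] && [ "$sec" = false ]; then
        echo "FAIL kibana: $kb_scope bind in front of an unauthenticated cluster"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK es=$es_scope kibana=$kb_scope security=$sec"
    return "$rc"
}

# Constructed sample: the settings from this post, written to a temp dir.
demo=$(mktemp -d)
printf 'network.host: 0.0.0.0\ncluster.initial_master_nodes: node-1\n' > "$demo/elasticsearch.yml"
printf '#server.host: "localhost"\nserver.host: "0.0.0.0"\n' > "$demo/kibana.yml"
audit_stack "$demo/elasticsearch.yml" "$demo/kibana.yml" || true
rm -rf "$demo"
```

On the host from this post the arguments would be /etc/elasticsearch/elasticsearch.yml and /etc/kibana/kibana.yml, read with sudo.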

Installation path problem

At first I tried to install it into a specified directory, but found that the paths in the service were not changed after installation, which means some manual work is required, so I didn't bother.

$ sudo rpm -ivh --prefix=/opt/elk elasticsearch-7.3.2-x86_64.rpm
warning: elasticsearch-7.3.2-x86_64.rpm: Header V4 RSA/SHA512 Signature, key ID d88e42b4: NOKEY
Preparing...                          ################################# [100%]
Creating elasticsearch group... OK
Creating elasticsearch user... OK
Updating / installing...
   1:elasticsearch-0:7.3.2-1          ################################# [100%]
### NOT starting on installation, please execute the following statements to configure elasticsearch service to start automatically using systemd
 sudo systemctl daemon-reload
 sudo systemctl enable elasticsearch.service
### You can start elasticsearch service by executing
 sudo systemctl start elasticsearch.service
/var/tmp/rpm-tmp.JyvHeM: line 8: /usr/share/elasticsearch/bin/elasticsearch-keystore: No such file or directory
chown: cannot access ‘/etc/elasticsearch/elasticsearch.keystore’: No such file or directory
chmod: cannot access ‘/etc/elasticsearch/elasticsearch.keystore’: No such file or directory
md5sum: /etc/elasticsearch/elasticsearch.keystore: No such file or directory
warning: %posttrans(elasticsearch-0:7.3.2-1.x86_64) scriptlet failed, exit status 1

Reinstallation issues

Because an old version of ELK was already on the machine, I found that Elasticsearch would not start after reinstalling.

Posts online say this means an instance is already running, but I didn't find one here.

In the end the problem was solved: before reinstalling, delete all the files in the related paths.

failed to obtain node locks

Elasticsearch failed to start with the error below.

[2019-09-23T16:41:39,751][ERROR][o.e.b.Bootstrap          ] [appserver01] Exception
java.lang.IllegalStateException: failed to obtain node locks, tried [[/var/lib/elasticsearch]] with lock id [0]; maybe these locations are not writable or multiple nodes were started without increasing [node.max_local_storage_nodes] (was [1])?

It still did not work even after the node configuration was updated as below.

node.max_local_storage_nodes: 2

The issue was solved after removing all related folders; we also added CPU and memory (with a reboot) during that time.

Maybe the files in the related folders were not cleaned up when the old version was uninstalled.

$ sudo rpm -ql elasticsearch>elasticsearch_pkg.log
$ sudo rpm -ev elasticsearch
Preparing packages...
Stopping elasticsearch service... OK
elasticsearch-0:5.4.0-1.noarch
Deleting log directory... OK
$ sudo rpm -ql elasticsearch
package elasticsearch is not installed
find / -iname "elasticsearch"

Remove all old version files found.

sudo rm -rf /usr/share/elasticsearch
sudo rm -rf /etc/elasticsearch
sudo rm -rf /var/log/elasticsearch
sudo rm -rf /var/lib/elasticsearch

Copyright notice
This article was written by [Rufeng]. Please include the original link when reposting, thanks.
https://yzsam.com/2022/162/202206111127343097.html