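Background: Elasticsearch 7 requires HTTPS to be enabled before alerts can be created, so Elasticsearch has to be deployed with HTTPS.
Reference (official documentation): https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-deploy-elasticsearch.html
Step 1: create the CRDs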
kubectl create -f https://download.elastic.co/downloads/eck/2.12.1/crds.yaml
Step 2: install the operator along with its RBAC rules
kubectl apply -f https://download.elastic.co/downloads/eck/2.12.1/operator.yaml
Step 3: make sure the operator pod has started successfully
[root@localhost ~]# kubectl -n elastic-system get pods
NAME                 READY   STATUS    RESTARTS      AGE
elastic-operator-0   1/1     Running   6 (20h ago)   20h
Step 4: create the Elasticsearch cluster
[root@localhost es]# cat es.yaml.bak
apiVersion: elasticsearch.k8s.elastic.co/v1
kind: Elasticsearch
metadata:
  name: eck-cluster
  namespace: elk
spec:
  version: 7.9.1
  http:
    tls:
      # do not let ECK generate a self-signed certificate for the HTTP layer
      selfSignedCertificate:
        disabled: true
  nodeSets:
  - name: default
    count: 1
    config:
      node.master: true
      node.data: true
      node.ingest: true
      node.ml: false
      xpack.graph.enabled: false
      xpack.ml.enabled: false
      xpack.watcher.enabled: false
      xpack.monitoring.collection.enabled: true
      xpack.security.enabled: true
      xpack.security.http.ssl.enabled: true
      # unauthenticated requests are mapped to the superuser role
      xpack.security.authc:
        anonymous:
          username: anonymous
          roles: superuser
          authz_exception: false
    volumeClaimTemplates:
    - metadata:
        name: elasticsearch-data
      spec:
        accessModes:
        - ReadWriteOnce
        resources:
          requests:
            storage: 100Gi
        storageClassName: standard
    podTemplate:
      spec:
        initContainers:
        # privileged init container that raises vm.max_map_count on the node
        - name: sysctl
          securityContext:
            privileged: true
          command: ['sh', '-c', 'sysctl -w vm.max_map_count=262144']
        containers:
        - name: elasticsearch
          env:
          - name: ES_JAVA_OPTS
            value: -Xms512m -Xmx512m -Des.allow_insecure_settings=true
          - name: READINESS_PROBE_PROTOCOL
            value: https
          resources:
            requests:
              memory: 2Gi
            limits:
              memory: 4Gi
Step 5: make sure Elasticsearch has started normally. I only created one node here, so the health is yellow; with 3 nodes it would be green.
[root@localhost es]# kubectl -n elk get es
NAME          HEALTH   NODES   VERSION   PHASE   AGE
eck-cluster   yellow   1       7.9.1     Ready   61m
Step 6: create Kibana. Note that the Elasticsearch name referenced here (highlighted in red in the original) must correspond to the name shown by kubectl -n elk get es.
apiVersion: kibana.k8s.elastic.co/v1
kind: Kibana
metadata:
  name: eck-cluster
  namespace: elk
spec:
  version: 7.9.1
  count: 1
  config:
    #elasticsearch.hosts: ["https://eck-cluster-es-http.elk.svc:9200"]
    elasticsearch.username: "elastic"
    elasticsearch.password: "xxxxx"
  elasticsearchRef:
    name: eck-cluster
Step 7: make sure both Elasticsearch and Kibana have started normally
[root@localhost es]# kubectl -n elk get pods
NAME                              READY   STATUS    RESTARTS   AGE
eck-cluster-es-default-0          1/1     Running   0          44m
eck-cluster-kb-7d75dd6758-g2rcp   1/1     Running   0          57m
Step 8: start port forwarding and open the Kibana UI
kubectl -n elk port-forward --address 0.0.0.0 svc/eck-cluster-kb-http 5601:5601
Step 9: Kibana alerting is now available
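The following Python check is an added example, not part of the original post or of ECK: it reads the JSON form of the Elasticsearch resource from step 4 and reports the settings that weaken its security. The sample document is constructed from that manifest, and the finding labels are this example's own.

```python
import json

# Constructed sample: subset of `kubectl -n elk get es eck-cluster -o json`,
# mirroring the manifest from step 4.
SAMPLE = json.loads("""{"spec": {
  "http": {"tls": {"selfSignedCertificate": {"disabled": true}}},
  "nodeSets": [{"name": "default",
    "config": {"xpack.security.enabled": true,
      "xpack.security.authc": {"anonymous": {"username": "anonymous",
        "roles": "superuser", "authz_exception": false}}},
    "podTemplate": {"spec": {"containers": [{"name": "elasticsearch",
      "env": [{"name": "ES_JAVA_OPTS",
        "value": "-Xms512m -Xmx512m -Des.allow_insecure_settings=true"}]}]}}}]}}""")

def flatten(node, prefix=""):
    """Collapse nested config maps into dotted keys so both YAML styles match."""
    out = {}
    for key, value in node.items():
        if isinstance(value, dict):
            out.update(flatten(value, f"{prefix}{key}."))
        else:
            out[f"{prefix}{key}"] = value
    return out

def audit(es):
    """Return findings (strings) for one Elasticsearch custom resource."""
    findings = []
    tls = es["spec"].get("http", {}).get("tls", {})
    if (tls.get("selfSignedCertificate", {}).get("disabled")
            and not tls.get("certificate", {}).get("secretName")):
        findings.append("http-tls: self-signed cert disabled and no custom certificate secret")
    for ns in es["spec"].get("nodeSets", []):
        cfg = flatten(ns.get("config", {}))
        roles = cfg.get("xpack.security.authc.anonymous.roles", [])
        roles = roles.split(",") if isinstance(roles, str) else roles
        if "superuser" in [r.strip() for r in roles]:
            findings.append(f"{ns['name']}: anonymous requests get the superuser role")
        if cfg.get("xpack.security.enabled") is False:
            findings.append(f"{ns['name']}: xpack.security.enabled is false")
        pod = ns.get("podTemplate", {}).get("spec", {})
        for env in (e for c in pod.get("containers", []) for e in c.get("env", [])):
            if "es.allow_insecure_settings=true" in (env.get("value") or ""):
                findings.append(f"{ns['name']}: {env['name']} sets es.allow_insecure_settings=true")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

To audit a live cluster, load the output of kubectl -n elk get es eck-cluster -o json with json.load and pass it to audit() in place of SAMPLE.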
Addendum: if Filebeat needs to connect to Elasticsearch to ship logs, it must also use HTTPS. The settings that enable HTTPS (highlighted in red in the original) are part of the configuration below:
filebeat.inputs:
- type: log
  processors:
  paths:
    - "/mnt/log/logstash.log"
  fields:
    app: xxx
    index: xxxx
    group: xxx
    namespaces: xxx
    clusterName: "${CLUSTER_NAME:}"
  # How long to wait without new log data before closing the file handle; the default is 5 minutes, set to 1 minute to close handles sooner
  close_inactive: 1m
  # Force-close the file handle if the transfer has still not finished after 3h
  close_timeout: 3h
  # This option should also be set. The default of 0 means no cleanup: the state of harvested files is never removed from the registry file, so after running for a while the registry grows and may cause problems.
  clean_inactive: 72h
  # Once clean_inactive is set, ignore_older must also be set, with ignore_older < clean_inactive
  ignore_older: 70h
  #multiline.pattern: ^20[0-9]{2}-[0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2}
  #multiline.negate: true
  #multiline.match: after
  # Confirmed with Fulin that the logs only need multi-line output within 1 millisecond to be handled
  #multiline.timeout: 50ms
  # Keep only 40 lines of log
  #multiline.max_lines: 40
  exclude_files: ['debug']
  json.message_key: message
  json.keys_under_root: true
  json.overwrite_keys: true
  json.add_error_key: true
- type: log
  processors:
  paths:
    - "/mnt/log/requestlog.log"
  fields:
    app: xxx
    index: xxx
    group: xxx
    namespaces: xxx
    clusterName: "${CLUSTER_NAME:}"
  close_inactive: 1m
  close_timeout: 3h
  clean_inactive: 72h
  ignore_older: 70h
  exclude_files: ['debug']
  json.message_key: message
  json.keys_under_root: true
  json.overwrite_keys: true
  json.add_error_key: true
- type: log
  processors:
  paths:
    - "/mnt/log/gc.log"
  fields:
    app: xxxx
    index: gc
    group: xxx
    namespaces: xxxx
    clusterName: "${CLUSTER_NAME:}"
  close_inactive: 1m
  close_timeout: 3h
  clean_inactive: 72h
  ignore_older: 70h
  exclude_files: ['debug']
output.elasticsearch:
  enabled: true
  hosts: ["eck-cluster-es-http.elastic-system.svc:9200"]
  protocol: "https"
  username: "elastic-system-eck-cluster-kibana-user"
  password: "wYPuZ0719ix52U408M6prQXx"
  ssl:
    # CA used to verify the Elasticsearch server certificate
    certificate_authorities: ["/usr/share/filebeat/ca.pem"]
    # "certificate" checks the certificate chain against the CA but skips hostname verification
    verification_mode: "certificate"
  index: "%{[fields.index]}-%{+yyyy.MM.dd}"
setup.ilm.enabled: false
setup.template.name: "%{[fields.index]}"
setup.template.pattern: "%{[fields.index]}-*"
setup.template.enabled: false
setup.template.overwrite: true