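# Refresh the package index and install a JDK for Logstash to run on.
sudo apt-get update && sudo apt-get install -y default-jdk
# Keep the Elastic signing key in its own keyring instead of using `apt-key add`.
# apt-key is deprecated, and a key added with it lands in apt's global trust store,
# where it is accepted for every configured repository rather than only this one.
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elastic-keyring.gpg
# HTTPS transport for apt, installed before the https:// repository is added.
sudo apt-get install -y apt-transport-https
# signed-by ties the key above to this repository only. Plain `tee` (no -a) means a
# re-run rewrites the list file instead of appending a duplicate entry.
echo "deb [signed-by=/usr/share/keyrings/elastic-keyring.gpg] https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-7.x.list
# Install the pinned Logstash build. There is no -y here, so apt shows the package set
# and version for confirmation before installing.
sudo apt-get update && sudo apt-get install logstash=1:7.9.1-1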
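編輯 /etc/elasticsearch/jvm.options,或是透過 ES_JAVA_OPTS 環境變數來修改(以上為 Elasticsearch 的設定位置;本頁安裝的是 Logstash,其對應的檔案為 /etc/logstash/jvm.options,對應的環境變數為 LS_JAVA_OPTS)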
-Xms5g #設置JVM最小可用內存,避免每次GC回收完成後JVM重新分配內存
-Xmx5g #設置JVM最大可用內存
編輯 /etc/logstash/logstash.yml
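path.data: /mnt/disks/elk/logstash # Logstash data directory (persistent-queue data)
# NOTE(review): "0.0.0.0" exposes the Logstash HTTP API on every network interface.
# The API reports node, pipeline and JVM details. Prefer "127.0.0.1" unless remote
# monitoring is required and a firewall limits which hosts can reach port 9600.
http.host: "0.0.0.0" # bind address (host name or IP) of the HTTP API
http.port: 9600 # HTTP API port
log.level: error # logging level
# Enable centralized pipeline management.
xpack.management.enabled: true
# Connection settings: configure EITHER hosts + username/password OR cloud_id + cloud_auth.
# Only the hosts form is active below; the cloud_id form is kept commented out as the alternative.
xpack.management.elasticsearch.hosts: "https://1234564789.asia-east1.gcp.elastic-cloud.com:9243" # Elastic Cloud host
# NOTE(review): `elastic` is the built-in superuser. For least privilege, use a dedicated
# user that holds only the logstash_admin role.
xpack.management.elasticsearch.username: elastic
# Do not write the password in this file: logstash.yml can be read by anyone with access
# to the host, its backups, or a published copy of the config. The value is resolved at
# startup from the Logstash keystore (or the environment). ES_PWD is a constructed key name;
# store the secret with `bin/logstash-keystore add ES_PWD`. Rotate any password that has
# ever appeared in plaintext in a shared config.
xpack.management.elasticsearch.password: "${ES_PWD}"
# Alternative connection form (cloud id). Uncomment these two lines and comment out
# hosts/username/password above. CLOUD_AUTH is a constructed keystore key holding "user:password".
#xpack.management.elasticsearch.cloud_id: "test_elk:YXNpYS1lYXN0MS5nY3AuZWxNjY4MzkwODE="
#xpack.management.elasticsearch.cloud_auth: "${CLOUD_AUTH}"
xpack.management.logstash.poll_interval: 5s # how often to poll Elasticsearch for pipeline configuration
xpack.management.pipeline.id: ["test_1", "test_2"] # pipeline ids registered for central management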
# Register the Logstash unit to start at boot and start it immediately
# (one call in place of a separate enable followed by start).
sudo systemctl enable --now logstash.service