ELK filebeat docker部署
- 一、 elasticsearch部署
- 1、运行elasticsearch临时配置容器
- 2、拷贝文件目录到本地
- 3、检查elasticsearch.yml
- 4、删除之前elastic,运行正式容器
- 5、docker logs记录启动日志
- 二、部署kibana
- 1、运行kibana临时配置容器
- 2、docker拷贝配置文件到本地,
- 3、删除之前kibana,运行正式容器
- 三、部署logstash
- 1、运行logstash临时配置容器
- 2、docker拷贝配置文件到本地,
- 3、修改logstash配置--1
- 4、修改logstash配置--2
- 5、删除之前logstash,运行正式容器
- 四、部署filebeat
- 1、运行logstash临时配置容器
- 2、docker拷贝配置文件到本地,
- 3、修改filebeat配置,匹配nginx access/error未json格式化日志
- 5、删除之前logstash,运行正式容器
- 五、最终展示
一、 elasticsearch部署
1、运行elasticsearch临时配置容器
docker run -it -p 9200:9200 -p 9300:9300 --name elasticsearch --net elastic -e ES_JAVA_OPTS="-Xms1g -Xmx1g" -e "discovery.type=single-node" -e LANG=C.UTF-8 -e LC_ALL=C.UTF-8 elasticsearch:8.4.3
2、拷贝文件目录到本地
mkdir -p /u01/elk/{elasticsearch,filebeat,kibana,logstash}cd /u01/elk/elasticsearch/docker cp elasticsearch:/usr/share/elasticsearch/config .
docker cp elasticsearch:/usr/share/elasticsearch/data .
docker cp elasticsearch:/usr/share/elasticsearch/plugins .
docker cp elasticsearch:/usr/share/elasticsearch/logs .
3、检查elasticsearch.yml
elasticsearch.yml network.host: 0.0.0.0
4、删除之前elastic,运行正式容器
docker run -it \-d \-p 9200:9200 \-p 9300:9300 \--name elasticsearch \--net elastic \-e ES_JAVA_OPTS="-Xms1g -Xmx1g" \-e "discovery.type=single-node" \-e LANG=C.UTF-8 \-e LC_ALL=C.UTF-8 \-v /u01/elk/elasticsearch/config:/usr/share/elasticsearch/config \-v /u01/elk/elasticsearch/data:/usr/share/elasticsearch/data \-v /u01/elk/elasticsearch/plugins:/usr/share/elasticsearch/plugins \-v /u01/elk/elasticsearch/logs:/usr/share/elasticsearch/logs \elasticsearch:8.4.3
5、docker logs记录启动日志
后续用到的密码,证书,token可在以下查找
✅ Elasticsearch security features have been automatically configured!
✅ Authentication is enabled and cluster connections are encrypted.ℹ️ Password for the elastic user (reset with `bin/elasticsearch-reset-password -u elastic`):BtFaekYKKP6m0_pp+s9gℹ️ HTTP CA certificate SHA-256 fingerprint:ab72993f131f9bae496f4f4b35f955f4909557e13da751bd5f2d1198c2695af6ℹ️ Configure Kibana to use this cluster:
• Run Kibana and click the configuration link in the terminal when Kibana starts.
• Copy the following enrollment token and paste it into Kibana in your browser (valid for the next 30 minutes):eyJ2ZXIiOiI4LjQuMyIsImFkciI6WyIxNzIuMTguMC4yOjkyMDAiXSwiZmdyIjoiYWI3Mjk5M2YxMzFmOWJhZTQ5NmY0ZjRiMzVmOTU1ZjQ5MDk1NTdlMTNkYTc1MWJkNWYyZDExOThjMjY5NWFmNiIsImtleSI6ImtWZFZJbzhCbjJVRjUtRUxmektrOjFva29XRktxUlBxYkh4UmdXWWhhMkEifQ==ℹ️ Configure other nodes to join this cluster:
• Copy the following enrollment token and start new Elasticsearch nodes with `bin/elasticsearch --enrollment-token <token>` (valid for the next 30 minutes):eyJ2ZXIiOiI4LjQuMyIsImFkciI6WyIxNzIuMTguMC4yOjkyMDAiXSwiZmdyIjoiYWI3Mjk5M2YxMzFmOWJhZTQ5NmY0ZjRiMzVmOTU1ZjQ5MDk1NTdlMTNkYTc1MWJkNWYyZDExOThjMjY5NWFmNiIsImtleSI6ImsxZFZJbzhCbjJVRjUtRUxmekttOnJxY0NUekM0VGR5YlRVaXF4dDRRQ1EifQ==If you're running in Docker, copy the enrollment token and run:
`docker run -e "ENROLLMENT_TOKEN=<token>" docker.elastic.co/elasticsearch/elasticsearch:8.4.3`二、部署kibana
1、运行kibana临时配置容器
docker run -it -d --restart=always --log-driver json-file --log-opt max-size=100m --log-opt max-file=2 --name kibana -p 5601:5601 --net elastic kibana:8.4.3
2、docker拷贝配置文件到本地,
cd /u01/elk/kibanadocker cp kibana:/usr/share/kibana/config/ .docker cp kibana:/usr/share/kibana/data/ .docker cp kibana:/usr/share/kibana/plugins/ .docker cp kibana:/usr/share/kibana/logs/ .
3、删除之前kibana,运行正式容器
docker run -it \-d \--restart=always \--log-driver json-file \--log-opt max-size=100m \--log-opt max-file=2 \--name kibana \-p 5601:5601 \--net elastic \-v /u01/elk/kibana/config:/usr/share/kibana/config \-v /u01/elk/kibana/data:/usr/share/kibana/data \-v /u01/elk/kibana/plugins:/usr/share/kibana/plugins \-v /u01/elk/kibana/logs:/usr/share/kibana/logs \kibana:8.4.3三、部署logstash
1、运行logstash临时配置容器
docker run -it -d --name logstash -p 9600:9600 -p 5044:5044 --net elastic logstash:8.4.3
2、docker拷贝配置文件到本地,
cd /u01/elk/logstashdocker cp logstash:/usr/share/logstash/config/* ./config/
docker cp logstash:/usr/share/logstash/config/ ./config
docker cp logstash:/usr/share/logstash/pipeline ./
3、修改logstash配置–1
cat config/logstash.yml
http.host: "0.0.0.0"
xpack.monitoring.elasticsearch.hosts: [ "https://172.18.0.2:9200" ]
xpack.monitoring.elasticsearch.username: "elastic"
xpack.monitoring.elasticsearch.password: "BtFaekYKKP6m0_pp+s9g" ##前面elastic日志中查找
xpack.monitoring.elasticsearch.ssl.certificate_authority: "/usr/share/logstash/config/certs/http_ca.crt"
xpack.monitoring.elasticsearch.ssl.ca_trusted_fingerprint: "ab72993f131f9bae496f4f4b35f955f4909557e13da751bd5f2d1198c2695af6" ##前面elastic日志中查找
4、修改logstash配置–2
cat pipeline/logstash.conf
input {beats {port => 5044}
}filter {}output {if [fields][project] == "nginx-accesslog" {elasticsearch {hosts => ["https://172.18.0.2:9200"]index => "server-%{+YYYY.MM.dd}"ssl => truessl_certificate_verification => falsecacert => "/usr/share/logstash/config/certs/http_ca.crt"ca_trusted_fingerprint => "ab72993f131f9bae496f4f4b35f955f4909557e13da751bd5f2d1198c2695af6"user => "elastic"password => "BtFaekYKKP6m0_pp+s9g"}}if [fields][project] == "nginx-errorlog" {elasticsearch {hosts => ["https://172.18.0.2:9200"]index => "error-%{+YYYY.MM.dd}"ssl => truessl_certificate_verification => falsecacert => "/usr/share/logstash/config/certs/http_ca.crt"ca_trusted_fingerprint => "ab72993f131f9bae496f4f4b35f955f4909557e13da751bd5f2d1198c2695af6"user => "elastic"password => "BtFaekYKKP6m0_pp+s9g"}}
}
5、删除之前logstash,运行正式容器
docker run -it \-d \--name logstash \-p 9600:9600 \-p 5044:5044 \--net elastic \-v /u01/elk/logstash/config:/usr/share/logstash/config \-v /u01/elk/logstash/pipeline:/usr/share/logstash/pipeline \logstash:8.4.3
四、部署filebeat
1、运行logstash临时配置容器
docker run -it -d --name filebeat --network host -e TZ=Asia/Shanghai elastic/filebeat:8.4.3 filebeat -e -c /usr/share/filebeat/filebeat.yml
2、docker拷贝配置文件到本地,
docker cp filebeat:/usr/share/filebeat/filebeat.yml .
docker cp filebeat:/usr/share/filebeat/data .
docker cp filebeat:/usr/share/filebeat/logs .
3、修改filebeat配置,匹配nginx access/error未json格式化日志
尽可能自己格式化nginx日志,这是未格式化的情况
cat filebeat.yml ilebeat.config:modules:path: ${path.config}/modules.d/*.ymlreload.enabled: falseprocessors:- add_host_metadata: ~#when.not.contains.tags: forwarded- add_cloud_metadata: ~- add_docker_metadata: ~- add_kubernetes_metadata: ~#output.elasticsearch:
# hosts: '${ELASTICSEARCH_HOSTS:elasticsearch:9200}'
# username: '${ELASTICSEARCH_USERNAME:}'
# password: '${ELASTICSEARCH_PASSWORD:}'filebeat.inputs:
- type: logenabled: truepaths:- /usr/share/filebeat/target/access.log # 这个路径是需要收集的日志路径,是docker容器中的路径fields:project: nginx-accesslogscan_frequency: 10s#multiline.pattern: '((2(5[0-5]|[0-4]\d))|[0-1]?\d{1,2})(\.((2(5[0-5]|[0-4]\d))|[0-1]?\d{1,2})){3}'multiline.pattern: '^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}'multiline.negate: falsemultiline.match: afterprocessors:- dissect:tokenizer: '"%{ip} - - [%{timestamp}] \"%{method} %{url} HTTP/%{http_version}\" %{response_code} %{bytes} \"%{referrer}\" \"%{user_agent}\"'field: "message"target_prefix: ""ignore_missing: true# '^[0-9]{4}-[0-9]{2}-[0-9]{2}'- type: logenabled: truepaths:- /usr/share/filebeat/target/error.log # 这个路径是需要收集的日志路径,是docker容器中的路径fields:project: nginx-errorlogscan_frequency: 10s#multiline.pattern: '((2(5[0-5]|[0-4]\d))|[0-1]?\d{1,2})(\.((2(5[0-5]|[0-4]\d))|[0-1]?\d{1,2})){3}'multiline.pattern: '^[0-9]{4}/[0-9]{2}/[0-9]{2} 'multiline.negate: falsemultiline.match: afterprocessors:- dissect:tokenizer: '%{timestamp} [%{log.level}] %{nginx.error}: %{error_message}, client: %{client_ip}, server: %{server_name}, request: "%{request}", host: "%{host}"'field: "message"target_prefix: ""ignore_missing: true# '^[0-9]{4}-[0-9]{2}-[0-9]{2}'json.keys_under_root: true # 开启json格式
json.overwrite_keys: true#- type: log# enabled: true# paths:# - /usr/share/filebeat/target/error.log. # 这个路径是需要收集的日志路径,是docker容器中的路径# scan_frequency: 10s# exclude_lines: ['error']# multiline.pattern: '^[0-9]{4}/[0-9]{2}/[0-9]{2}'# multiline.negate: false# multiline.match: after#output.logstash:enabled: true# The Logstash hostshosts: ["192.168.10.222:5044"]
5、删除之前logstash,运行正式容器
docker run --name=filebeat --hostname=ubuntu --user=filebeat --env=TZ=Asia/Shanghai --volume=/etc/nginx/logs/:/usr/share/filebeat/target/ --volume=/u01/elk/filebeat/filebeat.yml:/usr/share/filebeat/filebeat.yml --volume=/u01/elk/filebeat/data:/usr/share/filebeat/data --volume=/u01/elk/filebeat/logs:/usr/share/filebeat/logs --network=host --workdir=/usr/share/filebeat --restart=no --runtime=runc --detach=true -t elastic/filebeat:8.4.3 filebeat -e -c /usr/share/filebeat/filebeat.yml
五、最终展示
