Notes on installing ELK with Docker
1. docker pull sebp/elk
2. mkdir -p /var/data/elk
3. docker run -d -p 5044:5044 -p 5601:5601 -p 9200:9200 -p 9300:9300 -v /var/data/elk:/var/lib/elasticsearch --name=myelk sebp/elk
View the container's standard output: docker attach --sig-proxy=false myelk
Stop the container: docker stop myelk
Start the container: docker start myelk
List running containers: docker ps
Open a shell inside the container: docker exec -it myelk /bin/bash
cd /etc/logstash/conf.d/
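vim 02-beats-input.conf # comment out the ssl settings; whether to do this depends on your situation, and here I chose not to enable SSL
vim myfilter.conf and enter the following content, then save: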
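filter {
  json {
    source => "message"
    #target => "doc"
    # The message field holds the entire JSON payload. If the statement below is enabled, the data flowing into ES will have no message field. You can experiment to see the exact effect.
    #remove_field => ["message"]
  }
  # This handles the date and time. The log itself carries a time, and logstash generates its own time field, @timestamp; the time in the log should clearly take precedence. Hence the following configuration, which replaces the value of @timestamp with the log's own time.
  date {
    match => ["date","yyyy-MM-dd HH:mm:ss,SSS"]
    target => "@timestamp"
    locale => "cn"
    timezone => "Asia/Chongqing"
  }
}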
Restart logstash: service logstash restart
If it reports stop fail, try once more.
Testing logstash
Enter the container and first run: service logstash stop
Make sure logstash has stopped.
cd /opt/logstash
vim test-logstash.conf and enter the following content:
input { stdin {} }
filter {
  json {
    source => "message"
    #target => "doc"
    #remove_field => ["message"]
  }
  date {
    match => ["date","yyyy-MM-dd HH:mm:ss,SSS"]
    target => "@timestamp"
    locale => "cn"
    timezone => "Asia/Chongqing"
  }
}
output { stdout {} }
Save, then run:
bin/logstash -f test-logstash.conf
Wait a moment until you see output like the following:
The stdin plugin is now waiting for input:
[2018-12-29T07:57:25,159][INFO ][logstash.pipeline ] Pipeline started successfully {:pipeline_id=>"main", :thread=>"#<Thread:0x2d752f07 run>"}
[2018-12-29T07:57:25,210][INFO ][logstash.agent ] Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
[2018-12-29T07:57:25,458][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600}
Then type a JSON string directly on the command line, for example:
{ "date":"2018-12-28 18:54:04,052", "level":"INFO", "logger":"c.l.s.l.c.u.GeTuiPushUtils", "file_line":"GeTuiPushUtils.java:54", "msg":{"value":"初始化个推服务成功"}, "exception":"" }
It will then print a result roughly like this:
{
    "msg" => { "value" => "初始化个推服务成功" },
    "host" => "d6e142cd797d",
    "level" => "INFO",
    "exception" => "",
    "file_line" => "GeTuiPushUtils.java:54",
    "logger" => "c.l.s.l.c.u.GeTuiPushUtils",
    "message" => "{ "date":"2018-12-28 18:54:04,052", "level":"INFO", "logger":"c.l.s.l.c.u.GeTuiPushUtils", "file_line":"GeTuiPushUtils.java:54", "msg":{"value":"初始化个推服务成功"}, "exception":"" }",
    "@version" => "1",
    "@timestamp" => 2018-12-28T10:54:04.052Z,
    "date" => "2018-12-28 18:54:04,052"
}
If the output looks like this, the configuration works. Then press ctrl + c to stop the test.
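A Python model of what the json and date filters above do to the sample line, added here as an illustration; it is not part of the original notes and not Logstash code. It assumes Asia/Chongqing can be treated as a fixed UTC+8 offset; process_line and iso_utc are hypothetical names, and the two failure tags mirror Logstash's default tag_on_failure values.

```python
import json
from datetime import datetime, timedelta, timezone

# Assumption: Asia/Chongqing is modelled as a fixed UTC+8 offset (no DST for
# these logs), so the example does not depend on the system tz database.
LOG_TZ = timezone(timedelta(hours=8))
# Closest strptime equivalent of the page's pattern yyyy-MM-dd HH:mm:ss,SSS
DATE_FORMAT = "%Y-%m-%d %H:%M:%S,%f"
# The JSON line typed into stdin on the page.
SAMPLE = ('{ "date":"2018-12-28 18:54:04,052", "level":"INFO", '
          '"logger":"c.l.s.l.c.u.GeTuiPushUtils", '
          '"file_line":"GeTuiPushUtils.java:54", '
          '"msg":{"value":"初始化个推服务成功"}, "exception":"" }')


def process_line(line, ingest_time=None):
    """Hypothetical helper: json filter on "message", then the date filter."""
    event = {"message": line, "tags": [],
             "@timestamp": ingest_time or datetime.now(timezone.utc)}
    try:
        parsed = json.loads(line)
        if not isinstance(parsed, dict):
            raise ValueError("top-level JSON value is not an object")
    except ValueError:
        event["tags"].append("_jsonparsefailure")
        return event
    # Merge parsed keys into the event root; "message" is kept because
    # remove_field is commented out. Simplification: reserved keys are skipped.
    event.update({k: v for k, v in parsed.items()
                  if k not in ("message", "tags", "@timestamp")})
    if "date" not in event:
        return event  # no log time available: @timestamp stays at ingest time
    try:
        local = datetime.strptime(event["date"], DATE_FORMAT)
    except (TypeError, ValueError):
        event["tags"].append("_dateparsefailure")
        return event
    # Interpret the log time in the configured zone and store it as UTC.
    event["@timestamp"] = local.replace(tzinfo=LOG_TZ).astimezone(timezone.utc)
    return event


def iso_utc(ts):
    """Format a datetime the way the page's output shows @timestamp."""
    ts = ts.astimezone(timezone.utc)
    return ts.strftime("%Y-%m-%dT%H:%M:%S.") + f"{ts.microsecond // 1000:03d}Z"


if __name__ == "__main__":
    print(iso_utc(process_line(SAMPLE)["@timestamp"]))
```

An event that carries either failure tag keeps the ingest time in @timestamp, so filtering on those tags shows which records do not reflect the time written in the log.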
Install filebeat
Installation and testing complete
