1、#下载镜像
# Fetch the four 7.1.1 images used by this walkthrough.
for image in \
  elasticsearch:7.1.1 \
  kibana:7.1.1 \
  logstash:7.1.1 \
  store/elastic/filebeat:7.1.1
do
  docker pull "$image"
done

# User-defined bridge network that the ELK containers are attached to later.
docker network create elknetwork
2、#设置nginx日志保存位置
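# Host directory that receives the nginx logs.
# -p is the portable short option; "--p" relies on GNU long-option abbreviation.
mkdir -p /var/log/nginx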
3、设置logstash
3.1#设置logstash日志同步至elasticsearch
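# Host directory holding the Logstash pipeline files.
# -p is the portable short option; "--p" relies on GNU long-option abbreviation.
mkdir -p /usr/share/logstash/conf.d
vi /usr/share/logstash/conf.d/test.conf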
# Pipeline: receive events from Filebeat and fan them out to three outputs.
input {
  beats {
    # Listener that Filebeat connects to. No ssl settings are configured here,
    # so events travel in plaintext; keep this port on a trusted network only.
    port  => 5044
    # NOTE(review): the json codec expects each incoming line to be a JSON
    # document - confirm nginx is configured with a JSON log_format.
    codec => "json"
  }
}

output {
  # Index into the Elasticsearch container, addressed by its container name.
  elasticsearch {
    hosts => ["elasticsearch:9200"]
  }

  # Echo every event to Logstash's stdout for debugging.
  stdout {
    codec => rubydebug
  }

  # One file per day; the path is resolved inside the Logstash container.
  file {
    path => "/tmp/logstash-nginx-accesslog-%{+YYYY.MM.dd}"
  }
}
3.2、#设置logstash配置
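# Host directory holding logstash.yml.
# -p is the portable short option; "--p" relies on GNU long-option abbreviation.
mkdir -p /usr/share/logstash/config
vi /usr/share/logstash/config/logstash.yml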
# Load every pipeline file matching this glob (the conf.d directory is
# bind-mounted into the Logstash container when it is started).
path.config: /usr/share/logstash/conf.d/*.conf
# Directory where Logstash writes its own log files.
path.logs: /var/log/logstash
3.3、#设置logstash日志存放目录
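# Host directory for Logstash's own logs.
# -p is the portable short option; "--p" relies on GNU long-option abbreviation.
mkdir -p /var/log/logstash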
4、#设置filebeat采集日志配置
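# -p is the portable short option; cd only runs if the directory could be created.
mkdir -p /usr/share/logstash/filebeat && cd /usr/share/logstash/filebeat
# --fail: on an HTTP error, stop instead of saving the error page as the config.
# The file is fetched from a branch (7.1), not a pinned commit - read it before
# use, because it is later mounted into a container that runs as root.
curl --fail -L -O https://raw.githubusercontent.com/elastic/beats/7.1/deploy/docker/filebeat.docker.yml
vim filebeat.docker.yml
mv filebeat.docker.yml filebeat.yml
# Filebeat refuses to load a config file that is writable by group or others.
chmod go-w filebeat.yml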
# 增加下面的配置 (收集 .log 数据 把数据发送到当前网络5044端口 (logstash 端口) )
# 这个地方的 .log 要保证有几条测试数据
# /var/log/nginx/ 为nginx日志存放位置
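# Indentation is significant in YAML: the keys below must be nested as shown,
# otherwise Filebeat cannot parse the file.
filebeat.inputs:
  - type: log
    enabled: true
    paths:
      # Host nginx log directory as mounted into the Filebeat container.
      - /var/log/nginx/*.log

# Replace {ip} with the Logstash address or container name (e.g. logstash).
# No ssl settings are configured, so events are sent in plaintext; keep this
# traffic on a trusted network.
# NOTE(review): Filebeat accepts only one enabled output - if the downloaded
# file still defines another one (e.g. output.elasticsearch), remove it.
output.logstash:
  hosts: ['{ip}:5044']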
5、启动镜像
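# Test web server; its logs are written to /var/log/nginx on the host.
# NOTE(review): "nginx" is an unpinned tag, unlike the 7.1.1 images below.
docker run -d --name nginx-test -p 8080:80 \
  -v /var/log/nginx:/var/log/nginx \
  nginx

# Elasticsearch 7.1 runs without authentication unless xpack.security.enabled
# is turned on, so 9200/9300 are published on loopback only. Kibana and
# Logstash reach it over elknetwork and do not need the published ports.
docker run -d --name elasticsearch --net elknetwork \
  -p 127.0.0.1:9200:9200 -p 127.0.0.1:9300:9300 \
  -e "discovery.type=single-node" \
  elasticsearch:7.1.1

# On a user-defined network containers resolve each other by name, so Kibana
# points at "elasticsearch" instead of a hard-coded container IP, which can
# change when the container is recreated.
# If a container IP is ever needed: docker inspect <container-id> | grep IPAddress
# Kibana is published on all host interfaces and has no login while
# Elasticsearch security is disabled; restrict 5601 with a host firewall or
# an authenticating reverse proxy.
docker run -d --name kibana --net elknetwork \
  -p 5601:5601 \
  -e ELASTICSEARCH_HOSTS=http://elasticsearch:9200 \
  kibana:7.1.1

# Publishing 5044 is only required when Filebeat connects from outside
# elknetwork; the beats input is plaintext, so do not expose it further.
# The pipeline directory is mounted read-only: Logstash only reads it.
docker run -d --name logstash --net elknetwork \
  -p 5044:5044 \
  -v /var/log/logstash:/var/log/logstash \
  -v /usr/share/logstash/config/logstash.yml:/usr/share/logstash/config/logstash.yml \
  -v /usr/share/logstash/conf.d/:/usr/share/logstash/conf.d/:ro \
  logstash:7.1.1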
6、# 运行Filebeat
6.1、# 请更改下面两个路径
{nginx-path} = 本地的日志文件目录(映射到容器中 作为数据源) /var/log/nginx/
{path} = Filebeat配置文件路径 /usr/share/logstash/filebeat
{ip} = logstash 地址或实例名 filebeat.yml--hosts: ['{ip}:5044']--> hosts: 'logstash:5044'
6.2、#参考以下语法。注意:filebeat.yml 是文件,不是文件夹(目录),挂载时要指向文件本身。因为容器内这个文件夹下还有内置的其他文件,挂载成目录会导致配置错误、不能启动
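# Template: replace {nginx-path} and {path} before running.
# The network is elknetwork (the one created earlier) and the config file is
# filebeat.yml (the name it has after the mv step); if the host path does not
# exist, Docker creates a directory there and Filebeat cannot start.
# The ":ro" on docker.sock does not limit Docker API calls made through the
# socket: a root container holding it can control the Docker daemon. Keep the
# two Docker mounts only if filebeat.yml uses Docker autodiscover/metadata.
docker run -d --name filebeat --user=root --net elknetwork \
  --volume="{nginx-path}:/var/log/nginx/" \
  --volume="{path}/filebeat.yml:/usr/share/filebeat/filebeat.yml:ro" \
  --volume="/var/lib/docker/containers:/var/lib/docker/containers:ro" \
  --volume="/var/run/docker.sock:/var/run/docker.sock:ro" \
  store/elastic/filebeat:7.1.1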
----------------------------
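# Filebeat only reads the nginx logs and the Docker container logs, so both
# directories are mounted read-only.
# The ":ro" on docker.sock does not limit Docker API calls made through the
# socket: a root container holding it can control the Docker daemon.
# NOTE(review): the two Docker mounts are only needed if filebeat.yml uses
# Docker autodiscover/metadata; with just the log input for
# /var/log/nginx/*.log they can presumably be dropped - confirm against the
# final filebeat.yml.
docker run -d --name filebeat --user=root --net elknetwork \
  -v /var/log/nginx/:/var/log/nginx/:ro \
  --volume="/usr/share/logstash/filebeat/filebeat.yml:/usr/share/filebeat/filebeat.yml:ro" \
  --volume="/var/lib/docker/containers:/var/lib/docker/containers:ro" \
  --volume="/var/run/docker.sock:/var/run/docker.sock:ro" \
  store/elastic/filebeat:7.1.1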
7、操作:
1、访问nginx(宿主机 8080 端口),产生访问日志
宿主机的 /var/log/nginx/ 同步更新
logstash 容器内的 /tmp/logstash-nginx-accesslog-日期 文件同步更新
2、kibana
打开http://192.168.8.46:5601/
点击:Management---kibana---index pattern-----Create index pattern 即可在Discover进行查询