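Deploying ELK with Docker
ELK is an acronym for three open-source projects: Elasticsearch, Logstash and Kibana. In practice Filebeat is usually added as well. It is a lightweight log collection agent that uses few resources, which makes it suitable for gathering logs on each server and forwarding them to Logstash.
Preparing the YML files
This deployment uses docker-compose, and all images are version 8.4.3.
Directory layout (under the home directory)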
elk
- docker-compose.yml
- elasticsearch.yml
- kibana.yml
- logstash.yml
- logstash.conf
- filebeat.yml
- data/
  - elasticsearch/
  - logs/
The data/elasticsearch/ folder stores the Elasticsearch data; data/logs is the directory that holds the logs to be collected.
docker-compose.yml
```
version: "3"
services:
  es:
    image: docker.elastic.co/elasticsearch/elasticsearch:8.4.3
    labels:
      co.elastic.logs/enabled: "false"
    hostname: docker-es
    ports:
      # No host IP given, so both ports are published on every host interface
      - "9200:9200"
      - "9300:9300"
    environment:
      - discovery.type=single-node
      - "ES_JAVA_OPTS=-Xms1g -Xmx1g"
      - ELASTIC_PASSWORD=elastic
      - KIBANA_PASSWORD=elastic
    volumes:
      - ./elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
      - ./data/elasticsearch:/usr/share/elasticsearch/data
  kibana:
    image: docker.elastic.co/kibana/kibana:8.4.3
    labels:
      co.elastic.logs/enabled: "false"
    hostname: docker-kibana
    ports:
      - "5601:5601"
    volumes:
      - ./kibana.yml:/usr/share/kibana/config/kibana.yml
    depends_on:
      - es
  logstash:
    image: docker.elastic.co/logstash/logstash:8.4.3
    hostname: docker-logstash
    labels:
      co.elastic.logs/enabled: "false"
    ports:
      - "5044:5044"
      - "9600:9600"
    volumes:
      - ./logstash.yml:/usr/share/logstash/config/logstash.yml
      - ./logstash.conf:/usr/share/logstash/pipeline/logstash.conf
      - ./data/logs:/logs
    environment:
      # Logstash reads its JVM options from LS_JAVA_OPTS, not ES_JAVA_OPTS
      - "LS_JAVA_OPTS=-Xms512m -Xmx512m"
      - "LS_OPTS=--config.reload.automatic"
    depends_on:
      - es
  filebeat:
    image: docker.elastic.co/beats/filebeat:8.4.3
    labels:
      co.elastic.logs/enabled: "false"
    user: root
    hostname: docker-filebeat
    volumes:
      - ./filebeat.yml:/usr/share/filebeat/filebeat.yml
      # Read-only access to container logs and the Docker socket for autodiscover
      - "/var/lib/docker/containers:/var/lib/docker/containers:ro"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    depends_on:
      - es
```
Points to note here:
The Elasticsearch login password is ELASTIC_PASSWORD=elastic,
the initial Kibana password is KIBANA_PASSWORD=elastic
elasticsearch.yml
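```
# Listen on all interfaces inside the container
network.host: 0.0.0.0
http.port: 9200
transport.port: 9300
# CORS enabled with a wildcard: any origin may call the HTTP API
http.cors.enabled: true
http.cors.allow-origin: "*"
# Authentication is on, but TLS is off for both HTTP and transport,
# so credentials and data are sent unencrypted
xpack.security.enabled: true
xpack.security.http.ssl.enabled: false
xpack.security.transport.ssl.enabled: false
```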
kibana.yml
```
server:
  host: "0.0.0.0"
  port: 5601
# ES
elasticsearch:
  hosts: ["http://docker-es:9200"]
  username: "kibana_system"
  password: "elastic"
# Chinese localization
i18n.locale: "zh-CN"
```
Note that the password here must match the initial Kibana password in docker-compose.yml.
logstash.yml
```
http.host: "0.0.0.0"
path.config: /usr/share/logstash/pipeline/*.conf
xpack.monitoring.enabled: false
```
logstash.conf
```
input {
  file {
    path => "/logs/*.log"
    start_position => "beginning"
  }
}
output {
  elasticsearch {
    hosts => [ "http://docker-es:9200" ]
    user => "elastic"
    password => "elastic"
    index => "logstash-%{+YYYY-MM-dd}"
  }
}
```
The password here is the Elasticsearch login password.
filebeat.yml
```
filebeat.config:
  modules:
    path: ${path.config}/modules.d/*.yml
    reload.enabled: false
filebeat.autodiscover:
  providers:
    - type: docker
      hints.enabled: true
processors:
  - add_cloud_metadata: ~
output.elasticsearch:
  hosts: 'docker-es:9200'
  username: 'elastic'
  password: 'elastic'
```
The password here is the Elasticsearch login password.
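The files above use passwords equal to the account name, disable TLS, allow any CORS origin, publish ports on every host interface and ship logs as the built-in elastic superuser. The following check is an added example, not part of the original post, that flags those settings in config text. The rule names, the 12-character threshold, the deny-list, the `hardened.yml` excerpt and the `${ES_PASSWORD}` variable are assumptions made for illustration.

```python
import re

WEAK = {"elastic", "changeme", "password"}  # assumed deny-list for this example
RULES = [  # (rule id, line pattern, optional predicate on the match)
    ("weak-password",
     re.compile(r"(?i)password[\"']?\s*(?:=>|[:=])\s*[\"']?([^\"'\s]+)"),
     lambda m: not m.group(1).startswith("$")      # env-var reference is fine
     and (m.group(1).lower() in WEAK or len(m.group(1)) < 12)),
    ("tls-disabled",
     re.compile(r"xpack\.security\.(?:http|transport)\.ssl\.enabled:\s*false"), None),
    ("cors-wildcard",
     re.compile(r"http\.cors\.allow-origin:\s*[\"']?\*"), None),
    ("port-on-all-interfaces",                      # "9200:9200" has no host IP
     re.compile(r"^\s*-\s*[\"']?\d+:\d+[\"']?\s*$"), None),
    ("superuser-account",                           # built-in elastic superuser
     re.compile(r"(?i)\buser(?:name)?\s*(?:=>|:)\s*[\"']elastic[\"']"), None),
]

def audit(files):
    """Return sorted (file, line number, rule id) findings for {name: text}."""
    findings = []
    for name, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            if line.lstrip().startswith("#"):
                continue  # skip comment lines
            for rule_id, pattern, pred in RULES:
                m = pattern.search(line)
                if m and (pred is None or pred(m)):
                    findings.append((name, lineno, rule_id))
    return sorted(findings)

# Constructed sample: excerpts of the settings shown on this page, plus a
# hypothetical hardened excerpt that should produce no findings.
SAMPLE = {
    "docker-compose.yml": 'ports:\n  - "9200:9200"\nenvironment:\n  - ELASTIC_PASSWORD=elastic\n',
    "elasticsearch.yml": 'http.cors.allow-origin: "*"\nxpack.security.http.ssl.enabled: false\n',
    "logstash.conf": 'user => "elastic"\npassword => "elastic"\n',
    "hardened.yml": '  - "127.0.0.1:9200:9200"\npassword: "${ES_PASSWORD}"\n',
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```

To run it against the real files, build the dictionary from the elk directory, for example `{p.name: p.read_text() for p in pathlib.Path(".").glob("*.y*ml")}` plus `logstash.conf`.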
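Before installing
Before installing, be sure to give the data directory the highest permissions; otherwise the Elasticsearch installation fails with an insufficient-permissions error.
```
chmod -R 777 /home/elk/data
```
Also make the related yml files executable:
```
chmod +x *.yml
```
Installation
Run the following in the elk directory.
It is best to pull the images beforehand; otherwise the command runs for too long and fails.
```
docker-compose up -d
```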
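Verifying Elasticsearch and Kibana
Log in to Elasticsearch on port 9200, username/password: elastic/elastic
Log in to Kibana on port 5601, username/password: elastic/elastic
If both logins work, Elasticsearch and Kibana have been deployed successfully.
Verifying Filebeat and Logstash
In the left-hand menu, find Management, click it, and open Data Views.
filebeat and logstash appear on the right-hand side, which confirms that the deployment succeeded.
Create the logstash data view:
Verifying log collection
The ultimate goal is for log files to be monitored and shipped to ES automatically. You can now create any file ending in .log in the logs directory.
abc.log
First time deploying ELK, so excited, ahhhhh ohhhhhhhh
View it on Kibana's Discover page: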
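Other issues
Resetting the passwords of elastic, kibana_system and the other users
Enter the bin directory of the elasticsearch container and run:
```
./elasticsearch-setup-passwords interactive
```
After ELK restarts, ES starts normally but Kibana may report errors
Solution:
Delete the Kibana-related indices, usually .kibana*. At this point they can only be deleted through the Elasticsearch API, and deleting the Kibana-related indices only works with the kibana_system user's username and password.
- Get the indices and aliases (ES username and password)
http://10.1.34.159:9200/_aliases
- Remove the index alias (kibana_system username and password)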
```
http://10.1.34.159:9200/_aliases
{
  "actions": [
    {
      "remove": {
        "index": ".kibana_task_manager_8.4.3_001",
        "alias": ".kibana_task_manager_8.4.3"
      }
    }
  ]
}
```
- Delete the index (kibana_system username and password)
http://10.1.34.159:9200/.kibana_task_manager_8.4.3_001