环境准备
# 服务器 IP:192.168.5.20
# 服务器环境:Centos 7.9
# 完成 docker 和 docker-compose 部署
https://juejin.cn/post/7373645836872531978
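# Cap container log size: json-file driver, at most 3 files x 500m per container.
# NOTE: `cat >` silently overwrites an existing daemon.json (registry mirrors,
# data-root, proxies, ...). Keep a backup so those settings are not lost.
[ -f /etc/docker/daemon.json ] && cp -a /etc/docker/daemon.json "/etc/docker/daemon.json.bak.$(date +%s)"
cat > /etc/docker/daemon.json << 'EOF'
{
  "log-driver": "json-file",
  "log-opts": {
    "max-size": "500m",
    "max-file": "3"
  }
}
EOF
# A daemon restart is required for log-opts; it also restarts every running
# container. Containers that already exist keep their old log settings until
# they are recreated -- only new containers pick up these defaults.
systemctl restart docker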
# 申请 license。其他信息随便填,邮箱必须是真实的,需要接收邮件
https://www.elastiflow.com/basic-license
# 下载模板,选择 8.14-codex 版本
https://www.elastiflow.com/docs/data_platforms/elastic/kibana/
路由器配置
以思科路由器为例
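! Replace 192.168.5.20 with the collector (server) IP.
! NetFlow v9 is plain UDP with no authentication or encryption: keep the path
! between router and collector on a trusted management network.
flow exporter ElastiFLow-FE
 destination 192.168.5.20
 ! Optional: pin the exporter source so the collector always sees the same
 ! exporter address (SNMP interface enrichment presumably polls that address).
 ! source Vlan6
 transport udp 9995
 export-protocol netflow-v9
 ! Resend v9 templates every 60s so a (re)started collector can decode
 ! records without waiting for the default template refresh.
 template data timeout 60
 exit
flow monitor ElastiFLow-FM
 record netflow ipv4 original-input
 exporter ElastiFLow-FE
 cache timeout active 60
 cache timeout inactive 15
 exit
! Example attaches the monitor to Vlan6; change to your own interface.
interface Vlan6
 ip flow monitor ElastiFLow-FM input
 ip flow monitor ElastiFLow-FM output
! Verify that records are exported and that the cache is populated.
show flow exporter statistics
show flow monitor ElastiFLow-FM cache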
创建部署文件
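# Create the directory, then edit the file. The original
# `mkdir-p /opt/docker-compose.yaml` is both a typo (`mkdir-p`) and, once
# corrected, would create a *directory* named docker-compose.yaml, after which
# vim could not write the file.
mkdir -p /opt && vim /opt/docker-compose.yaml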
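#---start---
services:
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:8.14.0
    container_name: elasticsearch
    # Come back after `systemctl restart docker` / reboots, like the collector.
    restart: unless-stopped
    environment:
      - discovery.type=single-node
      - xpack.security.enabled=true
      # HTTP and transport TLS are OFF: every request to Elasticsearch,
      # including the elastic password, travels in plaintext. This is only
      # acceptable because 9200 is published on loopback (see ports:) and the
      # other services reach it over the private bridge network / host loopback.
      - xpack.security.http.ssl.enabled=false
      - xpack.security.transport.ssl.enabled=false
      # Change the password. Prefer setting ELASTIC_PASSWORD in /opt/.env
      # (kept out of version control) over editing the fallback value here.
      - ELASTIC_PASSWORD=${ELASTIC_PASSWORD:-qqwwee123}
      - bootstrap.memory_lock=true
      - TZ=Asia/Shanghai
      # Keep -Xms and -Xmx equal (Elasticsearch wants a fixed heap) and at
      # most ~50% of host RAM; the original -Xms4g/-Xmx8g mismatch invites
      # heap-resize pauses.
      - "ES_JAVA_OPTS=-Xms4g -Xmx4g"
    ulimits:
      memlock: -1
    volumes:
      - es-data:/usr/share/elasticsearch/data
    ports:
      # Publish 9200 on loopback only. The collector runs with
      # network_mode: host and connects to 127.0.0.1:9200; Kibana uses the
      # bridge network; nobody else needs an unencrypted Elasticsearch.
      # Ports published by Docker are inserted into iptables by the daemon and
      # are reachable regardless of firewalld rules, so "0.0.0.0:9200" would be
      # open to the LAN even though the firewall section never opens it.
      # 9300 (transport) is not needed for a single-node cluster.
      - "127.0.0.1:9200:9200"
    networks:
      - elastic
  kibana:
    image: docker.elastic.co/kibana/kibana:8.14.0
    container_name: kibana
    restart: unless-stopped
    environment:
      - ELASTICSEARCH_HOSTS=http://elasticsearch:9200
      # Service-account token; generated later with elasticsearch-service-tokens
      # (see the deployment steps). Treat it like a password.
      - ELASTICSEARCH_SERVICEACCOUNTTOKEN=AAEAAWVsYXN0aWMva2
      # NOTE(review): this is the Elasticsearch-style key; the Kibana image maps
      # env vars as XPACK_SECURITY_... -- it is probably ignored here. Harmless,
      # kept as in the original.
      - xpack.security.enabled=true
      - TZ=Asia/Shanghai
      - I18N_LOCALE=zh-CN
    volumes:
      - /etc/localtime:/etc/localtime:ro
    ports:
      # Kibana is served over plain HTTP on every interface: the login form
      # sends credentials in the clear. Restrict 5601 to an admin network in
      # firewalld, or put a TLS reverse proxy in front, before wider use.
      - "5601:5601"
    depends_on:
      - elasticsearch
    networks:
      - elastic
  elastiflow:
    image: elastiflow/flow-collector:7.20.0
    container_name: elastiflow
    restart: unless-stopped
    # Host networking so the UDP 9995 listener binds directly on the host;
    # this also means the firewalld rule for 9995/udp is what exposes it.
    network_mode: host
    environment:
      - EF_OUTPUT_ELASTICSEARCH_ENABLE=true
      # Reaches the loopback-published Elasticsearch port (plaintext HTTP).
      - EF_OUTPUT_ELASTICSEARCH_ADDRESSES=127.0.0.1:9200
      - EF_OUTPUT_ELASTICSEARCH_USERNAME=elastic
      # Must match ELASTIC_PASSWORD above; same .env variable so they cannot drift.
      - EF_OUTPUT_ELASTICSEARCH_PASSWORD=${ELASTIC_PASSWORD:-qqwwee123}
      - EF_FLOW_SERVER_UDP_PORT=9995
      # License details from the ElastiFlow e-mail. Keep this file out of VCS.
      - EF_ACCOUNT_ID=69424578ce
      - EF_FLOW_LICENSE_KEY=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
      # The four SNMP settings are optional and may be removed.
      # "public" is the well-known default community and SNMPv2c sends it in
      # plaintext: use a read-only community of your own (or SNMPv3 if the
      # collector supports it) and restrict SNMP access on the router to this host.
      - EF_PROCESSOR_ENRICH_NETIF_SNMP_COMMUNITIES=public
      - EF_PROCESSOR_ENRICH_NETIF_SNMP_VERSION=2
      - EF_PROCESSOR_ENRICH_NETIF_SNMP_TIMEOUT=15
      - EF_PROCESSOR_ENRICH_NETIF_SNMP_RETRIES=2
      - EF_LOGGER_LEVEL=info
      - EF_LICENSE_ACCEPTED=true
      - TZ=Asia/Shanghai
    volumes:
      - /etc/localtime:/etc/localtime:ro
    depends_on:
      - elasticsearch
volumes:
  es-data:
    driver: local
networks:
  elastic:
    driver: bridge
#---end---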
执行部署命令
# Start Elasticsearch alone first; the Kibana token must exist before Kibana starts.
docker-compose up -d elasticsearch
# Enter the container
docker exec -it elasticsearch /bin/bash
# Create a service-account token for Kibana (prints it once; treat it as a secret).
# NOTE(review): the tool writes tokens to config/service_tokens inside the
# container, which is not on the es-data volume -- recreating the container
# (image upgrade, `docker-compose down`) likely discards it and Kibana will
# fail to authenticate; confirm, and persist the config directory if needed.
bin/elasticsearch-service-tokens create elastic/kibana kibana-token
# Paste the printed token into docker-compose.yaml, e.g. (placeholder shown):
- ELASTICSEARCH_SERVICEACCOUNTTOKEN=AAEAAWVsYXN0a
# Bring up the remaining services
docker-compose up -d
开放端口
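# CentOS 7 / firewalld. Both rules are placed in the same (public) zone
# explicitly so they do not depend on whatever the default zone happens to be.
# 9995/udp: the flow collector uses network_mode: host, so this rule is what
#           actually exposes it to the router.
# 5601/tcp: Kibana UI (plain HTTP -- restrict to an admin subnet if possible,
#           e.g. with a rich rule limited by source address instead of --add-port).
# NOTE: ports published by Docker ("ports:" in the compose file) are added to
# iptables by the Docker daemon and are reachable whether or not they are
# opened here -- firewalld does not gate them. That is why Elasticsearch must
# be bound to 127.0.0.1 in the compose file rather than "protected" by this
# firewall (verify with `iptables -L DOCKER -n`).
firewall-cmd --permanent --zone=public --add-port=9995/udp
firewall-cmd --permanent --zone=public --add-port=5601/tcp
firewall-cmd --reload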
Kibana 导入对象
访问 webui,登录 kibana:http://服务器ip:5601(注意:这里是明文 HTTP,登录口令会以明文传输;只应在受信任的内网访问,正式使用前建议在 Kibana 前置 TLS 反向代理,或在防火墙中把 5601 限制到管理网段)
导航到以下路径:首页 -> Stack Management(堆栈管理)-> Kibana -> 已保存对象,导入下载好的模板文件
返回 Dashboard 查看信息
效果展示