# ELK setup + filebeat

Data flow

Beats -> Logstash -> Elasticsearch <-> Kibana

  • Create a Docker network

    docker network create elknetwork
    
  • Install the data store: Elasticsearch

    docker pull docker.elastic.co/elasticsearch/elasticsearch:7.14.0
    
    # The bind mount below replaces the image's whole config directory, so
    # /home/docker/conf/elasticsearch must already hold elasticsearch.yml,
    # jvm.options and log4j2.properties (copy them out of the image with
    # docker create + docker cp); with an empty host directory the container
    # does not start. Until the "Enable authentication" section is done,
    # port 9200 answers without any credentials on every host interface.
    docker run -d \
    	--name elasticsearch \
    	--net elknetwork \
    	-v /etc/localtime:/etc/localtime \
    	-v /etc/timezone:/etc/timezone \
    	-v /home/docker/conf/elasticsearch:/usr/share/elasticsearch/config \
    	-p 9200:9200 \
    	-p 9300:9300 \
    	-e "discovery.type=single-node" \
    	docker.elastic.co/elasticsearch/elasticsearch:7.14.0
    	
    docker ps | grep elasticsearch
    # check that it started: the reply is a JSON document carrying the version
    curl 127.0.0.1:9200
    
  • Install the visualization tool: Kibana

    docker pull docker.elastic.co/kibana/kibana:7.14.0
    
    # Same caveat as for Elasticsearch: the mount replaces the image's config
    # directory, so /home/docker/conf/kibana needs a kibana.yml (copy the
    # image's default out first) or Kibana fails on startup.
    docker run -d \
    	--name kibana \
    	--net elknetwork \
    	-v /etc/localtime:/etc/localtime \
    	-v /etc/timezone:/etc/timezone \
    	-v /home/docker/conf/kibana:/usr/share/kibana/config \
    	-p 5601:5601 \
    	-e "ELASTICSEARCH_HOSTS=http://elasticsearch:9200" \
    	docker.elastic.co/kibana/kibana:7.14.0
    	
    docker ps | grep kibana
    # check that it started; open http://ip:5601 in a browser
    curl http://127.0.0.1:5601
    
  • Install the data processing tool: Logstash

    docker pull docker.elastic.co/logstash/logstash:7.14.0
    
    mkdir -p /home/docker/conf/logstash/pipeline /home/docker/conf/logstash/config
    
    # Both mounts replace directories from the image. config/ has to hold the
    # image's logstash.yml, pipelines.yml and log4j2.properties (copy them out
    # with docker create + docker cp), and pipeline/ needs at least one *.conf
    # with a beats input on 5044 and an elasticsearch output, which these notes
    # do not show. With both directories empty Logstash finds no pipeline and exits.
    docker run -d \
    	--name logstash \
    	--net elknetwork \
    	-v /etc/localtime:/etc/localtime \
    	-v /etc/timezone:/etc/timezone \
    	-p 5044:5044 \
    	-v /home/docker/conf/logstash/pipeline/:/usr/share/logstash/pipeline/ \
    	-v /home/docker/conf/logstash/config/:/usr/share/logstash/config/ \
    	docker.elastic.co/logstash/logstash:7.14.0
    
    docker ps | grep logstash
    
    
  • Install the log shipper: Filebeat

    docker pull docker.elastic.co/beats/filebeat:7.14.0
    
    # --user=root is what lets Filebeat read the host and container logs mounted
    # below. The docker.sock mount is only needed for add_docker_metadata or
    # autodiscover, and :ro does not restrict what can be done through the
    # socket (Docker API access is root-equivalent on the host), so drop it
    # unless those features are used. The container is not attached to
    # elknetwork, which is why the config later points at the host IP and the
    # published port 5044 instead of logstash:5044.
    docker run -d \
    	--name filebeat \
    	--user=root \
    	-v /etc/localtime:/etc/localtime \
    	-v /etc/timezone:/etc/timezone \
    	-v /home/docker/conf/filebeat/filebeat.docker.yml:/usr/share/filebeat/filebeat.yml:ro \
    	-v /home/docker/logs/:/var/log/filebeat/:ro \
    	-v /var/lib/docker/containers:/var/lib/docker/containers:ro \
    	-v /var/run/docker.sock:/var/run/docker.sock:ro \
    	docker.elastic.co/beats/filebeat:7.14.0 filebeat
    	
    
    
  • Enable authentication

    1. Add the following to elasticsearch.yml (on the host: /home/docker/conf/elasticsearch/elasticsearch.yml):

      xpack.security.enabled: true
      xpack.security.authc.accept_default_password: false
      
    2. Restart Elasticsearch:

      docker restart elasticsearch
      
    3. Initialize the built-in users' passwords. The command runs inside the container and prompts for elastic, kibana_system, logstash_system, beats_system, apm_system and remote_monitoring_user:

      docker exec -it elasticsearch /usr/share/elasticsearch/bin/elasticsearch-setup-passwords interactive
      
    4. Add/modify the following in filebeat.docker.yml. output.logstash has no username/password options (the Beats-to-Logstash hop is secured with TLS, not a user); the Elasticsearch credentials belong in the Logstash pipeline's elasticsearch output (its user/password options), or in output.elasticsearch if Filebeat ships directly:

      filebeat.inputs:
      - type: log
        enabled: true
        tags: ["xxx-yyy"]
        paths:
          - /var/log/filebeat/xxx-yyy/catalina.out
      # host IP and published port, because the filebeat container is not on elknetwork
      output.logstash:
        hosts: ["192.168.100.201:5044"]
      # Direct-to-Elasticsearch alternative. A fallback after ':' in ${VAR:fallback}
      # is a plaintext password in this file; keep it in the keystore instead
      # (filebeat keystore add ELASTICSEARCH_PASSWORD) and reference it without a fallback.
      #output.elasticsearch:
      #  hosts: '${ELASTICSEARCH_HOSTS:elasticsearch:9200}'
      #  username: '${ELASTICSEARCH_USERNAME:elastic}'
      #  password: '${ELASTICSEARCH_PASSWORD}'
      
    5. Restart Filebeat:

      docker restart filebeat

    6. Add/modify the following in logstash.yml. These settings only cover monitoring; the pipeline's elasticsearch output authenticates separately with its own user/password:

      http.host: "0.0.0.0"
      xpack.monitoring.enabled: true   # without this the three lines below are ignored
      xpack.monitoring.elasticsearch.hosts: [ "http://elasticsearch:9200" ]
      # the built-in logstash_system user (password set in step 3) is all monitoring needs; elastic is the superuser
      xpack.monitoring.elasticsearch.username: "elastic"
      xpack.monitoring.elasticsearch.password: "Mofar123"
      
    7. Restart Logstash:

      docker restart logstash

    8. Add the following to kibana.yml:

      elasticsearch.hosts: ["http://elasticsearch:9200"]
      elasticsearch.username: "kibana_system"
      elasticsearch.password: "Mofar123"   # the kibana_system password set in step 3
      xpack.security.encryptionKey: "134275508981772424006115915913889817"   # any string of 32+ characters; generate your own random one (e.g. openssl rand -hex 32) rather than copying this value

    9. Restart Kibana:

      docker restart kibana
      
    10. Log in with the superuser account (elastic / the password set in step 3) and create the users and roles you need.
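The steps above never show the files the bind mounts need, and they put passwords straight into config files. The following script is added here as an example and is not part of the original notes: it generates the whole secured configuration tree from the settings in these steps. It seeds the host directories from the images when docker is available, writes elasticsearch.yml, kibana.yml, logstash.yml, a Logstash pipeline and filebeat.docker.yml with every password as a `${VAR}` reference, checks that no literal password slipped in, and can verify that Elasticsearch now answers 401 to anonymous requests. The env var names, the pipeline file name beats.conf and the `verify` subcommand are my choices; the paths, ports, tags and image versions are the ones from the notes.

```shell
#!/bin/sh
# Added example, not from the original notes: build the bind-mounted config trees
# for the secured stack. Passwords are never written as literals; each service
# expands ${VAR} from its environment (or keystore) when it starts.
# Assumed (my choices): the env var names, the pipeline file name beats.conf and
# the tree /home/docker/conf/{elasticsearch,kibana,logstash,filebeat}.

# Copy the images' default config files out first so the bind mounts do not hide
# jvm.options, log4j2.properties, pipelines.yml and friends (needs docker).
seed_from_images() {
  for svc in elasticsearch kibana logstash; do
    dest="$1/$svc"; [ "$svc" = logstash ] && dest="$1/logstash/config"
    mkdir -p "$dest"
    id=$(docker create "docker.elastic.co/$svc/$svc:7.14.0")
    docker cp "$id:/usr/share/$svc/config/." "$dest"
    docker rm "$id" >/dev/null
  done
}

write_elk_configs() {
  root="$1"
  mkdir -p "$root/elasticsearch" "$root/kibana" "$root/logstash/config" \
           "$root/logstash/pipeline" "$root/filebeat"

  # The mount replaces the image's elasticsearch.yml, so network.host must be
  # set here or the published ports stay unreachable.
  cat > "$root/elasticsearch/elasticsearch.yml" <<'EOF'
cluster.name: "docker-cluster"
network.host: 0.0.0.0
discovery.type: single-node
xpack.security.enabled: true
xpack.security.authc.accept_default_password: false
EOF

  # Kibana expands ${VAR} from the container environment (run it with
  # -e KIBANA_SYSTEM_PASSWORD=...); the encryption key is random unless supplied.
  key="${KIBANA_ENCRYPTION_KEY:-$(head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n')}"
  cat > "$root/kibana/kibana.yml" <<EOF
server.host: "0.0.0.0"
elasticsearch.hosts: ["http://elasticsearch:9200"]
elasticsearch.username: "kibana_system"
elasticsearch.password: "\${KIBANA_SYSTEM_PASSWORD}"
xpack.security.encryptionKey: "$key"
EOF

  # Monitoring uses the built-in logstash_system user, not the elastic superuser.
  cat > "$root/logstash/config/logstash.yml" <<'EOF'
http.host: "0.0.0.0"
xpack.monitoring.enabled: true
xpack.monitoring.elasticsearch.hosts: ["http://elasticsearch:9200"]
xpack.monitoring.elasticsearch.username: "logstash_system"
xpack.monitoring.elasticsearch.password: "${LOGSTASH_SYSTEM_PASSWORD}"
EOF

  # Pipeline: Beats in on 5044, authenticated Elasticsearch out. Logstash takes
  # ES_USER/ES_PASSWORD from -e flags or from bin/logstash-keystore.
  cat > "$root/logstash/pipeline/beats.conf" <<'EOF'
input { beats { port => 5044 } }
output {
  elasticsearch {
    hosts    => ["http://elasticsearch:9200"]
    user     => "${ES_USER}"
    password => "${ES_PASSWORD}"
    index    => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
  }
}
EOF

  # output.logstash has no username/password options: the only credentials on
  # the Beats path are in the Logstash -> Elasticsearch hop above.
  cat > "$root/filebeat/filebeat.docker.yml" <<EOF
filebeat.inputs:
  - type: log
    enabled: true
    tags: ["xxx-yyy"]
    paths:
      - /var/log/filebeat/xxx-yyy/catalina.out
output.logstash:
  hosts: ["${LOGSTASH_HOST:-192.168.100.201:5044}"]
EOF
}

# 0 when every password setting under the tree is a ${VAR} reference, else 1.
no_plaintext_secrets() {
  ! grep -rhE '(^[[:space:]]*|\.)password[[:space:]]*(:|=>)' "$1" | grep -qvF '${'
}

# After elasticsearch-setup-passwords: anonymous must get 401, elastic 200.
verify_security() {
  [ "$(curl -s -o /dev/null -w '%{http_code}' http://127.0.0.1:9200/)" = 401 ] &&
  [ "$(curl -s -o /dev/null -w '%{http_code}' -u "elastic:$ES_PASSWORD" http://127.0.0.1:9200/)" = 200 ]
}

case "${1:-}" in
  '') ;;   # no argument: only define the functions
  verify) verify_security && echo "auth OK: 401 anonymous, 200 for elastic" ;;
  *) command -v docker >/dev/null && seed_from_images "$1"
     write_elk_configs "$1"
     no_plaintext_secrets "$1" && echo "configs written under $1, no literal secrets" ;;
esac
```

Run `sh gen-elk-conf.sh /home/docker/conf` before the docker run commands, then start the containers with the secrets passed as `-e KIBANA_SYSTEM_PASSWORD=...`, `-e LOGSTASH_SYSTEM_PASSWORD=...` and `-e ES_USER=elastic -e ES_PASSWORD=...` (or add the Logstash ones with logstash-keystore). Set KIBANA_ENCRYPTION_KEY if you ever regenerate the tree; otherwise Kibana gets a fresh key and can no longer decrypt its saved objects. After elasticsearch-setup-passwords, `ES_PASSWORD=... sh gen-elk-conf.sh verify` confirms that anonymous access is really closed.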

Note: index names

Index names are constrained by the file system. Lowercase letters only, and they cannot start with an underscore. They must also follow these rules:

  • Cannot include \, /, *, ?, ", <, >, |, space, comma, #
  • A colon (:) was accepted before 7.0 but discouraged, and is no longer allowed from 7.0 on
  • Cannot start with -, _, +
  • Cannot be . or ..
  • Cannot be longer than 255 bytes (multi-byte characters count more than once)
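A checker for these rules, added here as an example and not part of the original notes. Beyond the rules listed above it also derives a valid name from an arbitrary string (a service name or hostname), which is what you need when index names are built from user-supplied labels. The sample names at the bottom are constructed; the `logs-` prefix used when nothing usable is left is my choice.

```shell
#!/bin/sh
# Added example, not from the original notes: check a candidate name against the
# 7.x index-name rules above, and derive a valid name from an arbitrary string
# (service name, hostname). Sample inputs at the bottom are constructed.

# Characters that may not appear anywhere in an index name (':' since 7.0).
FORBIDDEN='\/*?"<>| ,#:'

# Returns 0 if $1 is a valid index name, 1 otherwise.
valid_index_name() {
  n="$1"
  [ -n "$n" ] || return 1
  case "$n" in
    .|..)     return 1 ;;   # reserved
    -*|_*|+*) return 1 ;;   # forbidden leading character
  esac
  case "$n" in
    *["$FORBIDDEN"]*) return 1 ;;   # forbidden character anywhere
    *[[:upper:]]*)    return 1 ;;   # lowercase only
  esac
  # the limit is 255 bytes, so count bytes, not characters
  [ "$(printf '%s' "$n" | wc -c | tr -d ' ')" -le 255 ]
}

# Derive a valid name: lowercase, forbidden characters -> '-', drop a leading run
# of -, _ or +, truncate to 255 (ASCII input assumed for the truncation).
sanitize_index_name() {
  s=$(printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]' \
        | sed 's@[\\/*?"<>| ,#:]@-@g; s@^[-_+]*@@' | cut -c1-255)
  case "$s" in ''|.|..) s="logs-$s" ;; esac   # nothing usable left (prefix is my choice)
  printf '%s' "$s"
}

# Constructed samples: names this stack would produce, plus invalid ones.
for name in filebeat-7.14.0-2021.08.24 xxx-yyy-2021.08.24 Tomcat-Logs _internal \
            'app logs' app:prod . ; do
  if valid_index_name "$name"; then echo "ok        $name"; else echo "rejected  $name"; fi
done
echo "sanitized: $(sanitize_index_name 'My App/Prod:2021')"
```

The byte-length check matters for non-ASCII labels: a 200-character name made of CJK characters is 600 bytes and is rejected by Elasticsearch even though it looks short.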