ELK notes 2: starting an ELK stack with Docker
1 Requirements
1) Start an elasticsearch instance with docker
2) Start a kibana instance with docker
3) Start a logstash instance with docker
4) Use logstash to collect the dmesg and syslog logs
2 Startup steps
2.1 Pull the docker images
The author pulls directly from Docker Hub here; the images can also be pulled from the path given on the official site (downloading via the official path may be slower).
- docker pull elasticsearch:7.6.1
- docker pull kibana:7.6.1
- docker pull logstash:7.6.1
2.2 Start the docker containers
- Start elasticsearch
Here /usr/share/elasticsearch/config is copied to a local directory so the configuration can be edited; the -v argument can be dropped if that is not needed.
docker run -d --name=elasticsearch_7.6.1 -p 9203:9200 -p 9303:9300 -e "discovery.type=single-node" -e ES_JAVA_OPTS="-Xms512m -Xmx512m" \
-v /home/xg/soft/bigdata/elk7.6.1/docker/es_config:/usr/share/elasticsearch/config \
elasticsearch:7.6.1
- Start kibana
Here /usr/share/kibana/config is copied to a local directory so the configuration can be edited; the -v argument can be dropped if that is not needed.
docker run -d --name=kibana_7.6.1 --link elasticsearch_7.6.1:elasticsearch -p 5603:5601 \
-v /home/xg/soft/bigdata/elk7.6.1/docker/kibana_config:/usr/share/kibana/config \
kibana:7.6.1
- Start logstash
This one has several directory mappings: syslog and dmesg are mounted so that logstash can read the host's logs, the pipline directory holds the input, output and filter rules, and logstash_config and testlog can be dropped as needed.
docker run -d --name=logstash_7.6.1 --link elasticsearch_7.6.1:elasticsearch \
-v /home/xg/soft/bigdata/elk7.6.1/docker/logstash_config:/usr/share/logstash/config \
-v /home/xg/soft/bigdata/elk7.6.1/docker/pipline:/usr/share/logstash/pipeline \
-v /home/xg/soft/bigdata/log/testlog:/var/log/testlog \
-v /var/log/syslog:/var/log/syslog_host \
-v /var/log/dmesg:/var/log/dmesg_host \
logstash:7.6.1
(The two host log files only need to be read, so adding a :ro suffix to those two -v mappings keeps the container from being able to modify the host's logs.)
Note: the pipeline directory for logstash must not be empty; if it is, logstash exits on its own.
The logstash pipeline configuration lives in the pipeline directory. Below is a pipeline the author wrote; default.conf covers syslog, dmesg and es_error (the es_error log is not mapped into the container above, so that block can be deleted):
input {
  file {
    path => "/var/log/syslog_host"
    type => "syslog"
    start_position => "beginning"
  }
  file {
    path => "/var/log/dmesg_host"
    type => "dmesg"
    start_position => "beginning"
  }
  file {
    path => "/home/xg/soft/bigdata/log/es6.8.8/es6.8.log"
    type => "es_error"
    start_position => "beginning"
    codec => multiline {
      # Grok pattern names are valid! :)
      pattern => "^\["
      negate => true
      what => "previous"
    }
  }
}
filter {
}
output {
  if [type] == "syslog" {
    elasticsearch {
      hosts => ["elasticsearch:9200"]
      index => "syslog-%{+YYYY.MM.dd}"
    }
  }
  if [type] == "dmesg" {
    elasticsearch {
      hosts => ["elasticsearch:9200"]
      index => "dmesg-%{+YYYY.MM.dd}"
    }
  }
  if [type] == "es_error" {
    elasticsearch {
      hosts => ["elasticsearch:9200"]
      index => "es_error-%{+YYYY.MM.dd}"
    }
  }
}
The simplest way, with no data volumes mounted (7.2.1 is used as the example here):
docker run --name=es7.2.1 -d -p 9204:9200 -p 9304:9300 -e "discovery.type=single-node" docker.elastic.co/elasticsearch/elasticsearch:7.2.1
docker run --name=kibana7.2.1 -d --link es7.2.1:elasticsearch -p 5604:5601 docker.elastic.co/kibana/kibana:7.2.1
2.3 A multi-purpose ELK instance management script
The author wrote a small script for personal use to manage the ELK containers from one place; adapt it as needed.
#!/bin/bash
help()
{
cat <<_EOF
Help function:
bash updown_docker_elk.sh help|start|stop|restart|new|es|kibana|logstash|rm
=> start|stop|restart es|kibana|logstash|all
_EOF
}
elk_rm()
{
docker stop elasticsearch_7.6.1
docker rm elasticsearch_7.6.1
docker stop kibana_7.6.1
docker rm kibana_7.6.1
docker stop logstash_7.6.1
docker rm logstash_7.6.1
}
elk_start()
{
case "$1" in
es)
docker start elasticsearch_7.6.1
;;
kibana)
docker start kibana_7.6.1
;;
logstash)
docker start logstash_7.6.1
;;
all)
docker start elasticsearch_7.6.1
sleep 15
docker start kibana_7.6.1
sleep 10
docker start logstash_7.6.1
;;
*)
help
exit 1
;;
esac
}
elk_restart()
{
case "$1" in
es)
docker restart elasticsearch_7.6.1
;;
kibana)
docker restart kibana_7.6.1
;;
logstash)
docker restart logstash_7.6.1
;;
all)
docker restart elasticsearch_7.6.1
sleep 15
docker restart kibana_7.6.1
sleep 10
docker restart logstash_7.6.1
;;
*)
help
exit 1
;;
esac
}
elk_stop()
{
case "$1" in
es)
docker stop elasticsearch_7.6.1
;;
kibana)
docker stop kibana_7.6.1
;;
logstash)
docker stop logstash_7.6.1
;;
all)
docker stop logstash_7.6.1
docker stop kibana_7.6.1
docker stop elasticsearch_7.6.1
;;
*)
help
exit 1
;;
esac
}
elk_new(){
docker stop elasticsearch_7.6.1
docker rm elasticsearch_7.6.1
docker stop kibana_7.6.1
docker rm kibana_7.6.1
docker stop logstash_7.6.1
docker rm logstash_7.6.1
# es
elk_es
# kibana
sleep 15
elk_kibana
# logstash
elk_logstash
}
elk_es()
{
docker run -d --name=elasticsearch_7.6.1 -p 9203:9200 -p 9303:9300 -e "discovery.type=single-node" -e ES_JAVA_OPTS="-Xms512m -Xmx512m" \
-v /home/xg/soft/bigdata/elk7.6.1/docker/es_config:/usr/share/elasticsearch/config \
elasticsearch:7.6.1
}
elk_kibana()
{
docker run -d --name=kibana_7.6.1 --link elasticsearch_7.6.1:elasticsearch -p 5603:5601 \
-v /home/xg/soft/bigdata/elk7.6.1/docker/kibana_config:/usr/share/kibana/config \
kibana:7.6.1
}
elk_logstash()
{
docker run -d --name=logstash_7.6.1 --link elasticsearch_7.6.1:elasticsearch \
-v /home/xg/soft/bigdata/elk7.6.1/docker/logstash_config:/usr/share/logstash/config \
-v /home/xg/soft/bigdata/elk7.6.1/docker/pipline:/usr/share/logstash/pipeline \
-v /home/xg/soft/bigdata/log/testlog:/var/log/testlog \
-v /var/log/syslog:/var/log/syslog_host \
-v /var/log/dmesg:/var/log/dmesg_host \
logstash:7.6.1
}
case "$1" in
help)
help
;;
start)
elk_start $2
;;
restart)
elk_restart $2
;;
stop)
elk_stop $2
;;
new)
elk_new
;;
es)
elk_es
;;
kibana)
elk_kibana
;;
logstash)
elk_logstash
;;
rm)
elk_rm
;;
*)
echo "Unknown command: $1"
help
exit 1
;;
esac
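As an added example that is not part of the author's script, the fixed sleep 15 between starting elasticsearch and kibana in the "all" branches can be replaced by a readiness check against the _cluster/health API. Port 9203 is taken from the -p 9203:9200 mapping above; ES_URL, the function names and the 2-second polling interval are this example's own assumptions.

```shell
#!/bin/sh
# Readiness probe for the single-node elasticsearch started above.
# Port 9203 matches the -p 9203:9200 mapping; ES_URL is an assumption.
ES_URL="${ES_URL:-http://localhost:9203}"

# es_health_ok BODY: succeed when a _cluster/health response reports
# status green or yellow. A single-node cluster stays yellow for any
# index that wants replicas, so yellow counts as usable.
es_health_ok() {
    case "$1" in
        *'"status":"green"'*|*'"status":"yellow"'*) return 0 ;;
        *) return 1 ;;
    esac
}

# wait_for_es TIMEOUT_SECONDS: poll every 2s until the cluster answers
# with a usable status; fail after the timeout instead of hanging.
wait_for_es() {
    timeout="${1:-60}"
    elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        # -m 2 bounds each probe; a failed curl yields an empty body
        body=$(curl -s -m 2 "$ES_URL/_cluster/health" 2>/dev/null || true)
        if es_health_ok "$body"; then
            echo "elasticsearch ready after ${elapsed}s"
            return 0
        fi
        sleep 2
        elapsed=$((elapsed + 2))
    done
    echo "elasticsearch not ready after ${timeout}s" >&2
    return 1
}

# Drop-in for the "all" branch of elk_start above:
#   docker start elasticsearch_7.6.1
#   wait_for_es 90 && docker start kibana_7.6.1
if [ "${1:-}" = "wait" ]; then
    wait_for_es "${2:-60}"
fi
```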
2.4 Test results
- es: list all indices
- kibana: view the syslog logs uploaded by logstash
Notes
- Installing and removing ELK 7.17.12, and enabling authentication (as of 2023/08/10)
Pull the images:
docker pull docker.elastic.co/elasticsearch/elasticsearch:7.17.12
docker pull docker.elastic.co/kibana/kibana:7.17.12
Start es and kibana:
docker network create elastic
docker run -d --name elasticsearch_7.17.12 --net elastic -p 9200:9200 -p 9300:9300 -e "discovery.type=single-node" docker.elastic.co/elasticsearch/elasticsearch:7.17.12
docker run -d --name kibana_7.17.12 --net elastic -p 5601:5601 -e "ELASTICSEARCH_HOSTS=http://elasticsearch_7.17.12:9200" docker.elastic.co/kibana/kibana:7.17.12
There is no username or password by default; your-ip:9200 or your-ip:5601 can be opened directly. Note that -p 9200:9200 publishes the port on every host interface, so until authentication is enabled (next item) the cluster is reachable unauthenticated by anything that can reach the host; binding the port to loopback with -p 127.0.0.1:9200:9200 limits that while testing.
Stop the services:
docker stop elasticsearch_7.17.12
docker stop kibana_7.17.12
Remove the services:
docker network rm elastic
docker rm elasticsearch_7.17.12
docker rm kibana_7.17.12
HTTP authentication is off by default; it can be enabled as follows:
1) Adjust the es configuration file
# vim config/elasticsearch.yml
cluster.name: "docker-cluster"
network.host: 0.0.0.0
xpack.security.enabled: true  # added: enables HTTP basic auth
xpack.monitoring.collection.enabled: true  # added: enables /app/monitoring in kibana; it can also be switched on manually in the kibana UI
Copy the file into the container:
docker cp elasticsearch.yml es-7-17-12:/usr/share/elasticsearch/config/
Restart the instance after copying, otherwise you get the error: ERROR: X-Pack Security is disabled by configuration
2) Generate the user passwords
docker exec -it es-7-17-12 bash
$ bin/elasticsearch-setup-passwords interactive
Confirm with yes and enter passwords as required; here "elastic" was entered for all of them.
3) Adjust the kibana configuration file
# vim config/kibana.yml
server.host: "0.0.0.0"
server.shutdownTimeout: "5s"
elasticsearch.hosts: [ "http://elasticsearch:9200" ]
monitoring.ui.container.elasticsearch.enabled: true
elasticsearch.username: "elastic"  # added
elasticsearch.password: "elastic"  # added
Copy the file into the container:
docker cp kibana.yml kibana-7-17-12:/usr/share/kibana/config/kibana.yml
Restart kibana and you can now log in with the password.
Two things to check when following these steps: the container names (es-7-17-12, kibana-7-17-12) and the elasticsearch host name in kibana.yml must match the names actually used when the containers were started (the commands in the previous item used elasticsearch_7.17.12 and kibana_7.17.12), and kibana is meant to connect as the built-in kibana_system user, whose password the same setup-passwords run sets, rather than as the elastic superuser. Since kibana.yml holds that password in plaintext, keep the file's permissions tight.
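Once xpack.security.enabled has been set, the change is worth confirming from outside the container: an anonymous request must now get 401 and a request with the new credentials 200. The following check is an added example, not part of the original notes; port 9200 and the user elastic follow the 7.17.12 commands above, while ES_URL, ES_PASS and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Post-change check: does the cluster now reject anonymous requests?
# Port 9200 and the user "elastic" follow the 7.17.12 commands above;
# ES_URL and ES_PASS are this example's own assumptions.
ES_URL="${ES_URL:-http://localhost:9200}"
ES_USER="${ES_USER:-elastic}"

# auth_verdict ANON_CODE AUTH_CODE: classify the HTTP status codes seen
# without and with credentials. Returns 0 only when anonymous access is
# refused (401) and the supplied credentials are accepted (200).
auth_verdict() {
    case "$1:$2" in
        401:200) echo "ok: anonymous rejected, credentials accepted"; return 0 ;;
        200:*)   echo "FAIL: anonymous access allowed, security not enforced"; return 1 ;;
        401:401) echo "FAIL: credentials rejected, check the password"; return 1 ;;
        000:*)   echo "FAIL: no answer from $ES_URL"; return 1 ;;
        *)       echo "FAIL: unexpected codes anon=$1 auth=$2"; return 1 ;;
    esac
}

# http_code [curl options...] URL: print only the status code,
# 000 when curl could not connect or is not installed.
http_code() {
    code=$(curl -s -o /dev/null -m 5 -w '%{http_code}' "$@" 2>/dev/null) || true
    printf '%s' "${code:-000}"
}

# check_es_auth: probe the cluster root twice and classify the pair.
check_es_auth() {
    anon=$(http_code "$ES_URL/")
    # Credentials reach curl through a config read from stdin (-K -)
    # rather than -u on the command line, so they do not show up in ps.
    auth=$(printf 'user = "%s:%s"\n' "$ES_USER" "${ES_PASS:?set ES_PASS}" \
           | http_code -K - "$ES_URL/")
    auth_verdict "$anon" "$auth"
}

if [ "${1:-}" = "check" ]; then
    check_es_auth
fi
```

Run it as ES_PASS=... sh check_es_auth.sh check; a FAIL line with both codes 200 means the restart after docker cp was skipped and security is still off.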
3 Remarks
- Software environment
The author's test system is Ubuntu 20.04 Desktop
ELK version 7.6.1
- References
installing-elastic-stack