关闭防火墙和 SELinux（仅限实验环境：关闭后容器映射出的 5601/9200/9300/9100 端口会对整个网络开放，生产环境应只放行所需端口并保留 SELinux）
# Lab shortcut: with firewalld stopped, every port published by docker below
# (5601, 9200, 9300, 9100) is reachable from the whole network; in production
# open only the ports that are needed instead of disabling the firewall.
systemctl stop firewalld
systemctl disable firewalld
# Permissive mode until the next reboot only (the SELinux config file is not changed).
setenforce 0
安装 Docker 并拉取镜像
# Install the distribution's Docker package and start the daemon. It is not
# enabled at boot here; add `systemctl enable docker` if it must survive a reboot.
yum -y install docker
systemctl start docker
# Pull the 7.1.1 images; the tag matches the Filebeat 7.1.1 rpm installed later.
# Tags are mutable: for a reproducible deployment pin by digest
# (image@sha256:<digest>, taking the value from `docker images --digests`).
docker pull elasticsearch:7.1.1
docker pull kibana:7.1.1
查看镜像
# List local images to confirm both pulls succeeded.
docker images
启动容器
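# User-defined bridge network: containers on it resolve each other by name,
# so the Kibana image's default elasticsearch.hosts (http://elasticsearch:9200)
# points at the container started below.
docker network create somenetwork
# Start Elasticsearch before Kibana so Kibana's first connection attempts
# succeed (the original order started Kibana first; it retries, but logs
# errors meanwhile). -p binds on all interfaces: 9200/9300 are reachable by
# any host that can reach this machine, and this image ships with no
# authentication enabled by default.
docker run -d --name elasticsearch --net somenetwork \
  -p 9200:9200 -p 9300:9300 \
  -e "discovery.type=single-node" elasticsearch:7.1.1
docker run -d --name kibana --net somenetwork -p 5601:5601 kibana:7.1.1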
查看启动状态
# Confirm both containers show "Up" rather than restarting.
docker ps
Kibana中文设置
查看 kibana 的容器 ID 并进入容器（容器启动时已用 --name kibana 命名，也可以直接用容器名代替 ID）
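# Open a shell in the Kibana container. The original used the container ID
# 0cf3785f7bb9 copied from the author's host; IDs differ on every machine,
# whereas the name given by `--name kibana` at docker run is stable.
docker exec -it kibana bash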
添加配置
# Edit Kibana's config inside the container. Edits made this way live only in
# this container's filesystem: they survive `docker restart` but are lost if the
# container is removed and recreated (bind-mount the file or pass settings as
# environment variables for a durable setup).
vi /usr/share/kibana/config/kibana.yml
# Address Kibana uses to reach Elasticsearch (plain HTTP, no credentials).
# 192.168.163.100 is the author's host IP; on the shared docker network the
# container name (http://elasticsearch:9200) presumably resolves as well — confirm.
elasticsearch.hosts: [ "http://192.168.163.100:9200" ]
# Switch the Kibana UI to Simplified Chinese.
i18n.locale: "zh-CN"
重启kibana
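# Restart Kibana so the edited kibana.yml is read. Restart by name rather than
# by the host-specific ID 0cf3785f7bb9 the original used.
docker restart kibana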
安装 elasticsearch-head
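# elasticsearch-head: a browser UI that talks to Elasticsearch on :9200
# directly from the browser (which is why CORS is enabled on ES below).
docker pull mobz/elasticsearch-head:5
# Named like the other containers so it can be restarted/inspected by name.
# The original ran docker.io/mobz/elasticsearch-head:5 — the same image, just
# spelled with the registry prefix. Port 9100 is published on all interfaces;
# bind it locally (-p 127.0.0.1:9100:9100) unless the UI must be reachable
# from other hosts.
docker run -d --name elasticsearch-head -p 9100:9100 mobz/elasticsearch-head:5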
进入 elasticsearch 容器
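# Open a shell in the Elasticsearch container. The original line read
# `docker exec -it3c44e8af553f bash`: the space after -it was missing, and the
# ID 3c44e8af553f only exists on the author's host, so use the --name instead.
docker exec -it elasticsearch bash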
跨域设置（head 是在浏览器里直接访问 9200 端口，因此需要开启 CORS；allow-origin 设为 "*" 意味着用户打开的任意网页都能向这个无认证的 ES 发请求，生产环境应只允许 head 所在的地址）
# Relative path, resolved against the container's working directory — presumably
# the Elasticsearch home, i.e. /usr/share/elasticsearch/config/elasticsearch.yml; confirm.
vim config/elasticsearch.yml
# Allow browser pages (elasticsearch-head) to call the REST API cross-origin.
http.cors.enabled: true
# "*" accepts requests from any origin, and this cluster has no authentication,
# so any web page a user on this network opens could read or delete data via
# the user's browser. Restrict to where head is served from, e.g.
# "http://<head-host>:9100" (placeholder), once the setup works.
http.cors.allow-origin: "*"
重启 elasticsearch容器
# Restart so elasticsearch.yml is re-read; uses the --name given at docker run.
docker restart elasticsearch
客户机下载并安装 Filebeat
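# Download the Filebeat 7.1.1 rpm (same version as the Elasticsearch/Kibana images).
curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.1.1-x86_64.rpm
# Verify the package signature before installing: import Elastic's signing key,
# then let rpm check it. `rpm -vi` on its own only warns (NOKEY) and still
# installs an unsigned or tampered package, so install only if the check passes.
rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
rpm --checksig filebeat-7.1.1-x86_64.rpm && rpm -vi filebeat-7.1.1-x86_64.rpm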
配置 Filebeat
# Filebeat's main config; the fragment below shows only the keys to change.
vim /etc/filebeat/filebeat.yml
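# --- filebeat.yml (Filebeat 7.1.1): only the keys to edit are shown ---
# Indentation is significant in YAML. The original listing had lost it
# (list item and its keys all at column 0, setup.ilm.* apparently nested under
# output.elasticsearch), which does not parse; the structure below is restored.
# The default file already contains the filebeat.inputs and output.elasticsearch
# sections — edit them in place rather than adding a second copy.

filebeat.inputs:
# log path
- type: log
  enabled: true
  tags: ["super-user-center"]
  paths:
    - /data/logs/application/super-user-center/console/spring.log
  # merge Java multi-line log records: a line that does NOT start with a
  # "YYYY-M-D H:M:S" timestamp is appended to the previous event
  multiline:
    pattern: '^\d{4}-\d{1,2}-\d{1,2}\s\d{1,2}:\d{1,2}:\d{1,2}'
    negate: true
    match: after

# change the index name
output.elasticsearch:
  # Plain HTTP with no credentials: anything on the path to :9200 can read or
  # alter what is shipped. Replace with your Elasticsearch address (the Kibana
  # step above used 192.168.163.100 — the two must point at the same host).
  hosts: ["192.168.1.41:9200"]

# setup.ilm.* are top-level keys, not children of output.elasticsearch
setup.ilm.enabled: auto
setup.ilm.rollover_alias: "channel"
setup.ilm.pattern: "channel-*"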
查看索引
# List indices to confirm Filebeat is shipping. IP is a placeholder for the
# Elasticsearch host (192.168.1.41 above). Note this needs no credentials:
# anyone who can reach :9200 gets the same view.
curl http://IP:9200/_cat/indices
在 Kibana 中创建索引模式并设置筛选查看。下面是定时清理旧索引的脚本 clear-index.sh：
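#!/bin/bash
# clear-index.sh: delete an old Elasticsearch index so that only the last
# 5 days of log indices are kept. Intended to be run daily from cron.
set -euo pipefail

# Elasticsearch endpoint. Plain HTTP and no credentials: any host that can
# reach :9200 can issue this DELETE, so keep the listener off untrusted networks.
ES_URL="http://192.168.1.41:9200"

# Index date 5 days back, formatted YYYY.MM.DD. The original line lacked the
# $(...) command substitution, so LAST_DATA held the literal word "date" and
# "-d" was run as a command.
# shellcheck disable=SC2034 — kept for the dated-index target (see NOTE below)
LAST_DATA=$(date -d "-5 days" "+%Y.%m.%d")

# NOTE(review): the original deleted the fixed index "user" and never used
# LAST_DATA, while its comment spoke of deleting last month's indices. The
# dated index name to remove (e.g. "<prefix>-${LAST_DATA}", placeholder) is not
# known from this page, so the literal target is kept until confirmed.
INDEX="user"

# Straight quotes: the original wrapped the URL in ‘ ’, which curl would have
# sent as part of the URL. --fail turns a rejected or failed delete (e.g. 404)
# into a non-zero exit so cron reports it instead of silently succeeding.
curl --fail -sS -X DELETE "${ES_URL}/${INDEX}"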
再设置一个 crontab 定时任务即可
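# Run clear-index.sh every day at 01:00 (fields: min hour dom mon dow).
# The leading "1" in the original listing looks like a rendered line number
# (the script above was shown with the same 1,2,3,4 prefixes), not a sixth
# field — confirm; with six fields cron would take the extra "*" as the
# start of the command and never run the script.
0 1 * * * /data1/elk/scripts/clear-index.sh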