1. 容器化部署elasticsearch
docker run -d -p 9200:9200 -p 9300:9300 -e "discovery.type=single-node" docker.elastic.co/elasticsearch/elasticsearch:6.4.2
check:
curl http://127.0.0.1:9200/_cat/health
2. 容器化部署kibana
docker run -d --name kibana -e ELASTICSEARCH_URL="http://your_ip:9200" -p 5601:5601 docker.elastic.co/kibana/kibana:6.4.2
check:
浏览器访问:localhost:5601
3. 二进制启动filebeat
获取二进制包
curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-6.4.2-linux-x86_64.tar.gz
tar xzvf filebeat-6.4.2-linux-x86_64.tar.gz
编辑修改filebeat.yml
有几处需要注意,enable必须为true,且paths中的路径有访问权限。
- type: log
# Change to true to enable this input configuration.
enabled: true
# Paths that should be crawled and fetched. Glob based paths.
paths:
- /var/lib/docker/containers/*/*.log
#- c:\programdata\elasticsearch\logs\*
# 对外接的elastic search 配置
output.elasticsearch:
# Array of hosts to connect to.
hosts: ["localhost:9200"]
sudo chown root filebeat.yml
sudo nohup ./filebeat -e -c filebeat.yml -d "publish" &
测试过程中,发现kibana总是无法创建index pattern,
在这里查到
but no index will be created in ES until you load data from a source (like Logstash or Beats) or until you create it using the API yourself.
You can check what indices you have in your ES by running a “GET _cat/indices” on localhost:9200 (or your ES host and port).
原理filebeat 一直没有数据过来,容器化部署时,没有获取容器日志目录的权限,有空再查下吧。
795
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
