docker安装elk

一、创建network

docker network create elknetwork

二、安装elasticsearch 1、拉取镜像

docker pull elasticsearch:7.6.2

2、设置max_map_count

sysctl -w vm.max_map_count=262144

3、创建目录

mkdir /usr/local/elk/elasticsearch/config

4、启动临时容器

docker run --name elasticsearch -d -e ES_JAVA_OPTS="-Xms512m -Xmx512m" -e "discovery.type=single-node" -p 9200:9200 -p 9300:9300 elasticsearch:7.6.2

5、从容器中拷贝配置文件

docker cp elasticsearch:/usr/share/elasticsearch/config/elasticsearch.yml /usr/local/elk/elasticsearch/config/

docker cp elasticsearch:/usr/share/elasticsearch/config/jvm.options /usr/local/elk/elasticsearch/config/

6、修改配置文件

7、删除临时容器，重新启动容器

docker rm -f elasticsearch

docker run --name elasticsearch 
--net elknetwork 
-d -e "discovery.type=single-node" 
-p 9200:9200 -p 9300:9300 
-v /usr/local/elk/elasticsearch/config/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml 
-v /usr/local/elk/elasticsearch/config/jvm.options:/usr/share/elasticsearch/config/jvm.options 
elasticsearch:7.6.2

8、访问服务

浏览器访问 http://127.0.0.1:9200，返回服务器信息表示启动成功：

二、安装kibana 1.拉取镜像

docker pull kibana:7.6.2

2.启动容器

docker run -d --name kibana 
--net elknetwork 
-p 5601:5601 kibana:7.6.2

3、访问服务

访问 http://127.0.0.1:5601  （启动可能会较慢，如失败等几秒再尝试刷新一下）

三、安装logstash 1.拉取镜像

docker pull logstash:7.6.2

2.创建目录

mkdir -p /usr/local/elk/logstash/config

3.启动临时容器复制配置文件

docker run -it -d -p 5044:5044 --name logstash --net elknetwork logstash:7.6.2

docker cp logstash:/usr/share/logstash/config/logstash.yml /usr/local/elk/logstash/config/

docker cp logstash:/usr/share/logstash/pipeline/logstash.conf /usr/local/elk/logstash/config/

4.删除临时容器，启动容器

docker rm -f logstash

docker run -d -p 5044:5044 
--name logstash --net elknetwork 
-v /usr/local/elk/logstash/config/logstash.yml:/usr/share/logstash/logstash.yml 
-v /usr/local/elk/logstash/config/logstash.conf:/usr/share/logstash/pipeline/logstash.conf 
logstash:7.6.2

修改配置文件 

 logstash.yml

input {
  beats {
    port => 5044
  }
}
#过滤日期时间
filter {
	#定义数据的格式
	grok {
		match => { "message" => "%{TIMESTAMP_ISO8601:logdate}" }
	}

	#定义时间戳的格式
	date {
	  match => [ "logdate", "ISO8601" ]
	  timezone => "Asia/Shanghai"
	  target => "@timestamp"
	}
	ruby {
	  code => "
		  event.set('@timestamp', LogStash::Timestamp.at(event.get('@timestamp').time.localtime + 8*60*60))
	  "
	}

    #合并错误日志
	multiline {
		pattern => "^d{4}-d{1,2}-d{1,2}sd{1,2}:d{1,2}:d{1,2}"
		negate => true
		what => "previous"
	}
}

output {
  stdout {
    codec => rubydebug
  }
  elasticsearch {
    hosts => ["192.168.0.201:9200"]  # 定义es服务器的ip
    index => "eas-serverlog-%{+YYYY.MM}" # 定义索引
  }
}

 四、客户端安装FileBeat 1.下载安装FileBeat

curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.6.2-linux-x86_64.tar.gz

tar xzvf filebeat-7.6.2-linux-x86_64.tar.gz

 修改filebeat.yml配置文件

 

 2.启动filebeat

cd /usr/local/filebeat/filebeat-7.6.2-linux-x86_64

nohup ./filebeat -e -c filebeat.yml > start.log 2>&1 &

exit