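Original author: 灼灼2015
Link: https://www.jianshu.com/p/460a307adebb
Elasticsearch, Logstash and Kibana, ELK for short, make up a log platform.
Uses: locating bugs, historical statistics.
Ever since Docker came along, the urge has been to put everything into it.
1. Planning
Collect the localhost_access logs from N application servers, process the data with Logstash (filter), store and index the data in Elasticsearch, and finally use the log information through the Kibana graphical interface.
Because the JDK would otherwise be configured repeatedly, prepare an ELK base image in advance.
Preparation: download JDK 1.8
Write the Dockerfile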
FROM centos:latest
MAINTAINER yangxi
VOLUME [ "/opt/product/data/" ]
# Set the container time zone to Asia/Shanghai
RUN /bin/cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
RUN /bin/echo -e 'ZONE="Asia/Shanghai"\nUTC=false\nRTC=false' > /etc/sysconfig/clock
RUN mkdir -p /opt/product/tools/
# ./tools holds the unpacked JDK
ADD ./tools /opt/product/tools/
ENV JAVA_HOME /opt/product/tools/jdk1.8.0_51
CMD ["/usr/sbin/init"]
docker build -t elkbase:v1.0 ./
This produces the ELK base image.
3. Elasticsearch configuration
Official ELK website: https://www.elastic.co
Download the Elasticsearch tar package
Write the Dockerfile
FROM elkbase:v1.0
MAINTAINER yangxi
VOLUME [ "/opt/product/data/" ]
ADD ./elasticsearch-6.1.1 /opt/product/elasticsearch-6.1.1
RUN useradd elk && chown -R elk:elk /opt/product/elasticsearch-6.1.1
ADD elastic.sh /root/
RUN chmod +x /root/elastic.sh
EXPOSE 9200
EXPOSE 9300
ENTRYPOINT ["/root/elastic.sh"]
CMD ["/usr/sbin/init"]
- Write the startup script
#!/bin/bash
# Write the first limit with ">" and append the rest with ">>";
# using ">" on every line would leave only the last entry in the file
echo "* soft nofile 65536" > /etc/security/limits.conf
echo "* hard nofile 131072" >> /etc/security/limits.conf
echo "* soft nproc 2048" >> /etc/security/limits.conf
echo "* hard nproc 4096" >> /etc/security/limits.conf
echo "vm.max_map_count=655360" > /etc/sysctl.conf
sysctl -p
# Use the configuration file kept on the mounted data volume
cd /opt/product/elasticsearch-6.1.1/config/
rm -rf elasticsearch.yml
cp /opt/product/data/elk/elasticsearch.yml .
chown -R elk:elk /opt/product/elasticsearch-6.1.1
chown -R elk:elk /opt/product/data/elk/elasticsearchdata
su - elk <
docker build -t elasticsearch:v1.0 ./
- Elasticsearch configuration
Under the /opt/product/data directory,
create an elk directory and copy the elasticsearch.yml file into it
Set:
path.data: /opt/product/data/elk/elasticsearchdata
network.host: 0.0.0.0
Create the elasticsearchdata directory under /opt/product/data
Start
docker run --privileged --name es --restart=always -d -ti -v /opt/product/data:/opt/product/data -p 9200:9200 -p 9300:9300 elasticsearch:v1.0 /bin/bash
- Access
http://ip:9200/kimchy/tweet/1?pretty
If a JSON string is returned, it is working.
4. Logstash configuration
Download the Logstash tar package
Write the Dockerfile
FROM elkbase:v1.0
MAINTAINER yangxi
VOLUME [ "/opt/product/data/" ]
ADD ./logstash-6.1.1 /opt/product/logstash-6.1.1
ADD logstash.sh /root/
RUN chmod +x /root/logstash.sh
EXPOSE 5044
EXPOSE 4560
EXPOSE 8080
ENTRYPOINT ["/root/logstash.sh"]
CMD ["/usr/sbin/init"]
- Write the startup script
#!/bin/bash
export JAVA_HOME=/opt/product/tools/jdk1.8.0_151
export PATH=$JAVA_HOME/bin:$PATH
JAVA_OPTS="$JAVA_OPTS -Dfile.encoding=UTF8 -Duser.timezone=GMT+08"
cd /opt/product/logstash-6.1.1/config/
rm -rf logstash.yml
cp /opt/product/data/elk/logstash.yml logstash.yml
/opt/product/logstash-6.1.1/bin/logstash -f /opt/product/data/elk/logstash.conf
docker build -t logstash:v1.0 ./
- Configure Logstash
Create logstash.conf under the /opt/product/data/elk directory
input {
  beats {
    port => "5044"
  }
}
output {
  elasticsearch {
    # replace with the address of the Elasticsearch host
    hosts => ["elasticsearch的ip:9200"]
    index => "logstash-tomcat-accesslog-%{+YYYY.MM.dd}"
  }
}
logstash.yml
Copy Logstash's own logstash.yml to the /opt/product/data/elk directory
Create the logstashdata directory under /opt/product/data/elk
- Start Logstash
docker run --name logstash --privileged=true --restart=always -d -ti -v /opt/product/data:/opt/product/data -p 5044:5044 -p 4560:4560 -p 18080:8080 logstash:v1.0 /bin/bash
5. Kibana configuration
Download Kibana
Write the Dockerfile
FROM elkbase:v1.0
MAINTAINER yangxi
VOLUME [ "/opt/product/data/" ]
ADD ./kibana-6.1.1-linux-x86_64 /opt/product/kibana-6.1.1-linux-x86_64
ADD kibana.sh /root/
RUN chmod +x /root/kibana.sh
EXPOSE 5601
ENTRYPOINT ["/root/kibana.sh"]
CMD ["/usr/sbin/init"]
- Write the run script
#!/bin/bash
export JAVA_HOME=/opt/product/tools/jdk1.8.0_151
export PATH=$JAVA_HOME/bin:$PATH
cd /opt/product/kibana-6.1.1-linux-x86_64/config/
rm -rf kibana.yml
ln -s /opt/product/data/elk/kibana.yml .
cd /opt/product/kibana-6.1.1-linux-x86_64/
rm -rf data
ln -s /opt/product/data/elk/kibanadata /opt/product/kibana-6.1.1-linux-x86_64/data
/opt/product/kibana-6.1.1-linux-x86_64/bin/kibana
docker build -t kibana:v1.0 ./
- Configuration
Create kibana.yml under the /opt/product/data/elk directory
server.port: 5601
server.host: "0.0.0.0"
elasticsearch.url: "http://ip:9200"
- Start
docker run --name kibana --privileged=true --restart=always -d -ti -v /opt/product/data:/opt/product/data -p 5601:5601 kibana:v1.0 /bin/bash
- Access
http://ip:5601/
6. Filebeat configuration
Download Filebeat
Write the Dockerfile
FROM elkbase:v1.0
MAINTAINER yangxi
VOLUME [ "/opt/product/data/" ]
ADD ./filebeat-6.1.2-linux-x86_64 /opt/product/filebeat-6.1.2-linux-x86_64
ADD filebeat.sh /root/
RUN chmod +x /root/filebeat.sh
ENTRYPOINT ["/root/filebeat.sh"]
CMD ["/usr/sbin/init"]
- Write the run script
#!/bin/bash
export JAVA_HOME=/opt/product/tools/jdk1.8.0_151
export PATH=$JAVA_HOME/bin:$PATH
cd /opt/product/filebeat-6.1.2-linux-x86_64/
rm -rf filebeat.yml
ln -s /opt/product/data/elk/filebeat.yml .
rm -rf data
ln -s /opt/product/data/elk/filebeatdata /opt/product/filebeat-6.1.2-linux-x86_64/data
/opt/product/filebeat-6.1.2-linux-x86_64/filebeat -e -c filebeat.yml
docker build -t filebeat:v1.0 ./
- Configure Filebeat
Create filebeat.yml under the /opt/product/data/elk directory
filebeat.prospectors:
- input_type: log
  document_type: tomcataccess
  paths:
    - /opt/product/data/logs/tomcat/localhost_access_log*.txt
    - /opt/product/data/epg2logs/tomcat/localhost_access_log*.txt
output.logstash:
  # The Logstash hosts
  hosts: ["ip:5044"]
Create filebeatdata under the /opt/product/data/elk directory
- Start Filebeat
docker run -d -ti --privileged -v /opt/product/data:/opt/product/data filebeat:v1.0 /bin/bash
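7. UI
Visit http://ip:5601/
- Configure an index pattern
Because the logs are currently collected by Filebeat, the Index name or pattern is logstash-*
Interface display
8. Errors encountered
- Installing Logstash from the rpm produced the following error; switching to extracting the tar.gz worked normally.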
error: unpacking of archive failed on file /usr/share/logstash/vendor/bundle/jruby/1.9/gems/logstash-filter-geoip-4.0.4-java/vendor/GeoLite2-City.mmdb;58776068: cpio: read failed - No such file or directory
- After starting Elasticsearch in Docker, it could be reached from inside the container but not through ip:port.
ERROR: bootstrap checks failed
max virtual memory areas vm.max_map_count [65530] is too low, increase to at least [262144]
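- When it cannot be reached through IP:PORT,
server.host: "localhost" needs to be changed to server.host: 0.0.0.0
COPY, ADD and similar operations use paths relative to the Dockerfile; absolute paths cause an error.
Because elastic, kibana and logstash need to access disk space mounted from the host, privileged mode (--privileged) must be enabled when the containers are created.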
docker run --name es --privileged --restart=always -d -ti -v /opt/product/data:/opt/product/data -p 9200:9200 -p 9300:9300 elasticsearch:v1.0 /bin/bash
docker run --name kibana --privileged=true --restart=always -d -ti -v /opt/product/data:/opt/product/data -p 5601:5601 kibana:v1.0 /bin/bash
docker run --name logstash --privileged=true --restart=always -d -ti -v /opt/product/data:/opt/product/data -p 5044:5044 -p 4560:4560 -p 18080:8080 logstash:v1.0 /bin/bash
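An added check, not part of the original post: the function below flags the two settings in these docker run commands that widen a container's exposure, --privileged and ports published on every host interface. A -v bind mount does not by itself need --privileged; HARDENED_CMD is a constructed alternative whose address 10.0.0.5 and host-side settings are assumptions.

```shell
#!/bin/sh
# audit_run: print one finding per risky option in a `docker run` command line
# that is passed in as a single string.
audit_run() {
    prev=""
    set -f                          # no globbing while the command line is split
    for arg in $1; do
        case "$arg" in
            --privileged|--privileged=true)
                echo "privileged: all capabilities and host devices are granted" ;;
        esac
        if [ "$prev" = "-p" ] || [ "$prev" = "--publish" ]; then
            case "$arg" in
                0.0.0.0:*:*) echo "port ${arg#0.0.0.0:}: published on every host interface" ;;
                *:*:*)       ;;     # explicit bind address, nothing to report
                *:*)         echo "port $arg: published on every host interface" ;;
            esac
        fi
        prev=$arg
    done
    set +f
}

# The Elasticsearch command from this page.
PAGE_CMD='docker run --privileged --name es --restart=always -d -ti -v /opt/product/data:/opt/product/data -p 9200:9200 -p 9300:9300 elasticsearch:v1.0 /bin/bash'

# Constructed alternative. Assumptions: vm.max_map_count is raised on the host
# (sysctl -w vm.max_map_count=262144), file limits come from --ulimit, the
# bind mount is relabelled with :Z on an SELinux host, and 10.0.0.5 is the
# internal address that Logstash and Kibana use to reach Elasticsearch.
HARDENED_CMD='docker run --name es --restart=always -d --ulimit nofile=65536:131072 -v /opt/product/data:/opt/product/data:Z -p 10.0.0.5:9200:9200 -p 10.0.0.5:9300:9300 elasticsearch:v1.0'

echo "page command:";     audit_run "$PAGE_CMD"
echo "hardened command:"; audit_run "$HARDENED_CMD"
```

Elasticsearch 6.1.1 as configured here accepts requests on 9200 without authentication, so the publish address decides who can read or delete the indices.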