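# User-defined bridge so the ELK containers can reach each other by container
# name (e.g. elasticsearch:9200) without publishing extra host ports.
docker network create elknetwork
docker pull elasticsearch:7.6.2
# Elasticsearch refuses to start below this mmap limit. `sysctl -w` is not
# persistent; put vm.max_map_count=262144 in /etc/sysctl.d/ to survive a reboot.
sysctl -w vm.max_map_count=262144
# -p: do not fail when the directory already exists (same as the logstash step).
mkdir -p /usr/local/elk/elasticsearch/config
# Throw-away container used only to copy the image's default config out.
# No ports are published for it: nothing should talk to this instance.
docker run --name elasticsearch -d -e ES_JAVA_OPTS="-Xms512m -Xmx512m" -e "discovery.type=single-node" elasticsearch:7.6.2
docker cp elasticsearch:/usr/share/elasticsearch/config/elasticsearch.yml /usr/local/elk/elasticsearch/config/
docker cp elasticsearch:/usr/share/elasticsearch/config/jvm.options /usr/local/elk/elasticsearch/config/
docker rm -f elasticsearch
# Real instance with the copied config bind-mounted (heap size now comes from
# the mounted jvm.options, so ES_JAVA_OPTS is no longer needed).
# `-p 9200:9200` publishes on every host interface, and the 7.6 image runs with
# X-Pack security off unless xpack.security.enabled is set in elasticsearch.yml,
# so this node answers unauthenticated to anything that can reach the host.
# Firewall 9200/9300 or use `-p 127.0.0.1:9200:9200` when only local clients
# and containers on elknetwork need access.
docker run --name elasticsearch \
  --net elknetwork \
  -d -e "discovery.type=single-node" \
  -p 9200:9200 -p 9300:9300 \
  -v /usr/local/elk/elasticsearch/config/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml \
  -v /usr/local/elk/elasticsearch/config/jvm.options:/usr/share/elasticsearch/config/jvm.options \
  elasticsearch:7.6.2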
浏览器访问 http://127.0.0.1:9200,返回服务器信息表示启动成功:
docker pull kibana:7.6.2
# Kibana joins elknetwork so it can reach the elasticsearch container by name.
# 5601 is published on all host interfaces, and Kibana has no login screen
# unless Elasticsearch security is enabled, so restrict the port (firewall or
# `-p 127.0.0.1:5601:5601`) if the host is not on a trusted network.
docker run --name kibana --net elknetwork -p 5601:5601 -d kibana:7.6.2
访问 http://127.0.0.1:5601 (启动可能会较慢,如失败等几秒再尝试刷新一下)
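docker pull logstash:7.6.2
mkdir -p /usr/local/elk/logstash/config
# Throw-away container used only to copy the image's default config out
# (no TTY needed for a detached container, so -it is dropped).
docker run -d -p 5044:5044 --name logstash --net elknetwork logstash:7.6.2
docker cp logstash:/usr/share/logstash/config/logstash.yml /usr/local/elk/logstash/config/
docker cp logstash:/usr/share/logstash/pipeline/logstash.conf /usr/local/elk/logstash/config/
docker rm -f logstash
# Real instance. logstash.yml must be mounted back to the path it was copied
# from (/usr/share/logstash/config/logstash.yml); mounting it one level up at
# /usr/share/logstash/logstash.yml leaves Logstash on the image's defaults and
# silently ignores every edit made to the host copy.
# 5044 (beats input) is published on all host interfaces and the pipeline
# configures no TLS or client authentication on it, so limit access to the
# hosts that actually run Filebeat.
docker run -d -p 5044:5044 \
  --name logstash --net elknetwork \
  -v /usr/local/elk/logstash/config/logstash.yml:/usr/share/logstash/config/logstash.yml \
  -v /usr/local/elk/logstash/config/logstash.conf:/usr/share/logstash/pipeline/logstash.conf \
  logstash:7.6.2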
修改配置文件
logstash.yml
# Logstash pipeline definition. This is the logstash.conf that is bind-mounted
# into /usr/share/logstash/pipeline/ (not logstash.yml, which holds node settings).
input {
# Beats listener on 5044. No ssl/certificate options are set, so Filebeat
# traffic is plaintext and any client that can reach the port can send events.
beats {
port => 5044
}
}
# Parse the log timestamp out of each line
filter {
# Extract the leading ISO8601 timestamp from the raw line into `logdate`.
grok {
match => { "message" => "%{TIMESTAMP_ISO8601:logdate}" }
}
# Interpret `logdate` as Asia/Shanghai wall-clock time and write it to
# @timestamp (Logstash stores @timestamp in UTC).
date {
match => [ "logdate", "ISO8601" ]
timezone => "Asia/Shanghai"
target => "@timestamp"
}
# NOTE(review): this adds a further 8h (8*60*60 s) to the instant that the
# date filter already converted from Asia/Shanghai. Unless the goal is to keep
# local wall-clock time inside a UTC field, events land 8h late, which shifts
# every timeline and correlation built on @timestamp — confirm before keeping.
ruby {
code => "
event.set('@timestamp', LogStash::Timestamp.at(event.get('@timestamp').time.localtime + 8*60*60))
"
}
# Merge continuation lines (stack traces, multi-line errors) into the previous
# event: a line that does not start with "YYYY-MM-DD HH:MM:SS" belongs to the
# event before it.
# NOTE(review): the multiline *filter* plugin is deprecated and, as far as I
# know, not shipped in the default 7.x distribution (the multiline codec on the
# input side replaced it); verify it is installed or the pipeline will fail to
# load.
multiline {
pattern => "^\d{4}-\d{1,2}-\d{1,2}\s\d{1,2}:\d{1,2}:\d{1,2}"
negate => true
what => "previous"
}
}
output {
# Debug sink: every event with all its fields goes to the container's stdout
# (docker logs). Remove in production — it doubles log volume and exposes event
# contents to anyone who can read the Docker logs.
stdout {
codec => rubydebug
}
elasticsearch {
hosts => ["192.168.0.201:9200"] # Elasticsearch host IP; no user/password set, so
# this depends on ES running with security disabled
index => "eas-serverlog-%{+YYYY.MM}" # one index per month
}
}
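# Fetch the Filebeat tarball and check it against the SHA-512 sidecar Elastic
# publishes next to every artifact, so a tampered or truncated download is
# rejected before it is unpacked and executed.
# -f: fail on HTTP errors instead of saving an error page under the tarball name.
curl -fL -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.6.2-linux-x86_64.tar.gz
curl -fL -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.6.2-linux-x86_64.tar.gz.sha512
shasum -a 512 -c filebeat-7.6.2-linux-x86_64.tar.gz.sha512 || exit 1
tar xzvf filebeat-7.6.2-linux-x86_64.tar.gz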
修改filebeat.yml配置文件
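# The tar step above unpacks into the current directory; this path assumes the
# archive was fetched and extracted under /usr/local/filebeat. Abort if the cd
# fails instead of launching whatever ./filebeat happens to be in the current
# directory.
cd /usr/local/filebeat/filebeat-7.6.2-linux-x86_64 || exit 1
# -e sends Filebeat's own log to stderr; together with stdout it is captured in
# start.log. filebeat.yml is expected to point output.logstash at the Logstash
# 5044 port published above — confirm before starting.
nohup ./filebeat -e -c filebeat.yml > start.log 2>&1 &
exit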