ela+filebeat+logstash 容器化 kibana
2019-11-21 本文已影响0人
_str_
拉取官方文档镜像到本地
# Pull the four Elastic Stack images from the vendor registry. All of them use
# the same 7.4.2 tag so the components stay on one release.
for image in elasticsearch/elasticsearch beats/filebeat logstash/logstash kibana/kibana; do
  docker pull "docker.elastic.co/${image}:7.4.2"
done
详情请点击官方文档
首先使得 filebeat 中的日志被 logstash 搜集到
创建目录下的树形结构
docker-compose.yml
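---
# Stage 1: Filebeat tails a sample log and ships it to Logstash, which prints
# every event to its own stdout.
# No service publishes a host port here, so the Beats listener (5044) is
# reachable only from containers attached to elk-net.
version: "3.2"

services:
  filebeat:
    image: docker.elastic.co/beats/filebeat:7.4.2
    volumes:
      # Sample log file that Filebeat reads. Filebeat never writes to it, so
      # it is mounted read-only.
      - type: bind
        source: "./filebeat/2018.log"
        target: "/2018.log"
        read_only: true
      # Filebeat configuration. Mounted read-only so the container cannot
      # alter its own config. Filebeat also refuses to start if this file is
      # writable by group/other on the host, so keep it at 0644 or stricter.
      - type: bind
        source: "./filebeat/filebeat.yml"
        target: "/usr/share/filebeat/filebeat.yml"
        read_only: true
    networks:
      - elk-net

  logstash:
    image: docker.elastic.co/logstash/logstash:7.4.2
    # Fixed name: filebeat.yml addresses this container as "logstash:5044".
    container_name: logstash
    volumes:
      # Pipeline definition, mounted over the image's default pipeline file.
      - type: bind
        source: "./logstash/logstash_stdout.conf"
        target: "/usr/share/logstash/pipeline/logstash.conf"
        read_only: true
    networks:
      - elk-net

networks:
  # Private network shared by both services; default driver and settings.
  elk-net: {}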
filebeat/filebeat.yml
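---
# Module configs are loaded from modules.d inside the image; live reloading
# of those files is switched off.
filebeat.config:
  modules:
    path: ${path.config}/modules.d/*.yml
    reload.enabled: false

processors:
  - add_cloud_metadata: ~

# Direct-to-Elasticsearch output, left disabled because events go through
# Logstash instead. If it is ever enabled, keep the credentials in the
# environment variables referenced below rather than writing them here.
#output.elasticsearch:
#  hosts: '${ELASTICSEARCH_HOSTS:elasticsearch:9200}'
#  username: '${ELASTICSEARCH_USERNAME:}'
#  password: '${ELASTICSEARCH_PASSWORD:}'

filebeat.inputs:
  - type: log
    paths:
      # Every *.log file at the container root. With the compose file on this
      # page the only match is the bind-mounted /2018.log.
      - '/*.log'

# Debug alternative: print events to the console instead of shipping them.
#output.console:
#  pretty: true

output.logstash:
  # The Logstash hosts. "logstash" is the container name set in
  # docker-compose.yml and resolves on the shared compose network.
  # NOTE(review): no ssl.* settings are configured, so events travel
  # unencrypted and Logstash does not authenticate the sender. That is
  # tolerable on a private single-host network; configure TLS on both this
  # output and the Logstash beats input before logs cross any other network.
  hosts: ["logstash:5044"]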
logstash/logstash_stdout.conf
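# Earlier variant, kept for reference: read the log file directly instead of
# receiving it from Filebeat.
#input {
#  file {
#    path => "./2018.log"
#    type => "nginx"
#  }
#}

input {
  beats {
    # Port Filebeat connects to; matches hosts: ["logstash:5044"] in
    # filebeat.yml.
    port => 5044
    # Listen on every interface inside the container. The compose file on
    # this page publishes no host port for Logstash, so the listener is only
    # reachable from the compose network.
    # NOTE(review): the listener has no TLS or client authentication, so any
    # peer that can reach 5044 can submit events. Do not publish this port
    # without adding the input's SSL settings first.
    host => "0.0.0.0"
  }
}

output {
  # rubydebug pretty-prints each event in a JSON-like layout on stdout.
  stdout { codec => rubydebug }
}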
具体运行步骤就是:filebeat 这个容器将假数据的 log 读出来,然后 logstash 暴露端口 5044,将日志从 filebeat 中读取并展示出来;因为是前台运行,只能展示到终端里。
加入kibana镜像
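---
# Stage 2: full pipeline. Filebeat -> Logstash -> Elasticsearch, with Kibana
# as the UI.
#
# NOTE(review): no authentication or TLS is configured for Elasticsearch or
# Kibana in this file. The published ports are therefore bound to 127.0.0.1,
# which matches how the walkthrough reaches Kibana (http://127.0.0.1:5601).
# Widen the bind address only after enabling authentication and TLS, or
# behind a firewall or reverse proxy that restricts who can connect.
version: "3.2"

services:
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:7.4.2
    # Fixed name: Logstash and Kibana address this container as
    # "elasticsearch".
    container_name: elasticsearch
    networks:
      - elk-net
    ports:
      # REST API, loopback only. Anyone who can reach this port can read,
      # modify and delete every index.
      - "127.0.0.1:9200:9200"
      # Transport port, loopback only. A single-node setup has no peers that
      # need it from outside the host.
      - "127.0.0.1:9300:9300"
    #restart: always
    environment:
      # Run as a single node (no cluster discovery).
      - discovery.type=single-node
      #- bootstrap.memory_lock=true
      #- "ES_JAVA_OPTS=-Xms512m -Xmx512m"

  filebeat:
    image: docker.elastic.co/beats/filebeat:7.4.2
    volumes:
      # Sample log file that Filebeat reads; mounted read-only because
      # Filebeat never writes to it.
      - type: bind
        source: "./filebeat/2018.log"
        target: "/2018.log"
        read_only: true
      # Filebeat configuration, mounted read-only so the container cannot
      # alter its own config.
      - type: bind
        source: "./filebeat/filebeat.yml"
        target: "/usr/share/filebeat/filebeat.yml"
        read_only: true
    networks:
      - elk-net
    # depends_on only orders container start-up; it does not wait for
    # Logstash to be ready to accept connections.
    depends_on:
      - logstash

  logstash:
    image: docker.elastic.co/logstash/logstash:7.4.2
    # Fixed name: filebeat.yml addresses this container as "logstash:5044".
    container_name: logstash
    volumes:
      # Pipeline definition, mounted over the image's default pipeline file.
      - type: bind
        source: "./logstash/logstash_stdout.conf"
        target: "/usr/share/logstash/pipeline/logstash.conf"
        read_only: true
    networks:
      - elk-net
    depends_on:
      - elasticsearch

  kibana:
    image: docker.elastic.co/kibana/kibana:7.4.2
    networks:
      - elk-net
    ports:
      # Kibana UI, loopback only: it fronts the unauthenticated Elasticsearch
      # above, so exposing it exposes the data.
      - "127.0.0.1:5601:5601"
    # The 7.x image already defaults to http://elasticsearch:9200. To set it
    # explicitly, use ELASTICSEARCH_HOSTS (ELASTICSEARCH_URL is the pre-7.0
    # name).
    # environment:
    #   - ELASTICSEARCH_HOSTS=http://elasticsearch:9200
    depends_on:
      - elasticsearch

networks:
  # Private network shared by all four services; default driver and settings.
  elk-net: {}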
修改logstash/logstash_stdout.conf
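input {
  beats {
    # Port Filebeat connects to; matches hosts: ["logstash:5044"] in
    # filebeat.yml.
    port => 5044
    # Listen on every interface inside the container. The compose file on
    # this page publishes no host port for Logstash.
    # NOTE(review): no TLS or client authentication on this listener. Keep
    # 5044 unpublished unless the input's SSL settings are added.
    host => "0.0.0.0"
  }
}

output {
  elasticsearch {
    # Store events in Elasticsearch. "elasticsearch" is the container name
    # from docker-compose.yml.
    # NOTE(review): this connection uses plain HTTP with no credentials,
    # which works only because the Elasticsearch container on this page has
    # no authentication configured. Once security is enabled there, add this
    # output's credential and SSL settings.
    hosts => ["elasticsearch:9200"]
    # Do not let Logstash install its default index template.
    manage_template => false
    # Index name built from the event's Beat name, Beat version and date.
    # Kibana index patterns are matched against this name.
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
  }
  # Uncomment the next line to also print events to stdout when debugging.
  # stdout { codec => rubydebug }
}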
- hosts => ["elasticsearch:9200"] 指定集群的主机名,主机名就是容器名
- manage_template => false 禁用默认的模板(详见官方介绍)
- index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
  - %{[@metadata][beat]} 从元数据获取到处理日志的插件,比如 Filebeat
  - %{[@metadata][version]} 从元数据获取到版本号
  - %{+YYYY.MM.dd} 以 Logstash 的时间戳格式显示的时间
访问 http://127.0.0.1:5601