目录结构
  • elk
    • docker-compose.yml
    • elasticsearch.yml
    • kibana.yml
    • logstash.yml
    • logstash.conf
    • data/
      • elasticsearch
      • logs
      • password.txt

data/elasticsearch/ 文件夹用来持久化保存elasticsearch数据用(权限要给到最高,不然elasticsearch无法写入)
data/password.txt 文件是用来保存密码的,也可以不创建
data/logs 采集的日志的目录

docker-compose.yml 文件
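version: "3"
services:
  elasticsearch:
    image: elasticsearch:8.1.1
    labels:
      co.elastic.logs/enabled: "false"
    hostname: elasticsearch
    ports:
      # REST API. Kibana and Logstash reach it by service name over the compose
      # network; the host mapping is for the setup-passwords step and manual queries.
      - "9200:9200"
      # Node-to-node transport. elasticsearch.yml on this page turns transport TLS
      # off and discovery is single-node, so nothing outside this host needs it —
      # publish it on the loopback interface only instead of on every interface.
      - "127.0.0.1:9300:9300"
    environment:
      - discovery.type=single-node
      - "ES_JAVA_OPTS=-Xms2g -Xmx2g"
    volumes:
      - ./elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
      # Index data persisted on the host (see the note on directory permissions above).
      - ./data/elasticsearch:/usr/share/elasticsearch/data

  kibana:
    image: kibana:8.1.1
    labels:
      co.elastic.logs/enabled: "false"
    hostname: docker-kibana
    ports:
      # Web UI; protected by the kibana login once the passwords are initialised.
      - "5601:5601"
    volumes:
      - ./kibana.yml:/usr/share/kibana/config/kibana.yml
    # depends_on only orders container start-up; it does not wait for Elasticsearch
    # to answer requests, which is why Kibana reports "not ready" on the first visit.
    depends_on:
      - elasticsearch

  logstash:
    image: logstash:8.1.1
    hostname: docker-logstash
    ports:
      # Beats input (see the beats block in logstash.conf).
      - "5044:5044"
      # Logstash monitoring API. logstash.yml binds it to 0.0.0.0 and it carries
      # no authentication, so keep the host mapping on loopback.
      - "127.0.0.1:9600:9600"
      # logstash.conf also opens a JSON-over-TCP input on 4569; it is deliberately
      # not published here, so it is reachable only from inside the compose network.
    volumes:
      - ./logstash.yml:/usr/share/logstash/config/logstash.yml
      - ./logstash.conf:/usr/share/logstash/pipeline/logstash.conf
      # Host log directory read by the file input (path /logs/*/*.log).
      - ./data/logs:/logs
    environment:
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
      # Pipeline files are re-read when they change, so password edits in
      # logstash.conf do not strictly require a container restart.
      - "LS_OPTS=--config.reload.automatic"
    depends_on:
      - elasticsearch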

elasticsearch.yml

# Listen on every interface inside the container; what is reachable from the
# host is decided by the port mappings in docker-compose.yml.
network.host: 0.0.0.0
http.port: 9200
transport.port: 9300
# CORS only matters for browser-side clients that call Elasticsearch directly
# (Kibana does not — its server proxies requests). "*" accepts any origin, so
# narrow it to the origins actually used, or disable CORS if there are none.
http.cors.enabled: true
http.cors.allow-origin: "*"
# Authentication on: the built-in user passwords generated later on this page
# are required for every request, including Kibana's and Logstash's.
xpack.security.enabled: true
# TLS off on both listeners: credentials and index data travel in cleartext on
# 9200 and 9300, which is only acceptable while those ports stay on this host.
xpack.security.http.ssl.enabled: false
xpack.security.transport.ssl.enabled: false

kibana.yml

# Kibana listens on all container interfaces; docker-compose.yml publishes 5601.
server:
  host: "0.0.0.0"
  port: 5601

elasticsearch:
  # Reached by compose service name; plain http because elasticsearch.yml
  # disables HTTP TLS.
  hosts: ["http://elasticsearch:9200"]
  # Built-in user for Kibana's own connection. Its password is taken from the
  # elasticsearch-setup-passwords output; after replacing the placeholder this
  # file holds a live credential, so keep it out of version control.
  username: "kibana_system"
  password: "xxxxx"

# UI language.
i18n.locale: "zh-CN"

logstash.yml

# Bind address of the Logstash monitoring API (port 9600). 0.0.0.0 is every
# container interface, and the API is not authenticated by default, so the
# docker-compose.yml port mapping is what limits who can reach it.
http.host: "0.0.0.0"
# Pipeline definitions; docker-compose.yml mounts logstash.conf into this directory.
path.config: /usr/share/logstash/pipeline/*.conf
xpack.monitoring.enabled: false

logstash.conf

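input {
  # Beats (e.g. Filebeat) shipping on 5044, published by docker-compose.yml.
  beats {
    port => 5044
  }
  # Raw JSON over TCP, no authentication or TLS. 4569 is not published by
  # docker-compose.yml, so only containers on the compose network can reach it.
  tcp {
    port => 4569
    codec => "json"
  }
  # Log files from ./data/logs (mounted at /logs); files are read from their
  # start the first time they are seen.
  file {
    path => "/logs/*/*.log"
    start_position => "beginning"
  }
}

output {
  # Route by the event's appname field. The bare test `[appname] != ""` is also
  # true when the field is absent (nil != ""), so such events would be written
  # to an index named from the unresolved "%{[appname]}" pattern; require the
  # field to exist first.
  if [appname] and [appname] != "" {
    elasticsearch {
      hosts => ["http://elasticsearch:9200"]
      # The index name is taken verbatim from an event field, i.e. it is chosen
      # by whoever produces the event (including clients of the tcp input); it
      # must already be a valid, lowercase Elasticsearch index name.
      index => "%{[appname]}-%{+YYYY.MM.dd}"
      # Superuser credentials from the elasticsearch-setup-passwords output.
      # A dedicated user limited to writing these indices would be least privilege.
      user => "elastic"
      password => "xxxxxx"
    }
  } else {
    elasticsearch {
      hosts => ["http://elasticsearch:9200"]
      index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
      # elasticsearch.yml enables security, so this output needs credentials
      # too; the original branch had none and every write would be rejected.
      user => "elastic"
      password => "xxxxxx"
    }
  }
}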

修改内核参数

# Elasticsearch refuses to start on a Docker host whose vm.max_map_count is
# below 262144; set it persistently in the host's sysctl configuration.
vim /etc/sysctl.conf
# append the following parameter at the end of the file
vm.max_map_count=262144
# reload the kernel parameters from the file
sysctl -p

文件编写完成后先启动一次

# first start: brings up elasticsearch, kibana and logstash in the background
docker compose up -d

使用命令查看容器是否都已经启动

# list all containers, including any that have already exited, to confirm all three are Up
docker ps -a

全部正常启动以后访问 kibana 会显示服务器未就绪, 需要先初始化一次密码

# generate random passwords for the built-in users (elastic, kibana_system, ...).
# They are printed once and cannot be read back later, so record the output
# somewhere that is not tracked by version control.
docker compose exec -T elasticsearch elasticsearch-setup-passwords auto --batch

可以将输出的信息保存到之前创建的txt文件中,也可以存储到其他地方

然后重新修改配置文件: 在 kibana.yml 和 logstash.conf 中填入对应的 ES 密码即可, 注意账号和密码不要搞错了, 然后我们停止, 再启动

# recreate the containers so kibana.yml and logstash.conf with the real passwords are picked up
docker compose down
docker compose up -d

等待一段时间,服务重启后再访问kibana

输入密码后登录, ELK 基本环境就已经部署完成了