目录结构
- elk
  - docker-compose.yml
  - elasticsearch.yml
  - kibana.yml
  - logstash.yml
  - logstash.conf
  - data/
    - elasticsearch
    - logs
    - password.txt
data/elasticsearch/ 文件夹用来持久化保存 elasticsearch 数据(权限要给到最高,不然 elasticsearch 无法写入)
data/password.txt 文件是用来保存密码的,也可以不创建
data/logs 采集的日志的目录
docker-compose.yml 文件
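version: "3"

services:
  elasticsearch:
    image: elasticsearch:8.1.1
    labels:
      # Hint for Elastic's autodiscover: do not collect this container's own log stream.
      co.elastic.logs/enabled: "false"
    hostname: elasticsearch
    ports:
      # 9200 is the REST API, 9300 the node transport. Both are published on all host
      # interfaces while elasticsearch.yml keeps TLS off, so on anything but a private
      # host bind them to loopback (e.g. "127.0.0.1:9200:9200") or firewall them;
      # kibana and logstash reach ES over the compose network and do not need them.
      - "9200:9200"
      - "9300:9300"
    environment:
      - discovery.type=single-node
      # JVM heap for Elasticsearch.
      - "ES_JAVA_OPTS=-Xms2g -Xmx2g"
    volumes:
      - ./elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
      # Index data; the host directory must be writable by the container's elasticsearch
      # user — prefer chown to that user over making the directory world-writable.
      - ./data/elasticsearch:/usr/share/elasticsearch/data

  kibana:
    image: kibana:8.1.1
    labels:
      co.elastic.logs/enabled: "false"
    hostname: docker-kibana
    ports:
      - "5601:5601"
    volumes:
      # Holds the kibana_system password once it is filled in; keep the file out of version control.
      - ./kibana.yml:/usr/share/kibana/config/kibana.yml
    depends_on:
      - elasticsearch

  logstash:
    image: logstash:8.1.1
    hostname: docker-logstash
    ports:
      - "5044:5044"
      # 9600 is the Logstash monitoring API; logstash.yml binds it to 0.0.0.0 and it has no auth.
      - "9600:9600"
      # logstash.conf also opens a tcp input on 4569; it is not published here, so only
      # containers on this compose network can reach it. Add "4569:4569" only if senders
      # outside the compose network must use it.
    volumes:
      - ./logstash.yml:/usr/share/logstash/config/logstash.yml
      # Holds the elastic password once it is filled in; keep the file out of version control.
      - ./logstash.conf:/usr/share/logstash/pipeline/logstash.conf
      # Log files picked up by the file input (path /logs/*/*.log in logstash.conf).
      - ./data/logs:/logs
    environment:
      # Logstash sizes its JVM from LS_JAVA_OPTS; the ES_JAVA_OPTS name used before is not
      # read by Logstash, so the 512m heap was never applied.
      - "LS_JAVA_OPTS=-Xms512m -Xmx512m"
      # NOTE(review): not certain the Docker entrypoint honours LS_OPTS; setting
      # config.reload.automatic: true in logstash.yml is the documented way to get reload.
      - "LS_OPTS=--config.reload.automatic"
    depends_on:
      - elasticsearch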
elasticsearch.yml
# Elasticsearch node settings for the single-node container (same values, nested form).
network:
  # Listen on every interface inside the container; the compose port mapping decides host exposure.
  host: 0.0.0.0

http:
  port: 9200
  cors:
    # Any browser origin may call the REST API directly. Kibana does not need CORS for its
    # own server-side requests, so narrow allow-origin to the origins that really require it.
    enabled: true
    allow-origin: '*'

transport:
  port: 9300

xpack:
  security:
    # Authentication is on, but both listeners stay plain-text: credentials and data cross
    # the wire unencrypted, so keep these ports reachable only from trusted hosts.
    enabled: true
    http:
      ssl:
        enabled: false
    transport:
      ssl:
        enabled: false
kibana.yml
# Kibana settings (same values as before, written with dotted keys).
server.host: "0.0.0.0"
server.port: 5601

# Service name on the compose network; plain http because elasticsearch.yml disables http.ssl.
elasticsearch.hosts: ["http://elasticsearch:9200"]
elasticsearch.username: "kibana_system"
# Placeholder — fill in the kibana_system password printed by elasticsearch-setup-passwords,
# then keep this file out of version control (the Kibana image also accepts
# ELASTICSEARCH_PASSWORD from the container environment instead of a literal here).
elasticsearch.password: "xxxxx"

i18n.locale: "zh-CN"
logstash.yml
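# Logstash node settings.
# Bind address of the monitoring API; docker-compose.yml publishes it as 9600 and it has
# no authentication, so do not expose 9600 beyond trusted hosts.
http.host: "0.0.0.0"
# Quoted defensively so the glob can never be read as YAML syntax.
path.config: "/usr/share/logstash/pipeline/*.conf"
# Re-read pipeline files when they change. docker-compose.yml tries to request this via
# LS_OPTS, which the Docker entrypoint may not read; this setting is the documented way.
config.reload.automatic: true
xpack.monitoring.enabled: false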
logstash.conf
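# Pipeline: three inputs, one Elasticsearch output chosen by whether the event carries [appname].
input {
  # Beats shippers connect here (published as 5044 in docker-compose.yml).
  beats {
    port => 5044
  }
  # JSON lines over raw TCP. Nothing authenticates this input, so only trusted senders
  # should be able to reach it; docker-compose.yml does not publish 4569, so today only
  # containers on the same compose network can connect.
  tcp {
    port => 4569
    codec => "json"
  }
  # Files under the ./data/logs bind mount (see docker-compose.yml), read from the start.
  file {
    path => "/logs/*/*.log"
    start_position => "beginning"
  }
}

output {
  # When [appname] is absent, `[appname] != ""` alone is still true (a missing field is not
  # equal to the empty string), so such events never reached the fallback branch and their
  # index name kept the unexpanded "%{[appname]}" text. Check existence first.
  if [appname] and [appname] != "" {
    elasticsearch {
      hosts => ["http://elasticsearch:9200"]
      index => "%{[appname]}-%{+YYYY.MM.dd}"
      # "elastic" is the superuser; a dedicated user with write access to these indices is
      # the better choice. Replace the placeholder with the password printed by
      # elasticsearch-setup-passwords, preferably via a Logstash keystore entry
      # (e.g. "${ES_PWD}" with a key name of your choosing) rather than a literal here.
      user => "elastic"
      password => "xxxxxx"
    }
  } else {
    elasticsearch {
      hosts => ["http://elasticsearch:9200"]
      index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
      # elasticsearch.yml enables xpack.security, so an output without credentials is
      # rejected; the fallback needs the same user/password as the branch above.
      user => "elastic"
      password => "xxxxxx"
    }
  }
}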
修改内核参数
# Host kernel setting (run as root): Elasticsearch's startup checks require at least this
# value for vm.max_map_count, and it cannot be changed from inside the container.
vim /etc/sysctl.conf
# Add the following line at the end of the file
vm.max_map_count=262144
# Reload sysctl settings so the change applies without a reboot
sysctl -p
文件编写完成后先启动一次
# First start of the stack in the background (--detach is the long form of -d).
docker compose up --detach

使用命令查看容器是否都已经启动
# List every container, including ones that exited, to confirm all three are up (--all is the long form of -a).
docker ps --all

都正常已启动以后访问kibana会显示服务器未就绪,需要初始化一次密码
# Generate random passwords for the built-in users (--no-TTY is the long form of -T).
# The output contains every built-in password in clear text: store it with restrictive
# permissions and keep it out of version control. This tool is deprecated in the 8.x
# line; elasticsearch-reset-password is its successor.
docker compose exec --no-TTY elasticsearch elasticsearch-setup-passwords auto --batch

可以将输出的信息保存到之前创建的txt文件中,也可以存储到其他地方
然后重新修改配置文件 kibana.yml 和 logstash.conf,改成对应的 ES 密码就可以了,注意账号和密码不要搞错了,然后我们停止,再启动
# Recreate the stack so the containers pick up the edited kibana.yml and logstash.conf.
docker compose down
docker compose up --detach
等待一段时间,服务重启后再访问kibana

输入密码后登录,ELK 基本环境就已经部署完成了