Reference:
Docker ELK documentation: http://elk-docker.readthedocs.io/
1. Pull the image
Search Docker Hub for the image:
docker search elk
Pull it:
sudo docker pull sebp/elk
2. Start the container
docker run -p 5601:5601 -p 9200:9200 -p 5044:5044 -p 4560:4560 -it --name elk sebp/elk
5601 is Kibana, 9200 the Elasticsearch REST API and 5044 the Beats input of Logstash; 4560 is the extra TCP input defined by the Logstash configuration in section 6. With -it and no -d the container stays attached to your terminal; add -d to run it in the background.
Elasticsearch will refuse to start if the kernel limit on memory-mapped areas is too low: its bootstrap check requires vm.max_map_count to be at least 262144, and the container log reports it as "max virtual memory areas vm.max_map_count [65530] is too low, increase to at least [262144]". This is a kernel setting of the Docker host, not of the container.
Switch to root on the host and run:
sysctl -w vm.max_map_count=262144
Check the result:
sysctl -a|grep vm.max_map_count
Output:
vm.max_map_count = 262144
A value set this way is lost when the (virtual) machine reboots, so to make it permanent:
append the following line to /etc/sysctl.conf
vm.max_map_count=262144
and load it with sysctl -p (or reboot).
Then restart the container.
3. Open the ports
5601, 9200, 5044 and 4560 (the ports published in step 2):
firewall-cmd --zone=public --permanent --add-port=5601/tcp
firewall-cmd --zone=public --permanent --add-port=9200/tcp
firewall-cmd --zone=public --permanent --add-port=5044/tcp
firewall-cmd --zone=public --permanent --add-port=4560/tcp
Finish with firewall-cmd --reload; --permanent only writes the rules to the saved configuration and they are not active until the firewall is reloaded.
Security note: the sebp/elk image is meant for local testing and has no authentication in front of Elasticsearch (9200), Kibana (5601) or the Logstash inputs (5044, 4560). Anyone who can reach 9200 can read, change or delete every index, and anyone who can reach 4560 can inject arbitrary log events. Open these ports only towards the hosts that need them (a firewalld rich rule limited to a source address, or publish them on an internal interface only, e.g. -p 127.0.0.1:9200:9200), not to the whole public zone.
4. Check that everything started
Follow the container log with docker logs -f elk until Elasticsearch, Logstash and Kibana each report that they are up (Elasticsearch takes the longest). Then open http://<host>:5601 in a browser for Kibana, and http://<host>:9200 should answer with a small JSON document containing the Elasticsearch version.
5. Start the container automatically on boot
docker update --restart=always elk
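The steps above are usually done by hand; the following script is an added example (not from the page or the sebp/elk project) that turns steps 2 and 4 into repeatable checks: it verifies vm.max_map_count, can persist it without adding duplicate lines to a sysctl.conf-style file, and waits for Elasticsearch and Kibana to answer on the published ports. The container name elk, the URLs in ES_URL and KIBANA_URL and the "check" argument are assumptions of this script.

```shell
#!/bin/sh
# Added example for the host running the elk container. Assumptions: the
# container is named "elk" and publishes 9200/5601 on localhost (override
# with ES_URL / KIBANA_URL). Live checks run only with the argument "check".
ES_URL="${ES_URL:-http://localhost:9200}"
KIBANA_URL="${KIBANA_URL:-http://localhost:5601}"
MIN_MAP_COUNT=262144

# True when the value satisfies Elasticsearch's bootstrap check.
# Non-numeric or empty input makes the test fail instead of erroring out.
max_map_count_ok() {
    [ "$1" -ge "$MIN_MAP_COUNT" ] 2>/dev/null
}

# Persist the setting in a sysctl.conf-style file, appending one line only
# when the file does not already set vm.max_map_count (idempotent, so a
# provisioning script can call it on every run).
persist_max_map_count() {
    conf="$1"
    if grep -Eq '^[[:space:]]*vm\.max_map_count[[:space:]]*=' "$conf" 2>/dev/null; then
        return 0
    fi
    printf 'vm.max_map_count=%s\n' "$MIN_MAP_COUNT" >> "$conf"
}

# Pull the cluster status (green/yellow/red) out of a _cluster/health body.
cluster_status() {
    printf '%s' "$1" | sed -n 's/.*"status" *: *"\([a-z]*\)".*/\1/p'
}

# A single-node container reports "yellow" (replica shards cannot be
# allocated); that still means Elasticsearch is serving requests.
es_ready() {
    case "$(cluster_status "$1")" in
        green|yellow) return 0 ;;
        *) return 1 ;;
    esac
}

# Poll Elasticsearch until it is ready or the timeout (seconds) expires.
wait_for_es() {
    remaining="${1:-120}"
    while [ "$remaining" -gt 0 ]; do
        body="$(curl -s "$ES_URL/_cluster/health" 2>/dev/null || true)"
        if es_ready "$body"; then
            echo "Elasticsearch is up, status: $(cluster_status "$body")"
            return 0
        fi
        sleep 5
        remaining=$((remaining - 5))
    done
    echo "Elasticsearch did not become ready; inspect with: docker logs elk" >&2
    return 1
}

# Kibana answers /api/status with HTTP 200 once it has finished starting.
kibana_ready() {
    code="$(curl -s -o /dev/null -w '%{http_code}' "$KIBANA_URL/api/status" 2>/dev/null || true)"
    [ "$code" = "200" ]
}

# Live checks: sh check_elk.sh check
if [ "${1:-}" = "check" ]; then
    current="$(sysctl -n vm.max_map_count)"
    if max_map_count_ok "$current"; then
        echo "vm.max_map_count=$current OK"
    else
        echo "vm.max_map_count=$current is too low; as root run:" >&2
        echo "  sysctl -w vm.max_map_count=$MIN_MAP_COUNT && persist it in /etc/sysctl.conf" >&2
        exit 1
    fi
    wait_for_es 120
    if kibana_ready; then
        echo "Kibana is up"
    else
        echo "Kibana is not answering on $KIBANA_URL yet" >&2
    fi
fi
```

Run it as sh check_elk.sh check after docker run; without the argument it only defines the functions, so it can be sourced from other scripts. persist_max_map_count takes the file as a parameter so it can be exercised against a temporary file before being pointed at /etc/sysctl.conf (which still requires root and a following sysctl -p).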
6. Configuration
Enter the container (docker exec -it elk bash), go to /etc/logstash/conf.d, delete the configuration files shipped with the image, then create /etc/logstash/conf.d/logstash.conf with vi and paste the configuration below. Save the file as UTF-8 (without a BOM). Logstash does not care about indentation, but every brace must be balanced or the pipeline fails to start with a configuration error. Restart the container afterwards (docker restart elk).

input {
  tcp {
    port => 4560
    codec => json_lines
  }
}
filter {
  json { source => "message" }
  mutate {
    remove_field => ["level_value", "port", "host", "appName", "@version", "logger_name", "thread_name", "createTime"]
  }
}
output {
  if [appId] {
    elasticsearch {
      hosts => ["localhost"]
      index => "app_%{appId}"
      document_type => "appLog"
    }
  }
}

Notes on this configuration:
- remove_field is written once with an array of field names, which is the documented form; repeating the option for every field is rejected as a duplicate key by newer Logstash versions.
- hosts => ["localhost"] works because Logstash and Elasticsearch run in the same container.
- document_type is deprecated since mapping types were removed from Elasticsearch; on recent versions of the image drop that line.
- The json_lines codec already turns each line into fields, so the json filter only does something when message itself contains a JSON string; it is harmless otherwise.
- The index name is built from the appId field of the event. Elasticsearch index names must be lowercase and must not contain \ / * ? " < > | space , or #, so events with an appId like "MyApp" are rejected and logged as errors. Because the TCP input on 4560 has no authentication, whoever can reach that port chooses appId and therefore the index an event lands in; keep the port firewalled as described in section 3.
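To see whether the pipeline works end to end, the script below is an added example (not from the page or the sebp/elk project): it builds a constructed JSON event, checks that its appId produces a legal index name for index => "app_%{appId}", sends the line to the TCP input on 4560 and then counts matching documents in app_<appId> through the Elasticsearch API. LS_HOST, LS_PORT, ES_URL, the "run" argument and the constructed event fields are assumptions of this script; the allowlist for appId is deliberately stricter than Elasticsearch's own rules.

```shell
#!/bin/bash
# Added example: smoke test for the Logstash TCP input / Elasticsearch output
# pipeline. Assumes the elk container publishes 4560 and 9200 on localhost
# (override with LS_HOST, LS_PORT, ES_URL); bash is needed for /dev/tcp.
LS_HOST="${LS_HOST:-localhost}"
LS_PORT="${LS_PORT:-4560}"
ES_URL="${ES_URL:-http://localhost:9200}"

# Conservative allowlist for appId: lowercase letters, digits, ".", "_", "-"
# and a length that keeps "app_<appId>" under the 255-byte index-name limit.
# Stricter than Elasticsearch, which also forbids \ / * ? " < > | space , #
# and uppercase; anything outside the allowlist would be rejected by ES.
valid_app_id() {
    id="$1"
    case "$id" in
        ''|*[!a-z0-9._-]*) return 1 ;;
    esac
    [ "${#id}" -le 200 ]
}

# Index the pipeline writes this event to (index => "app_%{appId}").
index_for() {
    printf 'app_%s' "$1"
}

# Build one constructed event in the shape the pipeline expects. Quotes and
# backslashes in the message are refused so the JSON stays well-formed
# without a JSON library.
make_event() {
    app="$1"; msg="$2"
    valid_app_id "$app" || return 1
    case "$msg" in *[\"\\]*) return 1 ;; esac
    printf '{"appId":"%s","level":"INFO","logger_name":"smoke","message":"%s"}' "$app" "$msg"
}

# Send one json_lines event over TCP using bash's /dev/tcp (no nc required).
send_event() {
    exec 3<>"/dev/tcp/$LS_HOST/$LS_PORT" || return 1
    printf '%s\n' "$1" >&3
    exec 3>&-
}

# Extract the hit count from a _count response body; prints nothing for an
# error body such as index_not_found_exception.
hit_count() {
    printf '%s' "$1" | sed -n 's/.*"count":\([0-9]*\).*/\1/p'
}

# Send a unique message and verify it shows up in the expected index.
smoke_test() {
    app="${1:-demo}"
    msg="smoke_$$_$(date +%s)"      # underscores keep it one search token
    event="$(make_event "$app" "$msg")" || { echo "invalid appId: $app" >&2; return 1; }
    send_event "$event" || { echo "cannot reach $LS_HOST:$LS_PORT" >&2; return 1; }
    sleep 3                           # Logstash batching plus the 1 s index refresh
    body="$(curl -s "$ES_URL/$(index_for "$app")/_count?q=message:$msg")"
    n="$(hit_count "$body")"
    if [ "${n:-0}" -ge 1 ]; then
        echo "ok: event found in $(index_for "$app")"
    else
        echo "event not found in $(index_for "$app"); check: docker logs elk" >&2
        return 1
    fi
}

# Live test: bash smoke_test.sh run [appId]
if [ "${1:-}" = "run" ]; then
    smoke_test "${2:-demo}"
fi
```

Run it as bash smoke_test.sh run myapp; a missing index or an unreachable port is reported rather than silently counted as success. Validating appId before sending mirrors what Elasticsearch will do with the derived index name, and the allowlist is the same kind of check an application should apply to that field before it ever reaches the unauthenticated input.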
Common problems (from the Docker ELK documentation):
If Elasticsearch isn't starting and the suggestions listed there don't help, an additional way of working out why is to:
- Start a container with the bash command:
  $ sudo docker run -it sebp/elk bash
- Start Elasticsearch manually to look at what it outputs:
  $ gosu elasticsearch /opt/elasticsearch/bin/elasticsearch
- The same works for Kibana:
  $ gosu kibana /opt/kibana/bin/kibana