Reference documentation:
Docker ELK usage documentation: http://elk-docker.readthedocs.io/
1. Pull the image
Search Docker Hub for the image:
docker search elk
Pull the image:
sudo docker pull sebp/elk
2. Start the container
docker run -p 5601:5601 -p 9200:9200 -p 5044:5044 -p 4560:4560 -v /etc/localtime:/etc/localtime -it --name elk sebp/elk
Elasticsearch will complain that the memory-map limit available to the elasticsearch user is too low: vm.max_map_count must be at least 262144.
Switch to the root user
Run:
sysctl -w vm.max_map_count=262144
Check the result:
sysctl -a|grep vm.max_map_count
Output:
vm.max_map_count = 262144
A change made this way is lost when the virtual machine reboots, so:
Solution:
Append the following line to the end of /etc/sysctl.conf
vm.max_map_count=262144
This makes the change permanent.
Restart the container
3. Open the ports
5601, 9200, 5044 (the commands below also open 4560, the Logstash TCP input)
firewall-cmd --zone=public --permanent --add-port=5601/tcp
firewall-cmd --zone=public --permanent --add-port=9200/tcp
firewall-cmd --zone=public --permanent --add-port=5044/tcp
firewall-cmd --zone=public --permanent --add-port=4560/tcp
4. Check whether the startup succeeded
5. Start the container automatically at boot
docker update --restart=always elk
6. Configuration
input {
  tcp {
    port => 4560
    codec => json_lines
  }
}
filter {
  json {
    source => "message"
  }
  mutate {
    remove_field => "level_value"
    remove_field => "port"
    remove_field => "host"
    remove_field => "appName"
    remove_field => "@version"
    remove_field => "logger_name"
    remove_field => "thread_name"
    remove_field => "createTime"
  }
}
output {
  if [appId] {
    elasticsearch {
      hosts => ["localhost"]
      index => "app_%{appId}"
      document_type => "appLog"
    }
  }
}
Enter the elk container, go to /etc/logstash/conf.d, delete all the configuration files there, then run vi /etc/logstash/conf.d/logstash.conf to create the new configuration file.
Add the configuration shown above, save and exit. Remove any other configuration files. Make sure the file is saved as UTF-8 and properly indented, otherwise Logstash will report an error on startup. Then restart the Docker container.
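To see what this pipeline does to an incoming record, here is an added Python example (not from this page or the elk-docker project) that builds a json_lines record for the tcp input on port 4560 and mirrors the filter and output sections in plain Python: the json filter's handling of the message field, the mutate removals, and the `if [appId]` guard that decides whether an app_<appId> index receives the document. It assumes Logstash is reachable at 127.0.0.1:4560; every sample event is constructed.

```python
import json
import socket

LOGSTASH_HOST, LOGSTASH_PORT = "127.0.0.1", 4560  # assumption: tcp input reachable here
# Fields the mutate filter strips before the document reaches Elasticsearch
REMOVED_FIELDS = ("level_value", "port", "host", "appName", "@version",
                  "logger_name", "thread_name", "createTime")

def build_event(app_id, message, level="INFO", **extra):
    # One json_lines record: a JSON object plus "\n" (json.dumps escapes embedded newlines)
    record = {"appId": app_id, "message": message, "level": level, **extra}
    return json.dumps(record, ensure_ascii=False) + "\n"

def decode_line(line):
    return json.loads(line)  # what the json_lines codec does in Logstash

def simulate_pipeline(event):
    # Mirror the filter/output sections for one decoded event. Returns
    # (index_name, document), or None when `if [appId]` drops the event.
    doc = dict(event)
    msg = doc.get("message")
    if msg is not None:
        # json filter (source => "message"): merge a JSON-object message, else tag _jsonparsefailure
        try:
            parsed = json.loads(msg)
        except (ValueError, TypeError):
            parsed = None
        if isinstance(parsed, dict):
            doc.update(parsed)
        else:
            doc.setdefault("tags", []).append("_jsonparsefailure")
    for field in REMOVED_FIELDS:  # mutate { remove_field => ... }
        doc.pop(field, None)
    if doc.get("appId") is None:
        return None
    return f"app_{doc['appId']}", doc

def send_event(line, host=LOGSTASH_HOST, port=LOGSTASH_PORT):
    # Unauthenticated input: whoever can reach 4560 can write into app_* indices.
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(line.encode("utf-8"))

# Constructed events, shaped as the tcp input hands them to the filters
SAMPLE_EVENTS = [
    {"appId": "orders", "message": '{"user":"alice","action":"login"}',
     "host": "10.0.0.5", "port": 51234, "@version": "1", "logger_name": "auth"},
    {"appId": "billing", "message": "plain text line", "host": "10.0.0.6"},
    {"message": "no appId, so the output block drops it", "host": "10.0.0.7"},
]
```

Run simulate_pipeline over SAMPLE_EVENTS to see which records reach an index; send_event only works against the running container.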
Common problems and solutions:
If Elasticsearch isn't starting...
If the suggestions listed in Frequently encountered issues don't help, then an additional way of working out why Elasticsearch isn't starting is to:
- Start a container with the bash command:
  $ sudo docker run -it sebp/elk bash
- Start Elasticsearch manually to look at what it outputs:
  $ gosu elasticsearch /opt/elasticsearch/bin/elasticsearch
- The same approach works for Kibana:
  $ gosu kibana /opt/kibana/bin/kibana