Installing Elasticsearch 8.8.2, Kibana 8.8.2, Logstash 8.8.2 and Filebeat 8.8.2 with Docker [tested and working]

(Note: installing ELK 8.4.3 requires the Java 17 JDK.)

I. Elasticsearch 8.8.2 deployment

1. Pull the Elasticsearch image:

docker pull docker.elastic.co/elasticsearch/elasticsearch:8.8.2

2. Create a Docker network:

docker network create elastic

3. Run the container for the first time:

docker run -it \
--name elastic --net elastic \
-p 9200:9200 -p 9300:9300 \
-e "discovery.type=single-node" \
docker.elastic.co/elasticsearch/elasticsearch:8.8.2

4. Create the Elasticsearch mount directory:

mkdir -p /usr/elk8.8.2/elasticsearch

5. Set ownership on the newly created directory:

sudo chown -R 1000:1000 /usr/elk8.8.2/elasticsearch

6. Copy the files from the container to the host:

docker cp elastic:/usr/share/elasticsearch/config /usr/elk8.8.2/elasticsearch/

docker cp elastic:/usr/share/elasticsearch/data /usr/elk8.8.2/elasticsearch/

docker cp elastic:/usr/share/elasticsearch/plugins /usr/elk8.8.2/elasticsearch/

docker cp elastic:/usr/share/elasticsearch/logs /usr/elk8.8.2/elasticsearch/

7. Remove the container:

docker rm -f elastic

8. Create the Elasticsearch container, named elastic, attached to the elastic network:

docker run -itd --name elastic --net elastic --restart=always \
-p 9200:9200 -p 9300:9300 \
-v /usr/elk8.8.2/elasticsearch/data:/usr/share/elasticsearch/data \
-v /usr/elk8.8.2/elasticsearch/plugins:/usr/share/elasticsearch/plugins \
-v /usr/elk8.8.2/elasticsearch/logs:/usr/share/elasticsearch/logs \
-v /usr/elk8.8.2/elasticsearch/config:/usr/share/elasticsearch/config \
--log-opt max-size=10m --log-opt max-file=3 \
--ip 172.18.0.2 \
docker.elastic.co/elasticsearch/elasticsearch:8.8.2

9. Check that the container was created:

docker ps -a

10. Look up the IP address assigned to Elasticsearch:

docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' elastic

11. Access Elasticsearch over https:// using the host's IP and log in. The login username is elastic; the password has to be taken from the Elasticsearch log.

View the Elasticsearch log: docker logs -f elastic

✅ Elasticsearch security features have been automatically configured!
✅ Authentication is enabled and cluster connections are encrypted.

ℹ️  Password for the elastic user (reset with `bin/elasticsearch-reset-password -u elastic`):
  Dx2SOh9cHZogN7kILzoR

ℹ️  HTTP CA certificate SHA-256 fingerprint:
  c2e324295466cab02f47d06f1ea432e3f42b23e0c63c502d7478682d0bad946c

ℹ️  Configure Kibana to use this cluster:
• Run Kibana and click the configuration link in the terminal when Kibana starts.
• Copy the following enrollment token and paste it into Kibana in your browser (valid for the next 30 minutes):
  eyJ2ZXIiOiI4LjguMiIsImFkciI6WyIxNzIuMTguMC4yOjkyMDAiXSwiZmdyIjoiYzJlMzI0Mjk1NDY2Y2FiMDJmNDdkMDZmMWVhNDMyZTNmNDJiMjNlMGM2M2M1MDJkNzQ3ODY4MmQwYmFkOTQ2YyIsImtleSI6IktMR01uNHdCSkRFb2dIMVg5ZEVEOjhFQ0M2b2VoUXZxYjBzRU9DZk1Wc2cifQ==

ℹ️ Configure other nodes to join this cluster:
• Copy the following enrollment token and start new Elasticsearch nodes with `bin/elasticsearch --enrollment-token ` (valid for the next 30 minutes):
  eyJ2ZXIiOiI4LjguMiIsImFkciI6WyIxNzIuMTguMC4yOjkyMDAiXSwiZmdyIjoiYzJlMzI0Mjk1NDY2Y2FiMDJmNDdkMDZmMWVhNDMyZTNmNDJiMjNlMGM2M2M1MDJkNzQ3ODY4MmQwYmFkOTQ2YyIsImtleSI6IktyR01uNHdCSkRFb2dIMVg5ZEVNOmlTT05uVHNnUXA2Wjg1MnNoNUN3UVEifQ==

  If you're running in Docker, copy the enrollment token and run:
  `docker run -e "ENROLLMENT_TOKEN=" docker.elastic.co/elasticsearch/elasticsearch:8.8.2`

(Note: the tokens generated when Elasticsearch is deployed are time-limited to 30 minutes; after 30 minutes a new token has to be generated.)

https://192.168.8.184:9200/

After logging in, the page shows the basic cluster information.


12. Enter the Elasticsearch container:

docker exec -it elastic /bin/bash

Run the create-user command: bin/elasticsearch-users useradd Demo

Assign roles:
bin/elasticsearch-users roles -a superuser Demo

bin/elasticsearch-users roles -a kibana_system Demo
(When logging in to Kibana, simply use the Demo account and its password.)

13. Enable automatic start on boot:

docker update --restart=always 96f7744f5f7a

14. The elasticsearch.yml configuration is shown below:

cluster.name: "docker-cluster"
network.host: 0.0.0.0
xpack.security.enabled: true
xpack.security.enrollment.enabled: true
xpack.security.http.ssl:
  enabled: true
  keystore.path: certs/http.p12
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: certs/transport.p12
  truststore.path: certs/transport.p12

15. Monitoring Elasticsearch with Prometheus

Pull the image: docker pull quay.io/prometheuscommunity/elasticsearch-exporter:latest

Run the image: docker run --name es_exporter -d -p 9114:9114 --privileged=true --restart=always quay.io/prometheuscommunity/elasticsearch-exporter:latest

II. Kibana 8.8.2 deployment

1. Pull the Kibana image:

docker pull docker.elastic.co/kibana/kibana:8.8.2

2. Run the container for the first time:

docker run -itd --name kibana --net elastic --restart=always \
-p 5601:5601 --log-driver json-file \
--log-opt max-size=10m --log-opt max-file=3 \
docker.elastic.co/kibana/kibana:8.8.2

3. Create the Kibana mount directory:

mkdir -p /usr/elk8.8.2/kibana

4. Set ownership on the directory:

sudo chown -R 1000:1000 /usr/elk8.8.2/kibana

5. Copy the files from the container to the host:

docker cp kibana:/usr/share/kibana/config /usr/elk8.8.2/kibana/

docker cp kibana:/usr/share/kibana/data /usr/elk8.8.2/kibana/

docker cp kibana:/usr/share/kibana/plugins /usr/elk8.8.2/kibana/

docker cp kibana:/usr/share/kibana/logs /usr/elk8.8.2/kibana/

6. Remove the container:

docker rm -f kibana

7. Create the Kibana container, named kibana, attached to the elastic network:

docker run -itd --name kibana --net elastic --restart=always \
-p 5601:5601 --log-driver json-file \
-v /usr/elk8.8.2/kibana/config:/usr/share/kibana/config \
-v /usr/elk8.8.2/kibana/data:/usr/share/kibana/data \
-v /usr/elk8.8.2/kibana/plugins:/usr/share/kibana/plugins \
-v /usr/elk8.8.2/kibana/logs:/usr/share/kibana/logs \
--log-opt max-size=10m --log-opt max-file=3 \
--ip 172.18.0.3 \
docker.elastic.co/kibana/kibana:8.8.2

8. Check that the container was created:

docker ps -a

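9. Open Kibana:

Browse to the host's IP at http://192.168.8.184:5601/ and enter the enrollment token recorded from the Elasticsearch log. If Kibana reports that it could not configure Elastic, the enrollment token is more than 30 minutes old and has expired.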


In that case, create a new enrollment token for Kibana to connect to Elasticsearch:

docker exec -it elastic /usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana

docker exec -it elastic /usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana                                 
WARNING: Owner of file [/usr/share/elasticsearch/config/users] used to be [root], but now is [elasticsearch]                                             
WARNING: Owner of file [/usr/share/elasticsearch/config/users_roles] used to be [root], but now is [elasticsearch]                                       
eyJ2ZXIiOiI4LjguMiIsImFkciI6WyIxNzIuMjQuMC4yOjkyMDAiXSwiZmdyIjoiYTU3ODc0NjZiZTE1ZWI3YTZmYTczNjRjMzc3NzRmNjgyYzQyZGIzNzgzOWM3MDU0MjY1MmNlM2U4MTE4ZDAzYyIsI
mtleSI6IlpPVDZVWXdCcERMVmVEeWE1M3lVOjI1Wkd5X1dfUjVPWGlwVG5QTHlGY1EifQ==

Paste the generated enrollment token into the multi-line text box, then click Configure Elastic to continue.
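The enrollment token printed in the Elasticsearch log (step 11 of part I) and the regenerated one above are base64-encoded JSON carrying the cluster address, the HTTP CA fingerprint and an API key. The following is an added example, not part of the original article, that decodes a token and checks its fingerprint against the value from the Elasticsearch log before it is pasted anywhere; the sample token and fingerprint are constructed, and GNU base64 is assumed.

```shell
#!/bin/sh
# Added example: inspect an Elasticsearch 8.x enrollment token before using it.
# The token is base64-encoded JSON with the fields ver, adr, fgr and key.

# Decode a token; whitespace is stripped first because terminals wrap long tokens.
decode_token() {
  printf '%s' "$1" | tr -d ' \t\r\n' | base64 -d 2>/dev/null
}

# token_field TOKEN NAME: print the string value of a top-level field (ver, fgr, key).
token_field() {
  decode_token "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

# token_addr TOKEN: print the first host:port the token tells the client to contact.
token_addr() {
  decode_token "$1" | sed -n 's/.*"adr":\["\([^"]*\)".*/\1/p'
}

# Normalise a fingerprint: drop colons and spaces, lower-case the hex digits.
norm_fp() {
  printf '%s' "$1" | tr -d ': ' | tr 'A-F' 'a-f'
}

# check_token TOKEN EXPECTED_FP: succeed only if the token pins the CA you expect.
# EXPECTED_FP is the "HTTP CA certificate SHA-256 fingerprint" from the ES log.
check_token() {
  fgr=$(token_field "$1" fgr)
  [ -n "$fgr" ] || { echo "not an enrollment token"; return 2; }
  echo "version: $(token_field "$1" ver)  address: $(token_addr "$1")"
  echo "key: <redacted; this is an API key, treat the whole token as a secret>"
  [ "$(norm_fp "$fgr")" = "$(norm_fp "$2")" ] || { echo "fingerprint MISMATCH"; return 1; }
  echo "fingerprint matches"
}

# Constructed sample values (not from a real cluster).
SAMPLE_FP=00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
SAMPLE_JSON="{\"ver\":\"8.8.2\",\"adr\":[\"172.18.0.2:9200\"],\"fgr\":\"$SAMPLE_FP\",\"key\":\"sample-id:sample-secret\"}"
SAMPLE_TOKEN=$(printf '%s' "$SAMPLE_JSON" | base64 | tr -d '\n')

check_token "$SAMPLE_TOKEN" "$SAMPLE_FP"
```

The address inside the token is the container IP, so Kibana must be able to reach that address on the elastic network.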

10. View or generate the verification code:

The verification code appears in the Kibana log:

docker logs -f kibana

Alternatively, run the kibana-verification-code command to generate a verification code.


11. Log in to Kibana


Reset the elastic password: docker exec -it elastic /usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic
Answer y to continue.


Then enter the username elastic; the password is the value printed after New value.


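12. Change the password:

Click the avatar in the top-right corner, choose Edit profile, then Change password. Enter the password generated in the previous step, _puJyZzE4d3id0gsT4RG, then enter a new password of your own and choose Change password.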


13. Add the Chinese language:

Enter the Kibana container: docker exec -it kibana bash

Add Chinese: echo "i18n.locale: zh-CN" >> config/kibana.yml

Exit the container and restart it:

exit

docker restart kibana

14. Enable automatic start on boot:

docker update --restart=always e1d516dd1601

15. Refresh the browser page and the login page appears in Chinese; then log in with the password you just set.


After logging in, the interface is in Chinese as well.


15. The kibana.yml configuration is shown below:

server.host: 0.0.0.0
server.shutdownTimeout: 5s
elasticsearch.hosts: ['https://172.18.0.2:9200']
monitoring.ui.container.elasticsearch.enabled: true
elasticsearch.serviceAccountToken: AAEAAWVsYXN0aWMva2liYW5hL2Vucm9sbC1wcm9jZXNzLXRva2VuLTE3MDM0ODQyNTcxNjk6RVcwcWdYaXJUQUstcS16Y1o4VmNRZw
elasticsearch.ssl.certificateAuthorities: [/usr/share/kibana/data/ca_1703484258615.crt]
xpack.fleet.outputs: [{id: fleet-default-output, name: default, is_default: true, is_default_monitoring: true, type: elasticsearch, hosts: ['https://172.18.0.2:9200'], ca_trusted_fingerprint: c2e324295466cab02f47d06f1ea432e3f42b23e0c63c502d7478682d0bad946c}]

i18n.locale: zh-CN

16. Monitoring Kibana with Prometheus

Pull the image:

Run the image: docker run -d --name kibana_exporter -e ELASTICSEARCH_HOSTS=http://192.168.8.184:9200 --network=es-net -p 1015:5601 kibana_exporter:8.4.3

docker run -d --name kibana_exporter -e ELASTICSEARCH_HOSTS=http://192.168.8.184:9200 --network=es-net -p 9675:9675 monitoringartist/kibana_exporter:latest

III. Logstash 8.8.2 deployment

1. Pull the Logstash image:

docker pull docker.elastic.co/logstash/logstash:8.8.2

2. Create the Logstash container, named logstash:

docker run -itd --name logstash -p 9600:9600 -p 5044:5044 docker.elastic.co/logstash/logstash:8.8.2

3. Create the Logstash mount directory:

mkdir -p /usr/elk8.8.2/logstash

4. Set ownership on the directory:

sudo chown -R 1000:1000 /usr/elk8.8.2/logstash

5. Copy the files from the container to the host:

docker cp logstash:/usr/share/logstash/config /usr/elk8.8.2/logstash/

docker cp logstash:/usr/share/logstash/pipeline /usr/elk8.8.2/logstash/

6. Edit logstash.yml

The http_ca.crt file from the certs directory under the Elasticsearch config has to be copied into the config/certs directory of Logstash.

vim /usr/elk8.8.2/logstash/config/logstash.yml

# (If Elasticsearch has no username and password configured, do not set them here either; if Elasticsearch has a username and password, the Elasticsearch authentication settings and credentials must be added here.)
http.host: "0.0.0.0"
xpack.monitoring.enabled: true
xpack.monitoring.elasticsearch.hosts: ["https://172.18.0.2:9200"]
xpack.monitoring.elasticsearch.username: "Test"
xpack.monitoring.elasticsearch.password: "sloveb55"
xpack.monitoring.elasticsearch.ssl.certificate_authority: "/usr/share/logstash/config/certs/http_ca.crt"
# The value for the line below can be found in the information logged by Elasticsearch; look for the HTTP CA certificate SHA-256 fingerprint.
#xpack.monitoring.elasticsearch.ssl.ca_trusted_fingerprint: "c2e324295466cab02f47d06f1ea432e3f42b23e0c63c502d7478682d0bad946c"

7. Edit pipelines.yml

- pipeline.id: main
  path.config: "/usr/share/logstash/pipeline"

8. Edit the log pipeline configuration, logstash.conf

vim /usr/elk8.8.2/logstash/pipeline/logstash.conf

input {
        syslog {
                type => "system-syslog"
                port => 5044
        }
}
filter{

}
output {
        elasticsearch {
                 hosts => ["https://172.18.0.2:9200"]
                 index => "system-syslog-%{+YYYY.MM.dd}"
                 user => "Test"
                 password => "sloveb55"
                 codec => plain {
                        charset => "US-ASCII"
                 }
                 ssl_certificate_authorities => "/usr/share/logstash/config/certs/http_ca.crt"
        }
}
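Both logstash.yml and logstash.conf above keep the Elasticsearch password as a literal inside the bind-mounted config directories. The following is an added example, not from the original article, that flags such literals and shows the Logstash keystore reference `${ES_PWD}` as the alternative; the key name ES_PWD and the sample files are assumptions made for this example.

```shell
#!/bin/sh
# Added example: flag password settings written literally in Logstash config files.
# Logstash resolves ${NAME} in logstash.yml and pipeline files from its keystore
# (or the environment), so the secret need not sit in the mounted directory.

# literal_secrets FILE: print "LINE:KEY" for each password whose value is a literal.
literal_secrets() {
  awk -v sq="'" '
    { line = $0; sub(/^[ \t]+/, "", line) }
    line ~ /^#/ { next }                                   # ignore comment lines
    match(line, /password[ \t]*(=>|:)[ \t]*/) {
      val = substr(line, RSTART + RLENGTH)
      gsub("[\"" sq "]", "", val); sub(/[ \t]+$/, "", val)   # drop quotes, padding
      split(line, parts, /[ \t:=]+/)                        # parts[1] = setting name
      if (substr(val, 1, 2) != "${" || substr(val, length(val)) != "}")
        print NR ":" parts[1]
    }' "$1"
}

# Write two constructed samples: the literal form and the keystore form.
write_samples() {
  cat > "$1/weak.conf" <<'EOF'
output {
  elasticsearch {
    hosts => ["https://172.18.0.2:9200"]
    user => "Test"
    # password => "commented-out"
    password => "sloveb55"
  }
}
EOF
  sed 's/"sloveb55"/"${ES_PWD}"/' "$1/weak.conf" > "$1/fixed.conf"
}

# The ES_PWD key (name chosen for this example) is created inside the container:
#   docker exec -it logstash bin/logstash-keystore create
#   docker exec -it logstash bin/logstash-keystore add ES_PWD
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
echo "weak.conf:  $(literal_secrets "$demo_dir/weak.conf")"
echo "fixed.conf: $(literal_secrets "$demo_dir/fixed.conf")"
rm -rf "$demo_dir"
```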

8. Remove the container:

docker rm -f logstash

9. Create the Logstash container, named logstash, attached to the elastic network:

docker run -itd --name logstash --net elastic --restart=always \
-p 9600:9600 -p 5044:5044 \
-v /usr/elk8.8.2/logstash/config:/usr/share/logstash/config \
-v /usr/elk8.8.2/logstash/pipeline:/usr/share/logstash/pipeline \
--log-opt max-size=10m --log-opt max-file=3 \
--ip 172.18.0.4 \
docker.elastic.co/logstash/logstash:8.8.2

10. Open the ports:

firewall-cmd --zone=public --add-port=5044/tcp --permanent && firewall-cmd --reload

firewall-cmd --zone=public --add-port=9600/tcp --permanent && firewall-cmd --reload

systemctl restart firewalld

11. Check that the container was created:

docker ps -a

12. In Index Management in Kibana you will see the logs we just collected.


13. Then, under Discover in Analytics, you will see the individual log entries.


IV. Filebeat 8.8.2 deployment

1. Pull the image:

docker pull elastic/filebeat:8.8.2

2. Create the Filebeat container:

docker run -itd \
    --name filebeat \
    --network host \
    -e TZ=Asia/Shanghai \
    elastic/filebeat:8.8.2 \
    filebeat -e  -c /usr/share/filebeat/filebeat.yml

3. Create the Filebeat mount directory:

mkdir -p /usr/elk8.8.2/filebeat/log

4. Copy the files from the container to the host:

docker cp filebeat:/usr/share/filebeat/filebeat.yml /usr/elk8.8.2/filebeat/

docker cp filebeat:/usr/share/filebeat/data /usr/elk8.8.2/filebeat/

docker cp filebeat:/usr/share/filebeat/logs /usr/elk8.8.2/filebeat/

5. Edit the configuration file:

vim /usr/elk8.8.2/filebeat/filebeat.yml

filebeat.config:
  modules:
    path: ${path.config}/modules.d/*.yml
    reload.enabled: false

processors:
  - add_cloud_metadata: ~
  - add_docker_metadata: ~

output.logstash:
  enabled: true
  # The Logstash hosts
  hosts: ["172.18.0.4:5044"]

filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /usr/share/filebeat/target/*/*/*.log  # path of the logs to collect; this is the path inside the Docker container
  scan_frequency: 10s
  exclude_lines: ['HEAD', 'HTTP/1.1']
  multiline.pattern: '^[[:space:]]+(at|\.{3})\b|Exception|捕获异常'
  multiline.negate: false
  multiline.match: after

6. Set ownership on the directory:

sudo chown -R 1000:1000 /usr/elk8.8.2/filebeat

7. Remove the container:

docker rm -f filebeat

8. Recreate the container:

docker run -itd --name filebeat --restart=always \
--network host -e TZ=Asia/Shanghai \
-v /usr/elk8.8.2/filebeat/log:/usr/share/filebeat/target \
-v /usr/elk8.8.2/filebeat/filebeat.yml:/usr/share/filebeat/filebeat.yml \
-v /usr/elk8.8.2/filebeat/data:/usr/share/filebeat/data \
-v /usr/elk8.8.2/filebeat/logs:/usr/share/filebeat/logs \
elastic/filebeat:8.8.2 \
filebeat -e  -c /usr/share/filebeat/filebeat.yml
