Reference documentation:
Docker ELK usage documentation: http://elk-docker.readthedocs.io/
1. Pull the image
Search Docker Hub for the image:
docker search elk
Pull the image:
sudo docker pull sebp/elk
2. Start the container
docker run -p 5601:5601 -p 9200:9200 -p 5044:5044 -p 4560:4560 -it --name elk sebp/elk
If Elasticsearch refuses to start because the elasticsearch user's memory-map limit is too low (vm.max_map_count must be at least 262144):
Switch to the root user and run:
sysctl -w vm.max_map_count=262144
Check the result:
sysctl -a | grep vm.max_map_count
Output:
vm.max_map_count = 262144
A value set this way is lost when the virtual machine is rebooted, so:
Solution:
Append the following line to the end of /etc/sysctl.conf:
vm.max_map_count=262144
This makes the change permanent.
Restart the container.
3. Open the ports
5601, 9200, 5044 (the commands below also open 4560, the Logstash TCP input port):
firewall-cmd --zone=public --permanent --add-port=5601/tcp
firewall-cmd --zone=public --permanent --add-port=9200/tcp
firewall-cmd --zone=public --permanent --add-port=5044/tcp
firewall-cmd --zone=public --permanent --add-port=4560/tcp
Rules added with --permanent are saved to the firewall configuration but only take effect after the firewall is reloaded.
4. Check that the stack started
Open http://localhost:5601 in a browser.
5. Make the container start on boot
docker update --restart=always elk
6. Configuration
Enter the elk container, go to /etc/logstash/conf.d and delete all existing configuration files there, then run vi /etc/logstash/conf.d/logstash.conf and create a new configuration file.
Add the configuration below, save and exit. Make sure the file is UTF-8 encoded and properly indented, otherwise Logstash will report an error on startup. Then restart the Docker container.

input {
  tcp {
    port => 4560
    codec => json_lines
  }
}

filter {
  json {
    source => "message"
  }
  mutate {
    remove_field => ["level_value", "port", "host", "appName", "@version",
                     "logger_name", "thread_name", "createTime"]
  }
}

output {
  if [appId] {
    elasticsearch {
      hosts => ["localhost"]
      index => "app_%{appId}"
      document_type => "appLog"
    }
  }
}
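The filter and output stages of the pipeline above, modelled offline in Python as an added example (not code from these notes or from the elk-docker project). It shows which fields reach Elasticsearch for a JSON log line, which records `if [appId]` drops, and adds one check the original configuration does not have: because an appId supplied by a client on port 4560 becomes part of the index name, values that would not form a valid lowercase index name are rejected (the SAFE_APP_ID pattern is an assumption about a hardened config, not a Logstash feature).

```python
import json
import re

# Fields removed by the mutate filter in the configuration above.
REMOVED_FIELDS = ("level_value", "port", "host", "appName", "@version",
                  "logger_name", "thread_name", "createTime")
# Added check (assumption, not in the original config): appId is interpolated into the
# Elasticsearch index name, so only accept values that form a valid lowercase index name.
SAFE_APP_ID = re.compile(r"^[a-z0-9][a-z0-9_-]{0,63}$")


def process_line(line):
    """Run one json_lines record through filter and output; return (index, doc) or None."""
    event = json.loads(line)  # tcp input with codec json_lines: one JSON event per line
    # json filter with source => "message": merge the parsed message into the event,
    # or tag the event the way Logstash does when the message is not JSON.
    message = event.get("message")
    if isinstance(message, str):
        try:
            event.update(json.loads(message))
        except ValueError:
            event["tags"] = event.get("tags", []) + ["_jsonparsefailure"]
    for field in REMOVED_FIELDS:  # mutate filter: remove_field
        event.pop(field, None)
    app_id = event.get("appId")
    if app_id is None:  # output: `if [appId]` silently drops events without one
        return None
    if not SAFE_APP_ID.match(str(app_id)):  # added check, see above
        return None
    return "app_%s" % app_id, event  # index => "app_%{appId}"


def process_stream(lines):
    """Group documents by target index, mirroring what the elasticsearch output writes."""
    indexed = {}
    for line in lines:
        result = process_line(line)
        if result is not None:
            index, doc = result
            indexed.setdefault(index, []).append(doc)
    return indexed


# Constructed sample records, as a JSON log appender might send them to port 4560.
SAMPLE_LINES = [
    '{"appId":"orders","host":"10.0.0.5","port":4560,"@version":"1","level":"INFO",'
    '"logger_name":"com.example.Orders","message":"{\\"orderId\\":42,\\"status\\":\\"paid\\"}"}',
    '{"host":"10.0.0.6","level":"WARN","message":"no appId on this event"}',
    '{"appId":"Bad/Index","level":"ERROR","message":"plain text"}',
]
```

process_stream(SAMPLE_LINES) yields a single app_orders index holding one document with the host, port, @version and logger_name fields stripped; the record without an appId and the one with an unsafe appId are both dropped.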
Troubleshooting common problems:
If Elasticsearch isn't starting...
If the suggestions listed in "Frequently encountered issues" don't help, then an additional way of working out why Elasticsearch isn't starting is to:
- Start a container with the bash command:
  $ sudo docker run -it sebp/elk bash
- Start Elasticsearch manually to look at what it outputs:
  $ gosu elasticsearch /opt/elasticsearch/bin/elasticsearch
  Kibana can be started the same way:
  $ gosu kibana /opt/kibana/bin/kibana