docker安装elk6.7.1-搜集nginx-json日志

docker安装elk6.7.1-搜集nginx-json日志

如果对运维课程感兴趣，可以在b站上、A站或csdn上搜索我的账号： 运维实战课程，可以关注我，学习更多免费的运维实战技术视频

0.规划

192.168.171.130 nginx+filebeat

192.168.171.131 nginx+filebeat

192.168.171.128 redis

192.168.171.129 logstash

192.168.171.128 es1

192.168.171.129 es2

192.168.171.132 kibana

1.docker安装es集群-6.7.1 和head插件(在192.168.171.128-es1和192.168.171.129-es2)

在192.168.171.128上安装es6.7.1和es6.7.1-head插件：

1)安装docker19.03.2:

root@localhost \~\]# docker info ....... Server Version: 19.03.2 \[root@localhost \~\]# sysctl -w vm.max_map_count=262144 #设置elasticsearch用户拥有的内存权限太小，至少需要262144 \[root@localhost \~\]# sysctl -a \|grep vm.max_map_count #查看 vm.max_map_count = 262144 \[root@localhost \~\]# vim /etc/sysctl.conf vm.max_map_count=262144 2)安装es6.7.1： 上传相关es的压缩包到/data目录： \[root@localhost \~\]# cd /data/ \[root@localhost data\]# ls es-6.7.1.tar.gz es-6.7.1.tar.gz \[root@localhost data\]# tar -zxf es-6.7.1.tar.gz \[root@localhost data\]# cd es-6.7.1 \[root@localhost es-6.7.1\]# ls config image scripts \[root@localhost es-6.7.1\]# ls config/ es.yml \[root@localhost es-6.7.1\]# ls image/ elasticsearch_6.7.1.tar \[root@localhost es-6.7.1\]# ls scripts/ run_es_6.7.1.sh \[root@localhost es-6.7.1\]# docker load -i image/elasticsearch_6.7.1.tar \[root@localhost es-6.7.1\]# docker images \|grep elasticsearch elasticsearch 6.7.1 e2667f5db289 11 months ago 812MB \[root@localhost es-6.7.1\]# cat config/es.yml cluster.name: elasticsearch-cluster node.name: es-node1 network.host: 0.0.0.0 network.publish_host: 192.168.171.128 http.port: 9200 transport.tcp.port: 9300 http.cors.enabled: true http.cors.allow-origin: "\*" node.master: true node.data: true discovery.zen.ping.unicast.hosts: \["192.168.171.128:9300","192.168.171.129:9300"

discovery.zen.minimum_master_nodes: 1

#cluster.name 集群的名称,可以自定义名字,但两个es必须一样，就是通过是不是同一个名称判断是不是一个集群

#node.name 本机的节点名,可自定义,没必要必须hosts解析或配置该主机名

#下面两个是默认基础上新加的，允许跨域访问

#http.cors.enabled: true

#http.cors.allow-origin: '*'

##注意：容器里有两个端口，9200是:ES节点和外部通讯使用,9300是:ES节点之间通讯使用

root@localhost es-6.7.1\]# cat scripts/run_es_6.7.1.sh #!/bin/bash docker run -e ES_JAVA_OPTS="-Xms1024m -Xmx1024m" -d --net=host --restart=always -v /data/es-6.7.1/config/es.yml:/usr/share/elasticsearch/config/elasticsearch.yml -v /data/es6.7.1_data:/usr/share/elasticsearch/data -v /data/es6.7.1_logs:/usr/share/elasticsearch/logs --name es6.7.1 elasticsearch:6.7.1 #注意：容器里有两个端口，9200是:ES节点和外部通讯使用,9300是:ES节点之间通讯使用 \[root@localhost es-6.7.1\]# mkdir /data/es6.7.1_data \[root@localhost es-6.7.1\]# mkdir /data/es6.7.1_logs \[root@localhost es-6.7.1\]# chmod -R 777 /data/es6.7.1_data/ #需要es用户能写入，否则无法映射 \[root@localhost es-6.7.1\]# chmod -R 777 /data/es6.7.1_logs/ #需要es用户能写入，否则无法映射 \[root@localhost es-6.7.1\]# sh scripts/run_es_6.7.1.sh \[root@localhost es-6.7.1\]# docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 988abe7eedac elasticsearch:6.7.1 "/usr/local/bin/dock..." 23 seconds ago Up 19 seconds es6.7.1 \[root@localhost es-6.7.1\]# netstat -anput \|grep 9200 tcp6 0 0 :::9200 :::\* LISTEN 16196/java \[root@localhost es-6.7.1\]# netstat -anput \|grep 9300 tcp6 0 0 :::9300 :::\* LISTEN 16196/java \[root@localhost es-6.7.1\]# cd 浏览器访问es服务：[http://192.168.171.128:9200/](http://192.168.171.128:9200/ "http://192.168.171.128:9200/")  3)安装es6.7.1-head插件： 上传相关es-head插件的压缩包到/data目录 \[root@localhost \~\]# cd /data/ \[root@localhost data\]# ls es-6.7.1-head.tar.gz es-6.7.1-head.tar.gz \[root@localhost data\]# tar -zxf es-6.7.1-head.tar.gz \[root@localhost data\]# cd es-6.7.1-head \[root@localhost es-6.7.1-head\]# ls conf image scripts \[root@localhost es-6.7.1-head\]# ls conf/ app.js Gruntfile.js \[root@localhost es-6.7.1-head\]# ls image/ elasticsearch-head_6.7.1.tar \[root@localhost es-6.7.1-head\]# ls scripts/ run_es-head.sh \[root@localhost es-6.7.1-head\]# docker load -i image/elasticsearch-head_6.7.1.tar \[root@localhost es-6.7.1-head\]# docker images REPOSITORY TAG IMAGE ID CREATED SIZE elasticsearch 6.7.1 e2667f5db289 11 months ago 812MB elasticsearch-head 6.7.1 b19a5c98e43b 3 years ago 824MB \[root@localhost es-6.7.1-head\]# vim conf/app.js ..... this.base_uri = this.config.base_uri \|\| this.prefs.get("app-base_uri") \|\| "http://192.168.171.128:9200"; #修改为本机ip .... \[root@localhost es-6.7.1-head\]# vim conf/Gruntfile.js .... connect: { server: { options: { hostname: '\*', #添加 port: 9100, base: '.', keepalive: true } } .... \[root@localhost es-6.7.1-head\]# cat scripts/run_es-head.sh #!/bin/bash docker run -d --name es-head-6.7.1 --net=host --restart=always -v /data/es-6.7.1-head/conf/Gruntfile.js:/usr/src/app/Gruntfile.js -v /data/es-6.7.1-head/conf/app.js:/usr/src/app/_site/app.js elasticsearch-head:6.7.1 #容器端口是9100,是es的管理端口 \[root@localhost es-6.7.1-head\]# sh scripts/run_es-head.sh \[root@localhost es-6.7.1-head\]# docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES c46189c3338b elasticsearch-head:6.7.1 "/bin/sh -c 'grunt s..." 42 seconds ago Up 37 seconds es-head-6.7.1 988abe7eedac elasticsearch:6.7.1 "/usr/local/bin/dock..." 9 minutes ago Up 9 minutes es6.7.1 \[root@localhost es-6.7.1-head\]# netstat -anput \|grep 9100 tcp6 0 0 :::9100 :::\* LISTEN 16840/grunt 浏览器访问es-head插件：[http://192.168.171.128:9100/](http://192.168.171.128:9100/ "http://192.168.171.128:9100/")  ****在192.168.171.129上安装es6.7.1和es6.7.1-head插件：**** 1)安装docker19.03.2: \[root@localhost \~\]# docker info Client: Debug Mode: false Server: Containers: 2 Running: 2 Paused: 0 Stopped: 0 Images: 2 Server Version: 19.03.2 \[root@localhost \~\]# sysctl -w vm.max_map_count=262144 #设置elasticsearch用户拥有的内存权限太小，至少需要262144 \[root@localhost \~\]# sysctl -a \|grep vm.max_map_count #查看 vm.max_map_count = 262144 \[root@localhost \~\]# vim /etc/sysctl.conf vm.max_map_count=262144 2)安装es6.7.1： 上传相关es的压缩包到/data目录： \[root@localhost \~\]# cd /data/ \[root@localhost data\]# ls es-6.7.1.tar.gz es-6.7.1.tar.gz \[root@localhost data\]# tar -zxf es-6.7.1.tar.gz \[root@localhost data\]# cd es-6.7.1 \[root@localhost es-6.7.1\]# ls config image scripts \[root@localhost es-6.7.1\]# ls config/ es.yml \[root@localhost es-6.7.1\]# ls image/ elasticsearch_6.7.1.tar \[root@localhost es-6.7.1\]# ls scripts/ run_es_6.7.1.sh \[root@localhost es-6.7.1\]# docker load -i image/elasticsearch_6.7.1.tar \[root@localhost es-6.7.1\]# docker images \|grep elasticsearch elasticsearch 6.7.1 e2667f5db289 11 months ago 812MB \[root@localhost es-6.7.1\]# vim config/es.yml cluster.name: elasticsearch-cluster node.name: es-node2 network.host: 0.0.0.0 network.publish_host: 192.168.171.129 http.port: 9200 transport.tcp.port: 9300 http.cors.enabled: true http.cors.allow-origin: "\*" node.master: true node.data: true discovery.zen.ping.unicast.hosts: \["192.168.171.128:9300","192.168.171.129:9300"

discovery.zen.minimum_master_nodes: 1

#cluster.name 集群的名称,可以自定义名字,但两个es必须一样，就是通过是不是同一个名称判断是不是一个集群

#node.name 本机的节点名,可自定义,没必要必须hosts解析或配置该主机名

#下面两个是默认基础上新加的，允许跨域访问

#http.cors.enabled: true

#http.cors.allow-origin: '*'

##注意：容器里有两个端口，9200是:ES节点和外部通讯使用,9300是:ES节点之间通讯使用

root@localhost es-6.7.1\]# cat scripts/run_es_6.7.1.sh #!/bin/bash docker run -e ES_JAVA_OPTS="-Xms1024m -Xmx1024m" -d --net=host --restart=always -v /data/es-6.7.1/config/es.yml:/usr/share/elasticsearch/config/elasticsearch.yml -v /data/es6.7.1_data:/usr/share/elasticsearch/data -v /data/es6.7.1_logs:/usr/share/elasticsearch/logs --name es6.7.1 elasticsearch:6.7.1 #注意：容器里有两个端口，9200是:ES节点和外部通讯使用,9300是:ES节点之间通讯使用 \[root@localhost es-6.7.1\]# mkdir /data/es6.7.1_data \[root@localhost es-6.7.1\]# mkdir /data/es6.7.1_logs \[root@localhost es-6.7.1\]# chmod -R 777 /data/es6.7.1_data/ #需要es用户能写入，否则无法映射 \[root@localhost es-6.7.1\]# chmod -R 777 /data/es6.7.1_logs/ #需要es用户能写入，否则无法映射 \[root@localhost es-6.7.1\]# sh scripts/run_es_6.7.1.sh \[root@localhost es-6.7.1\]# docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES a3b0a0187db8 elasticsearch:6.7.1 "/usr/local/bin/dock..." 9 seconds ago Up 7 seconds es6.7.1 \[root@localhost es-6.7.1\]# netstat -anput \|grep 9200 tcp6 0 0 :::9200 :::\* LISTEN 14171/java \[root@localhost es-6.7.1\]# netstat -anput \|grep 9300 tcp6 0 0 :::9300 :::\* LISTEN 14171/java \[root@localhost es-6.7.1\]# cd 浏览器访问es服务：[http://192.168.171.129:9200/](http://192.168.171.128:9200/ "http://192.168.171.129:9200/")  3)安装es6.7.1-head插件： 上传相关es-head插件的压缩包到/data目录 \[root@localhost \~\]# cd /data/ \[root@localhost data\]# ls es-6.7.1-head.tar.gz es-6.7.1-head.tar.gz \[root@localhost data\]# tar -zxf es-6.7.1-head.tar.gz \[root@localhost data\]# cd es-6.7.1-head \[root@localhost es-6.7.1-head\]# ls conf image scripts \[root@localhost es-6.7.1-head\]# ls conf/ app.js Gruntfile.js \[root@localhost es-6.7.1-head\]# ls image/ elasticsearch-head_6.7.1.tar \[root@localhost es-6.7.1-head\]# ls scripts/ run_es-head.sh \[root@localhost es-6.7.1-head\]# docker load -i image/elasticsearch-head_6.7.1.tar \[root@localhost es-6.7.1-head\]# docker images REPOSITORY TAG IMAGE ID CREATED SIZE elasticsearch 6.7.1 e2667f5db289 11 months ago 812MB elasticsearch-head 6.7.1 b19a5c98e43b 3 years ago 824MB \[root@localhost es-6.7.1-head\]# vim conf/app.js ..... this.base_uri = this.config.base_uri \|\| this.prefs.get("app-base_uri") \|\| "http://192.168.171.129:9200"; #修改为本机ip .... \[root@localhost es-6.7.1-head\]# vim conf/Gruntfile.js .... connect: { server: { options: { hostname: '\*', #添加 port: 9100, base: '.', keepalive: true } } .... \[root@localhost es-6.7.1-head\]# cat scripts/run_es-head.sh #!/bin/bash docker run -d --name es-head-6.7.1 --net=host --restart=always -v /data/es-6.7.1-head/conf/Gruntfile.js:/usr/src/app/Gruntfile.js -v /data/es-6.7.1-head/conf/app.js:/usr/src/app/_site/app.js elasticsearch-head:6.7.1 #容器端口是9100,是es的管理端口 \[root@localhost es-6.7.1-head\]# sh scripts/run_es-head.sh \[root@localhost es-6.7.1-head\]# docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES f4f5c967754b elasticsearch-head:6.7.1 "/bin/sh -c 'grunt s..." 12 seconds ago Up 7 seconds es-head-6.7.1 a3b0a0187db8 elasticsearch:6.7.1 "/usr/local/bin/dock..." 7 minutes ago Up 7 minutes es6.7.1 \[root@localhost es-6.7.1-head\]# netstat -anput \|grep 9100 tcp6 0 0 :::9100 :::\* LISTEN 14838/grunt 浏览器访问es-head插件：[http://192.168.171.129:9100/](http://192.168.171.128:9100/ "http://192.168.171.129:9100/")  同样在机器192.168.171.128的head插件也能查看到状态，因为插件管理工具都是一样的，如下： [http://192.168.171.128:9100/](http://192.168.171.128:9100/ "http://192.168.171.128:9100/")  ****2.docker安装redis4.0.10（在192.168.171.128上）**** 上传redis4.0.10镜像： \[root@localhost \~\]# ls redis_4.0.10.tar redis_4.0.10.tar \[root@localhost \~\]# docker load -i redis_4.0.10.tar \[root@localhost \~\]# docker images \|grep redis gmprd.baiwang-inner.com/redis 4.0.10 f713a14c7f9b 13 months ago 425MB \[root@localhost \~\]# mkdir -p /data/redis/conf #创建配置文件目录 \[root@localhost \~\]# vim /data/redis/conf/redis.conf #自定义配置文件 protected-mode no port 6379 bind 0.0.0.0 tcp-backlog 511 timeout 0 tcp-keepalive 300 supervised no pidfile "/usr/local/redis/redis_6379.pid" loglevel notice logfile "/opt/redis/logs/redis.log" databases 16 save 900 1 save 300 10 save 60 10000 stop-writes-on-bgsave-error yes rdbcompression yes rdbchecksum yes dbfilename "dump.rdb" dir "/" slave-serve-stale-data yes slave-read-only yes repl-diskless-sync no repl-diskless-sync-delay 5 repl-disable-tcp-nodelay no slave-priority 100 requirepass 123456 appendonly yes dir "/opt/redis/data" logfile "/opt/redis/logs/redis.log" appendfilename "appendonly.aof" appendfsync everysec no-appendfsync-on-rewrite no auto-aof-rewrite-percentage 100 auto-aof-rewrite-min-size 64mb aof-load-truncated yes lua-time-limit 5000 slowlog-log-slower-than 10000 slowlog-max-len 128 latency-monitor-threshold 0 notify-keyspace-events "" hash-max-ziplist-entries 512 hash-max-ziplist-value 64 list-max-ziplist-size -2 list-compress-depth 0 set-max-intset-entries 512 zset-max-ziplist-entries 128 zset-max-ziplist-value 64 hll-sparse-max-bytes 3000 activerehashing yes client-output-buffer-limit normal 0 0 0 client-output-buffer-limit slave 256mb 64mb 60 client-output-buffer-limit pubsub 32mb 8mb 60 hz 10 aof-rewrite-incremental-fsync yes maxclients 4064 #appendonly yes 是开启数据持久化 #dir "/opt/redis/data" #持久化到的容器里的目录 #logfile "/opt/redis/logs/redis.log" #持久化到的容器里的目录,此处写的必须是文件路径,目录路径不行 \[root@localhost \~\]# docker run -d --net=host --restart=always --name=redis4.0.10 -v /data/redis/conf/redis.conf:/opt/redis/conf/redis.conf -v /data/redis_data:/opt/redis/data -v /data/redis_logs:/opt/redis/logs gmprd.baiwang-inner.com/redis:4.0.10 \[root@localhost \~\]# docker ps \|grep redis 735fb213ee41 gmprd.baiwang-inner.com/redis:4.0.10 "redis-server /opt/r..." 9 seconds ago Up 8 seconds redis4.0.10 \[root@localhost \~\]# netstat -anput \|grep 6379 tcp 0 0 0.0.0.0:6379 0.0.0.0:\* LISTEN 16988/redis-server \[root@localhost \~\]# ls /data/redis_data/ appendonly.aof \[root@localhost \~\]# ls /data/redis_logs/ redis.log \[root@localhost \~\]# docker exec -it redis4.0.10 bash \[root@localhost /\]# redis-cli -a 123456 127.0.0.1:6379\> set k1 v1 OK 127.0.0.1:6379\> keys \* 1) "k1" 127.0.0.1:6379\> get k1 "v1" 127.0.0.1:6379\> quit \[root@localhost /\]# exit ****3.docker安装nginx1.15.9和配置json日志格式和filebeat6.7.1 （192.168.171.130和192.168.171.131）**** 在192.168.171.130上： 安装nginx1.15.9: \[root@localhost \~\]# cd /data/ \[root@localhost data\]# ls nginx1.15.9.tar.gz nginx1.15.9.tar.gz \[root@localhost data\]# tar -zxf nginx1.15.9.tar.gz \[root@localhost data\]# cd nginx1.15.9 \[root@localhost nginx1.15.9\]# ls conf image scripts \[root@localhost nginx1.15.9\]# ls conf/ nginx.conf \[root@localhost nginx1.15.9\]# ls image/ nginx1.15.9-0711.tar \[root@localhost nginx1.15.9\]# ls scripts/ run_nginx.sh \[root@localhost nginx1.15.9\]# docker load -i image/nginx1.15.9-0711.tar \[root@localhost nginx1.15.9\]# docker images \|grep nginx nginx 1.15.9 881bd08c0b08 12 months ago 109MB \[root@localhost nginx1.15.9\]# cat conf/nginx.conf user root; worker_processes 4; events { worker_connections 10240; } http { include mime.types; default_type application/octet-stream; log_format json '{ "@timestamp": "$time_iso8601", ' '"remote_addr": "$remote_addr", ' '"remote_user": "$remote_user", ' '"body_bytes_sent": "$body_bytes_sent", ' '"request_time": "$request_time", ' '"status": "$status", ' '"request_uri": "$request_uri", ' '"request_method": "$request_method", ' '"http_referrer": "$http_referer", ' '"http_x_forwarded_for": "$http_x_forwarded_for", ' '"http_user_agent": "$http_user_agent"}'; access_log /var/log/nginx/access.log json; client_max_body_size 128m; sendfile on; keepalive_timeout 65; gzip on; gzip_min_length 1k; gzip_buffers 4 16k; gzip_comp_level 4; gzip_types text/plain text/javascript application/x-javascript text/css application/xml application/xml+rss; ssi on; server_tokens off; server { listen 80; #listen 5080 ssl; #ssl_certificate /data/ssl/server.crt; #ssl_certificate_key /data/ssl/server.key; #ssl_session_timeout 5m; server_name localhost; location / { root registry/static_root; index index.html index.htm; } location = /404.html { root html; index 404.html; } error_page 500 502 503 504 /50x.html; location = /50x.html { root html; } } } \[root@localhost nginx1.15.9\]# cat scripts/run_nginx.sh #!/bin/bash docker run -d --net=host --restart=always --name=nginx -v /data/nginx1.15.9/conf/nginx.conf:/etc/nginx/nginx.conf -v /data/nginx/logs:/var/log/nginx -v /data/nginx/registry:/etc/nginx/registry nginx:1.15.9 \[root@localhost nginx1.15.9\]# sh scripts/run_nginx.sh \[root@localhost nginx1.15.9\]# docker ps \|grep nginx a920b3487d8d nginx:1.15.9 "nginx -g 'daemon of..." 20 seconds ago Up 19 seconds nginx \[root@localhost nginx1.15.9\]# netstat -anput \|grep 80 tcp 0 0 0.0.0.0:80 0.0.0.0:\* LISTEN 27454/nginx: master \[root@localhost nginx1.15.9\]# ls /data/nginx logs registry \[root@localhost nginx1.15.9\]# ls /data/nginx/logs/ access.log error.log \[root@localhost nginx1.15.9\]# ls /data/nginx/registry/ 空 \[root@localhost nginx1.15.9\]# mkdir /data/nginx/registry/static_root \[root@localhost nginx1.15.9\]# echo 111 \> /data/nginx/registry/static_root/index.html \[root@localhost nginx1.15.9\]# curl localhost 111 \[root@localhost nginx1.15.9\]# curl localhost 111 \[root@localhost nginx1.15.9\]# curl localhost 111 \[root@localhost nginx1.15.9\]# curl 192.168.171.130 111 \[root@localhost nginx1.15.9\]# cat /data/nginx/logs/access.log { "@timestamp": "2020-03-08T11:01:12+00:00", "remote_addr": "127.0.0.1", "remote_user": "-", "body_bytes_sent": "14", "request_time": "0.000", "status": "200", "request_uri": "/", "request_method": "GET", "http_referrer": "-", "http_x_forwarded_for": "-", "http_user_agent": "curl/7.29.0"} { "@timestamp": "2020-03-08T11:01:13+00:00", "remote_addr": "127.0.0.1", "remote_user": "-", "body_bytes_sent": "14", "request_time": "0.000", "status": "200", "request_uri": "/", "request_method": "GET", "http_referrer": "-", "http_x_forwarded_for": "-", "http_user_agent": "curl/7.29.0"} { "@timestamp": "2020-03-08T11:01:43+00:00", "remote_addr": "127.0.0.1", "remote_user": "-", "body_bytes_sent": "14", "request_time": "0.000", "status": "200", "request_uri": "/", "request_method": "GET", "http_referrer": "-", "http_x_forwarded_for": "-", "http_user_agent": "curl/7.29.0"} { "@timestamp": "2020-03-08T11:03:44+00:00", "remote_addr": "192.168.171.130", "remote_user": "-", "body_bytes_sent": "14", "request_time": "0.000", "status": "200", "request_uri": "/", "request_method": "GET", "http_referrer": "-", "http_x_forwarded_for": "-", "http_user_agent": "curl/7.29.0"} \[root@localhost nginx1.15.9\]# cd 安装filebeat6.7.1： \[root@localhost \~\]# cd /data/ \[root@localhost data\]# ls filebeat6.7.1.tar.gz filebeat6.7.1.tar.gz \[root@localhost data\]# tar -zxf filebeat6.7.1.tar.gz \[root@localhost data\]# cd filebeat6.7.1 \[root@localhost filebeat6.7.1\]# ls conf image scripts \[root@localhost filebeat6.7.1\]# ls conf/ filebeat.yml filebeat.yml.bak \[root@localhost filebeat6.7.1\]# ls image/ filebeat_6.7.1.tar \[root@localhost filebeat6.7.1\]# ls scripts/ run_filebeat6.7.1.sh \[root@localhost filebeat6.7.1\]# docker load -i image/filebeat_6.7.1.tar \[root@localhost filebeat6.7.1\]# docker images \|grep filebeat docker.elastic.co/beats/filebeat 6.7.1 04fcff75b160 11 months ago 279MB \[root@localhost filebeat6.7.1\]# cat conf/filebeat.yml filebeat.inputs: - type: log enabled: true paths: - /usr/share/filebeat/logs/\*.log fields: log_source: nginx-access-log-171.130 filebeat.config.modules: path: ${path.config}/modules.d/\*.yml reload.enabled: false setup.template.settings: index.number_of_shards: 3 setup.kibana: #下面是直接写入es中: #output.elasticsearch: # hosts: \["192.168.171.128:9200"

#下面是写入redis中:

#下面的filebeat-common是自定的key,要和logstash中从redis里对应的key要要一致,多个节点的nginx的都可以该key写入,但需要定义log_source以作为区分,logstash读取的时候以区分的标志来分开存放索引到es中

output.redis:

hosts: ["192.168.171.128"]

port: 6379

password: "123456"

key: "filebeat-common"

db: 0

datatype: list

processors:

• add_host_metadata: ~

• add_cloud_metadata: ~

#注意：因为默认情况下,宿主机日志路径和容器内日志路径是不一致的，所以配置文件里配置的路径如果是宿主机日志路径,容器里则找不到

##所以采取措施是:配置文件里配置成容器里的日志路径,再把宿主机的日志目录和容器日志目录做一个映射就可以了

#/usr/share/filebeat/logs/*.log 是容器里的日志路径

root@localhost filebeat6.7.1\]# cat scripts/run_filebeat6.7.1.sh #!/bin/bash docker run -d --name filebeat6.7.1 --net=host --restart=always --user=root -v /data/filebeat6.7.1/conf/filebeat.yml:/usr/share/filebeat/filebeat.yml -v /data/nginx/logs:/usr/share/filebeat/logs docker.elastic.co/beats/filebeat:6.7.1 #注意：因为默认情况下,宿主机日志路径和容器内日志路径是不一致的，所以配置文件里配置的路径如果是宿主机日志路径,容器里则找不到 #所以采取措施是:配置文件里配置成容器里的日志路径,再把宿主机的日志目录和容器日志目录做一个映射就可以了 \[root@localhost filebeat6.7.1\]# sh scripts/run_filebeat6.7.1.sh #运行后则开始收集日志到redis \[root@localhost filebeat6.7.1\]# docker ps \|grep filebeat 63d423126963 docker.elastic.co/beats/filebeat:6.7.1 "/usr/local/bin/dock..." 9 seconds ago Up 7 seconds filebeat6.7.1 \[root@localhost filebeat6.7.1\]# cd 在192.168.171.131上： 安装nginx1.15.9: \[root@localhost \~\]# cd /data/ \[root@localhost data\]# ls nginx1.15.9.tar.gz nginx1.15.9.tar.gz \[root@localhost data\]# tar -zxf nginx1.15.9.tar.gz \[root@localhost data\]# cd nginx1.15.9 \[root@localhost nginx1.15.9\]# ls conf image scripts \[root@localhost nginx1.15.9\]# ls conf/ nginx.conf \[root@localhost nginx1.15.9\]# ls image/ nginx1.15.9-0711.tar \[root@localhost nginx1.15.9\]# ls scripts/ run_nginx.sh \[root@localhost nginx1.15.9\]# docker load -i image/nginx1.15.9-0711.tar \[root@localhost nginx1.15.9\]# docker images \|grep nginx nginx 1.15.9 881bd08c0b08 12 months ago 109MB \[root@localhost nginx1.15.9\]# cat conf/nginx.conf user root; worker_processes 4; events { worker_connections 10240; } http { include mime.types; default_type application/octet-stream; log_format json '{ "@timestamp": "$time_iso8601", ' '"remote_addr": "$remote_addr", ' '"remote_user": "$remote_user", ' '"body_bytes_sent": "$body_bytes_sent", ' '"request_time": "$request_time", ' '"status": "$status", ' '"request_uri": "$request_uri", ' '"request_method": "$request_method", ' '"http_referrer": "$http_referer", ' '"http_x_forwarded_for": "$http_x_forwarded_for", ' '"http_user_agent": "$http_user_agent"}'; access_log /var/log/nginx/access.log json; client_max_body_size 128m; sendfile on; keepalive_timeout 65; gzip on; gzip_min_length 1k; gzip_buffers 4 16k; gzip_comp_level 4; gzip_types text/plain text/javascript application/x-javascript text/css application/xml application/xml+rss; ssi on; server_tokens off; server { listen 80; #listen 5080 ssl; #ssl_certificate /data/ssl/server.crt; #ssl_certificate_key /data/ssl/server.key; #ssl_session_timeout 5m; server_name localhost; location / { root registry/static_root; index index.html index.htm; } location = /404.html { root html; index 404.html; } error_page 500 502 503 504 /50x.html; location = /50x.html { root html; } } } \[root@localhost nginx1.15.9\]# cat scripts/run_nginx.sh #!/bin/bash docker run -d --net=host --restart=always --name=nginx -v /data/nginx1.15.9/conf/nginx.conf:/etc/nginx/nginx.conf -v /data/nginx/logs:/var/log/nginx -v /data/nginx/registry:/etc/nginx/registry nginx:1.15.9 \[root@localhost nginx1.15.9\]# sh scripts/run_nginx.sh \[root@localhost nginx1.15.9\]# docker ps \|grep nginx 95f424816b9c nginx:1.15.9 "nginx -g 'daemon of..." 16 seconds ago Up 15 seconds nginx \[root@localhost nginx1.15.9\]# netstat -anput \|grep 80 tcp 0 0 0.0.0.0:80 0.0.0.0:\* LISTEN 21698/nginx: master \[root@localhost nginx1.15.9\]# ls /data/nginx logs registry \[root@localhost nginx1.15.9\]# ls /data/nginx/logs/ access.log error.log \[root@localhost nginx1.15.9\]# ls /data/nginx/registry/ 空 \[root@localhost nginx1.15.9\]# mkdir /data/nginx/registry/static_root \[root@localhost nginx1.15.9\]# echo 222 \> /data/nginx/registry/static_root/index.html \[root@localhost nginx1.15.9\]# curl localhost 222 \[root@localhost nginx1.15.9\]# curl localhost 222 \[root@localhost nginx1.15.9\]# curl 192.168.171.131 222 \[root@localhost nginx1.15.9\]# cat /data/nginx/logs/access.log { "@timestamp": "2020-03-08T11:27:09+00:00", "remote_addr": "127.0.0.1", "remote_user": "-", "body_bytes_sent": "14", "request_time": "0.000", "status": "200", "request_uri": "/", "request_method": "GET", "http_referrer": "-", "http_x_forwarded_for": "-", "http_user_agent": "curl/7.29.0"} { "@timestamp": "2020-03-08T11:27:11+00:00", "remote_addr": "127.0.0.1", "remote_user": "-", "body_bytes_sent": "14", "request_time": "0.000", "status": "200", "request_uri": "/", "request_method": "GET", "http_referrer": "-", "http_x_forwarded_for": "-", "http_user_agent": "curl/7.29.0"} { "@timestamp": "2020-03-08T11:27:34+00:00", "remote_addr": "192.168.171.131", "remote_user": "-", "body_bytes_sent": "14", "request_time": "0.000", "status": "200", "request_uri": "/", "request_method": "GET", "http_referrer": "-", "http_x_forwarded_for": "-", "http_user_agent": "curl/7.29.0"} \[root@localhost nginx1.15.9\]# cd 安装filebeat6.7.1： \[root@localhost \~\]# cd /data/ \[root@localhost data\]# ls filebeat6.7.1.tar.gz filebeat6.7.1.tar.gz \[root@localhost data\]# tar -zxf filebeat6.7.1.tar.gz \[root@localhost data\]# cd filebeat6.7.1 \[root@localhost filebeat6.7.1\]# ls conf image scripts \[root@localhost filebeat6.7.1\]# ls conf/ filebeat.yml filebeat.yml.bak \[root@localhost filebeat6.7.1\]# ls image/ filebeat_6.7.1.tar \[root@localhost filebeat6.7.1\]# ls scripts/ run_filebeat6.7.1.sh \[root@localhost filebeat6.7.1\]# docker load -i image/filebeat_6.7.1.tar \[root@localhost filebeat6.7.1\]# docker images \|grep filebeat docker.elastic.co/beats/filebeat 6.7.1 04fcff75b160 11 months ago 279MB \[root@localhost filebeat6.7.1\]# cat conf/filebeat.yml filebeat.inputs: - type: log enabled: true paths: - /usr/share/filebeat/logs/\*.log fields: log_source: nginx-access-log-171.131 filebeat.config.modules: path: ${path.config}/modules.d/\*.yml reload.enabled: false setup.template.settings: index.number_of_shards: 3 setup.kibana: #下面是直接写入es中: #output.elasticsearch: # hosts: \["192.168.171.128:9200"

#下面是写入redis中:

#下面的filebeat-common是自定的key,要和logstash中从redis里对应的key要要一致,多个节点的nginx的都可以该key写入,但需要定义log_source以作为区分,logstash读>取的时候以区分的标志来分开存放索引到es中

output.redis:

hosts: ["192.168.171.128"]

port: 6379

password: "123456"

key: "filebeat-common"

db: 0

datatype: list

processors:

• add_host_metadata: ~

• add_cloud_metadata: ~

#注意：因为默认情况下,宿主机日志路径和容器内日志路径是不一致的，所以配置文件里配置的路径如果是宿主机日志路径,容器里则找不到

##所以采取措施是:配置文件里配置成容器里的日志路径,再把宿主机的日志目录和容器日志目录做一个映射就可以了

#/usr/share/filebeat/logs/*.log 是容器里的日志路径

root@localhost filebeat6.7.1\]# cat scripts/run_filebeat6.7.1.sh #!/bin/bash docker run -d --name filebeat6.7.1 --net=host --restart=always --user=root -v /data/filebeat6.7.1/conf/filebeat.yml:/usr/share/filebeat/filebeat.yml -v /data/nginx/logs:/usr/share/filebeat/logs docker.elastic.co/beats/filebeat:6.7.1 #注意：因为默认情况下,宿主机日志路径和容器内日志路径是不一致的，所以配置文件里配置的路径如果是宿主机日志路径,容器里则找不到 #所以采取措施是:配置文件里配置成容器里的日志路径,再把宿主机的日志目录和容器日志目录做一个映射就可以了 \[root@localhost filebeat6.7.1\]# sh scripts/run_filebeat6.7.1.sh #运行后则开始收集日志到redis \[root@localhost filebeat6.7.1\]# docker ps \|grep filebeat 06cda99b62ef docker.elastic.co/beats/filebeat:6.7.1 "/usr/local/bin/dock..." 9 seconds ago Up 8 seconds filebeat6.7.1 \[root@localhost filebeat6.7.1\]# cd 到redis里查看是否以写入日志：（192.168.171.128） \[root@localhost \~\]# docker exec -it redis4.0.10 bash \[root@localhost /\]# redis-cli -a 123456 127.0.0.1:6379\> KEYS \* 1)"filebeat-common" 127.0.0.1:6379\> quit \[root@localhost /\]# exit ****4.docker安装logstash6.7.1（在192.168.171.129上）------从redis读出日志，写入es集群**** \[root@localhost \~\]# cd /data/ \[root@localhost data\]# ls logstash6.7.1.tar.gz logstash6.7.1.tar.gz \[root@localhost data\]# tar -zxf logstash6.7.1.tar.gz \[root@localhost data\]# cd logstash6.7.1 \[root@localhost logstash6.7.1\]# ls config image scripts \[root@localhost logstash6.7.1\]# ls config/ GeoLite2-City.mmdb log4j2.properties logstash.yml pipelines.yml_bak startup.options jvm.options logstash-sample.conf pipelines.yml redis_out_es_in.conf \[root@localhost logstash6.7.1\]# ls image/ logstash_6.7.1.tar \[root@localhost logstash6.7.1\]# ls scripts/ run_logstash6.7.1.sh \[root@localhost logstash6.7.1\]# docker load -i image/logstash_6.7.1.tar \[root@localhost logstash6.7.1\]# docker images \|grep logstash logstash 6.7.1 1f5e249719fc 11 months ago 778MB \[root@localhost logstash6.7.1\]# cat config/pipelines.yml #确认配置，引用的conf目录 # This file is where you define your pipelines. You can define multiple. # For more information on multiple pipelines, see the documentation: # https://www.elastic.co/guide/en/logstash/current/multiple-pipelines.html - pipeline.id: main path.config: "/usr/share/logstash/config/\*.conf" #容器内的目录 pipeline.workers: 3 \[root@localhost logstash6.7.1\]# cat config/redis_out_es_in.conf #查看和确认配置 input { redis { host =\> "192.168.171.128" port =\> "6379" password =\> "123456" db =\> "0" data_type =\> "list" key =\> "filebeat-common" } } filter { json { source =\> "message" remove_field =\> \["message"

}

geoip {

source => "remote_addr"

target => "geoip"

database => "/usr/share/logstash/config/GeoLite2-City.mmdb"

add_field => ["[geoip][coordinates]", "%{[geoip][longitude]}"]

add_field => ["[geoip][coordinates]", "%{[geoip][latitude]}"]

}

mutate {

convert => ["[geoip][coordinates]", "float"]

}

#date {

locale => "en"

match => ["time_local", "dd/MMM/yyyy:HH:mm:ss Z"]

#}

}

#上面filter还有一个作用是引入地理坐标数据库,可分析ip在全球的分布

#默认target是@timestamp，所以time_local会更新@timestamp时间。

#上面filter的date插件作用: 当第一次收集或使用缓存写入时候,会发现入库时间比日志实际时间有延时,导致时间不准确,最好加入date插件,

#使得入库时间和日志实际时间保持一致.上面因为nginx配置文件配置成json格式时候，已经覆盖了入库时间，已经和日志实际时间保持了一致，所以上面date可以不用

output {

if [fields][log_source] == 'nginx-access-log-171.130' {

elasticsearch {

hosts => ["192.168.171.128:9200"]

index => "logstash-nginx-access-log-171.130-%{+YYYY.MM.dd}"

}

}

if [fields][log_source] == 'nginx-access-log-171.131' {

elasticsearch {

hosts => ["192.168.171.128:9200"]

index => "logstash-nginx-access-log-171.131-%{+YYYY.MM.dd}"

}

}

}

root@localhost logstash6.7.1\]# cat scripts/run_logstash6.7.1.sh #!/bin/bash docker run -d --name logstash6.7.1 --net=host --restart=always -v /data/logstash6.7.1/config:/usr/share/logstash/config logstash:6.7.1 \[root@localhost logstash6.7.1\]# sh scripts/run_logstash6.7.1.sh #从redis读取日志，写入es \[root@localhost logstash6.7.1\]# docker ps \|grep logstash 725e1136bcef logstash:6.7.1 "/usr/local/bin/dock..." About a minute ago Up About a minute logstash6.7.1 到es集群查看，如下：  到redis查看，数据已经读取走，为空了： \[root@localhost \~\]# docker exec -it redis4.0.10 bash \[root@localhost /\]# redis-cli -a 123456 127.0.0.1:6379\> KEYS \* (empty list or set) 127.0.0.1:6379\> quit ****5.docker安装kibana6.7.1（在192.168.171.132上）从es中读取日志展示出来**** \[root@localhost \~\]# cd /data/ \[root@localhost data\]# ls kibana6.7.1.tar.gz kibana6.7.1.tar.gz \[root@localhost data\]# tar -zxf kibana6.7.1.tar.gz \[root@localhost data\]# cd kibana6.7.1 \[root@localhost kibana6.7.1\]# ls config image scripts \[root@localhost kibana6.7.1\]# ls config/ kibana.yml \[root@localhost kibana6.7.1\]# ls image/ kibana_6.7.1.tar \[root@localhost kibana6.7.1\]# ls scripts/ run_kibana6.7.1.sh \[root@localhost kibana6.7.1\]# docker load -i image/kibana_6.7.1.tar \[root@localhost kibana6.7.1\]# docker images \|grep kibana kibana 6.7.1 860831fbf9e7 11 months ago 677MB \[root@localhost kibana6.7.1\]# cat config/kibana.yml # # \*\* THIS IS AN AUTO-GENERATED FILE \*\* # # Default Kibana configuration for docker target server.name: kibana server.host: "0" elasticsearch.hosts: \[ "http://192.168.171.128:9200"

xpack.monitoring.ui.container.elasticsearch.enabled: true

root@localhost kibana6.7.1\]# cat scripts/run_kibana6.7.1.sh #!/bin/bash docker run -d --name kibana6.7.1 --net=host --restart=always -v /data/kibana6.7.1/config/kibana.yml:/usr/share/kibana/config/kibana.yml kibana:6.7.1 \[root@localhost kibana6.7.1\]# sh scripts/run_kibana6.7.1.sh #运行，从es读取展示到kibana中 \[root@localhost kibana6.7.1\]# docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 01a60ab36f01 kibana:6.7.1 "/usr/local/bin/kiba..." 35 seconds ago Up 33 seconds kibana6.7.1 \[root@localhost kibana6.7.1\]# netstat -anput \|grep 5601 #kibana端口 tcp 0 0 0.0.0.0:5601 0.0.0.0:\* LISTEN 2547/node 浏览器访问kibana： [http://192.168.171.132:5601](http://192.168.171.132:5601 "http://192.168.171.132:5601")  kibana创建索引（尽量和es里索引名对应，方便查找）------查询和展示es里的数据 先创建-\*索引: 点击management，如下：   输入索引名：logstash-nginx-access-log-\*，点击下一步，如下：  选择时间戳： @timestamp，点击创建索引，如下：  查看日志，点击discover，如下： #注意：由于之前搭建时候nginx测试访问日志量少，后面又多访问了几次两个nginx，方便测试。  点击箭头，即可展开，如下：   如果对运维课程感兴趣，可以在b站上、A站或csdn上搜索我的账号： 运维实战课程，可以关注我，学习更多免费的运维实战技术视频