elk部署8.12单机版

老规矩，设置内核参数

echo "vm.max_map_count=655360" >> /etc/sysctl.conf
sysctl -p

单节点使用docker-compose，无翻墙能力的请自行更换镜像

root@ops-VMware-Virtual-Platform:/home/ops/elk# tree -I "data"
.
├── docker-compose.yaml
├── elasticsearch
├── filebeat
│   ├── docker-compose.yaml
│   └── filebeat.yml
├── kibana
│   └── kibana.yml
└── logstash
    ├── config
    │   ├── jvm.options
    │   └── logstash.yml
    └── pipeline
        └── logstash.conf

文件目录如上，直接上干货吧

compose文件

root@ops-VMware-Virtual-Platform:/home/ops/elk# cat docker-compose.yaml
version: "3.8"

services:
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:8.12.2
    container_name: es
    environment:
      - node.name=es-node
      - cluster.name=elk-cluster
      - discovery.type=single-node
      - ES_JAVA_OPTS=-Xms1g -Xmx1g
      - xpack.security.enabled=true
      - xpack.security.http.ssl.enabled=false
      - xpack.security.transport.ssl.enabled=false
    volumes:
      - ./elasticsearch/data:/usr/share/elasticsearch/data
    ports:
      - "9200:9200"
    networks:
      - elk

  logstash:
    image: docker.elastic.co/logstash/logstash:8.12.2
    container_name: logstash
    depends_on:
      - elasticsearch
    volumes:
      - ./logstash/pipeline:/usr/share/logstash/pipeline
      - ./logstash/config/logstash.yml:/usr/share/logstash/config/logstash.yml
    ports:
      - "5044:5044"
      - "9600:9600"
    networks:
      - elk

  kibana:
    image: docker.elastic.co/kibana/kibana:8.12.2
    container_name: kibana
    depends_on:
      - elasticsearch
    volumes:
      - ./kibana/kibana.yml:/usr/share/kibana/config/kibana.yml
    ports:
      - "5601:5601"
    networks:
      - elk

networks:
  elk:
    driver: bridge

logstash配置文件

jvm.options（部分关键内容）

## JVM configuration

# Xms represents the initial size of total heap space
# Xmx represents the maximum size of total heap space

-Xms1g
-Xmx1g

################################################################
## Expert settings
################################################################

## ===== Direct Memory（新增，核心）=====
-XX:MaxDirectMemorySize=512m   ### <<< 新增：限制 Netty / Beats 堆外内存 >>>

## ===== GC configuration（修改）=====
-XX:+UseG1GC                  ### <<< 新增：使用 G1，替代 CMS >>>
-XX:MaxGCPauseMillis=200      ### <<< 新增：限制 GC 停顿时间 >>>

##
## All settings below this section are considered
## expert settings. Don't tamper with them unless
## you understand what you are doing
##
################################################################

## GC configuration
#11-13:-XX:+UseConcMarkSweepGC
#11-13:-XX:CMSInitiatingOccupancyFraction=75
#11-13:-XX:+UseCMSInitiatingOccupancyOnly

root@ops-VMware-Virtual-Platform:/home/ops/elk# cat logstash/config/logstash.yml
http.host: "0.0.0.0"
xpack.monitoring.enabled: true
xpack.monitoring.elasticsearch.hosts: [ "http://elasticsearch:9200" ]
xpack.monitoring.elasticsearch.username: "logstash_system"
xpack.monitoring.elasticsearch.password: "密码"

kibana

root@ops-VMware-Virtual-Platform:/home/ops/elk# cat kibana/kibana.yml
server.name: kibana
server.host: 0.0.0.0

elasticsearch.hosts:
  - http://elasticsearch:9200
elasticsearch.username: kibana_system
elasticsearch.password: "密码"
i18n.locale: zh-CN

重置 elastic 用户密码（就是kibana登录密码）

/usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic

输出类似：

This tool will reset the password of the [elastic] user. Password reset successfully. New value: xxxxxxxxxxxxxx

👉 记住这个密码，这是后面 Logstash / Kibana 都要用的。

---

重置 logstash_system 用户密码

/usr/share/elasticsearch/bin/elasticsearch-reset-password -u logstash_system

这个用户 专门给 Logstash monitoring 用

不是你 output 里那个 elastic，但你 logstash.yml 里用到了它

然后改你的：

# logstash/config/logstash.yml xpack.monitoring.elasticsearch.username: "logstash_system" xpack.monitoring.elasticsearch.password: "新密码"

改完 必须重启 logstash 容器。

---

重置 kibana_system 用户密码（推荐）

/usr/share/elasticsearch/bin/elasticsearch-reset-password -u kibana_system

然后修改：

# kibana/kibana.yml elasticsearch.username: kibana_system elasticsearch.password: 新密码

👉 推荐用 kibana_system，而不是 elastic

然后是filebeat，这里用docker部署，也可以直接安装部署

root@ops-VMware-Virtual-Platform:/home/ops/elk# cat filebeat/filebeat.yml
filebeat.inputs:
- type: filestream
  id: docker
  paths:
    - /var/lib/docker/containers/*/*.log
  parsers:
    - container: ~

  fields:
    env: prod
  fields_under_root: true
  max_bytes: 1048576

processors:
- add_docker_metadata:
    host: "unix:///var/run/docker.sock"

- drop_event:
    when:
      not:
        has_fields: ['env']

output.logstash:
  hosts: ["192.168.1.10:5044"]
  bulk_max_size: 512
  compression_level: 1
  worker: 1

root@ops-VMware-Virtual-Platform:/home/ops/elk# cat filebeat/docker-compose.yaml
version: "3"
services:
  filebeat:
    image: docker.elastic.co/beats/filebeat:8.12.2
    container_name: filebeat
    user: root
    volumes:
    - ./filebeat.yml:/usr/share/filebeat/filebeat.yml:ro
    - /var/lib/docker/containers:/var/lib/docker/containers
    - /var/run/docker.sock:/var/run/docker.sock:ro
    command: ["--strict.perms=false", "-e", "-d", "filestream,harvester"]