docker-compose部署ELK

# docker-compose部署ELK，并在脚本内非交互式设置密码

使用方式：
将下面两个文件上传到服务器, 执行 sh elk.sh 即可，执行完后会输出两条命令，原样敲一下就行了。

# elk.sh

大部分的命令都在这个文件里面

#创建es挂载目录
mkdir -p /opt/comps/elk/elasticsearch/{plugins,data,logs,config}
#赋予777权限
chmod 777 /opt/comps/elk/elasticsearch/{plugins,data,logs,config}
#创建kibana挂载目录
mkdir -p /opt/comps/elk/kibana/{config,plugins}
#赋予777权限
chmod 777 /opt/comps/elk/kibana/{config,plugins}
#创建logstash挂载目录
mkdir -p /opt/comps/elk/logstash/{config,pipeline}
#赋予777权限
chmod 777 /opt/comps/elk/logstash/{config,pipeline}
#创建filebeat挂载目录
mkdir -p /opt/comps/elk/filebeat/{config,logs}
#赋予777权限
chmod 777 /opt/comps/elk/filebeat/{config,logs}

# 将ES常用插件放进插件文件夹  有ES插件可以和脚本放一起mv到指定的插件目录里面去，记得解压！
# mv ./elasticsearch-analysis-ik-7.17.6 /opt/comps/elk/elasticsearch/plugins
# mv ./ingest-attachment-7.17.6 /opt/comps/elk/elasticsearch/plugins

#################################################################
# tee命令和echo命令的区别在于，tee写入文件之后会将写的内容输出到屏幕上
# << 符号表示将以下所有行定义的输入作为文本传递给tee命令。'EOF' 是自定义的标记，表示输入的结束。'- ' 表示忽略输入时开头的tab字符，保证输入内容整齐排版。
# tee -a xxxx 表示追加内容，不加 -a就是覆盖输入
#################################################################

# 写入elasticsearch配置文件
sudo tee /opt/comps/elk/elasticsearch/config/elasticsearch.yml <<-'EOF'
network.host: 0.0.0.0
# 跨域配置
http.cors.enabled: true
http.cors.allow-origin: "*"
EOF

# 写入kibana配置文件
sudo tee /opt/comps/elk/kibana/config/kibana.yml <<-'EOF'
server.host: "0.0.0.0"
server.shutdownTimeout: "10s"
elasticsearch.hosts: [ "http://elasticsearch:9200" ]
monitoring.ui.container.elasticsearch.enabled: true
EOF

# 写入logstash.conf
# logstash对外开放了三个端口，这样可以将不同类型的日志投送到不同的端口，对日志进行分类管理，
# 比如运行日志，安全日志，操作日志等等。具体配置如下：
sudo tee /opt/comps/elk/logstash/pipeline/logstash.conf <<-'EOF'
input {
  tcp {
    # 模式指定为server模式
    mode => "server"
    # server模式时 ip地址是本机
    host => "0.0.0.0"
    # 指定监听端口
    port => 4560
    # 指定输入数据的解码器 使用json格式
    codec => json_lines
    # 日志的类型
    type => info
	}
  tcp {
    mode => "server"
    host => "0.0.0.0"
    port => 4570
    codec => json_lines
    type => operation
  }
  tcp {
    mode => "server"
    host => "0.0.0.0"
    port => 4580
    codec => json_lines
    type => security
  }
}
output {
  stdout {
    codec => rubydebug # 可以在logstash控制台输出日志 默认就是rubydebug
  }
  
  if [type] == "info" {
    elasticsearch {
      hosts => "elasticsearch:9200"
      user => "elastic"
      password => "qwer1234"
      index => "info-log-%{+YYYY.MM.dd}"
    }
  }

  if [type] == "operation" {
    elasticsearch {
      hosts => "elasticsearch:9200"
      user => "elastic"
      password => "qwer1234"
      index => "operation-log-%{+YYYY.MM.dd}"
    }
  }

  if [type] == "security" {
    elasticsearch {
      hosts => "elasticsearch:9200"
      user => "elastic"
      password => "qwer1234"
      index => "security-log-%{+YYYY.MM.dd}"
    }
  }
} 
EOF
# 留存一下简单配置
# input {
#   tcp {
#     mode => "server"
#     host => "0.0.0.0"
#     port => 4560
#     codec => json_lines
#   }
# }
# output {
#   elasticsearch {
#     hosts => "http://elasticsearch:9200"
#     user => "elastic"
#     password => "qwer1234"
#     index => "%{[spring.application.name]}-%{+YYYY.MM.dd}"
#   }
# }

# 写入logstash.yml
sudo tee /opt/comps/elk/logstash/config/logstash.yml <<-'EOF'
http.host: "0.0.0.0"
xpack.monitoring.elasticsearch.hosts: [ "http://elasticsearch:9200" ]
xpack.monitoring.elasticsearch.username: "elastic"
xpack.monitoring.elasticsearch.password: "qwer1234"
EOF

# 写入filebeat.yml
sudo tee /opt/comps/elk/filebeat/config/filebeat.yml <<-'EOF'
# 定义应用的input类型、以及存放的具体路径
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /opt/filebeat/log/logapp/*.log #日志输出地址
  tags: ["zhangsan-log"]
#============================= Filebeat modules ===============================
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: true
# ============================== logstash =====================================  
output.logstash:
  hosts: ["logstash:5044"]
  enabled: true
EOF


docker network create zhangsan

docker-compose -f elk.yml up -d

echo "下面使用 非交互模式设置es的 多个用户密码,并重启 "
echo "多次实践下，下面两条命令，你需要等待es ！！！！完全！！！ 启动之后，手动执行"
echo "======================================================================="
echo 'docker exec elasticsearch /bin/bash -c  "/usr/share/elasticsearch/bin/elasticsearch-setup-passwords interactive << EOF
y
qwer1234
qwer1234
qwer1234
qwer1234
qwer1234
qwer1234
qwer1234
qwer1234
qwer1234
qwer1234
qwer1234
qwer1234
EOF
"'
echo "========================================================================"

echo "docker-compose -f elk.yml restart"

echo "========================================================================"

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182

# elk.yml

version: '3'

services:
  elasticsearch:
    image: elasticsearch:7.17.6
    container_name: elasticsearch
    restart: always
    privileged: true
    ports:
      - "9200:9200"
      - "9300:9300"
    environment:
      # 设置集群名称
      cluster.name: elasticsearch
      # 以单一节点模式启动
      discovery.type: single-node
      ES_JAVA_OPTS: "-Xms128m -Xmx256m"
      # es的密码
      ELASTIC_PASSWORD: qwer1234
      # 开启ES密码验证访问
      xpack.security.enabled: true
    volumes:
      - /etc/localtime:/etc/localtime
      - /opt/comps/elk/elasticsearch/plugins:/usr/share/elasticsearch/plugins
      - /opt/comps/elk/elasticsearch/data:/usr/share/elasticsearch/data
      - /opt/comps/elk/elasticsearch/logs:/usr/share/elasticsearch/logs
      - /opt/comps/elk/elasticsearch/config/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
    networks:
      - zhangsan

  kibana:
    image: kibana:7.17.6
    container_name: kibana
    restart: always
    privileged: true
    ports:
      - "5601:5601"
    depends_on:
      # kibana在elasticsearch启动之后再启动
      - elasticsearch
    environment:
      #设置系统语言文中文
      I18N_LOCALE: zh-CN
      # 这里不能使用elastic用户名
      ELASTICSEARCH_USERNAME: kibana_system
      ELASTICSEARCH_PASSWORD: qwer1234
      # 你访问kibana的地址，也就是你浏览器上敲的那个
      SERVER_PUBLICBASEURL: http://43.137.2.182:5601
    volumes:
      - /etc/localtime:/etc/localtime
      - /opt/comps/elk/kibana/config/kibana.yml:/usr/share/kibana/config/kibana.yml
    networks:
      - zhangsan

  logstash:
    image: logstash:7.17.6
    container_name: logstash
    restart: always
    privileged: true
    ports:
      - "4560:4560"
      - "4570:4570"
      - "4580:4580"
      - "5044:5044"
    volumes:
      - /etc/localtime:/etc/localtime
      - /opt/comps/elk/logstash/pipeline/logstash.conf:/usr/share/logstash/pipeline/logstash.conf
      - /opt/comps/elk/logstash/config/logstash.yml:/usr/share/logstash/config/logstash.yml
    depends_on:
      - elasticsearch
    networks:
      - zhangsan

  filebeat:
    container_name: filebeat
    restart: always
    privileged: true
    image: elastic/filebeat:7.17.6
    user: "root"
    depends_on:
      - elasticsearch
      - logstash
      - kibana
    volumes:
      - /etc/localtime:/etc/localtime
      - /opt/comps/elk/filebeat/config/filebeat.yml:/usr/share/filebeat/filebeat.yml
      - /opt/comps/elk/filebeat/logs:/var/log/logapp
    networks:
      - zhangsan

networks:
  zhangsan:
    # 声明external=true 启动时会查找指定的网络，没找到会报错，为false时会默认创建项目名_default网络
    external: true

启动命令：sh elk.sh

# 常用命令补充

-f 指定 yml 的文件，也就是说你的文件不必叫 docker-compose.yml, 例如： docker-compose -f /opt/qqqqq/elk/elk.yml restart

docker-compose up: 构建并启动容器

docker-compose down: 停止并删除容器

docker-compose build: 仅构建容器，不启动它们

docker-compose restart: 重启容器

docker-compose logs: 查看容器日志

docker-compose ps: 列出所有正在运行的容器

docker-compose stop: 停止容器运行

docker-compose start: 启动容器运行

docker-compose exec: 进入正在运行的容器，并执行命令

docker-compose pull: 更新镜像，并重新创建容器

编辑

#随笔

上次更新: 2023/05/30, 06:56:38

← docker-compose常用语法 Swarm中常用概念→