Docker容器搭建ELK日志分析系统
资源列表
操作系统
配置
主机名
IP
所需软件
CentOS 7.9
2C4G
elk
192.168.93.165
Docker 26.1.2
基础环境
# Lab baseline. The host firewall and SELinux enforcement are switched off so
# the ports the containers publish later on this page (9200, 9300, 5601) are
# reachable without per-port rules. Nothing on this page adds authentication
# or TLS to Elasticsearch or Kibana 5.5, so once these two are off every
# service is reachable by any host that can route to 192.168.93.165 —
# this layout only fits an isolated lab network.
systemctl stop firewalld
systemctl disable firewalld
# Permissive mode for the running system ...
setenforce 0
# ... and disabled on the next boot (the config edit alone does nothing until reboot).
sed -i "s/^SELINUX=.*/SELINUX=disabled/g" /etc/selinux/config
hostnamectl set-hostname elk
一、创建容器网络
[ root@elk ~]
44c014de1c02291f28ebcdc734e4bfb820e2a1e2aa61b2758517af60661ee4d7
[ root@elk ~]
44c014de1c02 elk bridge local
二、创建容器挂载目录
[ root@elk ~]
三、构建systemctl镜像
[ root@elk ~]
[ root@elk ~]
[ root@elk systemctl]
# Base image that runs systemd as PID 1 in CentOS 7 so the ELK services built
# on top of it can be managed with systemctl. The RUN prunes the unit
# wants/ directories down to what a container can run (only
# systemd-tmpfiles-setup is kept from sysinit.target).
FROM centos:7
# systemd reads this variable for container detection and skips hardware units.
ENV container docker
RUN ( cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ $i == \
systemd-tmpfiles-setup.service ] || rm -f $i ; done ) ; \
rm -f /lib/systemd/system/multi-user.target.wants/*; \
rm -f /etc/systemd/system/*.wants/*; \
rm -f /lib/systemd/system/local-fs.target.wants/*; \
rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
rm -f /lib/systemd/system/basic.target.wants/*; \
rm -f /lib/systemd/system/anaconda.target.wants/*;
# systemd needs a cgroup hierarchy; the host's is expected to be mounted here
# at run time. The `docker run` flags are not shown on this page — if they
# include `--privileged`, the container receives every capability and host
# device, which removes most of the isolation between the ELK containers
# and the host; confirm what is actually used.
# NOTE(review): no CMD is visible in this copy; a systemd image normally ends
# with an init CMD — confirm against the full file.
VOLUME [ "/sys/fs/cgroup" ]
[ root@elk systemctl]
三、构建Elasticsearch镜像
3.1、构建Elasticsearch
[ root@elk ~]
[ root@elk ~]
[ root@elk elk]
[ root@elk elk]
[ root@elk elasticsearch]
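FROM systemctl:elk
# Supply chain: both RPMs come from the local build context; check their
# publisher signatures (rpm -K) before building rather than trusting the file.
COPY jdk-8u202-linux-x64.rpm /root
RUN rpm -ivh /root/jdk-8u202-linux-x64.rpm
# Java environment. The original appended `export JAVA_HOME=...`,
# `CLASSPATH=$JAVA_HOME/...` and `PATH=$JAVA_HOME/bin:$PATH` to /etc/profile
# from double-quoted echo commands: the build shell expanded $JAVA_HOME while
# it was still unset, so CLASSPATH and PATH were written with empty prefixes,
# and a separate `RUN source /etc/profile` only affected that one RUN shell.
# ENV puts the values in the image for every later RUN and for the container's
# processes. Whether systemd-managed units see them depends on the unit's own
# environment handling — confirm, or set JAVA_HOME in
# /etc/sysconfig/elasticsearch if the service does not find it.
ENV JAVA_HOME=/usr/java/jdk1.8.0_202-amd64
ENV CLASSPATH=${JAVA_HOME}/lib/tools.jar:${JAVA_HOME}/lib/dt.jar
ENV PATH=${JAVA_HOME}/bin:${PATH}
COPY elasticsearch-5.5.0.rpm /root
RUN rpm -ivh /root/elasticsearch-5.5.0.rpm
# Node configuration written in the next step of the page.
COPY elasticsearch.yml /etc/elasticsearch/
# Data directory must belong to the service account the RPM created.
# NOTE(review): the page's copy of this line ended with a dangling `&&`;
# whatever followed was lost in extraction and is not reconstructed here.
RUN mkdir -p /data/elk_data && chown -R elasticsearch:elasticsearch /data/elk_data/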
[ root@elk elasticsearch]
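# Elasticsearch 5.5 node settings for the single-node lab cluster.
cluster.name: es
node.name: ES1
# The Dockerfile creates and chowns this path; it is presumably backed by a
# host mount at run time (the docker run flags are not shown on this page).
path.data: /data/elk_data
path.logs: /var/log/elasticsearch/
bootstrap.memory_lock: false
# Binds the HTTP (9200) and transport (9300) listeners on every interface.
# ES 5.5 without X-Pack has no authentication or TLS, so anything that can
# reach the published port has full read/write/admin access to the indices.
# Limit exposure at the docker -p binding or host firewall when this is not an
# isolated lab.
network.host: 0.0.0.0
http.port: 9200
discovery.zen.ping.unicast.hosts: [ "ES1" ]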
3.2、构建镜像
[ root@elk elasticsearch]
Dockerfile elasticsearch.yml
elasticsearch-5.5.0.rpm jdk-8u202-linux-x64.rpm
[ root@elk elasticsearch]
3.3、启动容器
[ root@elk elasticsearch]
3.4、进入容器
[ root@elk elasticsearch]
[ root@41f5c697c0c3 ~]
[ root@41f5c697c0c3 /]
[ root@41f5c697c0c3 /]
[ root@41f5c697c0c3 /]
[ root@41f5c697c0c3 ~]
tcp6 0 0 :::9200 :::* LISTEN 168/java
[ root@41f5c697c0c3 ~]
tcp6 0 0 :::9300
3.5、查看节点信息
[ root@elk ~]
{
"name" : "ES1" ,
"cluster_name" : "es" ,
"cluster_uuid" : "qtJ4glpZQSuJFqU7zSOR1w" ,
"version" : {
"number" : "5.5.0" ,
"build_hash" : "260387d" ,
"build_date" : "2017-06-30T23:16:05.735Z" ,
"build_snapshot" : false,
"lucene_version" : "6.6.0"
} ,
"tagline" : "You Know, for Search"
}
[ root@elk ~]
{
"cluster_name" : "es" ,
"status" : "green" ,
"timed_out" : false,
"number_of_nodes" : 1 ,
"number_of_data_nodes" : 1 ,
"active_primary_shards" : 0 ,
"active_shards" : 0 ,
"relocating_shards" : 0 ,
"initializing_shards" : 0 ,
"unassigned_shards" : 0 ,
"delayed_unassigned_shards" : 0 ,
"number_of_pending_tasks" : 0 ,
"number_of_in_flight_fetch" : 0 ,
"task_max_waiting_in_queue_millis" : 0 ,
"active_shards_percent_as_number" : 100.0
}
四、构建Logstash镜像
收集日志、处理日志、输出日志(把处理好的日志输出给Elasticsearch)
4.1、构建Logstash镜像
[ root@elk ~]
[ root@elk elk]
[ root@elk elk]
[ root@elk logstash]
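FROM systemctl:elk
# Supply chain: both RPMs come from the local build context; check their
# publisher signatures (rpm -K) before building rather than trusting the file.
COPY jdk-8u202-linux-x64.rpm /root
RUN rpm -ivh /root/jdk-8u202-linux-x64.rpm
# Java environment. The original appended the exports to /etc/profile from
# double-quoted echo commands chained after the rpm install: $JAVA_HOME was
# expanded by the build shell while still unset, so CLASSPATH and PATH were
# written with empty prefixes, and the trailing `source /etc/profile` only
# affected that one RUN shell. ENV sets the values in the image for every later
# RUN and for the container's processes; whether systemd-managed units inherit
# them depends on the unit's environment handling — confirm.
ENV JAVA_HOME=/usr/java/jdk1.8.0_202-amd64
ENV CLASSPATH=${JAVA_HOME}/lib/tools.jar:${JAVA_HOME}/lib/dt.jar
ENV PATH=${JAVA_HOME}/bin:${PATH}
COPY logstash-5.5.1.rpm /root/
# Symlink so `logstash` resolves on PATH when run interactively inside the container.
RUN rpm -ivh /root/logstash-5.5.1.rpm && ln -s /usr/share/logstash/bin/logstash /usr/local/bin/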
4.2、构建镜像
[ root@elk logstash]
Dockerfile jdk-8u202-linux-x64.rpm logstash-5.5.1.rpm
[ root@elk logstash]
4.3、启动容器
[ root@elk logstash]
[ root@ec3e7bdf85c2 ~]
[ root@ec3e7bdf85c2 ~]
4.4、进入容器收集日志
4.4.1、安装Apache
[root@elk ~]# yum -y install httpd
[root@elk ~]# systemctl start httpd && systemctl enable httpd
# 多访问几次,让httpd访问日志有内容
[root@elk ~]# curl 127.0.0.1
[root@elk ~]# curl 127.0.0.1
[root@elk ~]# curl 127.0.0.1
[root@elk ~]# curl 127.0.0.1
# 查看日志内容
[root@elk ~]# cat /var/log/httpd/access_log
127.0.0.1 - - [04/Jun/2024:05:17:37 -0400] "GET / HTTP/1.1" 403 4897 "-" "curl/7.29.0"
127.0.0.1 - - [04/Jun/2024:05:17:37 -0400] "GET / HTTP/1.1" 403 4897 "-" "curl/7.29.0"
127.0.0.1 - - [04/Jun/2024:05:17:37 -0400] "GET / HTTP/1.1" 403 4897 "-" "curl/7.29.0"
127.0.0.1 - - [04/Jun/2024:05:17:38 -0400] "GET / HTTP/1.1" 403 4897 "-" "curl/7.29.0"
127.0.0.1 - - [04/Jun/2024:05:17:38 -0400] "GET / HTTP/1.1" 403 4897 "-" "curl/7.29.0"
127.0.0.1 - - [04/Jun/2024:05:17:38 -0400] "GET / HTTP/1.1" 403 4897 "-" "curl/7.29.0"
127.0.0.1 - - [04/Jun/2024:05:17:39 -0400] "GET / HTTP/1.1" 403 4897 "-" "curl/7.29.0"
4.4.2、收集Apache日志
[ root@elk logstash]
[ root@ec3e7bdf85c2 /]
[ root@ec3e7bdf85c2 conf.d]
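# Logstash 5.5 pipeline: tail the Apache access and error logs and index them
# into Elasticsearch, one daily index per log type.
# The log paths are the host's httpd files, so the container needs them
# mounted in (the docker run flags are not shown on this page).
input {
  file {
    path => "/var/log/httpd/access_log"
    type => "access"
    # Read the existing file from the top on first start; afterwards the
    # sincedb offset decides where reading resumes.
    start_position => "beginning"
  }
  file {
    path => "/var/log/httpd/error_log"
    type => "error"
    start_position => "beginning"
  }
}
output {
  # Routed on the `type` set by each input. Plain HTTP with no credentials:
  # ES 5.5 without X-Pack accepts this unauthenticated, which is why the
  # cluster must not be reachable beyond the lab network.
  if [type] == "access" {
    elasticsearch {
      hosts => [ "192.168.93.165:9200" ]
      index => "apache_access-%{+YYYY.MM.dd}"
    }
  }
  if [type] == "error" {
    elasticsearch {
      hosts => [ "192.168.93.165:9200" ]
      index => "apache_error-%{+YYYY.MM.dd}"
    }
  }
}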
[ root@ec3e7bdf85c2 ~]
[ root@elk ~]
health status index uuid pri rep docs.count docs.deleted store.size pri.store.size
yellow open apache_error-2024.06.04 aMWtWv-OStmiKOvnUz2btQ 5 1 12 0 45.3kb 45.3kb
yellow open apache_access-2024.06.04 9UaofAv1T5GPWyANz5D55w 5 1 7 0 28kb 28kb
五、构建Kibana镜像
5.1、构建Kibana镜像
[ root@elk ~]
[ root@elk elk]
[ root@elk elk]
[ root@elk kibana]
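FROM systemctl:elk
# Supply chain: both RPMs come from the local build context; check their
# publisher signatures (rpm -K) before building rather than trusting the file.
COPY jdk-8u202-linux-x64.rpm /root
RUN rpm -ivh /root/jdk-8u202-linux-x64.rpm
# Java environment. The original appended the exports to /etc/profile from
# double-quoted echo commands: $JAVA_HOME was expanded by the build shell
# while still unset, so CLASSPATH and PATH were written with empty prefixes,
# and a separate `RUN source /etc/profile` only affected that one RUN shell.
# ENV sets the values in the image for every later RUN and for the container's
# processes. Kibana itself runs on its bundled Node (the listener on 5601 is
# owned by `node`), so the JDK is kept only for parity with the other images
# and may not be needed here — confirm before relying on it.
ENV JAVA_HOME=/usr/java/jdk1.8.0_202-amd64
ENV CLASSPATH=${JAVA_HOME}/lib/tools.jar:${JAVA_HOME}/lib/dt.jar
ENV PATH=${JAVA_HOME}/bin:${PATH}
COPY kibana-5.5.1-x86_64.rpm /root
RUN rpm -ivh /root/kibana-5.5.1-x86_64.rpm
COPY kibana.yml /etc/kibana/
# EXPOSE is documentation only; the port is actually published by the -p flag
# of the docker run command (not shown on this page).
EXPOSE 5601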
[ root@elk kibana]
# Kibana 5.5 settings.
server.port: 5601
# Listens on every interface. Kibana 5.5 without X-Pack has no login, so
# anyone who can reach the published 5601 port gets the full UI and, through
# it, read access to the Elasticsearch data — restrict the port binding or
# network reach when this is not an isolated lab.
server.host: "0.0.0.0"
# Elasticsearch is addressed by the host's IP over plain HTTP, not by a
# container name on the `elk` bridge network created earlier.
elasticsearch.url: "http://192.168.93.165:9200"
kibana.index: ".kibana"
5.2、构建镜像
[ root@elk kibana]
Dockerfile jdk-8u202-linux-x64.rpm kibana-5.5.1-x86_64.rpm kibana.yml
[ root@elk kibana]
5.3、启动容器
[ root@elk kibana]
5.4、进入容器
[ root@elk kibana]
[ root@2db31a060306 /]
[ root@2db31a060306 /]
[ root@2db31a060306 /]
tcp 0 0 0.0.0.0:5601 0.0.0.0:* LISTEN 54/node
5.5、验证Kibana
通过浏览器访问http://192.168.93.165:5601,第一次登录需要添加一个Elasticsearch索引,添加前面两个Apache的