Note on ports:

If a port was not published when the container was started, nginx on the host can proxy to it.
cat > Dockerfile <<EOF
FROM centos:7
RUN yum clean all
RUN yum repolist
RUN yum -y install vim iproute net-tools psmisc openssh-server initscripts openssh-clients wget java-1.8.0-openjdk git
RUN sshd-keygen
# lab only: accept any host key, which leaves ssh clients in the image open to MITM
RUN sed -ri '/StrictHostKeyChecking/cStrictHostKeyChecking no' /etc/ssh/ssh_config
# lab only: a fixed root password ends up in an image layer (readable with docker history)
RUN echo "123456" | passwd --stdin root
ENV EnvironmentFile=/etc/sysconfig/sshd
EXPOSE 22 9100 9200 9300 9600 6379 27017 1-10000
CMD ["/usr/sbin/sshd", "-D"]
EOF

———————————————-

docker build -t myos:elk .

———————————————-

docker network create --subnet=192.168.4.0/24 -o com.docker.network.bridge.name=elk elk

———————————————-

docker run -d --ip 192.168.4.51 --network elk --name elk51 -h elk51 --privileged myos:elk init
docker run -d --ip 192.168.4.52 --network elk --name elk52 -h elk52 --privileged myos:elk init
docker run -d --ip 192.168.4.53 --network elk --name elk53 -h elk53 -p 9100:9100 -p 9200:9200 -p 5601:5601 --privileged myos:elk init
--privileged and init as PID 1 are there so systemd units work inside the containers. -p 9100/9200/5601 without a host address publishes head, Elasticsearch and Kibana on every interface of the host; the 6.x packages installed below run without authentication, so on anything but a lab box bind them to 127.0.0.1 (-p 127.0.0.1:9200:9200) or a trusted interface.
———————————————-
ssh-keygen -N "" -t rsa -b 2048 -f "/root/.ssh/id_rsa"

———————————————-
ansible elk -m authorized_key -a "user=root exclusive=true manage_dir=true key='$(< /root/.ssh/id_rsa.pub)'" -k
elk is an inventory group holding elk51-53; -k prompts for the root password set in the Dockerfile, and exclusive=true replaces whatever authorized_keys held before.
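A quick audit of the lab image and run lines, added here as an example and not part of the original notes: it flags the settings that are acceptable in a disposable lab (fixed root password, disabled host-key checking, --privileged, ports published on 0.0.0.0) so they are not carried into anything longer-lived. The function names, the finding texts and the two sample inputs (the page's own Dockerfile and the elk53 run line, embedded as constructed input) are this example's assumptions.

```shell
#!/bin/sh
# Added example, not part of the original lab notes: a small audit for the
# Dockerfile and "docker run" lines used above. Function names, finding
# texts and the sample inputs are this example's own assumptions.

# Constructed sample: the lab Dockerfile from this page, reduced to the
# lines that matter for the audit.
SAMPLE_DOCKERFILE=$(cat <<'EOF'
FROM centos:7
RUN yum -y install openssh-server openssh-clients
RUN sshd-keygen
RUN sed -ri '/StrictHostKeyChecking/cStrictHostKeyChecking no' /etc/ssh/ssh_config
RUN echo "123456" | passwd --stdin root
EXPOSE 22 9100 9200 9300 9600 6379 27017 1-10000
CMD ["/usr/sbin/sshd", "-D"]
EOF
)

# Constructed sample: the elk53 run line from this page.
SAMPLE_RUN='docker run -d --ip 192.168.4.53 --network elk --name elk53 -h elk53 -p 9100:9100 -p 9200:9200 -p 5601:5601 --privileged myos:elk init'

audit_dockerfile() {
  # Reads a Dockerfile on stdin and prints one finding per line.
  awk '
    /^FROM[ \t]+centos:7/ {
      print "FROM: centos:7 reached end-of-life on 2024-06-30; the image gets no security updates" }
    /echo/ && /passwd[ \t]+--stdin[ \t]+root/ {
      print "RUN: root password is fixed in an image layer (visible with docker history); prefer an authorized_keys file" }
    /StrictHostKeyChecking[ \t]+no/ {
      print "RUN: host-key checking disabled; ssh clients in the image accept any server key" }
    /^EXPOSE/ && /[0-9]+-[0-9]+/ {
      print "EXPOSE: a port range is declared; list the ports the services really use" }
  '
}

audit_run_line() {
  # $1: one "docker run ..." command line; prints one finding per line.
  case "$1" in
    *--privileged*)
      echo "run: --privileged gives the container every capability and all host devices; add only the capabilities systemd needs" ;;
  esac
  # "-p HOSTPORT:CONTAINERPORT" with no host address binds 0.0.0.0 on the host
  printf '%s\n' "$1" | tr ' ' '\n' | awk '
    prev == "-p" && $0 ~ /^[0-9]+:[0-9]+$/ {
      print "run: -p " $0 " is published on every host interface; bind it, e.g. -p 127.0.0.1:" $0 }
    { prev = $0 }
  '
}

# Run the audit over both samples.
printf '%s\n' "$SAMPLE_DOCKERFILE" | audit_dockerfile
audit_run_line "$SAMPLE_RUN"
```

The fixed password is recoverable from the built image with `docker history myos:elk`, which prints the RUN line. For a lab that has to outlive a demo, bake an authorized_keys file into the image instead of the passwd line, and publish only the ports that are really consumed from outside, bound to 127.0.0.1 or a trusted interface.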
———————————————-

Elasticsearch

yum -y install java-1.8.0-openjdk
——————————————————————————-
rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
——————————————————————————-
cat >/etc/yum.repos.d/elastic.repo <<EOF
[elastic-6.x]
name=Elastic repository for 6.x packages
baseurl=https://artifacts.elastic.co/packages/6.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOF
——————————————————————————-
yum -y install elasticsearch
——————————————————————————-
vim /etc/elasticsearch/elasticsearch.yml
cluster.name: elk-cluster    # cluster name; nodes find each other by it
node.name: node-51           # this node's name
network.host: 192.168.4.51
http.port: 9200
discovery.zen.ping.unicast.hosts: ["192.168.4.51", "192.168.4.52", "192.168.4.53"]   # every node; use an odd count so a majority can elect a master and split-brain is avoided (3 nodes give a quorum of 2)
discovery.zen.minimum_master_nodes: 2   # masters that must be visible before an election, floor(3/2)+1; a lower value lets a partitioned cluster elect two masters and lose data
node.name and network.host are the values to change when copying this file to the other nodes.
The instructor's habit is to restart and then read the log (/var/log/elasticsearch/elk-cluster.log for the RPM install): it shows the nodes discovering each other over 9300.

——————————————————————————-

Installing the ES head plugin

wget https://npm.taobao.org/mirrors/node/latest-v4.x/node-v4.4.7-linux-x64.tar.gz
tar -zxvf node-v4.4.7-linux-x64.tar.gz
mv node-v4.4.7-linux-x64 /usr/local/node-v4.4   # the profile below expects it at this path
# vi /etc/profile
NODE_HOME=/usr/local/node-v4.4
PATH=$NODE_HOME/bin:$PATH
export NODE_HOME PATH
source /etc/profile

git clone https://github.com/mobz/elasticsearch-head.git   # GitHub no longer serves the unauthenticated git:// protocol
cd elasticsearch-head
By default the dev server listens on 9100 on localhost only; change the file below to open it.

vim Gruntfile.js

server: {
    options: {
        port: 9100,
        base: '.',
        keepalive: true,
        hostname: '*'    // listen on all interfaces; the head UI has no login and offers index deletion, so keep 9100 inside the lab network
    }
}

npm install
npm run start
From ES 5.x on this needs cross-origin permission: the head page served on 9100 calls the ES REST API on 9200 directly from the browser, so without it the 9100 page loads but its requests to 9200 fail.
vim /etc/elasticsearch/elasticsearch.yml   add the two lines below to allow cross-origin requests
http.cors.enabled: true
http.cors.allow-origin: "*"
Then restart the elasticsearch service.
http://elk:9100
Where it shows "not connected", replace the address with the one below, press Enter, and it connects after a moment:
http://47.244.174.241:9200/
Caveat: allow-origin "*" on a 9200 that is reachable from the internet lets any web page an administrator happens to open send requests to the API, which in these 6.x packages has no authentication. Restrict allow-origin to the origin of the head page, e.g. "http://elk:9100", and keep 9200 off the public address.
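Rendering and checking the per-node file, added here as an example (not code from the notes) for the Elasticsearch configuration section and the CORS lines above: it generates elasticsearch.yml for each node from the lab's node list (192.168.4.51-53, as on the page), computes minimum_master_nodes as the majority, and refuses a file with the `discover.` typo, a sub-quorum value, or `http.cors.allow-origin: "*"` on a non-loopback address. Function names and messages are the example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original notes: render the per-node
# elasticsearch.yml for this lab's three nodes and check a config before it
# is copied around. The node list is the page's; function names and check
# messages are this example's own assumptions.

ES_NODES="192.168.4.51 192.168.4.52 192.168.4.53"   # master-eligible nodes

es_node_count() {
  set -- $ES_NODES
  echo $#
}

es_quorum() {
  # minimum_master_nodes for $1 master-eligible nodes: floor(N/2)+1, the
  # majority that stops two halves of a partitioned cluster from each
  # electing a master (split-brain)
  echo $(( $1 / 2 + 1 ))
}

es_unicast_hosts() {
  # "a b c" -> ["a", "b", "c"]
  printf '%s\n' $ES_NODES | awk '
    BEGIN { printf "[" }
    { printf "%s\"%s\"", (NR > 1 ? ", " : ""), $0 }
    END { print "]" }'
}

gen_es_yml() {
  # $1 = this node's network.host, $2 = its node.name; prints elasticsearch.yml
  cat <<EOF
cluster.name: elk-cluster
node.name: $2
network.host: $1
http.port: 9200
discovery.zen.ping.unicast.hosts: $(es_unicast_hosts)
discovery.zen.minimum_master_nodes: $(es_quorum "$(es_node_count)")
EOF
}

check_es_yml() {
  # Reads an elasticsearch.yml on stdin, prints problems, exits 1 if any.
  awk -v quorum="$(es_quorum "$(es_node_count)")" '
    /^discover\.zen/ {
      print "typo: key starts with discover., must be discovery. (ES 6 refuses to start on an unknown setting)"; bad = 1 }
    /^discovery\.zen\.ping\.unicast\.host:/ {
      print "typo: unicast.host, must be unicast.hosts"; bad = 1 }
    /^discovery\.zen\.minimum_master_nodes:/ {
      seen = 1
      if ($2 + 0 < quorum) { print "split-brain risk: minimum_master_nodes " $2 " is below the quorum of " quorum; bad = 1 } }
    /^http\.cors\.allow-origin:/ && /\*/ { cors = 1 }
    /^network\.host:/ && $2 != "127.0.0.1" && $2 != "localhost" { public = 1 }
    END {
      if (!seen) { print "missing: discovery.zen.minimum_master_nodes"; bad = 1 }
      if (cors && public) {
        print "CORS allow-origin * on a non-loopback network.host: any web page an admin opens can script the unauthenticated 9200 API"; bad = 1 }
      exit bad
    }'
}

# Render node-51's file and check it.
gen_es_yml 192.168.4.51 node-51
gen_es_yml 192.168.4.51 node-51 | check_es_yml && echo "node-51 config OK"
```

On each node run `gen_es_yml <its address> <its name> > /etc/elasticsearch/elasticsearch.yml`; check_es_yml exits non-zero on any finding, so it can gate the copy step in a playbook.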
——————————————————————————

Kibana

Port 5601 was already published for elk53 above, so install Kibana on that container.

yum -y install kibana

vim /etc/kibana/kibana.yml
server.port: 5601
# With server.port: 80 Kibana appears to start but ss shows no listener: the service runs as the unprivileged kibana user, which cannot bind ports below 1024. Keep 5601 and put nginx in front if 80 is wanted.
server.host: "0.0.0.0"
# address to listen on; 0.0.0.0 means every interface, and this Kibana has no login, so do not expose it beyond the lab network
elasticsearch.hosts: ["http://192.168.4.53:9200"]
# which node to query; any node of the cluster will do (Kibana before 6.6 calls this setting elasticsearch.url)
kibana.index: ".kibana"
# the index Kibana creates for its own saved objects
kibana.defaultAppId: "discover"
# page opened by default: Discover
elasticsearch.pingTimeout: 1500
# ping timeout, ms
elasticsearch.requestTimeout: 30000
# request timeout, ms
elasticsearch.startupTimeout: 5000
# startup timeout, ms

Logstash

docker run -d --ip 192.168.4.54 --network elk --name elk54 -h elk54 --privileged myos:elk init

Set up the yum repo from the Elasticsearch section above, then:

yum -y install logstash

# pipeline file, saved under /etc/logstash/conf.d/ (the RPM default pipeline directory)
input {
  stdin { codec => "json" }
  beats {
    port => 5044               # Filebeat ships here; no TLS is configured, so keep it on the lab network
  }
  file {
    path           => [ "/tmp/a.log", "/var/tmp/b.log" ]
    sincedb_path   => "/dev/null"   # forget read positions: every restart re-reads the files from the top
    start_position => "beginning"
    type           => "testlog"
  }
  tcp {
    host => "0.0.0.0"          # anyone who can reach 8888 can inject events
    port => "8888"
    type => "tcplog"
  }
  udp {
    host => "0.0.0.0"
    port => "9999"
    type => "udplog"
  }
  syslog {
    port => "514"              # below 1024: the logstash service user cannot bind it; use e.g. 5514, or grant cap_net_bind_service
    type => "syslog"
  }
}

filter {
  if [type] == "apachelog" {
    grok {
      match => ["message", "%{COMBINEDAPACHELOG}"]
    }
  }
}

output {
  stdout { codec => "rubydebug" }
  if [type] == "apachelog" {
    elasticsearch {
      hosts => ["192.168.4.51:9200", "192.168.4.52:9200"]
      index => "filelog"
      flush_size      => 2000   # deprecated in the 6.x elasticsearch output; batching is set by pipeline.batch.size in logstash.yml
      idle_flush_time => 10     # deprecated likewise
    }
  }
}
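Added example, not part of the page's pipeline: an awk parser for the Apache combined format that names its fields as grok's %{COMBINEDAPACHELOG} does (clientip, verb, request, response, bytes, ...), so the result of the filter stage can be checked on sample lines without running Logstash, plus a small detection pass over the parsed records. The log lines are constructed for the example; the function names and the threshold are assumptions.

```shell
#!/bin/sh
# Added example (not from the page): parse Apache combined-format lines into
# the field names grok's %{COMBINEDAPACHELOG} produces, then count clients
# with many non-2xx/3xx responses. Sample lines are constructed; function
# names and the threshold are this example's assumptions.

# Constructed sample access_log (RFC 5737 addresses).
SAMPLE_ACCESS_LOG=$(cat <<'EOF'
203.0.113.7 - - [10/Oct/2023:13:55:36 +0800] "GET /index.php?id=1 HTTP/1.1" 200 2326 "http://example.com/start" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:13:55:40 +0800] "GET /wp-login.php HTTP/1.1" 404 209 "-" "curl/7.64.1"
198.51.100.4 - - [10/Oct/2023:13:55:41 +0800] "GET /.env HTTP/1.1" 404 209 "-" "curl/7.64.1"
198.51.100.4 - - [10/Oct/2023:13:55:42 +0800] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "curl/7.64.1"
203.0.113.7 - - [10/Oct/2023:13:56:01 +0800] "POST /login HTTP/1.1" 302 0 "http://example.com/" "Mozilla/5.0"
EOF
)

apache_parse() {
  # stdin: combined-format lines; stdout: one "field=value" line per field
  # with a blank line between records. Quoted fields are split on the double
  # quote, so an escaped quote inside a User-Agent is not handled.
  awk '
  {
    split($0, q, "\"")      # q[1]=host/ident/auth/time  q[2]=request  q[3]=status/bytes  q[4]=referrer  q[6]=agent
    split(q[1], a, " ")
    ts = a[4] " " a[5]
    sub(/^\[/, "", ts); sub(/\]$/, "", ts)   # strip the surrounding [ ]
    split(q[2], r, " ")
    sub(/^HTTP\//, "", r[3])
    split(q[3], s, " ")
    print "clientip=" a[1]
    print "ident=" a[2]
    print "auth=" a[3]
    print "timestamp=" ts
    print "verb=" r[1]
    print "request=" r[2]
    print "httpversion=" r[3]
    print "response=" s[1]
    print "bytes=" s[2]
    print "referrer=" q[4]
    print "agent=" q[6]
    print ""
  }'
}

apache_field() {
  # $1 = one log line, $2 = field name; prints that field's value
  printf '%s\n' "$1" | apache_parse | awk -F= -v k="$2" '$1 == k { sub(/^[^=]*=/, ""); print }'
}

apache_scan_clients() {
  # stdin: combined-format lines; $1 = threshold. Prints "clientip count"
  # for every client with at least $1 responses outside 2xx/3xx.
  apache_parse | awk -v min="$1" '
    /^clientip=/ { ip = substr($0, 10) }
    /^response=/ { code = substr($0, 10); if (code !~ /^[23]/) bad[ip]++ }
    END { for (ip in bad) if (bad[ip] >= min) print ip, bad[ip] }'
}

# Show what the filter stage would yield for the first line, then scan.
printf '%s\n' "$SAMPLE_ACCESS_LOG" | head -n 1 | apache_parse
printf '%s\n' "$SAMPLE_ACCESS_LOG" | apache_scan_clients 3
```

The same field names appear in the rubydebug output of the pipeline above, so a line that parses here but gets a _grokparsefailure tag in Logstash points at a log format that is not plain combined (an extra field, or a quote inside the agent string).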

 

——————————————————————————-

Installing Filebeat

Again use the yum repo configured above.
yum -y install filebeat
vim /etc/filebeat/filebeat.yml   the settings below are the ones to change
filebeat.inputs:
  - type: log
    paths:
      - /var/log/httpd/access_log
    fields:
      type: apachelog          # document_type was removed in Filebeat 6; this is what gives the Logstash filter its [type]
    fields_under_root: true
# Filebeat allows a single output: leave elasticsearch commented out and ship through Logstash
#output.elasticsearch:
#  hosts: ["localhost:9200"]
output.logstash:
  hosts: ["192.168.4.54:5044"]   # the Logstash container elk54 started above
systemctl restart filebeat
