ELK 是由三部分组成的一套日志分析系统,
Elasticsearch: 基于json分析搜索引擎,Elasticsearch是个开源分布式搜索引擎,它的特点有:分布式,零配置,自动发现,索引自动分片,
索引副本机制,restful风格接口,多数据源,自动搜索负载等。
Logstash:动态数据收集管道,Logstash是一个完全开源的工具,它可以对你的日志进行收集、分析,并将其存储供以后使用
Kibana:可视化视图,将elasticsearh所收集的data通过视图展现。kibana 是一个开源和免费的工具,它可以为 Logstash 和
ElasticSearch 提供的日志分析友好的 Web 界面,可以帮助您汇总、分析和搜索重要数据日志。
一、使用docker集成镜像
安装docker
elk集成镜像包 名字是 sebp/elk
1.安装 docke、启动
yum install docke
service docker start
2.下载 sebp/elk
docker pull sebp/elk
无法下载、报错 :
unauthorized: authentication required
这是国外网络的问题
解决1 用网易镜像
vim /etc/docker/daemon.json 这个json文件不存在的,不需要担心,直接编辑
把下面的贴进去,保存,重启即可
{
"registry-mirrors": [ "http://hub-mirror.c.163.com"]
}
# service docker restart
没效果,还是下不来
解决2 用阿里云镜像加速
注册一个阿里云账号,登陆
到这里复制自己的加速地址
然后
安装/升级你的Docker客户端
- 推荐安装
1.10.0以上版本的Docker客户端,参考文档 docker-ce
如何配置镜像加速器
-
针对Docker客户端版本大于1.10.0的用户
您可以通过修改daemon配置文件
/etc/docker/daemon.json来使用加速器:sudo mkdir -p /etc/docker sudo tee /etc/docker/daemon.json <<-‘EOF‘ { "registry-mirrors": ["https://34sii7qf.mirror.aliyuncs.com"] } EOF sudo systemctl daemon-reload sudo systemctl restart docker
下载:
# docker pull sebp/elk
……
617ab16bcfa1: Pull complete
Digest: sha256:b6b8dd20b1a9aaf47b11fe9c66395a462f5e65c50dcff725e9bf83576d4ed241
Status: Downloaded newer image for docker.io/sebp/elk:latest
查看镜像:
[[email protected] docker]# docker images
REPOSITORY TAG IMAGEID CREATED SIZE
docker.io/sebp/elk latest 4b52312ebe8d 12 days ago 1.15 GB
3.启动镜像
# docker run -p 5601:5601 -p 9200:9200 -p 5044:5044 -it --name elk sebp/elk
报错:
Couln‘t start Elasticsearch. Exiting.
Elasticsearch log follows below.
原因:
waiting for Elasticsearch to be up (xx/30) counter goes up to 30 and the container exits with Couln‘t start Elasticsearch. Exiting. and Elasticsearch‘s logs are dumped, then read the recommendations in the logs and consider that they must be applied.
In particular, in case (1) above, the message max virtual memory areas vm.max_map_count [65530] likely too low, increase to at least [262144]means that the host‘s limits on mmap counts must be set to at least 262144.
Docker至少得分配3GB的内存;
Elasticsearch至少需要单独2G的内存;
vm.max_map_count至少需要262144,修改vm.max_map_count 参数
解决:
# vi /etc/sysctl.conf
末尾添加一行
vm.max_map_count=262144
查看结果
# sysctl -p
vm.max_map_count = 262144
重新启动:
# docker run -p 5601:5601 -p 9200:9200 -p 5044:5044 -it --name elk sebp/elk
/usr/bin/docker-current: Error response from daemon: Conflict. The container name "/elk" is already in use by container ece053f704db663e03355a679e25ec732bd08668dae1a87a89567e0e7c950749. You have to remove (or rename) that container to be able to reuse that name..
See ‘/usr/bin/docker-current run --help‘.
[[email protected] ~]# docker run -p 5601:5601 -p 9200:9200 -p 5044:5044 -it --name elk123 sebp/elk
/usr/bin/docker-current: Error response from daemon: Conflict. The container name "/elk123" is already in use by container caf492e3acff7506c5e70b896bd82a33d757816ca3f55911a2aa9aef4cd74670. You have to remove (or rename) that container to be able to reuse that name..
See ‘/usr/bin/docker-current run --help‘.
[[email protected] ~]# docker run -p 5601:5601 -p 9200:9200 -p 5044:5044 -it --name elk1 sebp/elk
* Starting periodic command scheduler cron [ OK ]
* Starting Elasticsearch Server [ OK ]
waiting for Elasticsearch to be up (1/30)
waiting for Elasticsearch to be up (2/30)
waiting for Elasticsearch to be up (3/30)
waiting for Elasticsearch to be up (4/30)
waiting for Elasticsearch to be up (5/30)
waiting for Elasticsearch to be up (6/30)
waiting for Elasticsearch to be up (7/30)
waiting for Elasticsearch to be up (8/30)
waiting for Elasticsearch to be up (9/30)
waiting for Elasticsearch to be up (10/30)
Waiting for Elasticsearch cluster to respond (1/30)
logstash started.
* Starting Kibana5 [ OK ]
==> /var/log/elasticsearch/elasticsearch.log <==
[2018-04-03T06:58:14,192][INFO ][o.e.d.DiscoveryModule ] [JI2Uv6k] using discovery type [zen]
[2018-04-03T06:58:15,132][INFO ][o.e.n.Node ] initialized
[2018-04-03T06:58:15,132][INFO ][o.e.n.Node ] [JI2Uv6k] starting ...
[2018-04-03T06:58:15,358][INFO ][o.e.t.TransportService ] [JI2Uv6k] publish_address {172.17.0.2:9300}, bound_addresses {[::]:9300}
[2018-04-03T06:58:15,378][INFO ][o.e.b.BootstrapChecks ] [JI2Uv6k] bound or publishing to a non-loopback address, enforcing bootstrap checks
[2018-04-03T06:58:18,517][INFO ][o.e.c.s.MasterService ] [JI2Uv6k] zen-disco-elected-as-master ([0] nodes joined), reason: new_master {JI2Uv6k}{JI2Uv6kAQ1ymPZoVhL5AAg}{Rr9Wa_H-RKGaBC4IDpjAMA}{172.17.0.2}{172.17.0.2:9300}
[2018-04-03T06:58:18,529][INFO ][o.e.c.s.ClusterApplierService] [JI2Uv6k] new_master {JI2Uv6k}{JI2Uv6kAQ1ymPZoVhL5AAg}{Rr9Wa_H-RKGaBC4IDpjAMA}{172.17.0.2}{172.17.0.2:9300}, reason: apply cluster state (from master [master {JI2Uv6k}{JI2Uv6kAQ1ymPZoVhL5AAg}{Rr9Wa_H-RKGaBC4IDpjAMA}{172.17.0.2}{172.17.0.2:9300} committed version [1] source [zen-disco-elected-as-master ([0] nodes joined)]])
[2018-04-03T06:58:18,563][INFO ][o.e.h.n.Netty4HttpServerTransport] [JI2Uv6k] publish_address {172.17.0.2:9200}, bound_addresses {[::]:9200}
[2018-04-03T06:58:18,563][INFO ][o.e.n.Node ] [JI2Uv6k] started
[2018-04-03T06:58:18,577][INFO ][o.e.g.GatewayService ] [JI2Uv6k] recovered [0] indices into cluster_state
==> /var/log/logstash/logstash-plain.log <==
==> /var/log/kibana/kibana5.log <==
4.验证、测试
打开浏览器,输入:http://<your-host>:5601,看到如下界面说明安装成功
端口之间关系
5601 (Kibana web interface). 前台界面
9200 (Elasticsearch JSON interface) 搜索.
5044 (Logstash Beats interface, receives logs from Beats such as Filebea 日志传输
测试:
测试传递一条信息
1、使用命令:docker exec -it <container-name> /bin/bash 进入容器内
2、执行命令:/opt/logstash/bin/logstash -e ‘input { stdin { } } output { elasticsearch { hosts => ["localhost"] } }‘
报错:如果看到这样的报错信息 Logstash could not be started because there is already another instance using the configured data directory.
If you wish to run multiple instances, you must change the "path.data" setting.
解决:请执行命令:service logstash stop 然后在执行就可以了。
再次执行:看到:Successfully started Logstash API endpoint {:port=>9600} 即可
3.输入测试信息 :this is a test 
4、打开浏览器,输入:http://<your-host>:9200/_search?pretty 如图,就会看到我们刚刚输入的日志内容
ELK 是由三部分组成的一套日志分析系统,
Elasticsearch: 基于json分析搜索引擎,Elasticsearch是个开源分布式搜索引擎,它的特点有:分布式,零配置,自动发现,索引自动分片,
索引副本机制,restful风格接口,多数据源,自动搜索负载等。
Logstash:动态数据收集管道,Logstash是一个完全开源的工具,它可以对你的日志进行收集、分析,并将其存储供以后使用
Kibana:可视化视图,将elasticsearh所收集的data通过视图展现。kibana 是一个开源和免费的工具,它可以为 Logstash 和
ElasticSearch 提供的日志分析友好的 Web 界面,可以帮助您汇总、分析和搜索重要数据日志。
一、使用docker集成镜像
安装docker
elk集成镜像包 名字是 sebp/elk
1.安装 docke、启动
yum install docke
service docker start
2.下载 sebp/elk
docker pull sebp/elk
无法下载、报错 :
unauthorized: authentication required
这是国外网络的问题
解决1 用网易镜像
vim /etc/docker/daemon.json 这个json文件不存在的,不需要担心,直接编辑
把下面的贴进去,保存,重启即可
{
"registry-mirrors": [ "http://hub-mirror.c.163.com"]
}
# service docker restart
没效果,还是下不来
解决2 用阿里云镜像加速
注册一个阿里云账号,登陆
到这里复制自己的加速地址
然后
安装/升级你的Docker客户端
- 推荐安装
1.10.0以上版本的Docker客户端,参考文档 docker-ce
如何配置镜像加速器
-
针对Docker客户端版本大于1.10.0的用户
您可以通过修改daemon配置文件
/etc/docker/daemon.json来使用加速器:sudo mkdir -p /etc/docker sudo tee /etc/docker/daemon.json <<-‘EOF‘ { "registry-mirrors": ["https://34sii7qf.mirror.aliyuncs.com"] } EOF sudo systemctl daemon-reload sudo systemctl restart docker
下载:
# docker pull sebp/elk
……
617ab16bcfa1: Pull complete
Digest: sha256:b6b8dd20b1a9aaf47b11fe9c66395a462f5e65c50dcff725e9bf83576d4ed241
Status: Downloaded newer image for docker.io/sebp/elk:latest
查看镜像:
[[email protected] docker]# docker images
REPOSITORY TAG IMAGEID CREATED SIZE
docker.io/sebp/elk latest 4b52312ebe8d 12 days ago 1.15 GB
3.启动镜像
# docker run -p 5601:5601 -p 9200:9200 -p 5044:5044 -it --name elk sebp/elk
报错:
Couln‘t start Elasticsearch. Exiting.
Elasticsearch log follows below.
原因:
waiting for Elasticsearch to be up (xx/30) counter goes up to 30 and the container exits with Couln‘t start Elasticsearch. Exiting. and Elasticsearch‘s logs are dumped, then read the recommendations in the logs and consider that they must be applied.
In particular, in case (1) above, the message max virtual memory areas vm.max_map_count [65530] likely too low, increase to at least [262144]means that the host‘s limits on mmap counts must be set to at least 262144.
Docker至少得分配3GB的内存;
Elasticsearch至少需要单独2G的内存;
vm.max_map_count至少需要262144,修改vm.max_map_count 参数
解决:
# vi /etc/sysctl.conf
末尾添加一行
vm.max_map_count=262144
查看结果
# sysctl -p
vm.max_map_count = 262144
重新启动:
# docker run -p 5601:5601 -p 9200:9200 -p 5044:5044 -it --name elk sebp/elk
/usr/bin/docker-current: Error response from daemon: Conflict. The container name "/elk" is already in use by container ece053f704db663e03355a679e25ec732bd08668dae1a87a89567e0e7c950749. You have to remove (or rename) that container to be able to reuse that name..
See ‘/usr/bin/docker-current run --help‘.
[[email protected] ~]# docker run -p 5601:5601 -p 9200:9200 -p 5044:5044 -it --name elk123 sebp/elk
/usr/bin/docker-current: Error response from daemon: Conflict. The container name "/elk123" is already in use by container caf492e3acff7506c5e70b896bd82a33d757816ca3f55911a2aa9aef4cd74670. You have to remove (or rename) that container to be able to reuse that name..
See ‘/usr/bin/docker-current run --help‘.
[[email protected] ~]# docker run -p 5601:5601 -p 9200:9200 -p 5044:5044 -it --name elk1 sebp/elk
* Starting periodic command scheduler cron [ OK ]
* Starting Elasticsearch Server [ OK ]
waiting for Elasticsearch to be up (1/30)
waiting for Elasticsearch to be up (2/30)
waiting for Elasticsearch to be up (3/30)
waiting for Elasticsearch to be up (4/30)
waiting for Elasticsearch to be up (5/30)
waiting for Elasticsearch to be up (6/30)
waiting for Elasticsearch to be up (7/30)
waiting for Elasticsearch to be up (8/30)
waiting for Elasticsearch to be up (9/30)
waiting for Elasticsearch to be up (10/30)
Waiting for Elasticsearch cluster to respond (1/30)
logstash started.
* Starting Kibana5 [ OK ]
==> /var/log/elasticsearch/elasticsearch.log <==
[2018-04-03T06:58:14,192][INFO ][o.e.d.DiscoveryModule ] [JI2Uv6k] using discovery type [zen]
[2018-04-03T06:58:15,132][INFO ][o.e.n.Node ] initialized
[2018-04-03T06:58:15,132][INFO ][o.e.n.Node ] [JI2Uv6k] starting ...
[2018-04-03T06:58:15,358][INFO ][o.e.t.TransportService ] [JI2Uv6k] publish_address {172.17.0.2:9300}, bound_addresses {[::]:9300}
[2018-04-03T06:58:15,378][INFO ][o.e.b.BootstrapChecks ] [JI2Uv6k] bound or publishing to a non-loopback address, enforcing bootstrap checks
[2018-04-03T06:58:18,517][INFO ][o.e.c.s.MasterService ] [JI2Uv6k] zen-disco-elected-as-master ([0] nodes joined), reason: new_master {JI2Uv6k}{JI2Uv6kAQ1ymPZoVhL5AAg}{Rr9Wa_H-RKGaBC4IDpjAMA}{172.17.0.2}{172.17.0.2:9300}
[2018-04-03T06:58:18,529][INFO ][o.e.c.s.ClusterApplierService] [JI2Uv6k] new_master {JI2Uv6k}{JI2Uv6kAQ1ymPZoVhL5AAg}{Rr9Wa_H-RKGaBC4IDpjAMA}{172.17.0.2}{172.17.0.2:9300}, reason: apply cluster state (from master [master {JI2Uv6k}{JI2Uv6kAQ1ymPZoVhL5AAg}{Rr9Wa_H-RKGaBC4IDpjAMA}{172.17.0.2}{172.17.0.2:9300} committed version [1] source [zen-disco-elected-as-master ([0] nodes joined)]])
[2018-04-03T06:58:18,563][INFO ][o.e.h.n.Netty4HttpServerTransport] [JI2Uv6k] publish_address {172.17.0.2:9200}, bound_addresses {[::]:9200}
[2018-04-03T06:58:18,563][INFO ][o.e.n.Node ] [JI2Uv6k] started
[2018-04-03T06:58:18,577][INFO ][o.e.g.GatewayService ] [JI2Uv6k] recovered [0] indices into cluster_state
==> /var/log/logstash/logstash-plain.log <==
==> /var/log/kibana/kibana5.log <==
4.验证、测试
打开浏览器,输入:http://<your-host>:5601,看到如下界面说明安装成功
端口之间关系
5601 (Kibana web interface). 前台界面
9200 (Elasticsearch JSON interface) 搜索.
5044 (Logstash Beats interface, receives logs from Beats such as Filebea 日志传输
测试:
测试传递一条信息
1、使用命令:docker exec -it <container-name> /bin/bash 进入容器内
2、执行命令:/opt/logstash/bin/logstash -e ‘input { stdin { } } output { elasticsearch { hosts => ["localhost"] } }‘
报错:如果看到这样的报错信息 Logstash could not be started because there is already another instance using the configured data directory.
If you wish to run multiple instances, you must change the "path.data" setting.
解决:请执行命令:service logstash stop 然后在执行就可以了。
再次执行:看到:Successfully started Logstash API endpoint {:port=>9600} 即可
3.输入测试信息 :this is a test
4、打开浏览器,输入:http://<your-host>:9200/_search?pretty 如图,就会看到我们刚刚输入的日志内容
原文地址:https://www.cnblogs.com/zafu/p/12134213.html