关于elk:Docker安装ELK8x

Docker装置ELK集成镜像

一、下载ELK镜像

搜寻镜像
docker search sebp/elk

[root@www ~]# docker search sebp/elkNAME        DESCRIPTION                                     STARS     OFFICIAL   AUTOMATEDsebp/elk    Collect, search and visualise log data with …   1169                 [OK]sebp/elkx   Collect, search and visualise log data with …   43                   [OK]

下载镜像
docker pull sebp/elk

[root@www ~]# docker pull sebp/elkUsing default tag: latestlatest: Pulling from sebp/elkDigest: sha256:c5f1d0f845ab217ef509b8c6565d0c4a5dd8dea063a411b60dfb7c4508312acaStatus: Image is up to date for sebp/elk:latestdocker.io/sebp/elk:latest

二、批改系统配置

批改eleasticsearch用户权限

vim /etc/security/limits.conf

# 在最初面追加上面内容elk hard nofile 65536elk soft nofile 65536

能够解决ELK启动报: ERROR: Elasticsearch did not exit normally - check the logs at /var/log/elasticsearch/elasticsearch.log错的问题

更改零碎vm.max_map_count设置值

max_map_count文件蕴含限度一个过程能够领有的VMA(虚拟内存区域)的数量
这个值须要调大一些
长期调整: sysctl -w vm.max_map_count=262144
永恒调整: vim /etc/sysctl.conf

# 在开端加上一行vm.max_map_count=262144

更新配置
sysctl -p

查看更改后的值
sysctl -a | grep vm.max_map_count

# 查看[root@localhost /]# sysctl -a | grep vm.max_map_countvm.max_map_count = 262144

调大后能够打消elk启动时的谬误: bootstrap check failure [1] of [1]: max virtual memory areas vm.max_map_count [65530] is too low, increase to at least [262144]

三、拉取配置文件到宿主机

创立配置目录

为了不便批改， 将Docker容器中的配置映射到宿主机

# 创立elk配置文件目录mkdir -p /data/elk/elasticsearchmkdir -p /data/elk/logstashmkdir -p /data/elk/kibanamkdir -p /data/elk/elasticsearch/datamkdir -p /data/elk/elasticsearch/config# 创立elk日志文件目录（不胜利）# mkdir -p /data/elk/log/elasticsearch# mkdir -p /data/elk/log/logstash# mkdir -p /data/elk/log/kibana# 创立文件(通过开启一个容器获取初始配置文件)docker run -p 5601:5601 -p 9200:9200  -p 5044:5044 \    -it \    -e TZ="Asia/Shanghai" \    -e ES_HEAP_SIZE="4g"  \    -e ES_JAVA_OPTS="-Xms8g -Xmx8g" \    -e "discovery.type=single-node" \    -e LS_HEAP_SIZE="4g" --name elk sebp/elk# 从容器中复制出ELK配置docker cp elk:/var/lib/elasticsearch/ /data/elk/elasticsearch/datadocker cp elk:/etc/elasticsearch/ /data/elk/elasticsearch/configdocker cp elk:/opt/logstash/config /data/elk/logstash/configdocker cp elk:/etc/logstash/conf.d /data/elk/logstash/conf.ddocker cp elk:/opt/kibana/config /data/elk/kibana/configdocker cp elk:/opt/kibana/data /data/elk/kibana/datamv /data/elk/elasticsearch/config/elasticsearch/* /data/elk/elasticsearch/configrm -rf /data/elk/elasticsearch/config/elasticsearch/mv /data/elk/elasticsearch/data/elasticsearch/* /data/elk/elasticsearch/datarm -rf /data/elk/elasticsearch/data/elasticsearch/# 复制实现后批改目录权限cd /data/elkchown -R 991:991 elasticsearch*chown -R 992:992 logstash*chown -R 993:993 kibana*# 改日志目录权限#cd /data/elk/log#chown -R 991:991 elasticsearch*#chown -R 992:992 logstash*#chown -R 993:993 kibana*#chmod 644 -R /data/elk/log# 删除容器docker stop elkdocker rm elk

四、创立容器

批改配置(可选)

本机是16G， 给eleasticsearch分一半
vim /data/elk/elasticsearch/config/jvm.options

# 找到#-Xms4g#-Xmx4g# 改为-Xms8g-Xmx8g

启动一个新的ELK容器

docker run -p 5601:5601 -p 9200:9200  -p 5044:5044 \    -v /data/elk/logstash/config:/opt/logstash/config \    -v /data/elk/logstash/conf.d:/etc/logstash/conf.d \    -v /data/elk/elasticsearch/config:/etc/elasticsearch   \    -v /data/elk/elasticsearch/data:/var/lib/elasticsearch \    -v /data/elk/kibana/config:/opt/kibana/config \    -v /data/elk/kibana/data:/opt/kibana/data \    -it \    -e TZ="Asia/Shanghai" \    -e ES_HEAP_SIZE="4g"  \    -e ES_JAVA_OPTS="-Xms8g -Xmx8g" \    -e "discovery.type=single-node" \    -e LS_HEAP_SIZE="4g" --name elk sebp/elk

## 日志映射还有权限问题。。。 临时不加#    -v /data/elk/log/kibana:/var/log/kibana \#    -v /data/elk/log/logstash:/var/log/logstash \#    -v /data/elk/log/elasticsearch:/var/log/elasticsearch \

查看容器日志
docker logs -f -t --tail=100 elk
进入docker容器
docker exec -it elk /bin/bash

参考链接：启动ELK出错的一些解决方案
Logstash文档: https://www.elastic.co/guide/en/logstash/current/index.html
ElasticSearch文档: https://www.elastic.co/guide/en/elasticsearch/reference/current/index.html