当前位置：首页 > news >正文

Filebeat es 同步服务器日志到es

news 2025/5/29 8:46:50

资源

ubuntu es 7.10 kibana7.10 filebeat:7.10.2 metricbeat:7.10.2对应的版本必须相同否在会有兼容问题

es kibana

内网地址
192.168.0.94:9200
127.0.0.1:9200
https://127.0.0.1:9200
账户 admin 
密码 123456
#端口
9200 eskibana
https://127.0.0.1:5601/app/login?nextUrl=%2F
账户 admin 
密码 123456

日志es kibana服务器安装docker-compose

开放端口

5601,9200

设置系统参数（在宿主机执行）

# 1. 设置内核映射限制参数
sudo sysctl -w vm.max_map_count=262144# 2. 永久写入配置
echo "vm.max_map_count=262144" | sudo tee -a /etc/sysctl.conf# 3. 使配置生效
sudo sysctl -p

目录准备

# 创建基础目录
sudo mkdir -p /www/es-kibana/{metricbeat/modules.d,metricbeat/config,elasticsearch/config,elasticsearch/data,elasticsearch/logs,kibana/config,kibana/logs}# 拷贝或新建配置文件
# （如果之前已经编辑过，直接 mv 到相应目录即可）
# Elasticsearch 配置
sudo tee /www/es-kibana/elasticsearch/config/elasticsearch.yml > /dev/null << EOF
cluster.name: "es-docker-cluster"
network.host: 0.0.0.0
http.port: 9200
discovery.type: single-node
bootstrap.memory_lock: truepath.data: /usr/share/elasticsearch/data
path.logs: /usr/share/elasticsearch/logs# ─── 安全认证 ───────────────────────────
xpack.security.enabled: true# ─── 开启匿名访问（允许无凭据访问 ES HTTP 接口） ───────────────────────────
xpack.security.authc.anonymous.username: anonymous_user
xpack.security.authc.anonymous.roles: superuser
xpack.security.authc.anonymous.authz_exception: falseEOF# Kibana 配置
sudo tee /www/es-kibana/kibana/config/kibana.yml > /dev/null << EOF
server.name: kibana
server.host: "0.0.0.0"
server.port: 5601elasticsearch.hosts: [ "http://elasticsearch:9200" ]
elasticsearch.username: "elastic"
elasticsearch.password: "123456"# 会话加密与安全相关
xpack.security.encryptionKey: "a_very_long_random_string_at_least_32_chars"
xpack.security.session.idleTimeout: "1h"i18n.locale: "zh-CN"
logging.dest: /usr/share/kibana/logs/kibana.logEOF#Metricbeat 配置
sudo tee /www/es-kibana/metricbeat/config/metricbeat.yml > /dev/null << EOF
metricbeat.config.modules:path: /usr/share/metricbeat/modules.d/*.ymlreload.enabled: falsesetup.ilm.enabled: false
setup.template.enabled: true
setup.template.name: "metricbeat-mian-stg"
setup.template.pattern: "metricbeat-mian-stg-*"output.elasticsearch:hosts: ["http://elasticsearch:9200"]username: "elastic"password: "123456"monitoring.enabled: true
EOF#启用默认系统监控模块
sudo tee /www/es-kibana/metricbeat/modules.d/system.yml > /dev/null << EOF
- module: systemmetricsets:- cpu- load- memory- network- process- process_summary- uptime- filesystem- diskio- socket_summaryperiod: 10sprocesses: ['.*']enabled: true
EOF# 确保目录权限（Elasticsearch 默认 UID/GID 都是 1000）
sudo chown -R 1000:1000 /www/es-kibana/elasticsearch/{data,logs}
sudo chown -R 1000:1000 /www/es-kibana/kibana/logscd /www/es-kibana

vim docker-compose.yml 配置文件

version: '3.8'services:elasticsearch:image: docker.elastic.co/elasticsearch/elasticsearch:7.10.2container_name: elasticsearchenvironment:- discovery.type=single-node- ELASTIC_PASSWORD=123456- bootstrap.memory_lock=true- ES_JAVA_OPTS=-Xms1g -Xmx1gulimits:memlock:soft: -1hard: -1ports:- "9200:9200"- "9300:9300"volumes:- ./elasticsearch/data:/usr/share/elasticsearch/data- ./elasticsearch/logs:/usr/share/elasticsearch/logs- ./elasticsearch/config/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml:ronetworks:- es-networkkibana:image: docker.elastic.co/kibana/kibana:7.10.2container_name: kibanaenvironment:- SERVER_PORT=5601- ELASTICSEARCH_HOSTS=http://elasticsearch:9200- ELASTICSEARCH_USERNAME=elastic- ELASTICSEARCH_PASSWORD=123456ports:- "5601:5601"volumes:- ./kibana/config/kibana.yml:/usr/share/kibana/config/kibana.yml:ro- ./kibana/logs:/usr/share/kibana/logsdepends_on:- elasticsearchnetworks:- es-networkmetricbeat:image: docker.elastic.co/beats/metricbeat:7.10.2container_name: metricbeatuser: rootdepends_on:- elasticsearchcap_add:- SYS_PTRACE- DAC_READ_SEARCHvolumes:- ./metricbeat/config/metricbeat.yml:/usr/share/metricbeat/metricbeat.yml:ro- ./metricbeat/modules.d:/usr/share/metricbeat/modules.d:ro- /proc:/hostfs/proc:ro- /sys/fs/cgroup:/hostfs/sys/fs/cgroup:ro- /:/hostfs:ronetworks:- es-networkvolumes: {}networks:es-network:driver: bridge

启动服务

cd /www/es-kibana
docker-compose down -v
docker-compose up -d
docker-compose logs -f elasticsearch
docker-compose logs -f kibana
docker-compose logs -f metricbeat

目录结构一览

/www/es-kibana/
├── docker-compose.yml
├── elasticsearch/
│   └── elasticsearch.yml
├── kibana/
│   └── kibana.yml
├── data/             # Elasticsearch 数据目录（挂载）
└── logs/             # Elasticsearch 日志目录（挂载）

验证服务

curl http://localhost:9200
#外网
curl http://127.0.0.1:9200
#kibana 获取密码
docker exec -it elasticsearch bin/elasticsearch-setup-passwords auto
elastic
123456

调试 filebeat 配置

# 修改模板参数值 上传的参数不一致
setup.template.priority
# json解析问题调整
json.keys_under_root: true  # 修改这一行
json.add_error_key: true
json.message_key: json  # 修改这一行
# 先调试->在调试docker启动是否正常同步->启动镜像->启动正式容器

生产prd v99_mian配置filebeat

vim filebeat.docker.yml

filebeat.config:modules:path: ${path.config}/modules.d/*.ymlreload.enabled: falsefilebeat.inputs:- type: logenabled: truepaths:- /var/log/v99mian/**/*.log- /var/log/nginx/**/*.logjson.keys_under_root: truejson.add_error_key: truejson.overwrite_keys: truefields:log_source: mianprocessors:- decode_json_fields:fields: ["message"]target: ""overwrite_keys: true- timestamp:field: "@timestamp"layouts:- '2006-01-02T15:04:05.000Z07:00'timezone: "UTC"- add_host_metadata: {}- add_cloud_metadata: {}- add_docker_metadata: {}- add_kubernetes_metadata: {}output.elasticsearch:hosts: ["127.0.0.1:9200"]username: "elastic"password: "123456"ssl.verification_mode: "none"setup.template.name: "metricbeat-mian-prd"
setup.template.pattern: "metricbeat-*"
setup.template.priority: 260setup.ilm.enabled: true
setup.ilm.rollover_alias: "metricbeat-mian-prd"
setup.ilm.pattern: "{now/d}-000001"
setup.ilm.policy_name: "metricbeat-mian-prd-policy"
setup.ilm.policy:policy:phases:hot:actions:rollover:max_age: "1d"max_size: "50gb"delete:min_age: "30d"actions:delete: {}setup.template.settings:index.mapping.total_fields.limit: 2000index.mapping.ignore_malformed: trueindex.number_of_shards: 1index.number_of_replicas: 0

vim Dockerfile

FROM docker.elastic.co/beats/filebeat:7.10.2# 切换到 root（确保有权限修改配置文件属主）
USER root# 复制配置文件到镜像中
COPY filebeat.docker.yml /usr/share/filebeat/filebeat.yml# 如果 modules.d 目录下有自定义模块，也一并复制
COPY modules.d /usr/share/filebeat/modules.d# 确保 filebeat 用户可以读取配置
RUN chown -R root:filebeat /usr/share/filebeat/filebeat.yml \&& chmod 0644 /usr/share/filebeat/filebeat.yml# 切回非 root 用户
USER filebeat# 挂载日志目录
VOLUME ["/var/log/mian"]
VOLUME ["/var/log/nginx"]# 启动命令
CMD ["filebeat", "-e", "--strict.perms=false", "-c", "/usr/share/filebeat/filebeat.yml"]

vim docker-compose.yml

version: '3.8'services:filebeat:build:context: .dockerfile: Dockerfilecontainer_name: filebeat-mianrestart: alwaysuser: rootvolumes:- /var/log/v99mian:/var/log/v99mian:ro- /var/log/nginx:/var/log/nginx:ro- /var/run/docker.sock:/var/run/docker.sock:ro

启动构建Docker镜像

cd /www/filebeat
docker-compose down -v
docker-compose up -ddocker-compose up --build -d #调试启动
docker ps         # 查看容器运行状态
docker logs -f filebeat-mian   # 实时查看输出日志

验证es

curl -u elastic:123456 \'http://127.0.0.1:9200/metricbeat-v99mian-prd-*/_search?size=5&pretty'curl -u elastic:123456 'http://127.0.0.1:9200/_cluster/health?pretty'
curl -u elastic:123456 'http://127.0.0.1:9200/_cat/indices?v'

查看全文

http://www.xdnf.cn/news/669223.html