elk: elasticsearch+kibana+logstash
Since ELK 8.0, SSL is enforced (it can be turned off); I hit quite a few pitfalls and spent a lot of time fiddling with it.
Version used: 8.0.0
There are 3 parts; this is part 3, Logstash 8.
_________________________________________________________________________________________________
1. Install docker
2. Install logstash
docker pull logstash:8.0.0
3. Run logstash without mounting any directories
docker run -p5044:5044 -p9600:9600 -d --name logstash logstash:8.0.0
Once it is running, copy the directory to the host
#docker cp 0000:/usr/share/logstash /mnt/md0/appdata/mydocker
0000 is the container_id and /mnt/md0/appdata/mydocker is the local directory; replace both with your own.
When done, stop the container
docker stop 0000
Remove the container
docker rm 0000
4. Run the real logstash
docker run --restart=always \
  --log-driver json-file --log-opt max-size=100m --log-opt max-file=2 \
  -p5044:5044 -p9600:9600 \
  -v /mnt/md0/appdata/mydocker/logstash/config:/usr/share/logstash/config \
  -v /mnt/md0/appdata/mydocker/logstash/data:/usr/share/logstash/data \
  -v /mnt/md0/appdata/mydocker/logstash/logs:/usr/share/logstash/logs \
  -v /mnt/md0/appdata/mydocker/logstash/config.d:/usr/share/logstash/config.d \
  -v /mnt/md0/appdata/mydocker/logstash/pipeline:/usr/share/logstash/pipeline \
  -v /mnt/md0/appdata/mydocker/logstash/jar:/usr/share/logstash/jar \
  -e TZ=Asia/Shanghai \
  -d --name logstash logstash:8.0.0
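Steps 3 and 4 as one script, an added example that is not from the original post: the container id is captured instead of being typed in ("0000" above), and the list of bind-mounted directories is generated from one place so none is forgotten. It assumes the same host directory as the post (LS_HOST_DIR) and the same image; set DOCKER=echo to print the docker commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the original post): bootstrap-then-run for Logstash 8.0.0 in Docker.
set -eu

LS_IMAGE="${LS_IMAGE:-logstash:8.0.0}"
LS_HOST_DIR="${LS_HOST_DIR:-/mnt/md0/appdata/mydocker}"   # host directory used in the post
DOCKER="${DOCKER:-docker}"                                # DOCKER=echo for a dry run

# Subdirectories of /usr/share/logstash that the post bind-mounts from the host.
mounted_dirs() {
    printf '%s\n' config data logs config.d pipeline jar
}

# Emit one "-v host:container" pair per mounted directory, for use in docker run.
# Assumes the host path contains no whitespace.
volume_args() {
    host_base="$1"
    mounted_dirs | while read -r d; do
        printf -- '-v %s/logstash/%s:/usr/share/logstash/%s\n' "$host_base" "$d" "$d"
    done
}

# Step 3: start a throwaway container, copy its /usr/share/logstash tree to the
# host so the config can be edited there, then stop and remove the container.
seed_host_dir() {
    cid=$("$DOCKER" run -d --name logstash-seed "$LS_IMAGE")
    "$DOCKER" cp "$cid:/usr/share/logstash" "$LS_HOST_DIR"
    "$DOCKER" stop "$cid" >/dev/null
    "$DOCKER" rm "$cid" >/dev/null
}

# Step 4: run the real container with the host directories mounted in.
run_logstash() {
    # The unquoted $(...) is intentional: it expands to the generated -v pairs.
    "$DOCKER" run --restart=always \
        --log-driver json-file --log-opt max-size=100m --log-opt max-file=2 \
        -p 5044:5044 -p 9600:9600 \
        $(volume_args "$LS_HOST_DIR") \
        -e TZ=Asia/Shanghai \
        -d --name logstash "$LS_IMAGE"
}

# Only act when explicitly asked, so sourcing the file just defines the functions.
if [ "${LOGSTASH_SETUP:-}" = "run" ]; then
    seed_host_dir
    run_logstash
fi
```

Run it with `LOGSTASH_SETUP=run sh setup.sh` (or `DOCKER=echo LOGSTASH_SETUP=run sh setup.sh` to see what it would do). Mounting config.d, pipeline and jar from the host is what lets the CA file and pipeline configs in the later steps be edited without rebuilding the container.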
5. Go into the config directory and change the host and the connection password. To keep things simple, I put the key files in the jar directory.
Look up the IP of elastic:
#docker inspect --format '{{ .NetworkSettings.IPAddress }}' es
See the last section.
6. In the config.d directory, create logstash2.conf
input {
  generator {
    message => "stonetest001"
    count => 1
  }
}
output {
  stdout {
    codec => rubydebug
  }
  elasticsearch {
    hosts => ["https://172.17.0.5:9200"]
    index => "data-%{+YYYY.MM.dd}"
    cacert => "/usr/share/logstash/jar/http_ca.crt"
    user => "elastic"
    password => "111111"
    #ssl_certificate_verification => true
    #truststore => "/usr/share/logstash/jar/http.p12"
    #truststore_password => "F5tj__WeSyqCCTb19jdUaw"
  }
}
Enter the container: docker exec -it 0000 bash
/usr/share/logstash/bin/logstash -f /usr/share/logstash/config.d/logstash2.conf
If you get an error, solution 1:
Logstash could not be started because there is already another instance using the configured data directory. If you wish to run multiple instances, you must change the "path.data" setting.
Cause:
The instance that ran earlier left buffered state behind, which is stored under the data directory by default.
Fix:
cd data
ls -a
rm -f .lock
Solution 2 (pointing it at an arbitrary directory; I tried this and it does not work):
/usr/share/logstash/bin/logstash -f /usr/share/logstash/config.d/logstash2.conf --path.settings=/etc/logstash
7. Verify when done
Open Kibana in the browser to verify: after logging in, go to Management > Dev Tools and click Run in the page.
If the hits section contains data, it worked!
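The same check from the command line, as an added example that is not part of the original post: it queries the data-* index over TLS with curl and reports whether any hits came back. `--cacert` makes curl verify the server certificate against the cluster CA, the same check the `cacert` option does for the Logstash elasticsearch output (verification is on by default there, so the commented-out `ssl_certificate_verification` line changes nothing). The CA path, user and index pattern are the ones the post uses; ES_URL and ES_PASSWORD are assumed to come from the environment. Without ES_PASSWORD it runs the response parser on constructed sample replies instead of contacting Elasticsearch.

```shell
#!/bin/sh
# Added example (not from the original post): check that documents reached the data-* index.
set -eu

ES_URL="${ES_URL:-https://172.17.0.5:9200}"
ES_USER="${ES_USER:-elastic}"
CA_CERT="${CA_CERT:-/mnt/md0/appdata/mydocker/logstash/jar/http_ca.crt}"   # host copy of http_ca.crt
INDEX_PATTERN="${INDEX_PATTERN:-data-*}"                                   # matches data-%{+YYYY.MM.dd}

# Extract hits.total.value from a compact _search response read on stdin.
# Prints nothing if the field is absent (for example an error body).
hit_count() {
    tr -d ' \n\t' | sed -n 's/.*"hits":{"total":{"value":\([0-9]*\).*/\1/p'
}

# Return 0 when the response on stdin reports at least one hit, 1 otherwise.
has_hits() {
    n=$(hit_count)
    if [ -n "$n" ] && [ "$n" -gt 0 ]; then
        return 0
    fi
    return 1
}

# Query Elasticsearch for the generator message. --cacert (instead of -k) makes curl
# verify the server certificate, so a wrong host or stale CA fails loudly here.
search_index() {
    curl -sS --fail --cacert "$CA_CERT" -u "$ES_USER:${ES_PASSWORD:?set ES_PASSWORD}" \
        "$ES_URL/$INDEX_PATTERN/_search?size=1&q=message:stonetest001"
}

# Constructed sample responses shaped like compact 8.x _search replies (the index
# date is made up), used to exercise the parser offline.
SAMPLE_HIT='{"took":3,"timed_out":false,"hits":{"total":{"value":1,"relation":"eq"},"max_score":0.29,"hits":[{"_index":"data-2022.03.01","_source":{"message":"stonetest001"}}]}}'
SAMPLE_EMPTY='{"took":1,"timed_out":false,"hits":{"total":{"value":0,"relation":"eq"},"max_score":null,"hits":[]}}'

if [ -n "${ES_PASSWORD:-}" ]; then
    if search_index | has_hits; then
        echo "ok: documents found in $INDEX_PATTERN"
    else
        echo "no documents in $INDEX_PATTERN (check the pipeline output and the cacert path)" >&2
        exit 1
    fi
else
    printf '%s' "$SAMPLE_HIT" | has_hits && echo "sample with hits: ok"
    printf '%s' "$SAMPLE_EMPTY" | has_hits || echo "sample without hits: ok"
fi
```

With `--fail`, an authentication failure (HTTP 401) makes curl exit non-zero and print no body, so a wrong password is reported as "no documents" rather than being mistaken for an empty index; drop `-s` to see the HTTP error while debugging.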
8. The logstash.yml, for reference
#http.host: "0.0.0.0"
#xpack.monitoring.elasticsearch.hosts: [ "https://172.17.0.5:9200" ]
http.host: "0.0.0.0"
xpack.monitoring.elasticsearch.hosts: [ "https://172.17.0.5:9200" ]
xpack.monitoring.enabled: true
xpack.monitoring.elasticsearch.username: "logstash_system"
xpack.monitoring.elasticsearch.password: "111111"
# path to your ca.pem
xpack.monitoring.elasticsearch.ssl.certificate_authority: "/usr/share/logstash/jar/http_ca.crt"
xpack.monitoring.elasticsearch.ssl.verification_mode: certificate
# sniffing of es nodes; set to false
xpack.monitoring.elasticsearch.sniffing: false