內(nèi)網(wǎng)地址
192.168.0.94:9200
127.0.0.1:9200
https://127.0.0.1:9200
賬戶 admin 
密碼 123456
#端口
9200 es
kibana
https://127.0.0.1:5601/app/login?nextUrl=%2F
賬戶 admin 
密碼 123456

5601,9200

# 1. 設(shè)置內(nèi)核映射限制參數(shù)
sudo sysctl -w vm.max_map_count=262144
# 2. 永久寫入配置
echo "vm.max_map_count=262144" | sudo tee -a /etc/sysctl.conf
# 3. 使配置生效
sudo sysctl -p

# 創(chuàng)建基礎(chǔ)目錄
sudo mkdir -p /www/es-kibana/{metricbeat/modules.d,metricbeat/config,elasticsearch/config,elasticsearch/data,elasticsearch/logs,kibana/config,kibana/logs}
# 拷貝或新建配置文件
# （如果之前已經(jīng)編輯過，直接 mv 到相應(yīng)目錄即可）
# Elasticsearch 配置
sudo tee /www/es-kibana/elasticsearch/config/elasticsearch.yml > /dev/null << EOF
cluster.name: "es-docker-cluster"
network.host: 0.0.0.0
http.port: 9200
discovery.type: single-node
bootstrap.memory_lock: true
path.data: /usr/share/elasticsearch/data
path.logs: /usr/share/elasticsearch/logs
# ─── 安全認證 ───────────────────────────
xpack.security.enabled: true
# ─── 開啟匿名訪問（允許無憑據(jù)訪問 ES HTTP 接口） ───────────────────────────
xpack.security.authc.anonymous.username: anonymous_user
xpack.security.authc.anonymous.roles: superuser
xpack.security.authc.anonymous.authz_exception: false
EOF
# Kibana 配置
sudo tee /www/es-kibana/kibana/config/kibana.yml > /dev/null << EOF
server.name: kibana
server.host: "0.0.0.0"
server.port: 5601
elasticsearch.hosts: [ "http://elasticsearch:9200" ]
elasticsearch.username: "elastic"
elasticsearch.password: "123456"
# 會話加密與安全相關(guān)
xpack.security.encryptionKey: "a_very_long_random_string_at_least_32_chars"
xpack.security.session.idleTimeout: "1h"
i18n.locale: "zh-CN"
logging.dest: /usr/share/kibana/logs/kibana.log
EOF
#Metricbeat 配置
sudo tee /www/es-kibana/metricbeat/config/metricbeat.yml > /dev/null << EOF
metricbeat.config.modules:
  path: /usr/share/metricbeat/modules.d/*.yml
  reload.enabled: false
setup.ilm.enabled: false
setup.template.enabled: true
setup.template.name: "metricbeat-mian-stg"
setup.template.pattern: "metricbeat-mian-stg-*"
output.elasticsearch:
  hosts: ["http://elasticsearch:9200"]
  username: "elastic"
  password: "123456"
monitoring.enabled: true
EOF
#啟用默認系統(tǒng)監(jiān)控模塊
sudo tee /www/es-kibana/metricbeat/modules.d/system.yml > /dev/null << EOF
- module: system
  metricsets:
    - cpu
    - load
    - memory
    - network
    - process
    - process_summary
    - uptime
    - filesystem
    - diskio
    - socket_summary
  period: 10s
  processes: ['.*']
  enabled: true
EOF
# 確保目錄權(quán)限（Elasticsearch 默認 UID/GID 都是 1000）
sudo chown -R 1000:1000 /www/es-kibana/elasticsearch/{data,logs}
sudo chown -R 1000:1000 /www/es-kibana/kibana/logs
cd /www/es-kibana

version: '3.8'
services:
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:7.10.2
    container_name: elasticsearch
    environment:
      - discovery.type=single-node
      - ELASTIC_PASSWORD=123456
      - bootstrap.memory_lock=true
      - ES_JAVA_OPTS=-Xms1g -Xmx1g
    ulimits:
      memlock:
        soft: -1
        hard: -1
    ports:
      - "9200:9200"
      - "9300:9300"
    volumes:
      - ./elasticsearch/data:/usr/share/elasticsearch/data
      - ./elasticsearch/logs:/usr/share/elasticsearch/logs
      - ./elasticsearch/config/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml:ro
    networks:
      - es-network
  kibana:
    image: docker.elastic.co/kibana/kibana:7.10.2
    container_name: kibana
    environment:
      - SERVER_PORT=5601
      - ELASTICSEARCH_HOSTS=http://elasticsearch:9200
      - ELASTICSEARCH_USERNAME=elastic
      - ELASTICSEARCH_PASSWORD=123456
    ports:
      - "5601:5601"
    volumes:
      - ./kibana/config/kibana.yml:/usr/share/kibana/config/kibana.yml:ro
      - ./kibana/logs:/usr/share/kibana/logs
    depends_on:
      - elasticsearch
    networks:
      - es-network
  metricbeat:
    image: docker.elastic.co/beats/metricbeat:7.10.2
    container_name: metricbeat
    user: root
    depends_on:
      - elasticsearch
    cap_add:
      - SYS_PTRACE
      - DAC_READ_SEARCH
    volumes:
      - ./metricbeat/config/metricbeat.yml:/usr/share/metricbeat/metricbeat.yml:ro
      - ./metricbeat/modules.d:/usr/share/metricbeat/modules.d:ro
      - /proc:/hostfs/proc:ro
      - /sys/fs/cgroup:/hostfs/sys/fs/cgroup:ro
      - /:/hostfs:ro
    networks:
      - es-network
volumes: {}
networks:
  es-network:
    driver: bridge

cd /www/es-kibana
docker-compose down -v
docker-compose up -d
docker-compose logs -f elasticsearch
docker-compose logs -f kibana
docker-compose logs -f metricbeat

/www/es-kibana/
├── docker-compose.yml
├── elasticsearch/
│   └── elasticsearch.yml
├── kibana/
│   └── kibana.yml
├── data/             # Elasticsearch 數(shù)據(jù)目錄（掛載）
└── logs/             # Elasticsearch 日志目錄（掛載）

curl http://localhost:9200
#外網(wǎng)
curl http://127.0.0.1:9200
#kibana 獲取密碼
docker exec -it elasticsearch bin/elasticsearch-setup-passwords auto
elastic
123456

mkdir -p /www/filebeat/logs && cd /www/filebeat/logs

# 修改模板參數(shù)值 上傳的參數(shù)不一致
setup.template.priority
# json解析問題調(diào)整
json.keys_under_root: true  # 修改這一行
json.add_error_key: true
json.message_key: json  # 修改這一行
# 先調(diào)試->在調(diào)試docker啟動是否正常同步->啟動鏡像->啟動正式容器

mkdir -p /www/filebeat/
mkdir -p /www/filebeat/modules.d
/www/filebeat/
├── docker-compose.yml
├── Dockerfile
└── filebeat.docker.yml

filebeat.config:
  modules:
    path: ${path.config}/modules.d/*.yml
    reload.enabled: false
filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - /var/log/v99mian/**/*.log
      - /var/log/nginx/**/*.log
    json.keys_under_root: true
    json.add_error_key: true
    json.overwrite_keys: true
    fields:
      log_source: mian
processors:
  - decode_json_fields:
      fields: ["message"]
      target: ""
      overwrite_keys: true
  - timestamp:
      field: "@timestamp"
      layouts:
        - '2006-01-02T15:04:05.000Z07:00'
      timezone: "UTC"
  - add_host_metadata: {}
  - add_cloud_metadata: {}
  - add_docker_metadata: {}
  - add_kubernetes_metadata: {}
output.elasticsearch:
  hosts: ["127.0.0.1:9200"]
  username: "elastic"
  password: "123456"
  ssl.verification_mode: "none"
setup.template.name: "metricbeat-mian-prd"
setup.template.pattern: "metricbeat-*"
setup.template.priority: 260
setup.ilm.enabled: true
setup.ilm.rollover_alias: "metricbeat-mian-prd"
setup.ilm.pattern: "{now/d}-000001"
setup.ilm.policy_name: "metricbeat-mian-prd-policy"
setup.ilm.policy:
  policy:
    phases:
      hot:
        actions:
          rollover:
            max_age: "1d"
            max_size: "50gb"
      delete:
        min_age: "30d"
        actions:
          delete: {}
setup.template.settings:
  index.mapping.total_fields.limit: 2000
  index.mapping.ignore_malformed: true
  index.number_of_shards: 1
  index.number_of_replicas: 0

FROM docker.elastic.co/beats/filebeat:7.10.2
# 切換到 root（確保有權(quán)限修改配置文件屬主）
USER root
# 復(fù)制配置文件到鏡像中
COPY filebeat.docker.yml /usr/share/filebeat/filebeat.yml
# 如果 modules.d 目錄下有自定義模塊，也一并復(fù)制
COPY modules.d /usr/share/filebeat/modules.d
# 確保 filebeat 用戶可以讀取配置
RUN chown -R root:filebeat /usr/share/filebeat/filebeat.yml \
 && chmod 0644 /usr/share/filebeat/filebeat.yml
# 切回非 root 用戶
USER filebeat
# 掛載日志目錄
VOLUME ["/var/log/mian"]
VOLUME ["/var/log/nginx"]
# 啟動命令
CMD ["filebeat", "-e", "--strict.perms=false", "-c", "/usr/share/filebeat/filebeat.yml"]

version: '3.8'
services:
  filebeat:
    build:
      context: .
      dockerfile: Dockerfile
    container_name: filebeat-mian
    restart: always
    user: root
    volumes:
      - /var/log/v99mian:/var/log/v99mian:ro
      - /var/log/nginx:/var/log/nginx:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro

cd /www/filebeat
docker-compose down -v
docker-compose up -d
docker-compose up --build -d #調(diào)試啟動
docker ps         # 查看容器運行狀態(tài)
docker logs -f filebeat-mian   # 實時查看輸出日志

curl -u elastic:123456 \
  'http://127.0.0.1:9200/metricbeat-v99mian-prd-*/_search?size=5&pretty'
curl -u elastic:123456 'http://127.0.0.1:9200/_cluster/health?pretty'
curl -u elastic:123456 'http://127.0.0.1:9200/_cat/indices?v'