How to sync server logs to Elasticsearch (ES) with Filebeat
Resources
Ubuntu, ES 7.10, Kibana 7.10, filebeat:7.10.2, metricbeat:7.10.2. The versions must match, otherwise there will be compatibility problems.
es kibana
Internal network address: 192.168.0.94:9200
127.0.0.1:9200
https://127.0.0.1:9200
Account: admin
Password: 123456
# Port 9200
es kibana
https://127.0.0.1:5601/app/login?nextUrl=%2F
Account: admin
Password: 123456
Install docker-compose on the log (ES/Kibana) server
Open ports
5601,9200
Set system parameters (run on the host)
# 1. Set the kernel memory-map limit
sudo sysctl -w vm.max_map_count=262144
# 2. Write the setting permanently
echo "vm.max_map_count=262144" | sudo tee -a /etc/sysctl.conf
# 3. Apply the configuration
sudo sysctl -p
Prepare directories
# Create the base directories
sudo mkdir -p /www/es-kibana/{metricbeat/modules.d,metricbeat/config,elasticsearch/config,elasticsearch/data,elasticsearch/logs,kibana/config,kibana/logs}

# Copy or create the configuration files
# (if you have already edited them, just mv them into the corresponding directories)

# Elasticsearch configuration
sudo tee /www/es-kibana/elasticsearch/config/elasticsearch.yml > /dev/null << EOF
cluster.name: "es-docker-cluster"
network.host: 0.0.0.0
http.port: 9200
discovery.type: single-node
bootstrap.memory_lock: true
path.data: /usr/share/elasticsearch/data
path.logs: /usr/share/elasticsearch/logs
# ─── Security / authentication ───────────────────────────
xpack.security.enabled: true
# ─── Enable anonymous access (allows access to the ES HTTP API without credentials) ───
# Requests that carry no credentials run with the role listed here (superuser).
xpack.security.authc.anonymous.username: anonymous_user
xpack.security.authc.anonymous.roles: superuser
xpack.security.authc.anonymous.authz_exception: false
EOF

# Kibana configuration
sudo tee /www/es-kibana/kibana/config/kibana.yml > /dev/null << EOF
server.name: kibana
server.host: "0.0.0.0"
server.port: 5601
elasticsearch.hosts: [ "http://elasticsearch:9200" ]
elasticsearch.username: "elastic"
elasticsearch.password: "123456"
# Session encryption and security settings
xpack.security.encryptionKey: "a_very_long_random_string_at_least_32_chars"
xpack.security.session.idleTimeout: "1h"
i18n.locale: "zh-CN"
logging.dest: /usr/share/kibana/logs/kibana.log
EOF

# Metricbeat configuration
sudo tee /www/es-kibana/metricbeat/config/metricbeat.yml > /dev/null << EOF
metricbeat.config.modules:
  path: /usr/share/metricbeat/modules.d/*.yml
  reload.enabled: false
setup.ilm.enabled: false
setup.template.enabled: true
setup.template.name: "metricbeat-mian-stg"
setup.template.pattern: "metricbeat-mian-stg-*"
output.elasticsearch:
  hosts: ["http://elasticsearch:9200"]
  username: "elastic"
  password: "123456"
monitoring.enabled: true
EOF

# Enable the default system monitoring module
sudo tee /www/es-kibana/metricbeat/modules.d/system.yml > /dev/null << EOF
- module: system
  metricsets:
    - cpu
    - load
    - memory
    - network
    - process
    - process_summary
    - uptime
    - filesystem
    - diskio
    - socket_summary
  period: 10s
  processes: ['.*']
  enabled: true
EOF

# Make sure directory ownership is correct (Elasticsearch's default UID/GID are both 1000)
sudo chown -R 1000:1000 /www/es-kibana/elasticsearch/{data,logs}
sudo chown -R 1000:1000 /www/es-kibana/kibana/logs
cd /www/es-kibana
vim docker-compose.yml (configuration file)
version: '3.8'
services:
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:7.10.2
    container_name: elasticsearch
    environment:
      - discovery.type=single-node
      - ELASTIC_PASSWORD=123456
      - bootstrap.memory_lock=true
      - ES_JAVA_OPTS=-Xms1g -Xmx1g
    ulimits:
      memlock:
        soft: -1
        hard: -1
    ports:
      - "9200:9200"
      - "9300:9300"
    volumes:
      - ./elasticsearch/data:/usr/share/elasticsearch/data
      - ./elasticsearch/logs:/usr/share/elasticsearch/logs
      - ./elasticsearch/config/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml:ro
    networks:
      - es-network
  kibana:
    image: docker.elastic.co/kibana/kibana:7.10.2
    container_name: kibana
    environment:
      - SERVER_PORT=5601
      - ELASTICSEARCH_HOSTS=http://elasticsearch:9200
      - ELASTICSEARCH_USERNAME=elastic
      - ELASTICSEARCH_PASSWORD=123456
    ports:
      - "5601:5601"
    volumes:
      - ./kibana/config/kibana.yml:/usr/share/kibana/config/kibana.yml:ro
      - ./kibana/logs:/usr/share/kibana/logs
    depends_on:
      - elasticsearch
    networks:
      - es-network
  metricbeat:
    image: docker.elastic.co/beats/metricbeat:7.10.2
    container_name: metricbeat
    user: root
    depends_on:
      - elasticsearch
    cap_add:
      - SYS_PTRACE
      - DAC_READ_SEARCH
    volumes:
      - ./metricbeat/config/metricbeat.yml:/usr/share/metricbeat/metricbeat.yml:ro
      - ./metricbeat/modules.d:/usr/share/metricbeat/modules.d:ro
      - /proc:/hostfs/proc:ro
      - /sys/fs/cgroup:/hostfs/sys/fs/cgroup:ro
      - /:/hostfs:ro
    networks:
      - es-network
volumes: {}
networks:
  es-network:
    driver: bridge
Start the services
cd /www/es-kibana
docker-compose down -v
docker-compose up -d
docker-compose logs -f elasticsearch
docker-compose logs -f kibana
docker-compose logs -f metricbeat
Directory structure at a glance
/www/es-kibana/
├── docker-compose.yml
├── elasticsearch/
│   └── elasticsearch.yml
├── kibana/
│   └── kibana.yml
├── data/    # Elasticsearch data directory (mounted)
└── logs/    # Elasticsearch log directory (mounted)
Verify the services
curl http://localhost:9200
# External network
curl http://127.0.0.1:9200
# Kibana: obtain the passwords
docker exec -it elasticsearch bin/elasticsearch-setup-passwords auto
# elastic 123456
Directory
mkdir -p /www/filebeat/logs && cd /www/filebeat/logs
Debug the filebeat configuration
# Change the template parameter value; the uploaded parameters are inconsistent
setup.template.priority
# Adjustments for the JSON parsing problem
json.keys_under_root: true   # change this line
json.add_error_key: true
json.message_key: json       # change this line
# Debug first -> then check that syncing works when started under docker -> start the image -> start the production container
Filebeat configuration for production (prd) v99_mian
Directory
mkdir -p /www/filebeat/
mkdir -p /www/filebeat/modules.d
/www/filebeat/
├── docker-compose.yml
├── Dockerfile
└── filebeat.docker.yml
vim filebeat.docker.yml
filebeat.config:
  modules:
    path: ${path.config}/modules.d/*.yml
    reload.enabled: false

filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - /var/log/v99mian/**/*.log
      - /var/log/nginx/**/*.log
    json.keys_under_root: true
    json.add_error_key: true
    json.overwrite_keys: true
    fields:
      log_source: mian

processors:
  - decode_json_fields:
      fields: ["message"]
      target: ""
      overwrite_keys: true
  - timestamp:
      field: "@timestamp"
      layouts:
        - '2006-01-02T15:04:05.000Z07:00'
      timezone: "UTC"
  - add_host_metadata: {}
  - add_cloud_metadata: {}
  - add_docker_metadata: {}
  - add_kubernetes_metadata: {}

output.elasticsearch:
  hosts: ["127.0.0.1:9200"]
  username: "elastic"
  password: "123456"
  ssl.verification_mode: "none"

setup.template.name: "metricbeat-mian-prd"
setup.template.pattern: "metricbeat-*"
setup.template.priority: 260
setup.ilm.enabled: true
setup.ilm.rollover_alias: "metricbeat-mian-prd"
setup.ilm.pattern: "{now/d}-000001"
setup.ilm.policy_name: "metricbeat-mian-prd-policy"
setup.ilm.policy:
  policy:
    phases:
      hot:
        actions:
          rollover:
            max_age: "1d"
            max_size: "50gb"
      delete:
        min_age: "30d"
        actions:
          delete: {}
setup.template.settings:
  index.mapping.total_fields.limit: 2000
  index.mapping.ignore_malformed: true
  index.number_of_shards: 1
  index.number_of_replicas: 0
vim Dockerfile
FROM docker.elastic.co/beats/filebeat:7.10.2
# Switch to root (to have permission to change the config file's owner)
USER root
# Copy the configuration file into the image
COPY filebeat.docker.yml /usr/share/filebeat/filebeat.yml
# If modules.d contains custom modules, copy them as well
COPY modules.d /usr/share/filebeat/modules.d
# Make sure the filebeat user can read the configuration
RUN chown -R root:filebeat /usr/share/filebeat/filebeat.yml \
    && chmod 0644 /usr/share/filebeat/filebeat.yml
# Switch back to the non-root user
USER filebeat
# Mount points for the log directories (same paths as in filebeat.docker.yml and docker-compose.yml)
VOLUME ["/var/log/v99mian"]
VOLUME ["/var/log/nginx"]
# Start command
CMD ["filebeat", "-e", "--strict.perms=false", "-c", "/usr/share/filebeat/filebeat.yml"]
vim docker-compose.yml
version: '3.8'
services:
  filebeat:
    build:
      context: .
      dockerfile: Dockerfile
    container_name: filebeat-mian
    restart: always
    user: root
    volumes:
      - /var/log/v99mian:/var/log/v99mian:ro
      - /var/log/nginx:/var/log/nginx:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
Build the Docker image and start it
cd /www/filebeat
docker-compose down -v
docker-compose up -d
docker-compose up --build -d   # start for debugging
docker ps                      # check the container's running state
docker logs -f filebeat-mian   # follow the output log in real time
Verify ES
# The index pattern follows setup.ilm.rollover_alias in filebeat.docker.yml
curl -u elastic:123456 \
  'http://127.0.0.1:9200/metricbeat-mian-prd-*/_search?size=5&pretty'
curl -u elastic:123456 'http://127.0.0.1:9200/_cluster/health?pretty'
curl -u elastic:123456 'http://127.0.0.1:9200/_cat/indices?v'
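The configuration files written in this walkthrough map anonymous requests to `superuser`, store a literal password, bind to 0.0.0.0 and set `ssl.verification_mode: "none"`. As an added example (not part of the original article), the script below flags those settings in a YAML file; `audit_config`, `count_findings`, the `filebeat_writer` user, the `ES_PWD` keystore key and the CA path are assumptions, and the sample files are constructed.

```bash
#!/bin/sh
# Added example: audit_config is a hypothetical helper, not an Elastic tool.
# It prints one line per risky setting found in the YAML file given as $1.
audit_config() {
  # Credential-less requests mapped to a privileged role
  grep -Eq '^[[:space:]]*xpack\.security\.authc\.anonymous\.roles:.*superuser' "$1" &&
    echo "$1: anonymous requests receive the superuser role"
  # Certificate checks turned off on the connection to Elasticsearch
  grep -Eq '^[[:space:]]*ssl\.verification_mode:[[:space:]]*"?none' "$1" &&
    echo "$1: TLS certificate verification is disabled"
  # Password written literally instead of a ${KEY} keystore/environment reference
  grep -E '^[[:space:]]*([a-z.]+\.)?password:' "$1" | grep -vq '\${' &&
    echo "$1: literal password in config file"
  # Service bound to every interface
  grep -Eq '^[[:space:]]*(network|server)\.host:[[:space:]]*"?0\.0\.0\.0' "$1" &&
    echo "$1: service listens on all interfaces"
  return 0
}
count_findings() { audit_config "$1" | wc -l | tr -d ' '; }

# Constructed samples: settings taken from this page, plus a tightened variant.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/elasticsearch.yml" <<'EOF'
network.host: 0.0.0.0
xpack.security.enabled: true
xpack.security.authc.anonymous.username: anonymous_user
xpack.security.authc.anonymous.roles: superuser
EOF
cat > "$tmp/filebeat.yml" <<'EOF'
output.elasticsearch:
  hosts: ["127.0.0.1:9200"]
  username: "elastic"
  password: "123456"
  ssl.verification_mode: "none"
EOF
cat > "$tmp/filebeat.hardened.yml" <<'EOF'
output.elasticsearch:
  hosts: ["https://127.0.0.1:9200"]
  username: "filebeat_writer"
  password: "${ES_PWD}"
  ssl.certificate_authorities: ["/usr/share/filebeat/ca.crt"]
EOF
for f in "$tmp"/*.yml; do audit_config "$f"; done
```

Run against the real files, the same function takes `/www/es-kibana/elasticsearch/config/elasticsearch.yml` or `/www/filebeat/filebeat.docker.yml` as its argument.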