https://hub.docker.com/r/sebp/elk/

https://abc.htmltoo.com/thread-44944.htm

================ Notes ==================

Elasticsearch refuses to start when vm.max_map_count is below 262144, so raise it on the Docker host before starting the container:

vi /etc/sysctl.conf

vm.max_map_count=655360

sysctl -p

==========================================

Application: elk -> Add service: elk

Image: sebp/elk:latest    (Elasticsearch + Logstash + Kibana; the Logstash Beats input on 5044 receives the data collected by Filebeat)

or  140.cndo.org:5000/os:elk-20181022

Volumes:

/etc/localtime:/etc/localtime:ro

/data/file:/data/file

Ports (host -> container):

9201 -> 9200   (Elasticsearch HTTP)

9202 -> 5601   (Kibana)

9203/tcp -> 5044   (Logstash Beats input)

9204 -> 9100

Elasticsearch and Kibana in this image run without authentication by default, so publish 9201 and 9202 only on a trusted interface or behind a firewall.

vi  /etc/profile
export PATH=/data/logstash-6.3.2/bin:$PATH
source /etc/profile

cd /opt/logstash/
./bin/logstash-plugin install logstash-codec-fluent logstash-codec-json logstash-codec-netflow logstash-codec-rubydebug
./bin/logstash-plugin install logstash-input-file logstash-filter-dissect logstash-input-elasticsearch logstash-input-redis logstash-input-beats
./bin/logstash-plugin install logstash-filter-grok logstash-filter-geoip logstash-filter-kv logstash-filter-json logstash-filter-urldecode logstash-filter-useragent
./bin/logstash-plugin install logstash-output-rabbitmq logstash-output-influxdb logstash-output-opentsdb logstash-output-redis

Testing Logstash:
logstash -e 'input { stdin { } } output { stdout {codec=>rubydebug} }'
The terminal then waits for input. Type Hello World, press Enter, and look at the event that comes back.
logstash -t -f etc/ # check that the config files parse without starting the pipeline (--config.test_and_exit)
logstash -f etc/ # load every *.conf file under etc/ and start
nohup bin/logstash -f etc/ &  # run in the background
ps -ef |grep logstash # find the process ID
kill id  # stop with SIGTERM so Logstash shuts the pipeline down and flushes in-flight events; kill -9 discards whatever is still in memory

vi /opt/logstash/patterns/nginx

WZ ([^ ]*) 
NGINXACCESS %{IP:remote_ip} \- \- \[%{HTTPDATE:timestamp}\] "%{WORD:method} %{WZ:request} HTTP/%{NUMBER:httpversion}" %{NUMBER:status} %{NUMBER:bytes} %{QS:referer} %{QS:agent} %{QS:xforward}

cd /etc/logstash/conf.d/

vi 02-beats-input.conf

input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate => "/etc/pki/tls/certs/logstash-beats.crt"
    ssl_key => "/etc/pki/tls/private/logstash-beats.key"
  }
}

vi 10-syslog.conf

filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    syslog_pri { }
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}

vi  11-nginx.conf

filter {
  if [type] == "nginx-access" {
    grok {
      # NGINXACCESS comes from the custom patterns file above, not from the
      # built-in pattern set, so grok has to be told where to load it from;
      # without patterns_dir the pipeline fails to start on the unknown name
      patterns_dir => ["/opt/logstash/patterns"]
      match => { "message" => "%{NGINXACCESS}" }
    }
  }
}
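The grok filter does nothing more than expand each %{NAME:field} reference into a named regex group, which is why the custom NGINXACCESS pattern has to be made visible to it and why the syslog match string above works with built-in names only. The Python below is added here as an illustration and is not part of the original post or of Logstash: it implements that expansion over the page's patterns/nginx file and the syslog match string, then runs it over constructed sample lines. The definitions in BUILTIN are simplified stand-ins for the real grok library (IPv4 only, double-quoted QS), and the sample lines, hostnames and addresses are invented.

```python
import re

# Simplified stand-ins for the Logstash built-in grok patterns used on this
# page (assumption: IPv4 only, double-quoted QS); enough for the sample lines.
BUILTIN = {
    "WORD": r"\b\w+\b",
    "NUMBER": r"[+-]?[0-9]+(?:\.[0-9]+)?",
    "POSINT": r"\b[1-9][0-9]*\b",
    "IP": r"(?:[0-9]{1,3}\.){3}[0-9]{1,3}",
    "HTTPDATE": r"[0-9]{1,2}/[A-Za-z]{3}/[0-9]{4}:[0-9]{2}:[0-9]{2}:[0-9]{2} [+-][0-9]{4}",
    "QS": r'"(?:[^"\\]|\\.)*"',
    "DATA": r".*?",
    "GREEDYDATA": r".*",
    "SYSLOGTIMESTAMP": r"\b(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) +[0-9]{1,2} [0-9]{2}:[0-9]{2}:[0-9]{2}",
    "SYSLOGHOST": r"[A-Za-z0-9._-]+",
}

# Contents of /opt/logstash/patterns/nginx exactly as on this page.
NGINX_PATTERNS_FILE = r'''
WZ ([^ ]*)
NGINXACCESS %{IP:remote_ip} \- \- \[%{HTTPDATE:timestamp}\] "%{WORD:method} %{WZ:request} HTTP/%{NUMBER:httpversion}" %{NUMBER:status} %{NUMBER:bytes} %{QS:referer} %{QS:agent} %{QS:xforward}
'''

# The match string from 10-syslog.conf.
SYSLOG_MATCH = r"%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}"

# %{NAME} or %{NAME:field}
REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def load_patterns_file(text):
    """Parse a grok patterns file (one 'NAME definition' per line), as Logstash
    does for every file found under patterns_dir."""
    lib = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, definition = line.partition(" ")
        lib[name] = definition
    return lib


def missing_patterns(pattern, library):
    """Names referenced (recursively) by pattern that library cannot resolve.
    A non-empty result is the condition under which Logstash refuses to start."""
    missing = set()
    for name, _field in REF.findall(pattern):
        if name in library:
            missing |= missing_patterns(library[name], library)
        else:
            missing.add(name)
    return missing


def expand(pattern, library):
    """Replace every %{NAME:field} with a Python named group (KeyError if NAME is unknown)."""
    def sub(m):
        name, field = m.group(1), m.group(2)
        inner = expand(library[name], library)
        return f"(?P<{field}>{inner})" if field else f"(?:{inner})"
    return REF.sub(sub, pattern)


def grok(line, pattern, library):
    """Captured fields as a dict, or None where Logstash would add _grokparsefailure."""
    m = re.search(expand(pattern, library), line)
    return m.groupdict() if m else None


# Constructed sample lines; not taken from any real server.
NGINX_OK = '203.0.113.5 - - [22/Oct/2018:10:15:32 +0800] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0" "198.51.100.7"'
NGINX_SPACE_IN_REQUEST = '203.0.113.5 - - [22/Oct/2018:10:15:32 +0800] "GET /search?q=a b HTTP/1.1" 200 612 "-" "curl/7.58" "-"'
SYSLOG_LINE = "Oct  2 10:15:32 web01 sshd[1234]: Accepted publickey for deploy from 203.0.113.5 port 52144 ssh2"


def parse_examples():
    library = dict(BUILTIN)
    library.update(load_patterns_file(NGINX_PATTERNS_FILE))
    return {
        "nginx": grok(NGINX_OK, "%{NGINXACCESS}", library),
        "nginx_space": grok(NGINX_SPACE_IN_REQUEST, "%{NGINXACCESS}", library),
        "syslog": grok(SYSLOG_LINE, SYSLOG_MATCH, library),
        # the same match without the custom file loaded: NGINXACCESS is unknown
        "missing_without_patterns_dir": missing_patterns("%{NGINXACCESS}", BUILTIN),
    }


if __name__ == "__main__":
    for key, value in parse_examples().items():
        print(key, "->", value)
```

The second nginx line shows the limit of `WZ ([^ ]*)`: a request path containing a space breaks the whole match, so in Logstash that event carries only `message` plus the `_grokparsefailure` tag, which is worth watching for in the rubydebug output before pointing the pipeline at Elasticsearch or InfluxDB. The last entry is the check to run against a new pattern file before restarting: any name it reports must be defined in a file under patterns_dir.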

vi 30-output.conf

output {
  elasticsearch {
   hosts => ["localhost"]
   manage_template => false
   index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
   document_type => "%{[@metadata][type]}"
  }
}


-----------Debugging the rules----------

vi  02-beats-input.conf.file

input {
      file {
        # glob covering the access logs of every domain; adjust to your own log naming
        path => [ "/data/docker/nginx/logs/nginx_*.log" ]
        start_position => "beginning"
     }
}

vi 30-output.conf.influxdb

output {
  influxdb {
    db => "filebeat"
    host => "209.cndo.org"
    port => "8086"
    user => "ihunter"
    # plaintext credential in the config file; Logstash can read it from the
    # environment instead, e.g. password => "${INFLUXDB_PASSWORD}"
    password => "wdqdmm@m"
    coerce_values => {
      "request" => "varchar"
      "status" => "varchar"
    }
    data_points => {
      "request" => "%{request}"
      "status" => "%{status}"
      "referer" => "%{referer}"
      "agent" => "%{agent}"
      "method" => "%{method}"
      "remote_ip" => "%{remote_ip}"
      "bytes" => "%{bytes}"
      "host" => "%{host}"
      "timestamp" => "%{timestamp}"
    }
  }
  # the influxdb block must be closed before stdout, otherwise the config fails to parse
  stdout { codec => rubydebug }
}


Reference:

https://blog.csdn.net/qq_24879495/article/details/77963940

