ELK远程日志log监控

Master机器运行命令：

mkdir -p /var/log/logstash

mkdir -p /var/log/kibana

mkdir -p /var/log/elasticsearch

docker run -v /tmp:/tmp -v /log:/log -v /var/log:/var/log -p 5601:5601 -p 9200:9200 -p 9300:9300 -p 5044:5044 -p 5000:5000 --name elk sebp/elk

 

Slave中只开启lagstash并将相关log指向主ELK服务器：

mkdir -p /var/log/logstash
docker run -v /tmp:/tmp -v /log:/log -v /var/log:/var/log -p 5044:5044 -p 5000:5000 -e ELASTICSEARCH_START=0 -e KIBANA_START=0 --name elk sebp/elk

 

启动后logstash会报错，因为默认指向本地的elasticsearch服务，登录到docker更改配置文件：

docker exec -it elk /bin/bash

vi /etc/logstash/conf.d/30-output.conf

output {

elasticsearch {
hosts => ["<your-host-name>"]
sniffing => true
manage_template => false
index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
document_type => "%{[@metadata][type]}"
}
}

docker restart elk

此时slave的logstash可以正常运行。

 

添加监控文件： 

vi /tmp/first-pipeline.conf

input {
file {
path => ["/tmp/dstat.log","/var/log/messages","/log/*.log"]
start_position => beginning
ignore_older => 0
}
}
output {
elasticsearch {
hosts => [ "<your-host-name>:9200" ]
}
}

 

使用以下命令启动logstash：

docker exec -it elk /opt/logstash/bin/logstash -f /tmp/first-pipeline.conf

 

打开http://<your-host-name>:5601,可以显示以下监控画面即可。