利用docker

非法入侵

一、搭建环境
172.19.2.51：elasticsearch+kibana+logstash+kopf
172.19.2.50：elasticsearch+nginx+filebeat
172.19.2.49：elasticsearch其中nginx的访问日志为我们要采集的内容，用filebeat传输，所以nginx和filebeat都没有在docker中运行
其他所有组件都在docker中运行，版本为5
二、172.19.2.51安装elk组件
1、安装docker-compose
curl -L https://github.com/docker/compose/releases/download/1.3.1/docker-compose-`uname -s`-`uname -m` > /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
vim /etc/profile
export PATH="$PATH:/usr/local/bin"
source /etc/profile
echo $PATH2、调整单进程的虚拟内存数，如果不调启动容器会报错
sysctl -a | grep vm.max_map_count
sysctl -w vm.max_map_count=2621443、创建配置文件目录和文件
创建elasticsearch数据存储目录
mkdir -pv /root/elk/elasticsearch创建elasticsearch配置文件目录
mkdir -pv /root/elk/es创建kibana配置文件目录
mkdir -pv /root/elk/kibana创建logstash配置文件目录
mkdir -pv /root/elk/logstash创建elasticsearch配置文件
vim /root/elk/es/elasticsearch.yml
network.bind_host: 0.0.0.0
network.host: 172.19.2.51
cluster.name: es-cluster
node.name: "es-node1"
node.master: true
discovery.zen.minimum_master_nodes: 1
discovery.zen.ping.unicast.hosts:
   -  172.19.2.51
   -  172.19.2.50
   -  172.19.2.49创建kibana配置文件
vim /root/elk/kibana/kibana.yml
port: 5601
host: "0.0.0.0"
elasticsearch_url: "http://172.19.2.50:9100"
elasticsearch_preserve_host: true
kibana_index: ".kibana"
default_app_id: "discover"
request_timeout: 300000
shard_timeout: 0
verify_ssl: true
bundled_plugin_ids:
- plugins/dashboard/index
- plugins/discover/index
- plugins/doc/index
- plugins/kibana/index
- plugins/markdown_vis/index
- plugins/metric_vis/index
- plugins/settings/index
- plugins/table_vis/index
- plugins/vis_types/index
- plugins/visualize/index创建logstash配置文件
vim /root/elk/logstash/logstash.conf
input {
  beats {
        port => 20000
        codec => "json"
    }
}
output {
  elasticsearch {
    hosts => "172.19.2.50:9100"
    index => "nginx" }
}创建docker-compose配置文件
vim /root/elk/docker-compose.yml
elasticsearch:
  image: elasticsearch:5
  command: elasticsearch
  environment:
    - "ES_JAVA_OPTS=-Xmx1g -Xms1g"
  volumes:
    - ./elasticsearch:/usr/share/elasticsearch/data
    - ./es/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
  ports:
    - "9200:9200"
    - "9300:9300"
logstash:
  image: logstash:latest
  command: logstash -w 4 -f /etc/logstash/conf.d/logstash.conf
  environment:
    - LS_HEAP_SIZE=2048m
  volumes:
    - ./logstash/logstash.conf:/etc/logstash/conf.d/logstash.conf
  ports:
    - "20000:20000"
kibana:
  image: kibana:latest
  volumes:
    - ./kibana/kibana.yml:/etc/kibana/kibana.yml
  ports:
    - "5601:5601"
kopf:
  image: lmenezes/elasticsearch-kopf
  ports:
    - "80:80"
  environment:
    - KOPF_SERVER_NAME=kopf
    - KOPF_ES_SERVERS=172.19.2.50:91004、启动docker-compose
cd /root/elk
docker-compose up
docker-compose ps三、172.19.2.51安装elasticsearch和nginx+filebeat
1、安装docker-compose
curl -L https://github.com/docker/compose/releases/download/1.3.1/docker-compose-`uname -s`-`uname -m` > /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
vim /etc/profile
export PATH="$PATH:/usr/local/bin"
source /etc/profile
echo $PATH2、调整单进程的虚拟内存数
sysctl -a | grep vm.max_map_count
sysctl -w vm.max_map_count=2621443、创建配置文件目录和文件
创建elasticsearch数据存储目录
mkdir -pv /root/elk/elasticsearch创建elasticsearch配置文件目录
mkdir -pv /root/elk/es创建elasticsearch配置文件
vim /root/elk/es/elasticsearch.yml
network.bind_host: 0.0.0.0
network.host: 172.19.2.50
cluster.name: es-cluster
node.name: "es-node2"
node.master: true
discovery.zen.minimum_master_nodes: 1
discovery.zen.ping.unicast.hosts:
   -  172.19.2.51
   -  172.19.2.50
   -  172.19.2.49创建docker-compose配置文件
vim /root/elk/docker-compose.yml
elasticsearch:
  image: elasticsearch:5
  command: elasticsearch
  environment:
    - "ES_JAVA_OPTS=-Xmx1g -Xms1g"
  volumes:
    - ./elasticsearch:/usr/share/elasticsearch/data
    - ./es/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
  ports:
    - "9200:9200"
    - "9300:9300"修改nginx配置文件（此nginx用来返带elasticsearch集群的9200端口至9100，即es集群的3台主机的9200端口都通过172.19.2.50:9200访问，同时我们采集此nginx的80端口访问日志）
vim /etc/nginx/nginx.conf
user  nginx;
worker_processes  1;
error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;
events {
    worker_connections  1024;
}
http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;
    log_format  logstash_json  '{ "@timestamp": "$time_local", '
                               '"@fields": { '
                               '"remote_addr": "$remote_addr", '
                               '"remote_user": "$remote_user", '
                               '"body_bytes_sent": "$body_bytes_sent", '
                               '"request_time": "$request_time", '
                               '"status": "$status", '
                               '"request": "$request", '
                               '"request_method": "$request_method", '
                               '"http_referrer": "$http_referer", '
                               '"body_bytes_sent":"$body_bytes_sent", '
                               '"http_x_forwarded_for": "$http_x_forwarded_for", '
                               '"http_user_agent": "$http_user_agent" } }';
    access_log  /var/log/nginx/access.log  logstash_json;
    sendfile        on;
    keepalive_timeout  65;
    upstream els {
        server 172.19.2.49:9200 weight=1 max_fails=2 fail_timeout=1;
        server 172.19.2.50:9200 weight=1 max_fails=2 fail_timeout=1;
        server 172.19.2.51:9200 weight=1 max_fails=2 fail_timeout=1;
        }
    server {
        listen       9100;
        access_log  /var/log/nginx/accessels.log  logstash_json;
        location / {
            proxy_pass   http://els/;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            }
        }
    include /etc/nginx/conf.d/*.conf;
}4、安装和配置filebeat
cd /root/
curl -L -O https://download.elastic.co/beats/filebeat/filebeat-1.3.0-x86_64.rpm
rpm -vi filebeat-1.3.0-x86_64.rpm
vim /etc/filebeat/filebeat.yml
filebeat:
  prospectors:
    -
      paths:
        - /var/log/nginx/access.log
      input_type: log
      multiline:
        negate: true
        match: after
      tail_files: false
  registry_file: /var/lib/filebeat/registry
output:
  logstash:
    hosts: ["172.19.2.51:20000"]
    worker: 4
shipper:
logging:
  files:
    rotateeverybytes: 10485760 # = 10MB5、启动docker-compose，启动nginx，启动filebeat
cd /root/elk
docker-compose up
service nginx start
service filebeat start四、172.19.2.49安装elasticsearch节点
1、安装docker-compose
curl -L https://github.com/docker/compose/releases/download/1.3.1/docker-compose-`uname -s`-`uname -m` > /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
vim /etc/profile
export PATH="$PATH:/usr/local/bin"
source /etc/profile
echo $PATH2、调整单进程的虚拟内存数
sysctl -a | grep vm.max_map_count
sysctl -w vm.max_map_count=2621443、创建配置文件目录和文件
创建elasticsearch数据存储目录
mkdir -pv /root/elk/elasticsearch创建elasticsearch配置文件目录
mkdir -pv /root/elk/es创建elasticsearch配置文件
vim /root/elk/es/elasticsearch.yml
network.bind_host: 0.0.0.0
network.host: 172.19.2.49
cluster.name: es-cluster
node.name: "es-node3"
node.master: true
discovery.zen.minimum_master_nodes: 1
discovery.zen.ping.unicast.hosts:
   -  172.19.2.51
   -  172.19.2.50
   -  172.19.2.49创建docker-compose配置文件
vim /root/elk/docker-compose.yml
elasticsearch:
  image: elasticsearch:5
  command: elasticsearch
  environment:
    - "ES_JAVA_OPTS=-Xmx1g -Xms1g"
  volumes:
    - ./elasticsearch:/usr/share/elasticsearch/data
    - ./es/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
  ports:
    - "9200:9200"
    - "9300:9300"4、启动docker-compose
cd /root/elk
docker-compose up五、ELK插件访问地址
1、kopf
http://172.19.2.51/#!/cluster
2、kibana
http://172.19.2.51:5601/
3、所有配置文件已上传git
https://github.com/xsllqs/Blogfile/tree/master/elk