docker日志1

docker日志elk

elk是三个软件的合称：ELasticsearch、Logstash、Kibana

ELasticsearch

一个近乎失明查询的全文搜索引擎，ELasticsearch的设计目标就是要能够处理和搜索巨量的日志数据

Logstash

读取原始日志，并对其进行分析和过滤，然后将其转发给其他组件（比如ELasticsearch）进行索引或存储，Logstash支持丰富的input和output类型，能够处理各种应用的日志

Kibana

一个基于javascript的web图形界面程序，专门用于可视化ELasticsearch的数据。Kibana能够查询ELasticsearch并通过丰富的图标展示结果用户可以创建dashboard来监控系统日志

日志处理流程

 logstash负责从各个docker容器中提取日志，logstash将日志转发到 ELasticsearch进行索引和保存，kibana分析和可视化数据

安装elk套件

vm.max_map_count至少需要262144 

[root@localhost ~]# cat /etc/sysctl.conf 
# sysctl settings are defined through files in
# /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/.
#
# Vendors settings live in /usr/lib/sysctl.d/.
# To override a whole file, create a new file with the same in
# /etc/sysctl.d/ and put new settings there. To override
# only specific settings, add a file with a lexically later
# name in /etc/sysctl.d/ and put new settings there.
#
# For more information, see sysctl.conf(5) and sysctl.d(5).
vm.max_map_count = 262144

执行sysctl -p查看

[root@localhost ~]# sysctl -p
vm.max_map_count = 262144

下载elk镜像

[root@localhost ~]# docker pull sebp/elk

启动堆栈，运行具有2gb堆大小的elasticsarch和具有1gb堆大小的logstash

[root@localhost ~]# docker run -p 5601:5601 -p 9200:9200 -p 5044:5044 -dit -e ES_HEAP_SIZE="2g" -e LS_HEAP_SIZE="1g" --name elk sebp/elk
1f42b594233c71663345143af7c1ca3c5042caf7c646b059e2f8b6ef9f9c3f7e

此命令发布以下端口，这些端口是正确操作elk堆栈所需要的的：

5601（kibana web界面）

9200（elasticsearch json接口）

5044（logstash beats界面，从beats接收日志，如filebeat）

打开浏览器，访问kibana web

 安装filebeat

rpm -iv filebeat-7.7.0-x86_64.rpm

配置filebeat

文件里面要写出监控那些日志、将日志发送到哪里

#=========================== Filebeat inputs =============================

filebeat.inputs:

# Each - is an input. Most options can be set at the input level, so
# you can use different inputs for various configurations.
# Below are the input specific configurations.

- type: log

  # Change to true to enable this input configuration.
  enabled: true

  # Paths that should be crawled and fetched. Glob based paths.
  paths:
    #- /var/log/*.log
    - /var/lib/docker/containers/*/*.log
    - /var/log/messages

在paths中我们配置了两条路径

1.、- /var/lib/docker/containers/*/*.log 是所有容器的日志文件

2、 /var/log/massages 查看httpd容器日志所在位置

接下来告诉filebeat 将这些日志发送给elk 。filebeat可以将日志发送给elasticsearch 进行索引和保存

#================================ Outputs =====================================

# Configure what output to use when sending the data collected by the beat.

#-------------------------- Elasticsearch output ------------------------------
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["192.168.172.129:9200"]

#============================== Kibana =====================================

# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
# This requires a Kibana endpoint configuration.
setup.kibana:

  # Kibana Host
  # Scheme and port can be left out and will be set to the default (http and 5601)
  # In case you specify and additional path, the scheme is required: http://localhost:5601/path
  # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
  host: "192.168.172.129:5601"

启动filebeat

启动elasticsearch模块

filebeat modules enable elasticsearch

初始化filebeat

filebeat setup

systemctl start filebeat
systemctl enable filebeat

现在可以查看收集到的日志了

 万能数据收集齐fluentd

安装fluentd

运行一个fluentd容器

[root@localhost ~]# docker run -d -P -v /data:/fluentd/log fluent/fluentd

重新编辑配置文件/etc/filebeat/filebeat.yml 将/data添加到监控路径中，删除其他的输入日志即可

#=========================== Filebeat inputs =============================

filebeat.inputs:

# Each - is an input. Most options can be set at the input level, so
# you can use different inputs for various configurations.
# Below are the input specific configurations.

- type: log

  # Change to true to enable this input configuration.
  enabled: true

  # Paths that should be crawled and fetched. Glob based paths.
  paths:
    #- /var/log/*.log
    #- /var/lib/docker/containers/*/*.log
    #- /var/log/messages
    - /data/*.log

重启filebeat

systemctl restart filebeat

监控容器日志，启动测试容器

docker run -dit  --log-driver=fluentd --log-opt fluentd-address=localhost:32768 --log-opt tag="container-A"  busybox sh -c 'while true; do echo "this is a log from A"; sleep 10; done;'

docker run -dit  --log-driver=fluentd --log-opt fluentd-address=localhost:32768 --log-opt tag="container-B"  busybox sh -c 'while true; do echo "this is a log from B"; sleep 10; done;'

--log-driver=flunentd 告诉docker使用fluentd的logging driver
--log-opt fluentd-address=localhost:32768 将容器日志发送到fluentd的数据端口。
--log-opt tag="container-B" 在日志中添加一个可选的tag，用于用于区分不同容器