Quickly installing the Elastic Stack (ELK) on Docker

ELK is an open-source, centralized log management system made up of three tools: Elasticsearch (full-text search engine), Logstash (data ingestion and shipping) and Kibana (data visualization dashboards). After Beats (lightweight data shippers) were added, it was renamed the Elastic Stack (still commonly called the ELK Stack). This walkthrough uses an open-source project that someone has already put together to install the Elastic Stack (ELK) quickly with docker compose.
Note: git and docker compose must be installed first.

Download the project

    
git clone https://github.com/deviantony/docker-elk
    

This creates a docker-elk directory; all of the following steps are run from inside the docker-elk directory.

Change the passwords

The default passwords are kept in the .env file. Change them before starting the stack: the default for every user is changeme, and you can edit the values directly. Changing them after the first start is more tedious.
    
ELASTIC_VERSION=8.9.2

## Passwords for stack users
#

# User 'elastic' (built-in)
#
# Superuser role, full access to cluster management and data indices.
# https://www.elastic.co/guide/en/elasticsearch/reference/current/built-in-users.html
ELASTIC_PASSWORD='changeme'

# User 'logstash_internal' (custom)
#
# The user Logstash uses to connect and send data to Elasticsearch.
# https://www.elastic.co/guide/en/logstash/current/ls-security.html
LOGSTASH_INTERNAL_PASSWORD='changeme'

# User 'kibana_system' (built-in)
#
# The user Kibana uses to connect and communicate with Elasticsearch.
# https://www.elastic.co/guide/en/elasticsearch/reference/current/built-in-users.html
KIBANA_SYSTEM_PASSWORD='changeme'

# Users 'metricbeat_internal', 'filebeat_internal' and 'heartbeat_internal' (custom)
#
# The users Beats use to connect and send data to Elasticsearch.
# https://www.elastic.co/guide/en/beats/metricbeat/current/feature-roles.html
METRICBEAT_INTERNAL_PASSWORD=''
FILEBEAT_INTERNAL_PASSWORD=''
HEARTBEAT_INTERNAL_PASSWORD=''

# User 'monitoring_internal' (custom)
#
# The user Metricbeat uses to collect monitoring data from stack components.
# https://www.elastic.co/guide/en/elasticsearch/reference/current/how-monitoring-works.html
MONITORING_INTERNAL_PASSWORD=''

# User 'beats_system' (built-in)
#
# The user the Beats use when storing monitoring information in Elasticsearch.
# https://www.elastic.co/guide/en/elasticsearch/reference/current/built-in-users.html
BEATS_SYSTEM_PASSWORD=''

    

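Filling in the .env passwords by hand is easy to forget; the script below is an added example and is not part of the docker-elk project. It regenerates every *_PASSWORD entry that is still empty or changeme with a random 24-character value, leaves values you have already set alone, and reports any placeholder that remains, so the check can gate the setup step. It assumes a POSIX sh with /dev/urandom; the file name harden-env.sh and the function names are its own.

```shell
#!/bin/sh
# Added example, not part of the docker-elk project: rotate placeholder
# passwords in .env before the first `docker-compose up setup`.
# Assumes a POSIX sh with /dev/urandom; file and function names are ours.

# Print one random 24-character alphanumeric password.
gen_password() {
  LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 24
}

# Strip one layer of surrounding single or double quotes from a value.
unquote() {
  v=$1
  v=${v#\'}; v=${v%\'}
  v=${v#\"}; v=${v%\"}
  printf '%s\n' "$v"
}

# True when a value is one of the placeholders shipped in .env.
is_placeholder() {
  case $1 in
    ''|changeme) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the unquoted value of KEY from FILE (first match only).
get_env_value() {       # $1 = file, $2 = key
  unquote "$(grep "^$2=" "$1" | head -n 1 | cut -d= -f2-)"
}

# Rewrite FILE so that every *_PASSWORD= line whose value is a placeholder
# gets a fresh random password; every other line is copied through unchanged.
set_env_passwords() {   # $1 = file
  tmp="$1.tmp"
  : > "$tmp"
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in
      [A-Z]*_PASSWORD=*)
        key=${line%%=*}
        value=$(unquote "${line#*=}")
        if is_placeholder "$value"; then
          printf "%s='%s'\n" "$key" "$(gen_password)" >> "$tmp"
        else
          printf '%s\n' "$line" >> "$tmp"
        fi
        ;;
      *) printf '%s\n' "$line" >> "$tmp" ;;
    esac
  done < "$1"
  mv "$tmp" "$1"
}

# List every *_PASSWORD= key in FILE that still holds a placeholder.
# Returns 1 if any was found, so it can gate the setup step.
check_env_passwords() { # $1 = file
  bad=0
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in
      [A-Z]*_PASSWORD=*)
        if is_placeholder "$(unquote "${line#*=}")"; then
          echo "placeholder password: ${line%%=*}"
          bad=1
        fi
        ;;
    esac
  done < "$1"
  return $bad
}

# Usage: sh harden-env.sh .env   (run inside docker-elk before setup)
if [ -n "$1" ] && [ -f "$1" ]; then
  set_env_passwords "$1" && check_env_passwords "$1"
fi
```

Run it as sh harden-env.sh .env from inside docker-elk before the first docker-compose up setup. The generated values are what you read back later (for example with get_env_value .env ELASTIC_PASSWORD) when logging in to Kibana, and the script only touches lines that still carry the shipped placeholders, so rerunning it never overwrites a password you chose yourself.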
Turn off the paid-feature trial

The Elastic Stack offers Platinum and Enterprise subscription features. They are enabled by default as a free 30-day trial; once it expires only the Basic features remain. If you do not want the trial at all, edit line 11 of docker-elk\elasticsearch\config\elasticsearch.yml by hand and change trial to basic:
    
---
## Default Elasticsearch configuration from Elasticsearch base image.
## https://github.com/elastic/elasticsearch/blob/main/distribution/docker/src/docker/config/elasticsearch.yml
#
cluster.name: docker-cluster
network.host: 0.0.0.0

## X-Pack settings
## see https://www.elastic.co/guide/en/elasticsearch/reference/current/security-settings.html
#
xpack.license.self_generated.type: basic
xpack.security.enabled: true
    

Initialization

The first run needs an initialization step:
    
docker-compose up setup
    

When it completes normally it prints the message below and the foreground process in the terminal exits on its own (the containers keep running in the background):
    
docker-elk-setup-1 exited with code 0
    

Starting the stack

Run in the foreground (closing the terminal stops it; handy for debugging):
    
docker-compose up
    

Run in the background (closing the terminal does not stop it):
    
docker-compose up -d
    

Stopping the stack

Stop:
    
docker-compose down
    

Stop and delete all data:
    
docker-compose down -v
    

The default ports and what they serve:
  • 5044: Logstash Beats input
  • 50000: Logstash TCP input
  • 9600: Logstash monitoring API
  • 9200: Elasticsearch HTTP
  • 9300: Elasticsearch TCP transport
  • 5601: Kibana (web UI)

Usage

Open the following URL:
    
http://localhost:5601
    


Default username: elastic
Default password: changeme
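Once the stack is up it is worth confirming two things from the host: that Elasticsearch answers with the password you set, and that the license really is basic rather than trial (that is, the edit to elasticsearch.yml described above took effect). The script below is an added example, not part of docker-elk. It uses the real Elasticsearch endpoints /_cluster/health and /_license and the Kibana endpoint /api/status, and assumes curl is installed and the stack listens on the default ports 9200 and 5601 on localhost; the ES_URL and KIBANA_URL variables, the file name check-stack.sh and the function names are its own.

```shell
#!/bin/sh
# Added example, not part of the docker-elk project: check a freshly started
# stack from the host. Reads the elastic password from .env, asks
# Elasticsearch for its cluster health and license, and fails if the license
# is still 'trial' (the elasticsearch.yml edit did not take effect) or the
# cluster is red. Assumes curl and the default ports 9200 and 5601 on localhost.

ES_URL=${ES_URL:-http://localhost:9200}
KIBANA_URL=${KIBANA_URL:-http://localhost:5601}

# Pull one string field out of a small JSON document with sed. Enough for
# the flat fields used here; it is not a general JSON parser.
json_string_field() {   # $1 = json, $2 = field name
  printf '%s\n' "$1" | sed -n "s/.*\"$2\" *: *\"\([^\"]*\)\".*/\1/p"
}

# 0 when the license type is basic, 1 for trial or anything else.
license_ok() {          # $1 = body of GET /_license
  [ "$(json_string_field "$1" type)" = "basic" ]
}

# 0 for green or yellow (yellow is normal for a single node), 1 otherwise.
health_ok() {           # $1 = body of GET /_cluster/health
  case $(json_string_field "$1" status) in
    green|yellow) return 0 ;;
    *) return 1 ;;
  esac
}

# Query the running stack. -f makes curl fail on HTTP 401, so a wrong
# password is reported as unreachable instead of being parsed as a body.
check_stack() {         # $1 = password of the elastic user
  health=$(curl -sf -u "elastic:$1" "$ES_URL/_cluster/health") ||
    { echo "cannot query $ES_URL (is the stack up? is the password right?)"; return 1; }
  license=$(curl -sf -u "elastic:$1" "$ES_URL/_license") || return 1
  echo "cluster status: $(json_string_field "$health" status)"
  echo "license type:   $(json_string_field "$license" type)"
  health_ok "$health" || { echo "cluster is red"; return 1; }
  license_ok "$license" ||
    { echo "license is not basic: check xpack.license.self_generated.type in elasticsearch.yml"; return 1; }
  code=$(curl -s -o /dev/null -w '%{http_code}' -u "elastic:$1" "$KIBANA_URL/api/status")
  [ "$code" = "200" ] || { echo "Kibana status endpoint returned HTTP $code"; return 1; }
  echo "Kibana is up at $KIBANA_URL"
}

# Usage: sh check-stack.sh .env   (after `docker-compose up -d`)
if [ -n "$1" ] && [ -f "$1" ]; then
  pw=$(sed -n "s/^ELASTIC_PASSWORD=['\"]*\([^'\"]*\)['\"]*\$/\1/p" "$1")
  check_stack "$pw"
fi
```

Run it as sh check-stack.sh .env from inside docker-elk after the containers are up. A license type of trial means the 30-day trial is still active; a red cluster or an HTTP error from Kibana usually means the containers are still starting, so wait a moment and run it again.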

Common errors

If setup fails with an error like this:
    
docker-compose up setup
time="2023-09-12T00:05:33+08:00" level=warning msg="mount of type `volume` should not define `bind` option"
[+] Running 4/3
 ✔ Network docker-elk_elk                Created                                                                                                                                                0.0s
 ✔ Volume "docker-elk_elasticsearch"     Created                                                                                                                                                0.0s
 ✔ Container docker-elk-elasticsearch-1  Created                                                                                                                                                0.1s
 ✔ Container docker-elk-setup-1          Created                                                                                                                                                0.0s
Attaching to docker-elk-elasticsearch-1, docker-elk-setup-1
Error response from daemon: network 9fa96472cd41d7a6551faeda9689db267fac9c1f5dc4f94aa57d5de57d0938d8 not found
    

you can inspect the existing networks with docker network ls:
    
# docker network ls
NETWORK ID     NAME               DRIVER    SCOPE
51c26e0e19e4   bridge             bridge    local
3ae0b816b5a8   elk                bridge    local
1c1dd65eb2c8   host               host      local
dea3c4f0832a   mantisbt_default   bridge    local
550bdd0ac63d   none               null      loca
    

There may be a leftover network named elk or docker-elk_elk; just delete it:
    
docker network rm 3ae0b816b5a8
    


Note: alerting in the Elastic Stack now requires a paid subscription. This covers all connectors, including Email, API and Slack notifications, and Kibana reports: this connector requires a gold license

References:
GitHub - docker-elk
elastic - Elastic Stack
elastic - Beats
elastic - Elastic Stack subscriptions
elastic - License Management
