docker部署nginx+elk+filebeat部署日志平台

作者:Garany 发布于:2018-10-10
1.使用sebp/elk的镜像部署elk
# docker run -itd --name elk -p 5044:5044 -v /data/elastic/:/var/lib/elasticsearch sebp/elk
//-p 5044:5044 5044端口是logstash接收filebeat日志的端口,对外暴露;该端口本身没有验证,建议用防火墙只放行filebeat客户端的IP
//-v /data/elastic 把本地目录挂载到elastic的日志数据存储目录
//由于elk对elastic的9200端口和kibana的5601端口不设置验证,所以这里不映射这两个端口,后面使用nginx代理的方式进行访问验证
//镜像没有指定tag,默认拉取latest;建议固定到具体版本,保证与下文的配置项对应
2.进入容器elk,配置
# docker exec -it elk bash
2.1配置elastic
# sed '/^#/d' /etc/elasticsearch/elasticsearch.yml
# Effective (comment-stripped) settings of /etc/elasticsearch/elasticsearch.yml inside the elk container.
cluster.name: ych-ELK
node.name: ELK-node
path.repo: /var/backups
# Binds on every interface of the container, which is how the nginx proxy reaches it over the Docker network.
# Elasticsearch has no authentication in this setup: keep 9200 unpublished and reachable only through the proxy.
network.host: 0.0.0.0
http.port: 9200
# NOTE(review): CORS is enabled for any origin on an endpoint that has no authentication of its own.
# Prefer listing the specific origins that need browser access instead of "*", and confirm whether
# anything in this deployment needs CORS at all.
http.cors.enabled: true
http.cors.allow-origin: "*"
2.2配置logstash的其中一个配置文件
# sed '/^#/d' /etc/logstash/conf.d/203.conf 
# Pipeline: receive Beats events on 5044 and route them by tag into one Elasticsearch index per month.
input {
  # No ssl settings on this input, so events arrive unencrypted and from any sender that can reach the port.
  # NOTE(review): enable TLS on the beats input or restrict 5044 to the Filebeat hosts at the firewall.
  beats {
    port => 5044
  }
}
# Events that carry neither tag match no branch below (there is no final else) and are not indexed anywhere.
output {
  if "203-nginx" in [tags] {
           elasticsearch {
                     hosts => ["127.0.0.1:9200"]
                     # %{+YYYY.MM} expands from the event timestamp, giving one index per month.
                     index => "203-nginx-%{+YYYY.MM}"
                     manage_template => true
     }
  }
  else if "203-zabbix" in [tags] {
           elasticsearch {
                     hosts => ["127.0.0.1:9200"]
                     index => "203-zabbix-%{+YYYY.MM}"
                     manage_template => true
           }
  }
}
//203.conf配置两个index,注意tags跟filebeat配置文件中的tags对应,index跟kibana页面的index对应
2.3配置kibana
# sed -e '/^#/d' -e '/^$/d' /opt/kibana/config/kibana.yml 
# Kibana listens on all container interfaces. It has no login in this setup, so 5601 is only meant
# to be reached through the authenticating nginx proxy and should not be published directly.
server.host: "0.0.0.0"
# Kibana talks to Elasticsearch in the same container over plain HTTP on localhost.
elasticsearch.url: "http://localhost:9200"
2.4重启elk容器
# docker restart elk
3.配置filebeat
3.1配置filebeat客户端
# vim /etc/filebeat/filebeat.yml 
# Two log inputs, each tagged so the Logstash output conditionals can route it to its own index.
filebeat.prospectors:
- input_type: log
  paths:
    - /var/log/nginx/access.log
  exclude_lines: ['TRACE']
  encoding: "utf-8"
  # Must equal the string tested in the Logstash output ("203-nginx" in [tags]).
  tags: "203-nginx"

- input_type: log
  paths:
    - /tmp/zabbix_agentd.log
  exclude_lines: ['TRACE']
  encoding: "utf-8"
  # Must equal the string tested in the Logstash output ("203-zabbix" in [tags]).
  tags: "203-zabbix"

# Ships to the Logstash beats port on the ELK host. There is no ssl section here, so log lines
# cross the network unencrypted.
# NOTE(review): configure TLS on both ends if this path leaves a trusted network.
output.logstash:
  hosts: ["192.168.10.222:5044"]
//配置两个日志目录,对应两个tags,输出到elk的服务端logstash
3.2重启客户端filebeat
# /etc/init.d/filebeat restart
4.配置nginx
4.1nginx vhost配置
# vim /root/default.conf 
# Reverse proxy that puts HTTP basic auth in front of Elasticsearch (9200) and Kibana (5601).
# NOTE(review): both listeners are plain HTTP, so the basic-auth credentials travel unencrypted
# (base64 only) on every request; serve them over TLS (listen ... ssl plus a certificate) or keep
# them on a trusted network.
server {
  listen  9200;
  location / {
    auth_basic "Restricted";
    # Must be the path at which the password file is mounted inside the nginx container.
    auth_basic_user_file /etc/nginx/site_pass;
    # Address of the elk container on the Docker bridge. Docker assigns it, so it can differ or
    # change when containers are recreated — verify it before relying on this value.
    proxy_pass http://172.17.0.2:9200;
    proxy_set_header Host $host:9200;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Via "nginx";
  }
}

server {
  listen 5601;
  server_name localhost;
  location / {
    auth_basic "Restricted";
    # Same password file as the Elasticsearch proxy above.
    auth_basic_user_file /etc/nginx/site_pass;
    proxy_pass http://172.17.0.2:5601;
    proxy_set_header Host $host:5601;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Via "nginx";
  }
}
//分别代理9200和5601端口到elk容器的对应端口,注意elk容器IP
4.2添加网页验证
# vim /root/site_pass
elk:rwE.z8.AYeh9c
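//验证信息通过htpasswd生成,上面一行仅为示例,请自行生成,不要照抄;这种13位的哈希看起来是传统crypt(DES)格式,只使用密码的前8个字符,强度较弱,建议用htpasswd的-m(apr1)等nginx支持的更强格式,并限制该文件的读取权限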
4.3启动nginx容器
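# docker run -itd --name nginx -p 9200:9200 -p 5601:5601 -v /root/default.conf:/etc/nginx/conf.d/default.conf -v /root/site_pass:/etc/nginx/site_pass nginx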
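//映射9200和5601端口,挂载本地vhost和验证信息配置文件;验证文件要挂载到vhost中auth_basic_user_file指向的/etc/nginx/site_pass,源文件是4.2创建的/root/site_pass,即 -v /root/site_pass:/etc/nginx/site_pass,两边路径对不上时nginx读不到验证文件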
5.kibana添加index
标签: ELK
