创建挂载目录

# Host directories that docker-compose.yml bind-mounts into the containers:
# elasticsearch plugins + data, and the logstash pipeline config.
mkdir -p -- \
  /docker/elk/elasticsearch/plugins \
  /docker/elk/elasticsearch/data \
  /docker/elk/logstash

给数据目录授权(容器内的 elasticsearch 进程需要写入该目录;授权范围应尽量收窄到该进程所用的用户,而不是对所有用户开放)

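# Make the bind-mounted data directory writable by the elasticsearch process
# in the container. The official image runs as uid:gid 1000:1000 (verify with
# `docker run --rm elasticsearch:6.4.0 id`), so give ownership to that user
# instead of chmod 777 — a world-writable directory lets any local user read
# or tamper with the index files.
chown -R 1000:1000 /docker/elk/elasticsearch/data
chmod 750 /docker/elk/elasticsearch/data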

创建logstash配置文件

# Create the Logstash pipeline definition (contents shown below).
vim -- /docker/elk/logstash/logstash.conf

# Logstash pipeline: read JSON lines over TCP and index them into Elasticsearch.
input {
  tcp {
    mode  => "server"
    host  => "0.0.0.0"    # listen on every container interface (required for the published port)
    port  => 4560
    codec => json_lines   # one JSON document per line
    # NOTE(review): no ssl_enable / ssl_cert here, so clients send plaintext and
    # anything that can reach port 4560 can inject arbitrary documents. Limit
    # who can reach it (host firewall / compose port binding) or enable TLS.
  }
}

output {
  elasticsearch {
    hosts => ["es:9200"]                          # "es" is the compose link alias for the elasticsearch container
    index => "logstash-service-%{+YYYY.MM.dd}"    # one index per day
  }
}

创建docker-compose配置文件

# Create the compose file for the three services (contents shown below).
vim -- /docker/elk/docker-compose.yml

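version: '3'
services:
  elasticsearch:
    # NOTE(review): 6.4.0 is long out of support; prefer a maintained release.
    # The security features of this image are off by default, so every port
    # published below is reachable without credentials.
    image: elasticsearch:6.4.0
    container_name: elasticsearch
    environment:
      - "cluster.name=elasticsearch"       # cluster name
      - "discovery.type=single-node"       # run as a single node (no discovery)
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"   # JVM heap size
    volumes:
      - /docker/elk/elasticsearch/plugins:/usr/share/elasticsearch/plugins   # plugins
      - /docker/elk/elasticsearch/data:/usr/share/elasticsearch/data         # index data
    ports:
      # Bind to loopback only: the REST API has no authentication in this
      # setup, and Kibana/Logstash reach it over the compose network, not via
      # these host ports. Mappings are quoted so YAML cannot misparse them
      # as numbers.
      - "127.0.0.1:9200:9200"
      - "127.0.0.1:9300:9300"
  kibana:
    image: kibana:6.4.0
    container_name: kibana
    links:
      - elasticsearch:es   # elasticsearch is reachable as host name "es"
    depends_on:
      - elasticsearch      # start kibana after elasticsearch
    environment:
      # The Kibana 6.4 image reads ELASTICSEARCH_URL; the `elasticsearch.hosts`
      # key only exists from 6.6 on and is most likely ignored here — check the
      # kibana log at startup to confirm which URL it uses.
      - "ELASTICSEARCH_URL=http://es:9200"
    ports:
      # Kibana has no login in this setup: keep it on a trusted network or put
      # an authenticating reverse proxy in front of it.
      - "5601:5601"
  logstash:
    image: logstash:6.4.0
    container_name: logstash
    volumes:
      - /docker/elk/logstash/logstash.conf:/usr/share/logstash/pipeline/logstash.conf   # pipeline config
    depends_on:
      - elasticsearch      # start logstash after elasticsearch
    links:
      - elasticsearch:es   # elasticsearch is reachable as host name "es"
    ports:
      # Unauthenticated plaintext TCP input (see logstash.conf): anything that
      # can reach this port can write arbitrary documents into the index.
      # Restrict reachability with a firewall / security group or bind the
      # mapping to a specific interface.
      - "4560:4560"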

进入docker-compose.yml所在目录,执行命令

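# Start the stack from the directory that holds docker-compose.yml.
# Abort if the cd fails; otherwise `docker-compose up` would run against
# whatever docker-compose.yml happens to be in the current directory.
cd /docker/elk || exit 1
docker-compose up -d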

注意:`cluster.max_shards_per_node` 这个限制是 es 7.0 之后引入的;上面 compose 文件用的是 6.4.0 镜像,6.x 一般不认识该设置,下面的 PUT 请求会被拒绝,请按实际使用的 es 版本核对。7.0 之后如果不改默认配置,每个节点默认最多 1000 个分片,超过后新索引创建失败、日志就不会再写入 es,所以需要按数据量调大该值(该限制本身是防止分片过多拖垮节点的保护,调大时应结合节点资源评估,而不是无限放大)。

在 Kibana 的 dev-tools 中执行以下请求

查看配置

GET /_cluster/settings?pretty

设置临时值,重启后失效

PUT /_cluster/settings
{
"transient": {
"cluster": {
"max_shards_per_node":900000
}
}
}

设置永久值

PUT /_cluster/settings
{
"persistent": {
"cluster": {
"max_shards_per_node":900000
}
}
}

或者直接修改 elasticsearch.yml 配置文件,设置成你想要的值,然后再重启。通过配置文件修改的参数是永久生效的;但要注意通过 API 写入的 transient / persistent 设置优先级高于 elasticsearch.yml,如果两处都设置过,以 API 里的值为准。

# Per-node shard ceiling (default 1000 on 7.x). 900000 effectively disables the
# limit, which exists as an oversharding safeguard — prefer a value sized to
# this node's real capacity. Takes effect after a restart; API-set
# transient/persistent values override this file.
cluster.max_shards_per_node: 900000