
ELFK部署安装(七)-收集docker日志

#配置方法
#安装docker
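# Install Docker CE from mirror repositories and configure a registry mirror.
# Remove the local-only repo definition so yum resolves packages from the online mirrors.
rm -fr /etc/yum.repos.d/local.repo
# A .repo file decides which servers (and which GPG keys) yum trusts, so fetch it
# over HTTPS rather than plain HTTP. -f makes curl fail on an HTTP error instead of
# saving the error page as the repo file.
# NOTE(review): confirm gpgcheck=1 is still set in the downloaded repo files.
curl -fsSL -o /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo
wget -O /etc/yum.repos.d/docker-ce.repo https://mirrors.ustc.edu.cn/docker-ce/linux/centos/docker-ce.repo
# Point the docker-ce repo at the TUNA mirror instead of download.docker.com.
sed -i 's#download.docker.com#mirrors.tuna.tsinghua.edu.cn/docker-ce#g' /etc/yum.repos.d/docker-ce.repo
yum install docker-ce -y
systemctl start docker
# Make sure the configuration directory exists before writing daemon.json.
mkdir -p /etc/docker
# Every image pull goes through the registry mirror configured here, so list only
# mirrors you trust. NOTE(review): confirm this mirror is still reachable.
cat >/etc/docker/daemon.json<<'EOF'
{
  "registry-mirrors": ["https://registry.docker-cn.com"]
}
EOF
# Restart so the daemon picks up daemon.json.
systemctl restart docker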

#运行nginx镜像
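# Pull the nginx image.
docker pull nginx
# Host port 80 is already in use, so publish the container's port 80 on host port 81.
# NOTE: "-p 81:80" listens on every host interface; use "-p <HOST_IP>:81:80" to
# restrict it to a single address.
docker run --name nginx -p 81:80 -d nginx
docker ps
# Follow the container's log output (press Ctrl-C to stop following).
docker logs -f nginx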
[root@centos7 ~]# docker logs -f nginx
192.168.2.241 - - [16/Dec/2019:02:54:43 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36" "-"
2019/12/16 02:54:43 [error] 6#6: *1 open() "/usr/share/nginx/html/favicon.ico" failed (2: No such file or directory), client: 192.168.2.241, server: localhost, request: "GET /favicon.ico HTTP/1.1", host: "192.168.2.196:81", referrer: "http://192.168.2.196:81/"
192.168.2.241 - - [16/Dec/2019:02:54:43 +0000] "GET /favicon.ico HTTP/1.1" 404 555 "http://192.168.2.196:81/" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36" "-

#在宿主机进入docker存放容器日志的目录,最后一级目录以容器的ID命名
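# Enter the directory Docker keeps for this container. It is named after the full
# container ID, which is resolved here from the container name so the command
# still works after the container is recreated.
cd "/var/lib/docker/containers/$(docker inspect --format '{{.Id}}' nginx)/"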
[root@centos7 0552e0aa1b0559e49965e93f30dd1687c16ec3693db9e59ed71261861cf60478]# ls
0552e0aa1b0559e49965e93f30dd1687c16ec3693db9e59ed71261861cf60478-json.log 日志文件

#在宿主机上通过容器的名称查看容器的ID
[root@centos7 ~]# docker inspect nginx|grep -w "Id"
        "Id": "0552e0aa1b0559e49965e93f30dd1687c16ec3693db9e59ed71261861cf60478",
#重新配置filebeat的配置文件,通过docker的日志目录和容器的id确定哪个日志文件是该容器的日志文件
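# Rewrite the Filebeat configuration so it ships this container's logs to Elasticsearch.
# The redirect below replaces the file, so keep a copy of the current one first.
if [ -f /etc/filebeat/filebeat.yml ]; then
  cp -p /etc/filebeat/filebeat.yml /etc/filebeat/filebeat.yml.bak
fi
cat >/etc/filebeat/filebeat.yml<<'EOF'
filebeat.inputs:
- type: docker
  # Full container ID (see: docker inspect nginx | grep -w "Id").
  # The ID changes whenever the container is recreated, so update it then.
  containers.ids:
    - '0552e0aa1b0559e49965e93f30dd1687c16ec3693db9e59ed71261861cf60478'

setup.kibana:
  host: "192.168.2.197:5601"

# NOTE: this sends logs to Elasticsearch over plain HTTP without credentials,
# which is only acceptable on an isolated lab network. Elsewhere, set
# protocol: "https", username/password and ssl.certificate_authorities here,
# and keep ports 9200/5601 unreachable from untrusted networks.
output.elasticsearch:
  hosts: ["192.168.2.197:9200"]
  indices:
  # The docker input tags each event with its stream: nginx access lines arrive
  # on stdout, error lines on stderr, and each goes to its own monthly index.
  - index: "docker-access-%{[beat.version]}-%{+yyyy.MM}"
    when.contains:
      stream: "stdout"
  - index: "docker-error-%{[beat.version]}-%{+yyyy.MM}"
    when.contains:
      stream: "stderr"

setup.template.name: "docker"
setup.template.pattern: "docker-*"
setup.template.enabled: false
setup.template.overwrite: true
EOF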
==========================================================================================
配置文件说明
filebeat.inputs:
- type: docker
  containers.ids:  这里填写docker容器的id一般在日志目录或者通过命令获取
    - '0552e0aa1b0559e49965e93f30dd1687c16ec3693db9e59ed71261861cf60478'

setup.kibana:
  host: "192.168.2.197:5601"
  

output.elasticsearch:
  hosts: ["192.168.2.197:9200"]
  indices:
  - index: "docker-access-%{[beat.version]}-%{+yyyy.MM}"
    when.contains:
      stream: "stdout"    通过es查看filebeat发送的字段,其中有stream字段:访问(access)日志的stream为stdout,错误(error)日志的为stderr,据此把两类日志写入不同的索引
  - index: "docker-error-%{[beat.version]}-%{+yyyy.MM}"
    when.contains:
      stream: "stderr"    通过es查看filebeat发送的字段,其中有stream字段:访问(access)日志的stream为stdout,错误(error)日志的为stderr,据此把两类日志写入不同的索引
  
setup.template.name: "docker"
setup.template.pattern: "docker-*"
setup.template.enabled: false
setup.template.overwrite: true
==========================================================================================

#重启filebeat
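# Validate the new configuration first; restart only if it parses, so a typo in
# filebeat.yml does not leave log shipping stopped.
filebeat test config -c /etc/filebeat/filebeat.yml && systemctl restart filebeat.service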

stream字段(stdout/stderr)就是用来区分access和error日志的字段

#在网页访问产生日志
