使用 Docker 安装 ELK(以下两条命令二选一,第一条把容器内存限制为 2000M)
# Start the ELK container with a 2000M memory cap.
# Published ports: 5601 (Kibana), 9200 (Elasticsearch HTTP), 5044 (Logstash input).
# NOTE(review): --publish without a host address listens on every host
# interface, and nothing on this page enables authentication or TLS for these
# services. Limit who can reach the ports (host firewall / security group, or
# a bind address such as 127.0.0.1:9200:9200 for ports only local clients need).
# NOTE(review): sebp/elk carries no tag here, so whatever the registry serves
# as the default tag is pulled; pin a tag or digest for repeatable deployments.
sudo docker run \
  --name elk \
  --memory 2000M \
  --publish 5601:5601 \
  --publish 9200:9200 \
  --publish 5044:5044 \
  --detach --interactive --tty \
  sebp/elk
# Same container without the memory cap. Run only one of the two commands:
# both claim the container name "elk" and the same host ports.
sudo docker run \
  --name elk \
  --publish 5601:5601 \
  --publish 9200:9200 \
  --publish 5044:5044 \
  --detach --interactive --tty \
  sebp/elk
进入容器
# Open an interactive bash shell inside the running container named "elk".
# The commands that edit and restart Logstash below are meant to run in this shell.
docker exec -it elk bash
修改 Logstash 配置
# Logstash pipeline directory inside the container.
cd /etc/logstash/conf.d/
# The file keeps its "beats" name, but the content shown next replaces the
# input with a plain tcp input and also defines the output in the same file.
vim 02-beats-input.conf
# Pipeline: accept newline-delimited JSON over TCP and index it into the local Elasticsearch.
# NOTE(review): this tcp input has no TLS and no client authentication, so any
# host that can reach port 5044 can submit events. Restrict access at the
# network level or enable TLS on the input.
input {
tcp {
port => 5044
# Each received line is decoded as one JSON event.
codec => json_lines
}
}
output {
elasticsearch {
action => "index"
# Index name = the event's own "appname" field plus the event date.
# NOTE(review): the sender controls "appname", so a client can steer events
# into arbitrary index names; consider checking it against the expected
# application names in a filter. An event without the field presumably keeps
# the literal placeholder text as its index name - verify.
index => "%{[appname]}-%{+YYYY.MM.dd}"
# Elasticsearch is reached over plain HTTP on the container's loopback.
hosts => ["localhost:9200"]
# Use the ILM policy named "del" (the same name the index template on this page refers to).
# NOTE(review): with ILM enabled the elasticsearch output normally writes
# through its rollover alias and may ignore the `index` setting above -
# confirm against the plugin documentation for the installed version.
ilm_enabled => true
ilm_policy => "del"
}
}
删除多余的 output 配置文件
# Run from /etc/logstash/conf.d/ (relative path). Removes the separate output
# file so that the elasticsearch output written into 02-beats-input.conf is
# the one in effect.
rm 30-output.conf
在 Kibana 的 Index Management 中添加索引模板(以下为模板内容片段):
"index_patterns": [
"logstash-*",
"tillo*"
],
"settings": {
"index": {
"lifecycle": {
"name": "del"
},
"number_of_shards": "1",
"refresh_interval": "5s"
}
}
重启 Logstash 后配置才会生效
# Restart Logstash (inside the container) so it loads the edited files in conf.d.
service logstash restart
ELK 可能出现的报错及解决方法:
# Raise the kernel limit on memory-mapped areas to the value Elasticsearch expects.
# NOTE(review): this is a kernel-wide setting, so it is presumably meant to be
# run as root on the Docker host rather than inside the container - confirm.
# `sysctl -w` does not survive a reboot; persist the value in the host's
# sysctl configuration if the container must come back up unattended.
sysctl -w vm.max_map_count=262144
spring boot 配置
log配置
<!-- Ships log events as JSON over TCP to the Logstash tcp input on port 5044. -->
<!-- NOTE(review): the destination is a hard-coded address and the connection is plain TCP as configured here. Log lines can carry sensitive data, so keep this traffic on a trusted network, or configure the appender's <ssl> element together with TLS on the Logstash input. -->
<appender name="LOGSTASH"
class="net.logstash.logback.appender.LogstashTcpSocketAppender">
<destination>172.31.20.141:5044</destination>
<!-- An encoder is required; several implementations are available -->
<encoder charset="UTF-8"
class="net.logstash.logback.encoder.LogstashEncoder">
<!-- The "appname" custom field is used to build the index name, and it is also added as a field to every generated document. The value below starts with "tillo", so the resulting index matches the "tillo*" pattern of the index template. -->
<customFields>{"appname":"tillo_approvice_service_prod"}</customFields>
</encoder>
</appender>
<!-- Per-logger level overrides. -->
<logger name="org.apache.zookeeper.ClientCnxn" level="ERROR"/>
<logger name="org.springframework.core.env.PropertySourcesPropertyResolver" level="INFO"/>
<!-- Root threshold is ERROR, so by default only ERROR events reach the appenders below, including LOGSTASH. Loggers with their own level (such as the INFO one above) still hand their events to these appenders. CONSOLE and logfile are not defined in this excerpt. -->
<root level="ERROR">
<appender-ref ref="CONSOLE"/>
<appender-ref ref="logfile"/>
<appender-ref ref="LOGSTASH"/>
</root>
maven 配置
<!-- Provides the LogstashTcpSocketAppender and LogstashEncoder classes referenced in the logback configuration. -->
<!-- NOTE(review): 5.3 is an old release of this library. Before keeping the pin, check the project's release notes and the advisories for its transitive dependencies (it relies on Jackson), and confirm compatibility with the logback version in use. -->
<dependency>
<groupId>net.logstash.logback</groupId>
<artifactId>logstash-logback-encoder</artifactId>
<version>5.3</version>
</dependency>