Installing sebp/elkx

Source: Internet  Editor: 程序博客网  Time: 2024/06/05 07:33

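sebp/elkx is an image that ships with X-Pack; the latest version is currently 6.0.
Author's page: https://hub.docker.com/r/sebp/elkx/
I spent many days working out how to use this image. The author describes it as follows: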


Usage notes
This image extends the sebp/elk image, so unless otherwise noted below the documentation for the sebp/elk image applies.

Bootstrap mode
This image uses the default configuration of X-Pack, meaning that out of the box, as from version 6, the built-in users (especially the elastic superuser, and the basic kibana user) no longer have default passwords.

To define passwords (and create additional users as needed), a container first needs to be started in bootstrap mode in order to assign a bootstrap password to the elastic superuser.

As described in the official X-Pack documentation:

The bootstrap password is a transient password that enables you to run the tools that set all the built-in user passwords.

To set the bootstrap password for elastic, start a container with the ELASTIC_BOOTSTRAP_PASSWORD environment variable set to the chosen password.

Once the container has started, only Elasticsearch will be running, and the user can use the elastic account (with the bootstrap password) to change its own password and assign passwords to the built-in users, for instance:

  • by manually docker exec-ing into the running container and using the setup-passwords tool,
  • or by manually or programmatically using the user management REST APIs.

Once all the passwords have been assigned, stop the container, and start the container in normal mode as described below.


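The container has to be started in bootstrap mode and the passwords changed once before it can be used, but I could not work out what to do from this description. Later I found the setup method in the author's comments, so I am writing it down here in case I forget it.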


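  • Use docker-compose.yml (how to use docker-compose itself is not covered here)
  • Create docker-compose.yml

```yaml
elkx:
  image: sebp/elkx
  ports:
    - "5601:5601"
    - "9200:9200"
    - "5044:5044"
  environment:
    # Bootstrap mode: transient password for the elastic superuser.
    # No quotes here: in the list form they would become part of the value.
    - ELASTIC_BOOTSTRAP_PASSWORD=changeme
```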
  • Run it

```
$ docker-compose up
Creating elkxdocker_elkx_1
Attaching to elkxdocker_elkx_1
elkx_1  | ERROR: Setting [bootstrap.pass] does not exist in the keystore.
elkx_1  |  * Starting periodic command scheduler cron
elkx_1  |    ...done.
elkx_1  |  * Starting Elasticsearch Server
elkx_1  |    ...done.
elkx_1  | waiting for Elasticsearch to be up (1/30)...
```
  • An error is shown; the author explains it as follows: "In another shell, open a bash session in the running container (replacing with the right value), and use X-Pack's setup-passwords tool to set the passwords for the built-in users"
  • Enter the container and carry out the steps in the following order

```
$ docker exec -it <name of the running container> bash
# $ES_HOME/bin/x-pack/setup-passwords interactive
Initiating the setup of reserved user elastic,kibana,logstash_system passwords.
You will be prompted to enter passwords as the process progresses.
Please confirm that you would like to continue [y/N]y
Enter password for [elastic]: changeme
Reenter password for [elastic]: changeme
Enter password for [kibana]: changeme
Reenter password for [kibana]: changeme
Enter password for [logstash_system]: changeme
Reenter password for [logstash_system]: changeme
Changed password for user [kibana]
Changed password for user [logstash_system]
Changed password for user [elastic]
```
  • Edit the logstash.yml file

```
# vi /opt/logstash/config/logstash.yml
# Append the following at the end of the file
xpack.monitoring.elasticsearch.username: "logstash_system"
xpack.monitoring.elasticsearch.password: "changeme"
```
  • Stop the container and edit docker-compose.yml so that it reads as follows:

```yaml
elkx:
  image: sebp/elkx
  ports:
    - "5601:5601"
    - "9200:9200"
    - "5044:5044"
  environment:
    - ELASTICSEARCH_USER=elastic
    - ELASTICSEARCH_PASSWORD=changeme
    - LOGSTASH_USER=elastic
    - LOGSTASH_PASSWORD=changeme
    - KIBANA_USER=kibana
    - KIBANA_PASSWORD=changeme
```
  • Run it again: docker-compose up
  • Once startup has finished, it can be accessed at: https://ip:5601
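
The steps above use changeme for every account and keep it in docker-compose.yml. As an added example (not from the original post or the image's author), the script below generates a separate random password per built-in user, stores them in an owner-only env file, and sets them through the user management REST API that the usage notes mention as the alternative to the interactive tool. The names ES_URL, LOGSTASH_SYSTEM_PASSWORD, the env file path and the function names are assumptions, as is Elasticsearch answering over plain HTTP on the published port 9200.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed names: ES_URL,
# LOGSTASH_SYSTEM_PASSWORD, the env file path and the functions below.
ES_URL=${ES_URL:-http://localhost:9200}

# 32 hex characters from the kernel CSPRNG; hex needs no JSON or YAML escaping.
gen_password() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Write the variables of the second docker-compose.yml to an owner-only file.
# LOGSTASH_USER is elastic on this page, so it shares elastic's password.
write_env_file() {   # $1 = env file path
    elastic_pw=$(gen_password)
    ( umask 077
      rm -f "$1"
      cat > "$1" <<EOF
ELASTICSEARCH_USER=elastic
ELASTICSEARCH_PASSWORD=$elastic_pw
LOGSTASH_USER=elastic
LOGSTASH_PASSWORD=$elastic_pw
KIBANA_USER=kibana
KIBANA_PASSWORD=$(gen_password)
# Not an image variable: value for xpack.monitoring.elasticsearch.password
LOGSTASH_SYSTEM_PASSWORD=$(gen_password)
EOF
    )
}

# Change one built-in user's password with the X-Pack change-password API.
# $1 = user, $2 = new password, $3 = password elastic currently accepts.
# The new, long-lived password is sent on stdin, not on the command line.
set_password() {
    printf '{"password":"%s"}' "$2" |
    curl -sS -f -u "elastic:$3" -H 'Content-Type: application/json' \
         -X POST "$ES_URL/_xpack/security/user/$1/_password" -d @-
}

# For a container in bootstrap mode. elastic goes last: once it has a real
# password the bootstrap password is no longer accepted.
apply_passwords() {   # $1 = env file path, $2 = bootstrap password
    case $1 in */*) . "$1" ;; *) . "./$1" ;; esac
    set_password kibana "$KIBANA_PASSWORD" "$2" &&
    set_password logstash_system "$LOGSTASH_SYSTEM_PASSWORD" "$2" &&
    set_password elastic "$ELASTICSEARCH_PASSWORD" "$2"
}
```

Call `write_env_file ./elkx.env` and then `apply_passwords ./elkx.env <bootstrap password>` while the container runs in bootstrap mode; for normal mode the compose file can load the same values with `env_file: ./elkx.env` in place of the `environment:` list.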

Filebeat configuration

  • Install Filebeat; installation is not covered here (this article uses the rpm installation method)
  • Edit the filebeat.yml file

```yaml
filebeat.prospectors:
- type: log
  enabled: true
  paths:
    - /var/log/*.log
    #- c:\programdata\elasticsearch\logs\*
```
  • To output directly to ES, edit the following

```yaml
output.elasticsearch:
  hosts: ["192.168.1.42:9200"]
```
  • If using Logstash

```yaml
#----------------------------- Logstash output --------------------------------
output.logstash:
  hosts: ["127.0.0.1:5044"]
```
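  • sebp/elk uses a certificate by default to encrypt the connection to Logstash. This was the biggest pitfall I ran into; every method I tried produced errors
  • 1. Use the certificate bundled with the image

```
# cat /etc/logstash/conf.d/02-beats-input.conf
input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate => "/etc/pki/tls/certs/logstash-beats.crt"
    ssl_key => "/etc/pki/tls/private/logstash-beats.key"
  }
}
```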
  • The contents of 02-beats-input.conf are shown above; you can see the paths of the .crt and .key files. Copy logstash-beats.crt to any path on the client; in this article the path is /ca/logstash-beats.crt
  • Edit filebeat.yml on the client
  • Pay special attention here: when using the certificate bundled with the image, hosts must use the name elk and cannot use an IP address. If there is no local DNS server, define the name in the local /etc/hosts, otherwise errors will keep being reported

```yaml
#----------------------------- Logstash output --------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["elk:5044"]

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]

  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"

  # Client Certificate Key
  #ssl.key: "/etc/pki/client/cert.key"
  ssl.certificate_authorities: ["/ca/logstash-beats.crt"]
```
  • Restart the client: /etc/init.d/filebeat restart
  • Installation of the server and the client is complete
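
TLS clients such as Filebeat compare each hosts entry with the names the server certificate was issued for, which is why an IP address can fail where a name works. As an added example (not from the original post), the script below checks the output.logstash hosts of a filebeat.yml against a certificate with openssl. The function names and the constructed CN=elk demo certificate are assumptions; the names carried by the image's real certificate are not stated on this page.

```shell
#!/bin/sh
# Added example, not from the original post. demo.crt is a constructed
# stand-in with CN=elk; run check_hosts on /ca/logstash-beats.crt in practice.

# Does the certificate accept this name? Prints "match" or "no match".
cert_accepts() {   # $1 = certificate, $2 = host|ip, $3 = value to test
    if openssl x509 -in "$1" -noout "-check$2" "$3" 2>&1 | grep -q 'does match'
    then echo "match"
    else echo "no match"
    fi
}

# Check each hosts entry of the output.logstash section against the certificate.
check_hosts() {   # $1 = filebeat.yml, $2 = certificate
    sed -n '/^output\.logstash:/,/^[^ #]/s/^ *hosts: *\[\(.*\)\].*/\1/p' "$1" |
    tr -d '" ' | tr ',' '\n' |
    while IFS= read -r entry; do
        name=${entry%:*}                  # drop the :port suffix
        case $name in
            *[!0-9.]*) kind=host ;;       # contains more than digits and dots
            *)         kind=ip ;;         # IPv4 literal (IPv6 not handled here)
        esac
        echo "$name: $(cert_accepts "$2" "$kind" "$name")"
    done
}

# Constructed sample: self-signed certificate for the name elk, written to $1/.
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=elk" \
        -keyout "$1/demo.key" -out "$1/demo.crt" 2>/dev/null
}
```

Run `check_hosts <your filebeat.yml> /ca/logstash-beats.crt` on the client; any entry reported as "no match" will fail certificate verification and needs a name the certificate covers, for example through /etc/hosts as described above.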

Configuring Kibana

  • Open the management URL: http://ip:5601
  • Select Management > Kibana > Index Patterns and create "filebeat-*"
  • If all goes well, you will see the following data