系统版本为ubuntu 24.04

相关组件，filebeat:8.10.2 ，kibana:8.10.2 ，elasticsearch:8.10.2 

先运行docker network create 命令创建网络，我创建的名字是logging

docker network create logging

docker-compose文件

root@monitor:/home/monitor/efk# cat docker-compose.yml 
version: '3'
services:
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:8.10.2
    container_name: elasticsearch
    networks:
      - logging
    volumes:
      - elasticsearch-data:/usr/share/elasticsearch/data
    environment:
      - discovery.type=single-node
      - xpack.security.enabled=false
      - ES_JAVA_OPTS=-Xms512m -Xmx1g
    ports:
      - "9200:9200"

  kibana:
    image: docker.elastic.co/kibana/kibana:8.10.2
    container_name: kibana
    networks:
      - logging
    environment:
      - ELASTICSEARCH_HOSTS=http://elasticsearch:9200
      - I18N_LOCALE=zh-CN
    ports:
      - "5601:5601"

  filebeat:
    image: docker.elastic.co/beats/filebeat:8.10.2
    container_name: filebeat
    networks:
      - logging
    volumes:
      - /etc/filebeat/filebeat.yml:/usr/share/filebeat/filebeat.yml
      - /var/log:/var/log
    user: root
    command: filebeat -e -strict.perms=false
    depends_on:
      - elasticsearch

networks:
  logging:

volumes:
  elasticsearch-data:
    driver: local

然后根据绑定的数据卷，进到filebeat的yml文件目录下

root@monitor:/home/monitor/efk# cd /etc/filebeat/
root@monitor:/etc/filebeat# ls
filebeat.yml

可以看到filebeta.yml文件已经自动创建了，手动修改它，先将里面的内容清空，添加如下内容

root@monitor:/etc/filebeat# cat filebeat.yml 
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/nginx/access.log
    - /var/log/nginx/error.log
  fields:
    project: ms
    app: nginx
- type: log
  enabled: true
  paths:
    - /var/log/messages
  fields:
    project: cu
    app: messages
    
setup.template.name: "filebeat"
setup.template.pattern: "filebeat-*"
 
output.elasticsearch:
  hosts: ["http://192.168.2.96:9200"]
  index: "%{[fields.project]}-%{[fields.app]}-%{+yyyy.MM.dd}"

最后的output中的hosts的ip地址是elasticsearch的ip地址和监听端口。

可以用docker ps命令查看是否在相关容器是否在运行

然后打开浏览器，输入服务器ip:5601,如下打开

在索引模板中可以查看到创建的filebeat模板已经加载成功了

创建数据视图

查看创建的日志视图

可以将filebeat装在其他服务器上，就可以实现多服务器的日志收集