利用ELK搭建Docker容器化应用日志中心

应用一旦容器化以后，需要考虑的就是如何采集位于Docker容器中的应用程序的打印日志供运维分析。典型的比如SpringBoot应用的日志收集。

本文即将阐述如何利用ELK日志中心来收集容器化应用程序所产生的日志，并且可以用可视化的方式对日志进行查询与分析，其架构如下图所示：

架构图

镜像准备

镜像准备

ElasticSearch镜像
Logstash镜像
Kibana镜像
Nginx镜像（作为容器化应用来生产日志）

开启Linux系统Rsyslog服务

修改Rsyslog服务配置文件：

<span class="hljs-attribute" style="font-size: inherit; color: #eedc70; line-height: inherit; word-wrap: inherit !important; word-break: inherit !important;">vim</span> /etc/rsyslog.conf<br style="font-size: inherit; color: inherit; line-height: inherit; word-wrap: inherit !important; word-break: inherit !important;" />

vim /etc/rsyslog.conf

开启下面三个参数：

$ModLoad imtcp<br style="font-size: inherit; color: inherit; line-height: inherit; word-wrap: inherit !important; word-break: inherit !important;" />$InputTCPServerRun <span class="hljs-number" style="font-size: inherit; color: #ae87fa; line-height: inherit; word-wrap: inherit !important; word-break: inherit !important;">514</span><br style="font-size: inherit; color: inherit; line-height: inherit; word-wrap: inherit !important; word-break: inherit !important;" />*.* @@localhost<span class="hljs-symbol" style="font-size: inherit; color: #ae87fa; line-height: inherit; word-wrap: inherit !important; word-break: inherit !important;">:</span><span class="hljs-number" style="font-size: inherit; color: #ae87fa; line-height: inherit; word-wrap: inherit !important; word-break: inherit !important;">4560</span><br style="font-size: inherit; color: inherit; line-height: inherit; word-wrap: inherit !important; word-break: inherit !important;" />

$ModLoad imtcp $InputTCPServerRun 514 *.* @@localhost:4560

开启3个参数

意图很简单：让Rsyslog加载imtcp模块并监听514端口，然后将Rsyslog中收集的数据转发到本地4560端口！

然后重启Rsyslog服务：

<span class="hljs-attribute" style="font-size: inherit; color: #eedc70; line-height: inherit; word-wrap: inherit !important; word-break: inherit !important;">systemctl</span> restart rsyslog<br style="font-size: inherit; color: inherit; line-height: inherit; word-wrap: inherit !important; word-break: inherit !important;" />

systemctl restart rsyslog

查看rsyslog启动状态：

<span class="hljs-attribute" style="font-size: inherit; color: #eedc70; line-height: inherit; word-wrap: inherit !important; word-break: inherit !important;">netstat</span> -tnl<br style="font-size: inherit; color: inherit; line-height: inherit; word-wrap: inherit !important; word-break: inherit !important;" />

netstat -tnl

netstat -tnl

部署ElasticSearch服务

docker run -d  -p <span class="hljs-number" style="font-size: inherit; color: #ae87fa; line-height: inherit; word-wrap: inherit !important; word-break: inherit !important;">9200</span><span class="hljs-symbol" style="font-size: inherit; color: #ae87fa; line-height: inherit; word-wrap: inherit !important; word-break: inherit !important;">:</span><span class="hljs-number" style="font-size: inherit; color: #ae87fa; line-height: inherit; word-wrap: inherit !important; word-break: inherit !important;">9200</span> <br style="font-size: inherit; color: inherit; line-height: inherit; word-wrap: inherit !important; word-break: inherit !important;" /> -v ~<span class="hljs-regexp" style="font-size: inherit; color: inherit; line-height: inherit; word-wrap: inherit !important; word-break: inherit !important;">/elasticsearch/data</span><span class="hljs-symbol" style="font-size: inherit; color: #ae87fa; line-height: inherit; word-wrap: inherit !important; word-break: inherit !important;">:/usr/share/elasticsearch/data</span> <br style="font-size: inherit; color: inherit; line-height: inherit; word-wrap: inherit !important; word-break: inherit !important;" /> --name elasticsearch elasticsearch<br style="font-size: inherit; color: inherit; line-height: inherit; word-wrap: inherit !important; word-break: inherit !important;" />

docker run -d -p 9200:9200 -v ~/elasticsearch/data:/usr/share/elasticsearch/data --name elasticsearch elasticsearch

ES启动成功效果

部署Logstash服务

添加 ~/logstash/logstash.conf 配置文件如下：

input {<br style="font-size: inherit; color: inherit; line-height: inherit; word-wrap: inherit !important; word-break: inherit !important;" />  syslog {<br style="font-size: inherit; color: inherit; line-height: inherit; word-wrap: inherit !important; word-break: inherit !important;" />    type => <span class="hljs-string" style="font-size: inherit; color: #eedc70; line-height: inherit; word-wrap: inherit !important; word-break: inherit !important;">"rsyslog"</span><br style="font-size: inherit; color: inherit; line-height: inherit; word-wrap: inherit !important; word-break: inherit !important;" />    port => <span class="hljs-number" style="font-size: inherit; color: #ae87fa; line-height: inherit; word-wrap: inherit !important; word-break: inherit !important;">4560</span><br style="font-size: inherit; color: inherit; line-height: inherit; word-wrap: inherit !important; word-break: inherit !important;" />  }<br style="font-size: inherit; color: inherit; line-height: inherit; word-wrap: inherit !important; word-break: inherit !important;" />}<br style="font-size: inherit; color: inherit; line-height: inherit; word-wrap: inherit !important; word-break: inherit !important;" />output {<br style="font-size: inherit; color: inherit; line-height: inherit; word-wrap: inherit !important; word-break: inherit !important;" />  elasticsearch {<br style="font-size: inherit; color: inherit; line-height: inherit; word-wrap: inherit !important; word-break: inherit !important;" />    hosts => [ <span class="hljs-string" style="font-size: inherit; color: #eedc70; line-height: inherit; word-wrap: inherit !important; word-break: inherit !important;">"elasticsearch:9200"</span> ]<br style="font-size: inherit; color: inherit; line-height: inherit; word-wrap: inherit !important; word-break: inherit !important;" />  }<br style="font-size: inherit; color: inherit; line-height: inherit; word-wrap: inherit !important; word-break: inherit !important;" />}<br style="font-size: inherit; color: inherit; line-height: inherit; word-wrap: inherit !important; word-break: inherit !important;" />

input { syslog { type => "rsyslog" port => 4560 } } output { elasticsearch { hosts => [ "elasticsearch:9200" ] } }

配置中我们让Logstash从本地的Rsyslog服务中取出应用日志数据，然后转发到ElasticSearch数据库中！

配置完成以后，可以通过如下命令来启动Logstash容器：

docker run -d -p 4560:4560 <br style="font-size: inherit; color: inherit; line-height: inherit; word-wrap: inherit !important; word-break: inherit !important;" /><span class="hljs-deletion" style="font-size: inherit; color: #f82375; line-height: inherit; word-wrap: inherit !important; word-break: inherit !important;">-v ~/logstash/logstash.conf:/etc/logstash.conf </span><br style="font-size: inherit; color: inherit; line-height: inherit; word-wrap: inherit !important; word-break: inherit !important;" /><span class="hljs-deletion" style="font-size: inherit; color: #f82375; line-height: inherit; word-wrap: inherit !important; word-break: inherit !important;">--link elasticsearch:elasticsearch </span><br style="font-size: inherit; color: inherit; line-height: inherit; word-wrap: inherit !important; word-break: inherit !important;" /><span class="hljs-deletion" style="font-size: inherit; color: #f82375; line-height: inherit; word-wrap: inherit !important; word-break: inherit !important;">--name logstash logstash </span><br style="font-size: inherit; color: inherit; line-height: inherit; word-wrap: inherit !important; word-break: inherit !important;" />logstash -f /etc/logstash.conf<br style="font-size: inherit; color: inherit; line-height: inherit; word-wrap: inherit !important; word-break: inherit !important;" />

docker run -d -p 4560:4560 -v ~/logstash/logstash.conf:/etc/logstash.conf --link elasticsearch:elasticsearch --name logstash logstash logstash -f /etc/logstash.conf

部署Kibana服务

docker run -d -p 5601:5601 <br style="font-size: inherit; color: inherit; line-height: inherit; word-wrap: inherit !important; word-break: inherit !important;" /><span class="hljs-deletion" style="font-size: inherit; color: #f82375; line-height: inherit; word-wrap: inherit !important; word-break: inherit !important;">--link elasticsearch:elasticsearch </span><br style="font-size: inherit; color: inherit; line-height: inherit; word-wrap: inherit !important; word-break: inherit !important;" /><span class="hljs-deletion" style="font-size: inherit; color: #f82375; line-height: inherit; word-wrap: inherit !important; word-break: inherit !important;">-e ELASTICSEARCH_URL=http://elasticsearch:9200 </span><br style="font-size: inherit; color: inherit; line-height: inherit; word-wrap: inherit !important; word-break: inherit !important;" /><span class="hljs-deletion" style="font-size: inherit; color: #f82375; line-height: inherit; word-wrap: inherit !important; word-break: inherit !important;">--name kibana kibana</span><br style="font-size: inherit; color: inherit; line-height: inherit; word-wrap: inherit !important; word-break: inherit !important;" />

docker run -d -p 5601:5601 --link elasticsearch:elasticsearch -e ELASTICSEARCH_URL=http://elasticsearch:9200 --name kibana kibana

启动Nginx容器来生产日志

docker run -d -p <span class="hljs-number" style="font-size: inherit; color: #ae87fa; line-height: inherit; word-wrap: inherit !important; word-break: inherit !important;">90</span>:<span class="hljs-number" style="font-size: inherit; color: #ae87fa; line-height: inherit; word-wrap: inherit !important; word-break: inherit !important;">80</span> --<span class="hljs-built_in" style="font-size: inherit; color: #f82375; line-height: inherit; word-wrap: inherit !important; word-break: inherit !important;">log</span>-driver syslog --<span class="hljs-built_in" style="font-size: inherit; color: #f82375; line-height: inherit; word-wrap: inherit !important; word-break: inherit !important;">log</span>-opt <br style="font-size: inherit; color: inherit; line-height: inherit; word-wrap: inherit !important; word-break: inherit !important;" />syslog-address=tcp:<span class="hljs-comment" style="font-size: inherit; color: #808080; line-height: inherit; word-wrap: inherit !important; word-break: inherit !important;">//localhost:514 </span><br style="font-size: inherit; color: inherit; line-height: inherit; word-wrap: inherit !important; word-break: inherit !important;" />--<span class="hljs-built_in" style="font-size: inherit; color: #f82375; line-height: inherit; word-wrap: inherit !important; word-break: inherit !important;">log</span>-opt tag=<span class="hljs-string" style="font-size: inherit; color: #eedc70; line-height: inherit; word-wrap: inherit !important; word-break: inherit !important;">"nginx"</span> --name nginx nginx<br style="font-size: inherit; color: inherit; line-height: inherit; word-wrap: inherit !important; word-break: inherit !important;" />

docker run -d -p 90:80 --log-driver syslog --log-opt syslog-address=tcp://localhost:514 --log-opt tag="nginx" --name nginx nginx

很明显Docker容器中的Nginx应用日志转发到本地syslog服务中，然后由syslog服务将数据转给Logstash进行收集。

至此，日志中心搭建完毕，目前一共四个容器在工作：

实验验证

浏览器打开localhost:90来打开Nginx界面，并刷新几次，让后台产生GET请求的日志
打开Kibana可视化界面：localhost:5601

localhost:5601
收集Nginx应用日志

收集Nginx应用日志
查询应用日志

在查询框中输入program=nginx可查询出特定日志

查询应用日志

原文链接：https://www.jianshu.com/p/a40c36beee63