서버에 ELK를 직접 설치해 보니 너무 복잡했다.
그래서 도커를 이용하여 elk를 설치해보고자 한다.
📗 docker, docker-compose 설치
docker-compose는 여러 개의 컨테이너로부터 이루어진 서비스를 구축, 실행하는 순서를 자동으로 하여, 관리를 간단히 하는 기능
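# Remove any distro-packaged Docker first so it does not conflict with the
# docker-ce packages installed below.
sudo yum remove docker \
  docker-client \
  docker-client-latest \
  docker-common \
  docker-latest \
  docker-latest-logrotate \
  docker-logrotate \
  docker-engine

# Add Docker's own repository and install the engine.
# The repo file is fetched over HTTPS; after adding it, check that it keeps
# gpgcheck=1 so yum verifies package signatures against Docker's key.
sudo yum install -y yum-utils
sudo yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
sudo yum install -y docker-ce docker-ce-cli containerd.io

# docker-compose (v1) is not shipped in the docker-ce repo; if yum reports
# "No package docker-compose available", enable EPEL first
# (sudo yum install -y epel-release) or install docker-compose-plugin from
# the docker-ce repo and use `docker compose` instead.
sudo yum install -y docker-compose

# The package does not start the daemon; without this, the later
# `docker-compose build` step fails with "Cannot connect to the Docker daemon".
sudo systemctl enable --now docker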
docker-elk 저장소 내려받기
git clone이 완료되면 현재 위치에 docker-elk 폴더가 생성된다. (이 단계에서 받는 것은 설정 파일과 Dockerfile이고, 실제 이미지는 뒤의 docker-compose build 단계에서 만들어진다.)
# Third-party repo cloned at its default branch. For reproducible builds, pin a
# tag/commit that matches the ELK_VERSION docker-compose.yml expects (the repo's
# .env is where that value presumably lives - confirm after cloning).
git clone https://github.com/deviantony/docker-elk.git
docker-compose.yml 수정
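version: '3.2'

services:
  elasticsearch:
    build:
      context: elasticsearch/
      args:
        # Resolved by docker-compose from the shell or the project's .env
        # (not shown on this page).
        ELK_VERSION: $ELK_VERSION
    volumes:
      - type: bind
        source: ./elasticsearch/config/elasticsearch.yml
        target: /usr/share/elasticsearch/config/elasticsearch.yml
        read_only: true
      - type: volume
        source: elasticsearch
        target: /usr/share/elasticsearch/data
    ports:
      # REST API. The elasticsearch.yml on this page does not enable
      # xpack.security, so this port answers without authentication.
      # Change to "127.0.0.1:9200:9200" unless other hosts need direct access.
      - "9200:9200"
      # Transport port 9300 is intentionally not published: nothing outside a
      # single-node cluster needs it.
    environment:
      ES_JAVA_OPTS: "-Xmx256m -Xms256m"
      # Password of the built-in 'elastic' superuser. Overridable from the
      # shell / .env; the default keeps the original value so existing setups
      # behave the same. It is only enforced once xpack.security is enabled.
      ELASTIC_PASSWORD: "${ELASTIC_PASSWORD:-password}"
      # Use single node discovery in order to disable production mode and avoid bootstrap checks
      # see https://www.elastic.co/guide/en/elasticsearch/reference/current/bootstrap-checks.html
      discovery.type: single-node
    networks:
      - elk

  logstash:
    build:
      context: logstash/
      args:
        ELK_VERSION: $ELK_VERSION
    volumes:
      - type: bind
        source: ./logstash/config/logstash.yml
        target: /usr/share/logstash/config/logstash.yml
        read_only: true
      - type: bind
        source: ./logstash/pipeline
        target: /usr/share/logstash/pipeline
        read_only: true
    ports:
      # Beats input (Winlogbeat on the Windows client ships here). Plain TCP,
      # no TLS or client auth in the pipeline on this page.
      - "5044:5044"
      # Raw TCP input. The pipeline shown here has no udp input, so the udp
      # mapping is currently unused.
      - "5000:5000/tcp"
      - "5000:5000/udp"
      # Logstash monitoring/API endpoint - unauthenticated, so keep it on the
      # host loopback only.
      - "127.0.0.1:9600:9600"
    environment:
      LS_JAVA_OPTS: "-Xmx256m -Xms256m"
    networks:
      - elk
    # Only orders container start-up; Elasticsearch may still be initialising
    # when Logstash comes up (its output plugin retries until it answers).
    depends_on:
      - elasticsearch

  kibana:
    build:
      context: kibana/
      args:
        ELK_VERSION: $ELK_VERSION
    volumes:
      - type: bind
        source: ./kibana/config/kibana.yml
        target: /usr/share/kibana/config/kibana.yml
        read_only: true
    ports:
      # Web UI reached from the client machine; also unauthenticated while
      # xpack.security is off on Elasticsearch.
      - "5601:5601"
    networks:
      - elk
    depends_on:
      - elasticsearch

networks:
  elk:
    driver: bridge

volumes:
  # Persistent Elasticsearch data (default local driver). Note that
  # `docker-compose down -v` deletes it.
  elasticsearch: {}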
docker-stack.yml 수정
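version: '3.3'

services:
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:7.10.0
    ports:
      # Published through the Swarm ingress mesh, i.e. on every node and
      # interface. With xpack.security left off in elasticsearch.yml this
      # REST port is reachable without authentication.
      - "9200:9200"
      # Transport port 9300 is intentionally not published: a single replica
      # has no peer nodes to talk to.
    configs:
      - source: elastic_config
        target: /usr/share/elasticsearch/config/elasticsearch.yml
    environment:
      ES_JAVA_OPTS: "-Xmx256m -Xms256m"
      # Substituted from the shell environment at `docker stack deploy` time
      # (stack deploy does not read .env); default keeps the original value.
      # Only enforced once xpack.security is enabled.
      ELASTIC_PASSWORD: "${ELASTIC_PASSWORD:-password}"
      # Use single node discovery in order to disable production mode and avoid bootstrap checks
      # see https://www.elastic.co/guide/en/elasticsearch/reference/current/bootstrap-checks.html
      discovery.type: single-node
    networks:
      - elk
    deploy:
      mode: replicated
      replicas: 1

  logstash:
    image: docker.elastic.co/logstash/logstash:7.10.0
    ports:
      # Beats input - plain TCP, no TLS/client auth in the pipeline shown.
      - "5044:5044"
      # Raw TCP input.
      - "5000:5000"
      # Logstash monitoring/API endpoint. Unauthenticated; Swarm cannot bind a
      # published port to loopback, so restrict it with a host firewall.
      - "9600:9600"
    configs:
      - source: logstash_config
        target: /usr/share/logstash/config/logstash.yml
      - source: logstash_pipeline
        target: /usr/share/logstash/pipeline/logstash.conf
    environment:
      LS_JAVA_OPTS: "-Xmx256m -Xms256m"
    networks:
      - elk
    deploy:
      mode: replicated
      replicas: 1

  kibana:
    image: docker.elastic.co/kibana/kibana:7.10.0
    ports:
      # Web UI; unauthenticated while xpack.security is off on Elasticsearch.
      - "5601:5601"
    configs:
      - source: kibana_config
        target: /usr/share/kibana/config/kibana.yml
    networks:
      - elk
    deploy:
      mode: replicated
      replicas: 1

# Config files are read from the repo checkout relative to this file.
configs:
  elastic_config:
    file: ./elasticsearch/config/elasticsearch.yml
  logstash_config:
    file: ./logstash/config/logstash.yml
  logstash_pipeline:
    file: ./logstash/pipeline/logstash.conf
  kibana_config:
    file: ./kibana/config/kibana.yml

networks:
  elk:
    driver: overlay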
elasticsearch 설정
docker-elk로 이동 후 아래 파일 편집
vi elasticsearch/config/elasticsearch.yml
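---
## Default Elasticsearch configuration from Elasticsearch base image.
## https://github.com/elastic/elasticsearch/blob/master/distribution/docker/src/docker/config/elasticsearch.yml
#
cluster.name: "docker-cluster"

# Listen on every container interface; whether that is reachable from outside
# the host is decided by the port mappings in docker-compose.yml / docker-stack.yml.
network.host: 0.0.0.0

# Single-node discovery skips the production bootstrap checks. The compose
# files set the same value via the discovery.type environment variable.
discovery.type: single-node

# NOTE(review): xpack.security.enabled is not set here. On a 7.x basic
# licence it defaults to false, so Elasticsearch (9200) and Kibana (5601)
# require no login and the ELASTIC_PASSWORD from the compose files is never
# enforced. Before exposing this beyond a lab network, set
# `xpack.security.enabled: true` and give Kibana and Logstash real credentials.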
kibana 설정
vi kibana/config/kibana.yml
---
## Default Kibana configuration from Kibana base image.
## https://github.com/elastic/kibana/blob/master/src/dev/build/tasks/os_packages/docker_generator/templates/kibana_yml.template.ts
#
server.name: kibana
# Bind to all container interfaces; the compose file publishes 5601 to the host.
server.host: 0.0.0.0

# Plain HTTP to Elasticsearch over the internal 'elk' Docker network.
# No elasticsearch.username / elasticsearch.password are configured, which
# only works because xpack.security is not enabled on Elasticsearch; both
# must be added once security is switched on.
elasticsearch.hosts:
  - 'http://elasticsearch:9200'

monitoring.ui.container.elasticsearch.enabled: true
logstash 설정
vi logstash/config/logstash.yml
---
## Default Logstash configuration from Logstash base image.
## https://github.com/elastic/logstash/blob/master/docker/data/logstash/config/logstash-full.yml
#
# Bind address of the Logstash monitoring/API endpoint (port 9600). The API
# has no authentication, and docker-compose.yml on this page publishes 9600
# to the host - keep that mapping on loopback or firewalled.
http.host: '0.0.0.0'
vi logstash/pipeline/logstash.conf
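# Inputs: Beats (Winlogbeat from the Windows host) on 5044 and a raw TCP
# listener on 5000. Neither is authenticated or encrypted here, so anything
# that can reach these ports can inject events; restrict them via the compose
# port mappings / firewall, or add ssl => true with certificates for beats.
input {
  beats {
    port => 5044
  }
  tcp {
    port => 5000
  }
}

## Add your filters / logstash plugins configuration here

output {
  elasticsearch {
    # Plain HTTP over the internal Docker network.
    hosts => "elasticsearch:9200"
    # Daily index per beat, e.g. winlogbeat-2022.05.30. Year letters fixed
    # from "YYY" to the documented "YYYY" (Joda renders both as the full year).
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    # Deprecated: mapping types were removed from Elasticsearch; Beats 7.x
    # set @metadata.type to _doc. Drop this line when moving to 8.x.
    document_type => "%{[@metadata][type]}"
    # Placeholders resolved from the container environment with Logstash's
    # ${VAR:default} syntax so real credentials need not live in this file.
    # They are only checked once xpack.security is enabled on Elasticsearch.
    user => "${ELASTICSEARCH_USERNAME:username}"
    password => "${ELASTICSEARCH_PASSWORD:password}"
    ecs_compatibility => disabled
  }
}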
docker 실행하기
docker-compose build && docker-compose up -d
페이지 접속
kibana > overview 클릭
Add your data 클릭
create index pattern
Index pattern name에 winlogbeat*을 입력하고 Next step 클릭
Time field에 @timestamp를 선택한 후 Create index pattern 클릭
인덱스 생성 완료 화면
설정완료 후 Kibana > overview 클릭
Discover 대시보드 형식 클릭
대시보드 화면이 나온다.
글쓴이는 ELK를 구축하기 전에 Windows PC에 Sysmon과 Winlogbeat를 설치하여 연동해 두었다.
아래 링크를 통해 연동방법 확인
https://magnuxx.tistory.com/entry/sysmon-winlogbeat-elk-%EC%97%B0%EB%8F%99%ED%95%98%EA%B8%B0
종료하기 (`-v` 옵션은 docker-compose.yml에 선언된 elasticsearch 데이터 볼륨까지 삭제한다. 수집한 로그를 남기려면 `docker-compose down`만 실행한다.)
docker-compose down -v
📗 설치 후기
- 서버에 직접 설치하는 것보다 훨씬 수월했다.
- 서버에 직접 설치할 때는 페이지 접속 전 로그인 과정을 거쳤는데 도커에서는 거치지 않았다. 이는 위 elasticsearch.yml에 xpack.security.enabled가 설정되어 있지 않아(7.x basic 라이선스에서는 기본값 false) docker-compose.yml의 ELASTIC_PASSWORD가 적용되지 않기 때문이다. 즉 9200(Elasticsearch)과 5601(Kibana)이 인증 없이 0.0.0.0으로 공개된 상태이므로, 실습 환경 밖에서는 보안 설정을 켜고 Kibana/Logstash에 자격 증명을 넣어야 한다.
- windows 노드의 로그를 연동해봤다. 리눅스 시스템 로그도 연동되는지 확인해봐야겠다.
- docker를 쉽게 manage 하는 docker-compose에 대해서 알게 되었다(쿠버네티스와 비슷하면서도 다른 것 같다)