docker network create -d bridge elastic

docker pull elasticsearch:8.4.3

docker run -it \-p 9200:9200 \-p 9300:9300 \--name elasticsearch \--net elastic \-e ES_JAVA_OPTS="-Xms1g -Xmx1g" \-e "discovery.type=single-node" \-e LANG=C.UTF-8 \-e LC_ALL=C.UTF-8 \elasticsearch:8.4.3

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━✅ Elasticsearch security features have been automatically configured!✅ Authentication is enabled and cluster connections are encrypted.
ℹ️  Password for the elastic user (reset with `bin/elasticsearch-reset-password -u elastic`):  L3WKr6ROTiK_DbqzBr8c
ℹ️  HTTP CA certificate SHA-256 fingerprint:  5e7d9fe48c485c2761f9e7a99b9d5737e4e34dc55b9bf6929d929fb34d61a11a
ℹ️  Configure Kibana to use this cluster:• Run Kibana and click the configuration link in the terminal when Kibana starts.• Copy the following enrollment token and paste it into Kibana in your browser (valid for the next 30 minutes):  eyJ2ZXIiOiI4LjQuMyIsImFkciI6WyIxNzIuMTkuMC4yOjkyMDAiXSwiZmdyIjoiNWU3ZDlmZTQ4YzQ4NWMyNzYxZjllN2E5OWI5ZDU3MzdlNGUzNGRjNTViOWJmNjkyOWQ5MjlmYjM0ZDYxYTExYSIsImtleSI6Ik4yMGtkSTRCWDZkeG1BS2lMWGtvOlVPenpCN3dYUUlXV2xmcjZhSTNiQncifQ==
ℹ️ Configure other nodes to join this cluster:• Copy the following enrollment token and start new Elasticsearch nodes with `bin/elasticsearch --enrollment-token <token>` (valid for the next 30 minutes):  eyJ2ZXIiOiI4LjQuMyIsImFkciI6WyIxNzIuMTkuMC4yOjkyMDAiXSwiZmdyIjoiNWU3ZDlmZTQ4YzQ4NWMyNzYxZjllN2E5OWI5ZDU3MzdlNGUzNGRjNTViOWJmNjkyOWQ5MjlmYjM0ZDYxYTExYSIsImtleSI6Ik9XMGtkSTRCWDZkeG1BS2lMWGtwOmI0Y05razVpUWlPTncwTkMwYWM5akEifQ==
  If you're running in Docker, copy the enrollment token and run:  `docker run -e "ENROLLMENT_TOKEN=<token>" docker.elastic.co/elasticsearch/elasticsearch:8.4.3`━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

 mkdir -p apps/elk8.4.3/elasticsearch# 这个cp命令是在 /home/ubuntu目录下执行的docker cp elasticsearch:/usr/share/elasticsearch/config apps/elk8.4.3/elasticsearch/
docker cp elasticsearch:/usr/share/elasticsearch/data apps/elk8.4.3/elasticsearch/
docker cp elasticsearch:/usr/share/elasticsearch/plugins apps/elk8.4.3/elasticsearch/
docker cp elasticsearch:/usr/share/elasticsearch/logs apps/elk8.4.3/elasticsearch/

docker rm -f elasticsearch

vim apps/elk8.4.3/elasticsearch/config/elasticsearch.yml

增加：xpack.monitoring.collection.enabled: true说明：添加这个配置以后在kibana中才会显示联机状态，否则会显示脱机状态

docker run -it \-d \-p 9200:9200 \-p 9300:9300 \--name elasticsearch \--net elastic \-e ES_JAVA_OPTS="-Xms1g -Xmx1g" \-e "discovery.type=single-node" \-e LANG=C.UTF-8 \-e LC_ALL=C.UTF-8 \-v /home/ubuntu/apps/elk8.4.3/elasticsearch/config:/usr/share/elasticsearch/config \-v /home/ubuntu/apps/elk8.4.3/elasticsearch/data:/usr/share/elasticsearch/data \-v /home/ubuntu/apps/elk8.4.3/elasticsearch/plugins:/usr/share/elasticsearch/plugins \-v /home/ubuntu/apps/elk8.4.3/elasticsearch/logs:/usr/share/elasticsearch/logs \elasticsearch:8.4.3

docker pull kibana:8.4.3

docker run -it \--restart=always \--log-driver json-file \--log-opt max-size=100m \--log-opt max-file=2 \--name kibana \-p 5601:5601 \--net elastic \kibana:8.4.3

mkdir apps/elk8.4.3/kibana# 这个cp命令是在 /home/ubuntu目录下执行的docker cp kibana:/usr/share/kibana/config apps/elk8.4.3/kibana/

docker cp kibana:/usr/share/kibana/data apps/elk8.4.3/kibana/
docker cp kibana:/usr/share/kibana/plugins apps/elk8.4.3/kibana/
docker cp kibana:/usr/share/kibana/logs apps/elk8.4.3/kibana/
sudo chown -R 1000:1000 apps/elk8.4.3/kibana

### >>>>>>> BACKUP START: Kibana interactive setup (2024-03-25T07:30:11.689Z)
## ** THIS IS AN AUTO-GENERATED FILE **#
# Default Kibana configuration for docker target#server.host: "0.0.0.0"#server.shutdownTimeout: "5s"#elasticsearch.hosts: [ "http://elasticsearch:9200" ]#monitoring.ui.container.elasticsearch.enabled: true### >>>>>>> BACKUP END: Kibana interactive setup (2024-03-25T07:30:11.689Z)
# This section was automatically generated during setup.i18n.locale: "zh-CN"server.host: 0.0.0.0server.shutdownTimeout: 5s# #这个ip一定是elasticsearch的容器ip，可使用docker inspect | grep -i ipaddresselasticsearch.hosts: ['https://172.19.0.2:9200']monitoring.ui.container.elasticsearch.enabled: trueelasticsearch.serviceAccountToken: AAEAAWVsYXN0aWMva2liYW5hL2Vucm9sbC1wcm9jZXNzLXRva2VuLTE3MTEzNTE4MTA5NDM6ZHZ1R3M5cV9RRlc2NmQ3dE9WaWM0QQelasticsearch.ssl.certificateAuthorities: [/usr/share/kibana/data/ca_1711351811685.crt]xpack.fleet.outputs: [{id: fleet-default-output, name: default, is_default: true, is_default_monitoring: true, type: elasticsearch, hosts: ['https://172.19.0.2:9200'], ca_trusted_fingerprint: 5e7d9fe48c485c2761f9e7a99b9d5737e4e34dc55b9bf6929d929fb34d61a11a}]

docker rm -f kibana

docker run -it \-d \--restart=always \--log-driver json-file \--log-opt max-size=100m \--log-opt max-file=2 \--name kibana \-p 5601:5601 \--net elastic \-v /home/ubuntu/apps/elk8.4.3/kibana/config:/usr/share/kibana/config \-v /home/ubuntu/apps/elk8.4.3/kibana/data:/usr/share/kibana/data \-v /home/ubuntu/apps/elk8.4.3/kibana/plugins:/usr/share/kibana/plugins \-v /home/ubuntu/apps/elk8.4.3/kibana/logs:/usr/share/kibana/logs \kibana:8.4.3

docker pull logstash:8.4.3

docker run -it \-d \--name logstash \-p 9600:9600 \-p 5044:5044 \--net elastic \logstash:8.4.3

mkdir apps/elk8.4.3/logstash
# 这个cp命令是在 /home/ubuntu目录下执行的docker cp logstash:/usr/share/logstash/config apps/elk8.4.3/logstash/ docker cp logstash:/usr/share/logstash/pipeline apps/elk8.4.3/logstash/ 
sudo cp -rf apps/elk8.4.3/elasticsearch/config/certs apps/elk8.4.3/logstash/config/certs
sudo chown -R 1000:1000 apps/elk8.4.3/logstash

http.host: "0.0.0.0"xpack.monitoring.enabled: truexpack.monitoring.elasticsearch.hosts: [ "http://172.19.0.2:9200" ]xpack.monitoring.elasticsearch.username: "elastic"# 第一次启动elasticsearch是保存的信息中查找 L3WKr6ROTiK_DbqzBr8cxpack.monitoring.elasticsearch.password: "L3WKr6ROTiK_DbqzBr8c"xpack.monitoring.elasticsearch.ssl.certificate_authority: "/usr/share/logstash/config/certs/http_ca.crt"# 第一次启动elasticsearch是保存的信息中查找 5e7d9fe48c485c2761f9e7a99b9d5737e4e34dc55b9bf6929d929fb34d61a11axpack.monitoring.elasticsearch.ssl.ca_trusted_fingerprint: "5e7d9fe48c485c2761f9e7a99b9d5737e4e34dc55b9bf6929d929fb34d61a11a"

input {  beats {    port => 5044  }}

filter {  date {        # 因为我的日志里，我的time字段格式是2024-03-14T15:34:03+08:00 ，所以要使用以下两行配置        match => [ "time", "ISO8601" ]        target => "@timestamp"  }  json {    source => "message"  }  mutate {    remove_field => ["message", "path", "version", "@version", "agent", "cloud", "host", "input", "log", "tags", "_index", "_source", "ecs", "event"]  }}

output {  elasticsearch {    hosts => ["https://172.18.0.2:9200"]    index => "douyin-%{+YYYY.MM.dd}"    ssl => true    ssl_certificate_verification => false    cacert => "/usr/share/logstash/config/certs/http_ca.crt"    ca_trusted_fingerprint => "第一次启动elasticsearch是保存的信息中查找e924551c1453c893114a05656882eea81cb11dd87c1258f83e6f676d2428f8f2"    user => "elastic"    password => "第一次启动elasticsearch是保存的信息中查找UkNx8px1yrMYIht30QUc"  }}

docker rm -f logstash

docker run -it \-d \--name logstash \-p 9600:9600 \-p 5044:5044 \--net elastic \-v /home/ubuntu/apps/elk8.4.3/logstash/config:/usr/share/logstash/config \-v /home/ubuntu/apps/elk8.4.3/logstash/pipeline:/usr/share/logstash/pipeline \logstash:8.4.3

sudo docker pull elastic/filebeat:8.4.3

docker run -it \-d \--name filebeat \--network host \-e TZ=Asia/Shanghai \elastic/filebeat:8.4.3 \filebeat -e  -c /usr/share/filebeat/filebeat.yml