Setting up Elasticsearch, Logstash, Kibana (ELK)

Posted by Frank範 on 2017-07-30

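There are several ways to set up ELK. In summary:
1. Download a package that bundles ELK together
2. Install E, L and K separately
3. Run ELK in Docker.
I prefer the third option, so that is the one covered here.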

1 Increase the vm.max_map_count limit

On Linux, you can increase the limits by running the following command as root:
sysctl -w vm.max_map_count=262144

2 Start the ELK container

docker run -p 5601:5601 -p 9200:9200 -p 5044:5044 -it --name elk sebp/elk

3 Log in to the container and run Logstash

docker exec -it elk /bin/bash

At the prompt, enter

/opt/logstash/bin/logstash --path.data /tmp/logstash/data \
    -e 'input { stdin { } } output { elasticsearch { hosts => ["localhost"] } }'

Wait for Logstash to start (as indicated by the message "The stdin plugin is now waiting for input:"), then type a line of dummy data:

this is dummy data

If Logstash fails to start with the error below:
Logstash could not be started because there is already another instance using the configured data directory. If you wish to run multiple instances, you must change the “path.data” setting.

Run service logstash stop, then rerun the Logstash command.

4 Open Kibana
You can now browse to Kibana’s web interface at http://<your-host>:5601 (e.g. http://localhost:5601 for a local native instance of Docker).

Make sure that the drop-down “Time-field name” field is pre-populated with the value @timestamp, then click on “Create”, and you’re good to go.
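
Added example, not from the original post: the docker run command in step 2 publishes ports 5601, 9200 and 5044 without a host address, so Docker listens for them on every host interface. The script below checks the step 1 limit, rebuilds the publish flags bound to 127.0.0.1, and lists any -p spec in a command line that is open on all interfaces. The loopback binding, the function names and the --run switch are assumptions for a local test setup.

```shell
#!/bin/sh
# Added example (not the author's code): steps 1-2 with the published
# ports restricted to the loopback interface.
REQUIRED_MAP_COUNT=262144      # value from step 1
ELK_PORTS="5601 9200 5044"     # ports published in step 2

# Succeeds when the given vm.max_map_count value is below the required one.
map_count_too_low() { [ "$1" -lt "$REQUIRED_MAP_COUNT" ]; }

# Print "-p ADDR:PORT:PORT" for each ELK port, bound to host address $1.
publish_args() {
    out=""
    for p in $ELK_PORTS; do out="$out -p $1:$p:$p"; done
    echo "${out# }"
}

# Print every "-p SPEC" / "--publish SPEC" in a docker command line ($1)
# that has no host address (or uses 0.0.0.0) and is therefore reachable on
# all interfaces. Handles space-separated IPv4 specs only.
wide_open_specs() {
    prev=""
    for w in $1; do
        if [ "$prev" = "-p" ] || [ "$prev" = "--publish" ]; then
            case "$w" in
                0.0.0.0:*:*) echo "$w" ;;   # explicit wildcard address
                *:*:*) ;;                   # explicit host address, skip
                *) echo "$w" ;;             # hostPort:containerPort or bare port
            esac
        fi
        prev="$w"
    done
}

# Act on the system only when called with --run (hypothetical switch).
if [ "${1:-}" = "--run" ]; then
    cur=$(sysctl -n vm.max_map_count)
    if map_count_too_low "$cur"; then
        sysctl -w vm.max_map_count="$REQUIRED_MAP_COUNT"   # needs root
    fi
    # Word splitting of publish_args output is intended here.
    docker run $(publish_args 127.0.0.1) -it --name elk sebp/elk
fi
```

With this binding, http://localhost:5601 from step 4 still works on the Docker host, while other machines on the network cannot reach the three ports.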
