Version information:
Ubuntu 22.04.5 LTS
Elasticsearch v9.3.1
Kibana v9.3.1
Fluent Bit v4.2.2
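In Elasticsearch 8.x and 9.x, the Enrollment Token mechanism is tightly bound to SSL,
Deploying EFK with Docker Compose
Create the following directories for the project, to hold configuration files and data respectively: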
mkdir config/{fluent-bit,kibana,elasticsearch} -p
mkdir data/{fluent-bit,kibana,elasticsearch} -p
The overall project directory layout is as follows:
# tree
.
├── config
│   ├── elasticsearch
│   ├── fluent-bit
│   │   └── fluent-bit.conf
│   └── kibana
├── data
│   ├── elasticsearch
│   ├── fluent-bit
│   └── kibana
└── docker-compose.yml
An example fluent-bit.conf is as follows:

fluent-bit.conf

[SERVICE]
    Flush        1
    Log_Level    info
    Daemon       off

[INPUT]
    Name    cpu
    Tag     cpu_usage

[INPUT]
    Name      forward
    Listen    0.0.0.0
    Port      24224

[OUTPUT]
    Name                  es
    Match                 *
    Host                  elasticsearch
    Port                  9200
    # An ES username and password must be configured for data to be shipped
    HTTP_User             elastic
    HTTP_Passwd           changeme
    Index                 fluentbit
    Type                  _doc
    Suppress_Type_Name    On
The docker-compose.yml configuration is as follows:
docker-compose.yml

services:
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:9.3.1
    container_name: elasticsearch
    environment:
      - node.name=elasticsearch
      - discovery.type=single-node
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
      - xpack.security.enabled=true
      - xpack.security.enrollment.enabled=true
      - xpack.security.transport.ssl.enabled=false
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - ./data/elasticsearch:/usr/share/elasticsearch/data
    ports:
      - "19200:9200"
    networks:
      - efk-net

  kibana:
    image: docker.elastic.co/kibana/kibana:9.3.1
    container_name: kibana
    environment:
      - ELASTICSEARCH_HOSTS=http://elasticsearch:9200
      - ELASTICSEARCH_USERNAME=kibana_system
      - ELASTICSEARCH_PASSWORD=dHCC5hm-lwK1Ifoz=E3I
    volumes:
      - ./data/kibana:/usr/share/kibana/data
    ports:
      - "5601:5601"
    depends_on:
      - elasticsearch
    networks:
      - efk-net

  fluent-bit:
    image: fluent/fluent-bit:4.2.2
    container_name: fluent-bit
    volumes:
      - ./config/fluent-bit/fluent-bit.conf:/fluent-bit/etc/fluent-bit.conf
      - /var/log:/var/log:ro
    depends_on:
      - elasticsearch
    networks:
      - efk-net

networks:
  efk-net:
    driver: bridge
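If startup fails, check the logs. Once everything has started normally, open Kibana at <KIBANA_IP>:5601
Seeing this screen means your Elasticsearch has started successfully. This is a new security feature of the Elastic 9.x series: because security verification is enabled, Kibana needs an "admission permit" (Enrollment Token) after startup to complete its handshake with Elasticsearch.
You can choose to generate a token, disable verification entirely, or use password authentication. This example uses password authentication.
Generating the passwords
Generate a password for the administrator user elastic (password reset)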
# docker compose exec -it elasticsearch /usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic
This tool will reset the password of the [elastic] user to an autogenerated value.
The password will be printed in the console.
Please confirm that you would like to continue [y/N]y
Password for the [elastic] user successfully reset.
New value: xf52=nGPAf3TBOIbMuKR
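Generate a password for kibana_system

docker compose exec -it elasticsearch bin/elasticsearch-reset-password -u kibana_system

Disabling verification entirely (fastest; recommended for development environments)
Click Configure manually at the bottom of the page in your screenshot.
In the address field, enter: http://elasticsearch:9200

xpack.security.enabled: false
# Kibana environment variable
ELASTICSEARCH_HOSTS: http://elasticsearch:9200

Summary of common errors

This is a superuser account that cannot write to system indices that Kibana needs to function

Kibana cannot be configured to authenticate with the ES administrator account elastic; otherwise it will fail to start.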
docker-compose.yml

  kibana:
    image: docker.elastic.co/kibana/kibana:9.3.1
    container_name: kibana
    environment:
      - ELASTICSEARCH_HOSTS=http://elasticsearch:9200
      - ELASTICSEARCH_USERNAME=kibana_system
      # No quotes inside a list-form entry: Compose passes them to Kibana as part of the password
      - ELASTICSEARCH_PASSWORD=dHCC5hm-lwK1Ifoz=E3I
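
The following is an added example, not part of the original post: a small lint for Compose list-form environment entries that flags the problems this setup can run into (Kibana authenticating as elastic, security disabled, credentials sent over plain HTTP, passwords stored inline, and quotes written inside an entry, which Compose keeps as literal characters of the value). The function names and the sample entries are constructed for illustration.

```python
"""Lint Compose list-form `environment:` entries for the pitfalls on this page."""

def parse_env(entries):
    # Compose splits each list entry on the first '=' and keeps the rest
    # verbatim, so quotes written inside the entry become part of the value.
    return dict(e.split("=", 1) for e in entries if "=" in e)

def lint_service(name, entries):
    findings = []
    env = parse_env(entries)
    for key, value in env.items():
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            findings.append(f"{name}: {key} value includes literal quotes")
        if key.upper().endswith(("PASSWORD", "PASSWD")):
            findings.append(f"{name}: {key} is stored inline in the compose file")
    # Kibana refuses to start when it authenticates as the superuser.
    if name == "kibana" and env.get("ELASTICSEARCH_USERNAME") == "elastic":
        findings.append("kibana: authenticates as the elastic superuser")
    if env.get("ELASTICSEARCH_HOSTS", "").startswith("http://"):
        findings.append(f"{name}: credentials travel to Elasticsearch over plain HTTP")
    if env.get("xpack.security.enabled") == "false":
        findings.append(f"{name}: Elasticsearch authentication is disabled")
    return findings

def lint_all(services):
    return [f for name, entries in services.items()
            for f in lint_service(name, entries)]

# Constructed sample input: entries as a YAML parser would return them.
# The password is a placeholder, not a value from the page.
SAMPLE = {
    "elasticsearch": ["discovery.type=single-node", "xpack.security.enabled=false"],
    "kibana": [
        "ELASTICSEARCH_HOSTS=http://elasticsearch:9200",
        "ELASTICSEARCH_USERNAME=elastic",
        "ELASTICSEARCH_PASSWORD='example=placeholder'",
    ],
}

if __name__ == "__main__":
    for finding in lint_all(SAMPLE):
        print(finding)
```

To lint a real file, load docker-compose.yml with a YAML parser and pass each service's environment list to lint_service.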