filebeat收集docker日志

### 部署docker
yum install docker-ce

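### 编辑配置文件
注意：registry-mirrors 中的第三方镜像站处于镜像拉取的信任链上，建议只保留自己信任且确认可用的站点，关键镜像按 digest（`镜像名@sha256:<digest>`）拉取；另外下面列表中 `https://docker.m.daocloud.io` 重复出现了两次。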
vim /etc/docker/daemon.json
{
  "data-root": "/var/lib/docker",
	"registry-mirrors": [
		"https://docker.1panel.live",
		"https://dockercf.jsdelivr.fyi",
		"https://docker-cf.registry.cyou",
		"https://docker.chenby.cn",
		"https://docker.jsdelivr.fyi",
		"https://docker.m.daocloud.io",
		"https://docker.m.daocloud.io",
		"https://docker.mirrors.sjtug.sjtu.edu.cn",
		"https://docker.mirrors.ustc.edu.cn",
		"https://docker.nju.edu.cn",
		"https://dockerproxy.com",
		"https://docker.rainbond.cc",
		"https://docker.registry.cyou",
		"https://dockertest.jsdelivr.fyi",
		"https://hub-mirror.c.163.com",
		"https://hub.rat.dev/",
		"https://mirror.aliyuncs.com",
		"https://mirror.baidubce.com",
		"https://mirror.iscas.ac.cn",
		"https://registry.docker-cn.com"
	]
}


### 启动docker
systemctl start docker
#### filebeat配置文件（docker类型）
vi /app/filebeat/config/docker.yaml
filebeat.inputs:
  # Use the docker input type.
  # NOTE(review): newer Filebeat releases deprecate the docker input in favour of
  # the container input; confirm against the Filebeat version in use.
- type: docker
  # Container IDs to collect from; '*' is a wildcard, so the stdout/stderr of
  # every container on the host is collected, including anything sensitive
  # an application prints there.
  containers.ids: 
    - '*'
# Print events to the terminal (console output), pretty-printed.
output.console:
  pretty: true

image-20241007143639729

#### 利用container类型
filebeat.inputs:
# Container input: read every file matching the glob below, i.e. the per-container
# log files under the Docker data-root configured earlier (/var/lib/docker).
- type: container
  paths: 
    - '/var/lib/docker/containers/*/*.log'

# Console output is commented out here; Filebeat allows only one output to be
# enabled at a time.
# output.console:
#   pretty: true

# Ship events to the three Elasticsearch nodes listed in hosts.
# NOTE(review): the hosts use plain http and no credentials are configured, so
# log events cross the network unencrypted and the cluster is presumably
# accepting unauthenticated writes. Outside a lab, use https hosts with
# ssl.certificate_authorities plus username/password or api_key.
output.elasticsearch:
  hosts: ["http://10.0.0.101:9200","http://10.0.0.102:9200","http://10.0.0.103:9200"] 


------------------
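### /var/lib/docker/containers/ 目录下是docker的日志
每个容器ID对应一个子目录；下面的输出显示这些目录权限为 drwx--x---（root:root），filebeat 进程需要有读取权限才能采集，不要为此放宽目录权限。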
[root@elk101 ~]# ll /var/lib/docker/containers/
总用量 0
drwx--x--- 4 root root 237 10月  7 14:31 858e0d1f3ee89290cbcc29a53b7d94ec8998cdca73edd0c0f211244d7539b96d
drwx--x--- 4 root root 237 10月  7 14:33 db783c3f6aa16df288b8848f6c033cd3da710e03a35b205fd731f390f92fc2f3

image-20241007144735668