如何从 dockerised ELK 中清除日志文件?

How do I clean log files from dockerised ELK?

我正在使用 docker-elk,我想清除所有日志文件,但我不确定它们存储在哪里。有趣的是,当我停止并删除所有 docker 容器,然后从 docker-compose 文件中删除 运行 它们时,ELK 服务器仍然包含所有旧日志。这是为什么?

这是我的docker-compose.yml供参考:

version: '3.2'

services:
  elasticsearch:
    build:
      context: elasticsearch/
      args:
        ELK_VERSION: $ELK_VERSION
    volumes:
      - type: bind
        source: ./elasticsearch/config/elasticsearch.yml
        target: /usr/share/elasticsearch/config/elasticsearch.yml
        read_only: true
      - type: volume
        source: elasticsearch
        target: /usr/share/elasticsearch/data
    ports:
      - "9200:9200"
      - "9300:9300"
    environment:
      ES_JAVA_OPTS: "-Xmx256m -Xms256m"
      ELASTIC_PASSWORD: changeme
      # Use single node discovery in order to disable production mode and avoid bootstrap checks
      # see https://www.elastic.co/guide/en/elasticsearch/reference/current/bootstrap-checks.html
      discovery.type: single-node
    network_mode: "host"
    # networks:
    #   - elk

  logstash:
    build:
      context: logstash/
      args:
        ELK_VERSION: $ELK_VERSION
    volumes:
      - type: bind
        source: ./logstash/config/logstash.yml
        target: /usr/share/logstash/config/logstash.yml
        read_only: true
      - type: bind
        source: ./logstash/pipeline
        target: /usr/share/logstash/pipeline
        read_only: true
    ports:
      - "5000:5000/tcp"
      - "5000:5000/udp"
      - "9600:9600"
    environment:
      LS_JAVA_OPTS: "-Xmx256m -Xms256m"
    network_mode: "host"
    # networks:
    #   - elk
    depends_on:
      - elasticsearch

  kibana:
    build:
      context: kibana/
      args:
        ELK_VERSION: $ELK_VERSION
    volumes:
      - type: bind
        source: ./kibana/config/kibana.yml
        target: /usr/share/kibana/config/kibana.yml
        read_only: true
    ports:
      - "5601:5601"
    network_mode: "host"
    # networks:
    #   - elk
    depends_on:
      - elasticsearch

networks:
  elk:
    driver: bridge

volumes:
  elasticsearch:

虽然 non-Docker Elasticsearch 默认记录到 /var/log/elasticsearch/elasticsearch.log(在 Linux 上),但 Docker 容器将它们的日志写入 STDOUT ,这通常是Docker best practice.

这些日志应该在 /var/lib/docker/containers/ 中,但请注意,在 Mac 上,这是在 Docker 使用的小型 VM 层内,因此您无法直接访问它。

如何“停止并删除所有 docker 容器”并且仍然“ELK 服务器仍然包含所有旧日志”? docker-compose down -v 应该删除所有内容,您在 docker logs 或其他地方看到日志了吗?

您已安装卷:

  - type: volume
    source: elasticsearch
    target: /usr/share/elasticsearch/data

我想如果你删除这个卷并重建你的 docker-compose 你会得到没有数据的新容器。