How to deploy Filebeat on Oracle Linux 9.x?
- By : Will
- Category : Elastic Stack
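1 Fundamentals
1.1 Introduction to the software
– Filebeat is a lightweight shipper for forwarding and centralizing log data
– Filebeat is installed as an agent on a server, monitors the specified log files or locations, and collects log events
– Filebeat forwards the collected logs to Elasticsearch or Logstash for indexing
1.2 How it works
As shown in the figure above,
– Filebeat consists of two main components: inputs and harvesters
– A Filebeat harvester reads the content of a single file line by line (one harvester per file) and sends the content to the output
– A Filebeat input manages the harvesters, finds the sources that match the configured patterns, and starts a separate harvester for each matching file
– The harvester picks up the latest content of the log and sends it to Filebeat's libbeat (libbeat is a lightweight data shipper framework)
– Filebeat's lightweight shipper framework aggregates the events and sends the aggregated data to the output configured for Filebeat (Elasticsearch, Logstash, etc.)
Note: while a harvester is running, the file descriptor stays open; if the file is deleted or renamed while it is being harvested, Filebeat continues to read it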
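The note above, as an added example (not Filebeat's code and not part of the original page): a toy Python harvester keeps one descriptor open and compares its inode with the path, showing that lines written to a renamed or deleted file are still read, while a new file at the old path is not seen by the old harvester. The `Harvester` class, the state labels and the `app.log` sample file are assumptions made for this illustration.

```python
import os
import tempfile


class Harvester:
    """Toy model of one harvester: a single descriptor kept open on one file."""
    def __init__(self, path):
        self.path = path
        self.fh = open(path, "r", encoding="utf-8")

    def read_new_lines(self):
        # Reads from the current offset of the open descriptor, not from the path.
        return [line.rstrip("\n") for line in self.fh.readlines()]

    def file_state(self):
        # Compare the inode behind the descriptor with what the path names now.
        held = os.fstat(self.fh.fileno())
        if held.st_nlink == 0:
            return "deleted"
        try:
            now = os.stat(self.path)
        except FileNotFoundError:
            return "renamed"
        return "unchanged" if os.path.samestat(held, now) else "replaced"

def append(path, text):
    with open(path, "a", encoding="utf-8") as f:
        f.write(text)

def demo():
    """Run a constructed rotate-then-delete sequence against one harvester."""
    seen = []
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "app.log")   # constructed sample file
        append(log, "event 1\n")
        h = Harvester(log)
        seen.append((h.file_state(), h.read_new_lines()))
        os.rename(log, log + ".1")         # rotation: the old file is moved aside
        append(log + ".1", "event 2\n")
        seen.append((h.file_state(), h.read_new_lines()))
        append(log, "event 3\n")           # a new file appears at the old path
        seen.append((h.file_state(), h.read_new_lines()))
        append(log + ".1", "event 4\n")
        os.remove(log + ".1")              # the old file is deleted
        seen.append((h.file_state(), h.read_new_lines()))
        h.fh.close()
    return seen

if __name__ == "__main__":
    print(demo())
```

The third step returns no lines: "event 3" lives in a different inode, which is why an input has to start a separate harvester for the new file.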
2 Best practice
2.1 Environment information
Host Name = filebeat.cmdschool.org
OS = Oracle Linux 9.x x86_64
IP Address = any
2.2 Preparation before installation
In Filebeat,
2.2.1 Basic environment configuration
2.2.2 Configure the installation repository
vim /etc/yum.repos.d/elasticsearc.repo
Add the following configuration:
[elasticsearch]
name=Elasticsearch repository for 8.x packages
baseurl=https://artifacts.elastic.co/packages/8.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
2.3 Install Filebeat
2.3.1 Install the specified version
dnf install -y filebeat-8.11.3
2.3.2 Start the service and enable it at boot
systemctl start filebeat.service
systemctl enable filebeat.service
In addition, it is recommended to check the service status with the following command:
systemctl status filebeat.service
The following output is shown:
● filebeat.service - Filebeat sends log files to Logstash or directly to Elasticsearch.
     Loaded: loaded (/usr/lib/systemd/system/filebeat.service; enabled; preset: disabled)
     Active: active (running) since Wed 2024-01-03 15:16:37 CST; 1 week 0 days ago
       Docs: https://www.elastic.co/beats/filebeat
   Main PID: 11102 (filebeat)
      Tasks: 6 (limit: 11121)
     Memory: 47.5M
        CPU: 1min 51.399s
     CGroup: /system.slice/filebeat.service
             └─11102 /usr/share/filebeat/bin/filebeat --environment systemd -c /etc/filebeat/filebeat.yml --path.home /usr/share/filebeat --path.config /e>

Jan 11 09:33:07 filebeat.cmdschool.org filebeat[11102]: {"log.level":"info","@timestamp":"2024-01-11T09:33:07.609+0800","log.logger":"monitoring",">
Jan 11 09:33:37 filebeat.cmdschool.org filebeat[11102]: {"log.level":"info","@timestamp":"2024-01-11T09:33:37.609+0800","log.logger":"monitoring",">
Jan 11 09:34:07 filebeat.cmdschool.org filebeat[11102]: {"log.level":"info","@timestamp":"2024-01-11T09:34:07.616+0800","log.logger":"monitoring",">
Jan 11 09:34:37 filebeat.cmdschool.org filebeat[11102]: {"log.level":"info","@timestamp":"2024-01-11T09:34:37.609+0800","log.logger":"monitoring",">
Jan 11 09:35:07 filebeat.cmdschool.org filebeat[11102]: {"log.level":"info","@timestamp":"2024-01-11T09:35:07.609+0800","log.logger":"monitoring",">
Jan 11 09:35:37 filebeat.cmdschool.org filebeat[11102]: {"log.level":"info","@timestamp":"2024-01-11T09:35:37.609+0800","log.logger":"monitoring",">
Jan 11 09:36:07 filebeat.cmdschool.org filebeat[11102]: {"log.level":"info","@timestamp":"2024-01-11T09:36:07.609+0800","log.logger":"monitoring",">
Jan 11 09:36:37 filebeat.cmdschool.org filebeat[11102]: {"log.level":"info","@timestamp":"2024-01-11T09:36:37.609+0800","log.logger":"monitoring",">
Jan 11 09:37:07 filebeat.cmdschool.org filebeat[11102]: {"log.level":"info","@timestamp":"2024-01-11T09:37:07.609+0800","log.logger":"monitoring",">
Jan 11 09:37:37 filebeat.cmdschool.org filebeat[11102]: {"log.level":"info","@timestamp":"2024-01-11T09:37:37.610+0800","log.logger":"monitoring",">
To look up the ID of the running process, use the following command:
pgrep -u root filebeat -a
The following is displayed:
11102 /usr/share/filebeat/bin/filebeat --environment systemd -c /etc/filebeat/filebeat.yml --path.home /usr/share/filebeat --path.config /etc/filebeat --path.data /var/lib/filebeat --path.logs /var/log/filebeat
Then, to check the ports the service listens on, use the following command:
for i in `pgrep -u root filebeat`; do netstat -anp | grep $i; done
The following is displayed:
unix 3 [ ] STREAM CONNECTED 1031670 11102/filebeat
unix 2 [ ] DGRAM CONNECTED 1031680 11102/filebeat
References
================
Introduction to the software
——————
https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-overview.html
How Filebeat works
——————
https://www.elastic.co/guide/en/beats/filebeat/current/how-filebeat-works.html
Filebeat installation
—————–
https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html