如何部署Filebeat与logstash集成?
- By : Will
- Category : Elastic Stack
1 前言
一个问题,一篇文章,一出故事。
本章将整理Filebeat与Logstash集成,然后通过Logstash将日志保存到Elasticsearch中。
2 最佳实践
2.1 环境信息
2.1.1 主机信息
Host Name = elasticsearch[01-03].cmdschool.org
IP Address = 10.168.0.[100 – 102] OS = Oracle Linux 9.x x86_64
Elasticsearch Version = 8.11.3
另外,如果你需要部署Elasticsearch集群环境,请参阅以下文档,
Host Name = kibana.cmdschool.org
OS = Oracle Linux 9.x x86_64
IP Address = 10.168.0.99
另外,如果你需要部署Kibana集群环境,请参阅以下文档,
Host Name = logstash.cmdschool.org
IP Address = 10.168.0.103 OS = Oracle Linux 9.x x86_64
Elasticsearch Version = 8.11.3
另外,如果你需要部署Logstash环境,请参阅以下文档,
Host Name = filebeat.cmdschool.org
OS = Oracle Linux 9.x x86_64
IP Address = any
另外,如果你需要部署Filebeat,请参阅以下文档,
2.2.2 配置名称解析
In All,
vim /etc/hosts
加入如下配置,
10.168.0.100 elasticsearch01 elasticsearch01.cmdschool.org 10.168.0.101 elasticsearch02 elasticsearch02.cmdschool.org 10.168.0.102 elasticsearch03 elasticsearch03.cmdschool.org 10.168.0.103 logstash logstash.cmdschool.org 10.168.0.99 kibana kibana.cmdschool.org
注:以上配置仅用于测试,正式环境请使用DNS代替
2.3 配置Filebeat
2.3.1 修改配置文件
cp /etc/filebeat/filebeat.yml /etc/filebeat/filebeat.yml.default vim /etc/filebeat/filebeat.yml
配置修改如下,
filebeat.inputs:
- type: log
id: filebeat.cmdschool.org
enabled: true
paths:
- /var/log/maillog
filebeat.config.modules:
path: ${path.config}/modules.d/*.yml
reload.enabled: false
setup.template.settings:
index.number_of_shards: 3
output.logstash:
hosts: ["logstash.cmdschool.org:5044"]
processors:
- add_host_metadata: ~
然后,你可以运行以下命令测试配置,
filebeat test config
然后,你可以运行以下命令测试Filebeat与Elasticsearch之间的配置,
filebeat test output
2.3.2 禁用logstash模块
filebeat modules disable logstash
按照我们的经验,logstash模块开启会影响日志的上传,所以你需要禁用该模块,然后使用如下命令确认,
filebeat modules list
可见如下输出,
Enabled: Disabled: activemq apache auditd #... logstash #...
2.3.3 重启服务使配置生效
systemctl restart filebeat.service
2.3.4 配置日志视图
echo "test" | s-nail -s "test" -r admin@cmdschool.org will@cmdschool.org
由于我们监控的是邮件日志,因此我们使用以上命令触发日志,
然后,我们使用Kibana确认自动创建的日志索引,
http://kibana.cmdschool.org:5601/app/management/data/index_management/indices
如上图所示,
单击【Management】->【Data】->【Index Managerment】可见看到因为触发日志而产生的索引
如上图所示,
单击【Management】->【Kibana】->【Data Views】->【Create data view】
在“Name”中填写数据视图名称,本范例为“filebeat”
在“Index pattern”中填写索引模式,本范例为“filebeat-*”
如上图所示,
单击【Analytics】->【Discover】即可查看服务产生的日志。
参阅文档
================
软件的介绍
——————
https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-overview.html
Filebeat工作原理
——————
https://www.elastic.co/guide/en/beats/filebeat/current/how-filebeat-works.html
Filebeat安装
—————–
https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html
Filebeat与Elasticsearch集群直连配置方法
—————————————-
http://kibana.cmdschool.org:5601/app/home#/tutorial/logstashLogs
Filebeat的配置
——————
https://www.elastic.co/guide/en/beats/filebeat/current/howto-guides.html
Elastic Kibana postfix
———————–
https://github.com/ActionScripted/elastic-kibana-postfix
filebeat module postfix
————————-
https://github.com/maurom/filebeat-module-postfix
没有评论