Linux安装Logstash

Logstash安装

一、上传解压重命名

将Logstash压缩包上传到/home/下解压压缩包并重命名

[root@localhost home] tar -zxf logstash-7.15.0-linux-x86_64.tar.gz 
[root@localhost home] mv logstash-7.15.0 logstash

二、生成SSL证书文件

进入ES安装根目录下

[root@localhost] cd /home/elasticsearch

生成logstash 客户端证书

[root@localhost elasticsearch] ./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 --name logstash --pem --out logstash.zip

解压logstash.zip当没有这个命令时，执行yum install unzip -y 安装zip工具

[root@localhost elasticsearch] unzip logstash.zip 

进入logstash中执行一下命令logstash 需要生成一个p8文件

[root@localhost elasticsearch] cd logstash
[root@localhost logstash] openssl pkcs8 -in logstash.key -topk8 -nocrypt -out logstash.p8
[root@localhost logstash] ls
logstash.crt  logstash.key  logstash.p8

拷贝CA公钥文件到当前目录

[root@localhost logstash]# cp ../ca.pem ./

返回上一级目录，并拷贝logstash目录到logstash目录下

[root@localhost logstash] cd ..
[root@localhost elasticsearch] cp -r logstash /home/logstash/

三、修改配置文件

进入logstash/config根目录修改配置文件 logstash.yml

[root@localhost config] vi logstash.yml 

# 修改host 
http.host: 0.0.0.0
# 开启监控
xpack.monitoring.enabled: true
# 配置ES地址 请注意协议是https
xpack.monitoring.elasticsearch.hosts: ["https://127.0.0.1:9200"]
xpack.monitoring.elasticsearch.ssl.verification_mode: none
# 证书路径
xpack.monitoring.elasticsearch.ssl.certificate_authority: "/opt/logstash/logstash/ca.pem"
xpack.monitoring.elasticsearch.sniffing: false
# es账号
xpack.monitoring.elasticsearch.username: elastic
# es密码
xpack.monitoring.elasticsearch.password: P8nhGN121I4VT0LMVwIT

修改解析配置文件名称

[root@localhost config] mv logstash-sample.conf logstash.conf

使用root用户启动服务

[root@localhost logstash] cd ../bin
[root@localhost bin] ./logstash -f ../config/logstash.conf --config.reload.automatic
#或 后台运行
[root@localhost bin] nohup ./logstash -f ../config/logstash.conf --config.reload.automatic &

四、测试验证

测试是否启动成功

[root@localhost ~] curl http://127.0.0.1:9600
{"host":"localhost.localdomain","version":"7.15.0","http_address":"0.0.0.0:9600","id":"0ce2b441-6a31-4b38-8868-018b06178f54","name":"localhost.localdomain","ephemeral_id":"4801a1e2-832d-4b95-8a63-0964623dafec","status":"green","snapshot":false,"pipeline":{"workers":1,"batch_size":125,"batch_delay":50},"monitoring":{"hosts":["http://127.0.0.1:9200"],"username":"logstash_system"},"build_date":"2021-09-16T01:56:12Z","build_sha":"fd0927b95e580d5178256fb6adb6b79a1af3345b","build_snapshot":false}

注意事项

1. http协议端口 9600
2. beat默认端口 5044 (采集使用)
3. syslog tcp udp 默认端口 514 (采集Linux系统日志)

完整配置文件

# 工作管道（性能优化配置）=CPU核数
pipeline.workers: 4
# 批处理（性能优化配置）
pipeline.batch.size: 1000
# 响应时间（性能优化配置）
pipeline.batch.delay: 10

# 绑定IP地址
http.host: "0.0.0.0"
# 开启监控
xpack.monitoring.enabled: true
xpack.monitoring.elasticsearch.username: elastic
xpack.monitoring.elasticsearch.password: 53Am18Spax2dkjIW4GeC
xpack.monitoring.elasticsearch.hosts: ["https://127.0.0.1:9200"]
xpack.monitoring.elasticsearch.ssl.verification_mode: none
xpack.monitoring.elasticsearch.ssl.certificate_authority: "/home/logstash/config/certs/ca.pem"
xpack.monitoring.elasticsearch.sniffing: false

logstash秘钥库

ES_PWD 密码 key ，ES_ACCESS 账号key

创建密码库

bin/logstash-keystore create

添加密钥key，过程中需要输入对应的密码

bin/logstash-keystore add ES_PWD

查看key 列表

bin/logstash-keystore list

删除 key

bin/logstash-keystore remove ES_PWD

设置密码

set +o history
export LOGSTASH_KEYSTORE_PASS=123456
set -o history

替换明文密码

xpack.monitoring.elasticsearch.username: ${ES_ACCESS}
xpack.monitoring.elasticsearch.password: ${ES_PWD}