ELK-FileBeat安装

1、基础知识

1.1、简介

根据我们对ELK的经典架构的了解,他的数据收集和处理流程是:beats - logstash - elasticsearch - kibana。
Beats默认提供了很多中场景的组件,最常见的就是FileBeat

1.2、Beat场景

1.3、FileBeat安装参考文档

https://www.elastic.co/guide/en/beats/filebeat/7.17/filebeat-installation-configuration.html

2、环境准备

2.1、主机准备

Ubuntu操作系统  内存:2G   CPU:1核
FileBeat     192.168.10.30

2.2、同步时间

# 设置时区
timedatectl set-timezone Asia/Shanghai

# 同步系统时间
apt install -y ntpdate cron
systemctl start cron
systemctl enable cron

cat << 'CAT_END' > /var/spool/cron/crontabs/root 
#ntp Server update
*/5 * * * * /usr/sbin/ntpdate ntp5.aliyun.com  2>&1 > /dev/null
#ntp end
CAT_END

ntpdate ntp5.aliyun.com

2.3、设置主机名

hostnamectl set-hostname filebeat

3、FileBeat安装

3.1、方式1:yum、apt配置仓库安装

3.1.1、yum安装参考官网

https://www.elastic.co/guide/en/beats/filebeat/7.17/setup-repositories.html

3.1.2、apt安装参考官网

wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
sudo apt-get install apt-transport-https
echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list
sudo apt-get update && sudo apt-get install filebeat

3.2、方式2:下载.deb包离线安装

curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.17.10-amd64.deb
sudo dpkg -i filebeat-7.17.10-amd64.deb

3.3、配置目录结构介绍

root@filebeat:~# dpkg -L filebeat | grep -Ei 'filebeat.yml|filebeat.service'
/lib/systemd/system/filebeat.service
/etc/filebeat/filebeat.yml

3.4、配置

3.4.1、配置filebeat.yml

root@filebeat:~# grep -iEv '#|^$' /etc/filebeat/filebeat.yml
filebeat.inputs:
- type: log
  id: filebeat_index
  enabled: true
  paths:
    - /var/log/syslog
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false
setup.template.settings:
  index.number_of_shards: 5
setup.kibana:
output.elasticsearch:
  hosts: ["192.168.10.25:9200"]
  template.name: "filebeat"
processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  - add_kubernetes_metadata: ~

属性解析:
enabled: true 表示启用这条配置
template.name 在将数据传入到elasticsearch的时候,自动添加一个索引,名称是filebeat

3.4.2、配置内容解析

root@filebeat:~# grep -Evi '#|^$' /etc/filebeat/filebeat.yml  
filebeat.inputs:
- type: filestream
  id: my-filestream-id
  enabled: false       # 默认该功能没有开启
  paths:
    - /var/log/*.log
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false
setup.template.settings:
  index.number_of_shards: 1    # 默认的数据分片个数是 1
setup.kibana:
output.elasticsearch:          # 数据的输出
  hosts: ["localhost:9200"]
processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  - add_kubernetes_metadata: ~

# 注意:filebeat.yml 这就是filebeat的配置文件,里面有12部分的配置,而我们重点关心的就是"Filebeat inputs" 和 "Outputs"

3.5、重启服务

systemctl start filebeat
systemctl status filebeat

3.6、查看ES是否有filebeat索引

root@filebeat:~# curl 192.168.10.25:9200/_cat/indices  | grep file
green open filebeat-7.17.10-2023.06.06-000001 k8EeqgiTQmCzIfg58XdWCQ 5 1   3     0 86.7kb 43.3kb

 

posted @ 2023-06-06 20:26  小粉优化大师  阅读(70)  评论(0编辑  收藏  举报