{"id":1572,"date":"2022-05-02T16:10:29","date_gmt":"2022-05-02T08:10:29","guid":{"rendered":"https:\/\/www.buyao007.icu\/?p=1572"},"modified":"2022-05-07T21:21:47","modified_gmt":"2022-05-07T13:21:47","slug":"3-filebeat%e6%97%a5%e5%bf%97%e6%94%b6%e9%9b%86","status":"publish","type":"post","link":"https:\/\/www.buyao007.icu\/?p=1572","title":{"rendered":"3.Filebeat\u65e5\u5fd7\u6536\u96c6"},"content":{"rendered":"\n

\u5b59\u5bcc\u9633\uff0c \u6c5f\u6e56\u4eba\u79f0\u6ca1\u4eba\u79f0\u3002\u591a\u5e74\u4e92\u8054\u7f51\u8fd0\u7ef4\u5de5\u4f5c\u7ecf\u9a8c\uff0c\u66fe\u8d1f\u8d23\u8fc7\u5b59\u5e03\u65af\u5927\u89c4\u6a21\u96c6\u7fa4\u67b6\u6784\u81ea\u52a8\u5316\u8fd0\u7ef4\u7ba1\u7406\u5de5\u4f5c\u3002\u64c5\u957fWeb\u96c6\u7fa4\u67b6\u6784\u4e0e\u81ea\u52a8\u5316\u8fd0\u7ef4\uff0c\u66fe\u8d1f\u8d23\u56fd\u5185\u67d0\u5927\u578b\u535a\u5ba2\u7f51\u7ad9\u8fd0\u7ef4\u5de5\u4f5c\u3002<\/p>\n\n\n\n

1.EBLK\u4ecb\u7ecd<\/h2>\n\n\n\n

1.\u65e5\u5fd7\u5206\u6790\u7684\u9700\u6c42<\/em><\/strong><\/p>\n\n\n\n

1.\u627e\u51fa\u8bbf\u95ee\u6392\u540d\u524d\u5341\u7684IP,URL\r\n2.\u627e\u51fa10\u70b9\u523012\u70b9\u4e4b\u95f4\u6392\u540d\u524d\u5341\u7684IP,URL\r\n3.\u5bf9\u6bd4\u6628\u5929\u8fd9\u4e2a\u65f6\u95f4\u6bb5\u8bbf\u95ee\u60c5\u51b5\u6709\u4ec0\u4e48\u53d8\u5316\r\n4.\u5bf9\u6bd4\u4e0a\u4e2a\u661f\u671f\u540c\u4e00\u5929\u540c\u4e00\u65f6\u95f4\u6bb5\u7684\u8bbf\u95ee\u53d8\u5316\r\n5.\u627e\u51fa\u641c\u7d22\u5f15\u64ce\u8bbf\u95ee\u7684\u6b21\u6570\u548c\u6bcf\u4e2a\u641c\u7d22\u5f15\u64ce\u5404\u8bbf\u95ee\u4e86\u591a\u5c11\u6b21\r\n6.\u6307\u5b9a\u57df\u540d\u7684\u5173\u952e\u94fe\u63a5\u8bbf\u95ee\u6b21\u6570,\u54cd\u5e94\u65f6\u95f4\r\n7.\u7f51\u7ad9HTTP\u72b6\u6001\u7801\u60c5\u51b5\r\n8.\u627e\u51fa\u653b\u51fb\u8005\u7684IP\u5730\u5740,\u8fd9\u4e2aIP\u8bbf\u95ee\u4e86\u4ec0\u4e48\u9875\u9762,\u8fd9\u4e2aIP\u4ec0\u4e48\u65f6\u5019\u6765\u7684,\u4ec0\u4e48\u65f6\u5019\u8d70\u7684,\u5171\u8bbf\u95ee\u4e86\u591a\u5c11\u6b21\r\n9.5\u5206\u949f\u5185\u544a\u8bc9\u7ed3\u679c\r<\/code><\/pre>\n\n\n\n
2.EBLK\u7684\u529f\u80fd\u4ecb\u7ecd<\/em><\/strong><\/p>\n\n\n\n
E   Elasticsearch java\r\nB   Filebeat      Go \r\nL   Logstash      java\r\nK   Kibana        java\r<\/code><\/pre>\n\n\n\n
3.EBK\u65e5\u5fd7\u6536\u96c6\u6d41\u7a0b<\/em><\/strong><\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
2.\u5b9e\u9a8c\u73af\u5883\u914d\u7f6e<\/h2>\n\n\n\n
1.Elasticsearch\u5355\u8282\u70b9\u5b89\u88c5\u90e8\u7f72<\/em><\/strong><\/p>\n\n\n\n
rpm -ivh elasticsearch-7.9.1-x86_64.rpm\r\ncat > \/etc\/elasticsearch\/elasticsearch.yml << 'EOF'    \r\nnode.name: node-1\r\npath.data: \/var\/lib\/elasticsearch\r\npath.logs: \/var\/log\/elasticsearch\r\nnetwork.host: 127.0.0.1,10.0.0.51\r\nhttp.port: 9200\r\ndiscovery.seed_hosts: [\"10.0.0.51\"]\r\ncluster.initial_master_nodes: [\"10.0.0.51\"]\r\nEOF\r\nsystemctl daemon-reload\r\nsystemctl start elasticsearch.service\r\nnetstat -lntup|grep 9200\r\ncurl 127.0.0.1:9200\r<\/code><\/pre>\n\n\n\n
2.kibana\u5b89\u88c5\u90e8\u7f72<\/em><\/strong><\/p>\n\n\n\n
rpm -ivh kibana-7.9.1-x86_64.rpm\r\ncat > \/etc\/kibana\/kibana.yml << 'EOF'\r\nserver.port: 5601\r\nserver.host: \"10.0.0.51\"\r\nelasticsearch.hosts: [\"http:\/\/10.0.0.51:9200\"]\r\nkibana.index: \".kibana\"\r\nEOF\r\nsystemctl start kibana\r<\/code><\/pre>\n\n\n\n
3.Elasticsearch-head\u5b89\u88c5\u90e8\u7f72<\/em><\/strong><\/p>\n\n\n\n
google\u6d4f\u89c8\u5668-->\u66f4\u591a\u5de5\u5177-->\u62d3\u5c55\u7a0b\u5e8f-->\u5f00\u53d1\u8005\u6a21\u5f0f-->\u9009\u62e9\u89e3\u538b\u7f29\u540e\u7684\u63d2\u4ef6\u76ee\u5f55<\/code><\/pre>\n\n\n\n
3.filebeat\u57fa\u672c\u4f7f\u7528<\/h2>\n\n\n\n
1.filebeat\u4ece\u6807\u51c6\u8f93\u5165\u8bfb\u53d6\u4fe1\u606f<\/em><\/strong><\/p>\n\n\n\n
###\u5b89\u88c5\u5e76\u914d\u7f6e\r\nrpm -ivh filebeat-7.9.1-x86_64.rpm\r\ncp \/etc\/filebeat\/filebeat.yml \/opt\/\r\ncat > \/etc\/filebeat\/filebeat.yml << EOF\r\nfilebeat.inputs:\r\n- type: stdin ###\u8868\u793a\u4ece\u8f93\u5165\u4e2d\u6536\u53d6\u4fe1\u606f\r\n  enabled: true\r\noutput.console: ###\u4f60\u8981\u8f93\u51fa\u5230\u54ea\u91cc\r\n  pretty: true \r\n  enable: true\r\nEOF\r\n###\u542f\u52a8\u5e76\u68c0\u67e5\r\nfilebeat -e -c \/etc\/filebeat\/filebeat.yml\r\n\u7136\u540e\u76f4\u63a5\u5728\u5f53\u524d\u7ec8\u7aef\u8f93\u5165abc\uff0c\u4f1a\u53d1\u73b0\u81ea\u52a8\u6dfb\u52a0\u4e86\u5f88\u591a\u4fe1\u606f\uff0c\u5305\u62ec\u8282\u70b9\u540d\u79f0\u7b49\u4fe1\u606f\uff0c\u8fd9\u6837\u6536\u96c6\u7684\u65e5\u5fd7\u53ef\u4ee5\u65b9\u4fbf\u7684\u67e5\u8be2\u662f\u90a3\u4e2a\u8282\u70b9\u7684\u65e5\u5fd7\u3002\r<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
2.filebeat\u6536\u96c6message\u65e5\u5fd7<\/em><\/strong><\/p>\n\n\n\n
###\u914d\u7f6efilebeat\r\n[root@es-node3 ~]# cat \/etc\/filebeat\/filebeat.yml \r\nfilebeat.inputs:\r\n- type: log\r\n  paths:\r\n  - \/var\/log\/messages\r\n  enabled: true\r\noutput.elasticsearch:\r\n  hosts: [\"10.0.0.150:9200\",\"10.0.0.151:9200\",\"10.0.0.152:9200\"]\r\n###\u542f\u52a8\u5e76\u68c0\u67e5\r\n[root@es-node3 ~]# systemctl restart filebeat.service\r\n###\u767b\u5f55kibina\u5e76\u4f9d\u6b21\u70b9\u51fb\u4e0b\u56fe\u6240\u793a\u4f4d\u7f6e\r<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\u53ef\u4ee5\u770b\u5230\u65e5\u5fd7\u5df2\u7ecf\u88ab\u5c55\u793a\u8fc7\u6765\u4e86\r\n###\u5f80\u65e5\u5fd7\u91cc\u8f93\u5165\u70b9\u4e1c\u897f\r\n[root@es-node3 ~]# echo sunfuyang >> \/var\/log\/messages\r\n\u70b9\u51fb\u5237\u65b0\u540e\uff0c\u70b9\u51fb\u641c\u7d22\uff0c\u53d1\u73b0\u5df2\u7ecf\u547d\u4e2d\u4e86\r<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
4.filebeat\u6536\u96c6\u7cfb\u7edf\u6587\u4ef6\u65e5\u5fd7<\/h2>\n\n\n\n
1.\u914d\u7f6e\u6240\u6709\u7cfb\u7edf\u65e5\u5fd7\u6253\u5230sunfuyang.log\u91cc<\/em><\/strong><\/p>\n\n\n\n
[root@es-node3 ~]# yum install rsyslog -y\r\n[root@es-node3 ~]# vim \/etc\/rsyslog.conf\r\n# Provides UDP syslog reception\r\n$ModLoad imudp\r\n$UDPServerRun 514\r\n*.*     \/var\/log\/sunfuyang.log\r\n[root@es-node3 ~]# systemctl restart rsyslog\r\n###\u6d4b\u8bd5\u4e00\u4e0b\u662f\u5426\u80fd\u6253\u5230sunfuyang.log\u91cc\r\n[root@es-node3 ~]#  logger \"rsyslog test from sunfuyang\"\r<\/code><\/pre>\n\n\n\n
2.\u914d\u7f6efilebeat\u914d\u7f6e\u6587\u4ef6<\/em><\/strong><\/p>\n\n\n\n
[root@es-node3 ~]# cat \/etc\/filebeat\/filebeat.yml \r\nfilebeat.inputs:\r\n- type: log\r\n  paths:\r\n  - \/var\/log\/sunfuyang.log\r\n  enabled: true\r\noutput.elasticsearch:\r\n  hosts: [\"10.0.0.150:9200\",\"10.0.0.151:9200\",\"10.0.0.152:9200\"]\r\n[root@es-node3 ~]# systemctl restart filebeat.service \r<\/code><\/pre>\n\n\n\n
3.\u5220\u9664\u539f\u6765FIlebeat\u7684\u7d22\u5f15;\u91cd\u65b0\u6dfb\u52a0;<\/em><\/strong><\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\u91cd\u65b0\u521b\u5efa\u7d22\u5f15\uff0c\u5982\u4e0b\u56fe\u53d1\u73b0\u6709\u5f88\u591afilebeat\u7684info\u4fe1\u606f<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
4.\u914d\u7f6eFilebeat\u8fc7\u6ee4\u4e0d\u9700\u8981\u7684\u4fe1\u606f<\/em><\/strong><\/p>\n\n\n\n
###\u5220\u9664kibana\u5339\u914des\u7d22\u5f15\u7684\u6a21\u5f0f;\t( \u4e0d\u80fd\u770b\u6570\u636e,\u4e0d\u4ee3\u8868\u7d22\u5f15\u88ab\u5220\u9664; )\r\n###\u5220\u9664es\u7684\u7d22\u5f15;\t\t( \u5220\u9664\u7d22\u5f15,\u6570\u636e\u9875\u6ca1\u4e86; )\r\n###\u914d\u7f6efilebeat\u914d\u7f6e\u6587\u4ef6\r\n[root@es-node3 ~]# cat \/etc\/filebeat\/filebeat.yml \r\nfilebeat.inputs:\r\n- type: log\r\n  paths:\r\n  - \/var\/log\/sunfuyang.log\r\n  enabled: true\r\n  # \u4ec5\u5305\u542b,\u9519\u8bef\u4fe1\u606f,\u8b66\u544a\u4fe1\u606f,sshd\u7684\u76f8\u5173\u914d\u7f6e,\u5176\u4ed6\u7684\u90fd\u4f1a\u8fc7\u6ee4\u6389\r\n  include_lines: ['^ERR', '^WARN', 'sshd']\r\noutput.elasticsearch:\r\n  hosts: [\"10.0.0.150:9200\",\"10.0.0.151:9200\",\"10.0.0.152:9200\"]\r\n[root@es-node3 ~]# systemctl restart filebeat\r\n\u53ef\u4ee5\u6e05\u6670\u7684\u770b\u5230\u6536\u96c6\u7684\u65e5\u5fd7\u91cf\u5c11\u4e86\u5f88\u591a\r<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
5.\u914d\u7f6eFilebeat\u81ea\u5b9a\u4e49\u7d22\u5f15\u540d\u79f0<\/em><\/strong><\/p>\n\n\n\n
[root@es-node3 ~]# cat \/etc\/filebeat\/filebeat.yml\r\nfilebeat.inputs:\r\n- type: log\r\n  paths:\r\n  - \/var\/log\/sunfuyang.log\r\n  enabled: true\r\n  # \u4ec5\u5305\u542b,\u9519\u8bef\u4fe1\u606f,\u8b66\u544a\u4fe1\u606f,sshd\u7684\u76f8\u5173\u914d\u7f6e,\u5176\u4ed6\u7684\u90fd\u4f1a\u8fc7\u6ee4\u6389\r\n  include_lines: ['^ERR', '^WARN', 'sshd']\r\noutput.elasticsearch:\r\n  hosts: [\"10.0.0.150:9200\",\"10.0.0.151:9200\",\"10.0.0.152:9200\"]\r\n  index: \"system-%{[agent.version]}-%{+yyyy.MM.dd}\"\r\n\r\nsetup.ilm.enabled: false ###\u5982\u679c\u4e0d\u5173\u95ed\u7684\u8bdd\uff0c\u7d22\u5f15\u540d\u79f0\u65e0\u6cd5\u81ea\u5b9a\u4e49\r\nsetup.template.name: \"system\"       #\u5b9a\u4e49\u6a21\u677f\u540d\u79f0\r\nsetup.template.pattern: \"system-*\"  #\u5b9a\u4e49\u6a21\u677f\u7684\u5339\u914d\u7d22\u5f15\u540d\u79f0\r\n[root@es-node3 ~]# systemctl restart filebeat\r\n\u901a\u8fc7es\u7684\u63d2\u4ef6\u53ef\u4ee5\u770b\u5230\u591a\u4e86\u4e00\u4e2a\u7d22\u5f15\r<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
6.\u914d\u7f6eFilebeat\u81ea\u5b9a\u4e49\u5206\u7247\u6570\u91cf<\/em><\/strong><\/p>\n\n\n\n
\u5220\u9664\u539f\u5148\u521b\u5efa\u7684\u6a21\u677f<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
###\u4fee\u6539filebeat\u914d\u7f6e\u6587\u4ef6\r\n[root@es-node3 ~]# cat \/etc\/filebeat\/filebeat.yml \r\nfilebeat.inputs:\r\n- type: log\r\n  paths:\r\n  - \/var\/log\/sunfuyang.log\r\n  enabled: true\r\n  # \u4ec5\u5305\u542b,\u9519\u8bef\u4fe1\u606f,\u8b66\u544a\u4fe1\u606f,sshd\u7684\u76f8\u5173\u914d\u7f6e,\u5176\u4ed6\u7684\u90fd\u4f1a\u8fc7\u6ee4\u6389\r\n  include_lines: ['^ERR', '^WARN', 'sshd']\r\noutput.elasticsearch:\r\n  hosts: [\"10.0.0.150:9200\",\"10.0.0.151:9200\",\"10.0.0.152:9200\"]\r\n  index: \"system-%{[agent.version]}-%{+yyyy.MM.dd}\"\r\n\r\nsetup.ilm.enabled: false ###\u5982\u679c\u4e0d\u5173\u95ed\u7684\u8bdd\uff0c\u7d22\u5f15\u540d\u79f0\u65e0\u6cd5\u81ea\u5b9a\u4e49\r\nsetup.template.name: \"system\"       #\u5b9a\u4e49\u6a21\u677f\u540d\u79f0\r\nsetup.template.pattern: \"system-*\"  #\u5b9a\u4e49\u6a21\u677f\u7684\u5339\u914d\u7d22\u5f15\u540d\u79f0\r\n##setup.template.enabled: false###\u4e0d\u4f7f\u7528\u6a21\u677f\r\nsetup.template.settings:\r\n  index.number_of_shards: 3  ###\u5b9a\u4e49\u6a21\u677f\u5206\u7247\u6570\r\n  index.number_of_replicas: 1 ##\u5b9a\u4e49\u6a21\u677f\u526f\u672c\u6570\r\n###\u5220\u9664\u7d22\u5f15\uff0c\u91cd\u542ffilebeat\uff0c\u4ea7\u751f\u65b0\u7684\u6570\u636e\r\n[root@es-node3 ~]# systemctl restart filebeat.service\r\n\u53ef\u4ee5\u770b\u5230\u6570\u636e\u88ab\u5206\u6210\u4e86\u4e09\u4e2a\u5206\u7247\r<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\u5982\u679c\u5148\u914d\u7f6e\u4e86\u81ea\u5b9a\u4e49\u540d\u79f0,\u540e\u671f\u65e0\u6cd5\u4fee\u6539,\u5206\u7247,\u56e0\u4e3a\u6a21\u677f\u56fa\u5b9a\u5206\u7247\u4e3a1;\r\n\u89e3\u51b3\u65b9\u6cd5: \u5220\u9664\u6a21\u677f,\u5220\u9664\u7d22\u5f15,\u7136\u540e\u91cd\u542ffilebeat,\u4ea7\u751f\u65b0\u7684\u6570\u636e;\r<\/code><\/pre>\n\n\n\n
7.Filebeat\u6536\u96c6\u591a\u8282\u70b9\u7cfb\u7edf\u65e5\u5fd7<\/em><\/strong><\/p>\n\n\n\n
###\u914d\u7f6e\u6240\u6709\u7cfb\u7edf\u65e5\u5fd7\u6253\u5230sunfuyang.log\u91cc\r\n[root@es-node2 ~]# yum install rsyslog -y\r\n[root@es-node2 ~]# vim \/etc\/rsyslog.conf\r\n# Provides UDP syslog reception\r\n$ModLoad imudp\r\n$UDPServerRun 514\r\n*.*     \/var\/log\/sunfuyang.log\r\n[root@es-node2 ~]# systemctl restart rsyslog\r\n###\u6d4b\u8bd5\u4e00\u4e0b\u662f\u5426\u80fd\u6253\u5230sunfuyang.log\u91cc\r\n[root@es-node2 ~]#  logger \"rsyslog test from sunfuyang\"\r\n###\u62f7\u8d1dnode3\u8282\u70b9\u7684filebeat\u914d\u7f6e\u6587\u4ef6\u5230node2\u8282\u70b9\r\n[root@es-node2 ~]# scp -rp 10.0.0.152:\/etc\/filebeat\/filebeat.yml \/etc\/filebeat\/filebeat.yml\r\n[root@es-node2 ~]# systemctl restart filebeat.service\r\n\u6dfb\u52a0\u5b57\u6bb5\u540e\u53ef\u4ee5\u5f88\u6e05\u695a\u7684\u770b\u5230\u6570\u636e\u662f\u4ece\u90a3\u4e2a\u673a\u5668\u6765\u7684\r<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n
5.filebeat\u6536\u96c6\u666e\u901a\u683c\u5f0f\u7684nginx\u65e5\u5fd7<\/h2>\n\n\n\n
1.\u5b89\u88c5\u914d\u7f6enginx<\/em><\/strong><\/p>\n\n\n\n
cat > \/etc\/yum.repos.d\/nginx.repo <<'EOF'\r\n[nginx-stable]\r\nname=nginx stable repo\r\nbaseurl=http:\/\/nginx.org\/packages\/centos\/$releasever\/$basearch\/\r\ngpgcheck=0\r\nenabled=1\r\ngpgkey=https:\/\/nginx.org\/keys\/nginx_signing.key\r\nEOF\r\n[root@es-node3 ~]# yum makecache\r\n[root@es-node3 ~]# yum install nginx -y\r\n[root@es-node3 ~]# cat \/etc\/nginx\/conf.d\/elk.conf\r\nserver {\r\n      listen 80;\r\n     server_name elk.sfy.com;\r\n     root \/code;\r\n\r\n     location \/ {\r\n          index index.html;\r\n     }\r\n}\r\n[root@es-node3 ~]# systemctl start nginx\r\n[root@es-node3 ~]# mkdir \/code\r\n[root@es-node3 ~]# echo node03 > \/code\/index.html\r<\/code><\/pre>\n\n\n\n
2.\u914d\u7f6efilebeat<\/em><\/strong><\/p>\n\n\n\n
[root@es-node3 ~]# cat \/etc\/filebeat\/filebeat.yml\r\nfilebeat.inputs:\r\n- type: log\r\n  paths:\r\n  - \/var\/log\/nginx\/access.log\r\n  enabled: true\r\n\r\noutput.elasticsearch:\r\n  hosts: [\"10.0.0.150:9200\",\"10.0.0.151:9200\",\"10.0.0.152:9200\"]\r\n  index: \"nginx-access-%{[agent.version]}-%{+yyyy.MM.dd}\"\r\n\r\nsetup.ilm.enabled: false ###\u5982\u679c\u4e0d\u5173\u95ed\u7684\u8bdd\uff0c\u7d22\u5f15\u540d\u79f0\u65e0\u6cd5\u81ea\u5b9a\u4e49\r\nsetup.template.name: \"nginx\"       #\u5b9a\u4e49\u6a21\u677f\u540d\u79f0\r\nsetup.template.pattern: \"nginx-*\"  #\u5b9a\u4e49\u6a21\u677f\u7684\u5339\u914d\u7d22\u5f15\u540d\u79f0\r<\/code><\/pre>\n\n\n\n
3.\u521b\u5efa\u8bbf\u95ee\u65e5\u5fd7\u5e76\u767b\u5f55kibina\u67e5\u770b<\/em><\/strong><\/p>\n\n\n\n
[root@es-node3 ~]# curl -HHost:elk.sfy.com http:\/\/10.0.0.152\r\n\u53ef\u4ee5\u770b\u5230\u65e5\u5fd7\u5df2\u7ecf\u88ab\u6536\u96c6\u4e0a\u6765\u4e86\r<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
4.\u5373\u60f3\u6536\u96c6nginx\u65e5\u5fd7\u53c8\u60f3\u6536\u96c6\u7cfb\u7edf\u65e5\u5fd7\u600e\u4e48\u529e<\/em><\/strong><\/p>\n\n\n\n
[root@es-node3 ~]# filebeat -c \/etc\/filebeat\/filebeat.yml --path.data \/var\/lib\/filebeat\r\n[root@es-node3 ~]# filebeat -c \/etc\/filebeat\/system.yml --path.data \/opt\/mod\/\r\n###\u53ea\u9700\u8981\u6307\u5b9a\u4e0d\u540c\u7684\u914d\u7f6e\u6587\u4ef6\uff0c\u4e0d\u540c\u7684path.data\u5373\u53ef\r<\/code><\/pre>\n\n\n\n
6.filebeat\u6536\u96c6Json\u683c\u5f0f\u7684Nginx\u65e5\u5fd7<\/h2>\n\n\n\n
1.\u5f53\u524d\u65e5\u5fd7\u6536\u96c6\u65b9\u6848\u7684\u4e0d\u8db3<\/em><\/strong><\/p>\n\n\n\n
\u6240\u6709\u65e5\u5fd7\u90fd\u5b58\u50a8\u5728message\u7684value\u91cc,\u4e0d\u80fd\u62c6\u5206\u5355\u72ec\u663e\u793a\r\n\u8981\u60f3\u5355\u72ec\u663e\u793a\uff0c\u5c31\u5f97\u60f3\u529e\u6cd5\u628a\u65e5\u5fd7\u5b57\u6bb5\u62c6\u5206\u5f00\uff0c\u53d8\u6210json\u683c\u5f0f\r<\/code><\/pre>\n\n\n\n
2.\u6211\u4eec\u671f\u671b\u7684\u65e5\u5fd7\u6536\u96c6\u6548\u679c<\/em><\/strong><\/p>\n\n\n\n
\u53ef\u4ee5\u628a\u65e5\u5fd7\u6240\u6709\u5b57\u6bb5\u62c6\u5206\u51fa\u6765\r\n{\r\n \"time_local\": \"24\/Dec\/2022:09:43:45 +0800\",\r\n \"remote_addr\": \"127.0.0.1\",\r\n \"referer\": \"-\",\r\n \"request\": \"HEAD \/ HTTP\/1.1\",\r\n \"status\": 200,\r\n \"bytes\": 0,\r\n \"http_user_agent\": \"curl\/7.29.0\",\r\n \"x_forwarded\": \"-\",\r\n \"up_addr\": \"-\",\r\n \"up_host\": \"-\",\r\n \"upstream_time\": \"-\",\r\n \"request_time\": \"0.000\"\r\n}\r<\/code><\/pre>\n\n\n\n
3.\u4fee\u6539Nginx\u914d\u7f6e\u6587\u4ef6<\/em><\/strong><\/p>\n\n\n\n
log_format json '{ \"time_local\": \"$time_local\", '\r\n                         '\"remote_addr\": \"$remote_addr\", '\r\n                         '\"referer\": \"$http_referer\", '\r\n                         '\"request\": \"$request\", '\r\n                         '\"status\": $status, '\r\n                         '\"bytes\": $body_bytes_sent, '\r\n                         '\"http_user_agent\": \"$http_user_agent\", '\r\n                         '\"x_forwarded\": \"$http_x_forwarded_for\", '\r\n                         '\"up_addr\": \"$upstream_addr\",'\r\n                         '\"up_host\": \"$upstream_http_host\",'\r\n                         '\"upstream_time\": \"$upstream_response_time\",'\r\n\t\t\t '\"request_time\": \"$request_time\"'\r\n\t\t\t' }';\r\naccess_log \/var\/log\/nginx\/access.log json;\r<\/code><\/pre>\n\n\n\n
4.\u6e05\u7a7a\u65e7\u7684\u65e5\u5fd7\u6587\u4ef6\u5e76\u91cd\u542fnginx<\/em><\/strong><\/p>\n\n\n\n
> \/var\/log\/nginx\/access.log\r\nnginx -t\r\nsystemctl restart nginx\r\ncurl 127.0.0.1\r\ncat \/var\/log\/nginx\/access.log\r<\/code><\/pre>\n\n\n\n
5.\u4fee\u6539filebeat\u914d\u7f6e\u6587\u4ef6\u5e76\u67e5\u770bkibana<\/em><\/strong><\/p>\n\n\n\n
[root@es-node3 ~]# cat \/etc\/filebeat\/filebeat.yml\r\nfilebeat.inputs:\r\n- type: log\r\n  paths:\r\n  - \/var\/log\/nginx\/access.log\r\n  enabled: true\r\n  json.keys_under_root: true  ##\u8fd9\u4e24\u884c\u610f\u601d\u662f\u5f00\u542f\u652f\u6301json\u7684key\uff0c#Flase\u4f1a\u5c06json\u89e3\u6790\u7684\u683c\u5f0f\u5b58\u50a8\u81f3messages\uff0c\u6539\u4e3atrue\u5219\u4e0d\u5b58\u50a8\u81f3message\r\n  json.overwrite_keys: true  #\u8986\u76d6\u9ed8\u8ba4message\u5b57\u6bb5\uff0c\u4f7f\u7528\u81ea\u5b9a\u4e49json\u683c\u5f0f\u7684key<\/strong>\r\n\r\noutput.elasticsearch:\r\n  hosts: [\"10.0.0.150:9200\",\"10.0.0.151:9200\",\"10.0.0.152:9200\"]\r\n  index: \"nginx-access-%{[agent.version]}-%{+yyyy.MM.dd}\"\r\n\r\nsetup.ilm.enabled: false ###\u5982\u679c\u4e0d\u5173\u95ed\u7684\u8bdd\uff0c\u7d22\u5f15\u540d\u79f0\u65e0\u6cd5\u81ea\u5b9a\u4e49\r\nsetup.template.name: \"nginx\"       #\u5b9a\u4e49\u6a21\u677f\u540d\u79f0\r\nsetup.template.pattern: \"nginx-*\"  #\u5b9a\u4e49\u6a21\u677f\u7684\u5339\u914d\u7d22\u5f15\u540d\u79f0\r<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
7.filebeat\u540c\u65f6\u6536\u96c6nginx\u8bbf\u95ee\u65e5\u5fd7\u548c\u9519\u8bef\u65e5\u5fd7<\/h2>\n\n\n\n
1.\u5f53\u524d\u65e5\u5fd7\u6536\u96c6\u65b9\u6848\u7684\u4e0d\u8db3<\/em><\/strong><\/p>\n\n\n\n
\u867d\u7136\u65e5\u5fd7\u53ef\u4ee5\u62c6\u5206\u4e86\uff0c\u4f46\u662f\u7d22\u5f15\u540d\u79f0\u8fd8\u662f\u9ed8\u8ba4\u7684\uff0c\u6839\u636e\u7d22\u5f15\u540d\u79f0\u5e76\u4e0d\u80fd\u770b\u51fa\u6765\u6536\u96c6\u7684\u662f\u4ec0\u4e48\u65e5\u5fd7\u3002<\/code><\/pre>\n\n\n\n
2.\u6211\u4eec\u671f\u671b\u7684\u65e5\u5fd7\u6536\u96c6\u6548\u679c<\/em><\/strong><\/p>\n\n\n\n
nginx-access-7.9.1-2022.4\r\nnginx-error-7.9.1-2022.4\r<\/code><\/pre>\n\n\n\n
3.\u4fee\u6539filebeat\u914d\u7f6e\u6587\u4ef6<\/em><\/strong><\/p>\n\n\n\n
[root@es-node3 ~]# cat \/etc\/filebeat\/filebeat.yml\r\nfilebeat.inputs:\r\n- type: log\r\n  paths:\r\n  - \/var\/log\/nginx\/access.log\r\n  enabled: true\r\n  tags: nginx-access ###\u6253\u4e2a\u6807\u7b7e\r\n  json.keys_under_root: true ##\u8fd9\u4e24\u884c\u610f\u601d\u662f\u5f00\u542f\u652f\u6301json\u7684key\r\n  json.overwrite_keys: true\r\n\r\n- type: log\r\n  paths:\r\n  - \/var\/log\/nginx\/error.log\r\n  enabled: true\r\n  tags: nginx-error ###\u6253\u4e2a\u6807\u7b7e\r\n\r\noutput.elasticsearch:\r\n  hosts: [\"10.0.0.150:9200\",\"10.0.0.151:9200\",\"10.0.0.152:9200\"]\r\n  indices:\r\n  - index: \"nginx-access-%{[agent.version]}-%{+yyyy.MM.dd}\"\r\n    when.contains:\r\n      tags: \"nginx-access\" ###\u5339\u914d\u5230\u8fd9\u4e2a\u6807\u7b7e\uff0c\u6253\u5230es\u8fd9\u4e2a\u7d22\u5f15\r\n  - index: \"nginx-error-%{[agent.version]}-%{+yyyy.MM.dd}\"\r\n    when.contains:\r\n      tags: \"nginx-error\" ###\u5339\u914d\u5230\u8fd9\u4e2a\u6807\u7b7e\uff0c\u6253\u5230es\u8fd9\u4e2a\u7d22\u5f15\r\n\r\nsetup.ilm.enabled: false ###\u5982\u679c\u4e0d\u5173\u95ed\u7684\u8bdd\uff0c\u7d22\u5f15\u540d\u79f0\u65e0\u6cd5\u81ea\u5b9a\u4e49\r\nsetup.template.name: \"nginx\"       #\u5b9a\u4e49\u6a21\u677f\u540d\u79f0\r\nsetup.template.pattern: \"nginx-*\"  #\u5b9a\u4e49\u6a21\u677f\u7684\u5339\u914d\u7d22\u5f15\u540d\u79f0\r<\/code><\/pre>\n\n\n\n
4.\u521b\u9020\u8bbf\u95ee\u65e5\u5fd7\u5e76\u68c0\u67e5\u6536\u96c6\u7ed3\u679c<\/em><\/strong><\/p>\n\n\n\n
\u53ef\u4ee5\u770b\u5230\u7d22\u5f15\u5df2\u7ecf\u521b\u5efa\u51fa\u6765\u4e86<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
5.nginx\u591a\u865a\u62df\u4e3b\u673a\u7684\u65e5\u5fd7\u6536\u96c6<\/em><\/strong><\/p>\n\n\n\n
\u540c\u4e0a\u6253\u4e2a\u6807\u7b7e\u5c31\u884c\u4e86\r\nblog ---> \/var\/log\/nginx\/blog.sfy.com.log\r\nedu ---> \/var\/log\/nginx\/edu.sfy.com.log\r\n###nginx\u914d\u7f6e\u6587\u4ef6\r\n[root@web01 conf.d]# cat edu.sfy.com.conf \r\nserver {\r\n\tlisten 80;\r\n\tserver_name edu.sfy.com;\r\n\troot \/code\/edu;\r\n\taccess_log \/var\/log\/nginx\/edu.log json;\r\n\r\n\tlocation \/ {\r\n\t\tindex index.html;\r\n\t}\r\n\r\n[root@web01 conf.d]# cat blog.sfy.com.conf \r\nserver {\r\n\tlisten 80;\r\n\tserver_name blog.sfy.com;\r\n\troot \/code\/blog;\r\n\taccess_log \/var\/log\/nginx\/blog.log json;\r\n\r\n\tlocation \/ {\r\n\t\tindex index.html;\r\n\t}\r\n}\r\n###\u521b\u5efa\u7ad9\u70b9\u76ee\u5f55\u5e76\u8bbf\u95ee\u6570\u636e\r\nmkdir \/code\/blog\r\necho \"blog..\" > \/code\/blog\/index.html\r\nmkdir \/code\/edu\r\necho \"edu..\" > \/code\/edu\/index.html\r\nsystemctl reload nginx\r\ncurl -HHost:edu.sfy.com http:\/\/10.0.0.7\r\ncurl -HHost:blog.sfy.com http:\/\/10.0.0.7\r\n###filebeat\u914d\u7f6e\u6587\u4ef6\r\n[root@web01 conf.d]# cat \/etc\/filebeat\/filebeat.yml\r\nfilebeat.inputs:\r\n- type: log\r\n  enabled: true\r\n  paths:\r\n    - \/var\/log\/nginx\/access.log\r\n  json.keys_under_root: true  #Flase\u4f1a\u5c06json\u89e3\u6790\u7684\u683c\u5f0f\u5b58\u50a8\u81f3messages\uff0c\u6539\u4e3atrue\u5219\u4e0d\u5b58\u50a8\u81f3message\r\n  json.overwrite_keys: true   #\u8986\u76d6\u9ed8\u8ba4message\u5b57\u6bb5\uff0c\u4f7f\u7528\u81ea\u5b9a\u4e49json\u683c\u5f0f\u7684key\r\n  tags: nginx-access\r\n\r\n- type: log\r\n  enabled: true\r\n  paths:\r\n    - \/var\/log\/nginx\/blog.log\r\n  json.keys_under_root: true  #Flase\u4f1a\u5c06json\u89e3\u6790\u7684\u683c\u5f0f\u5b58\u50a8\u81f3messages\uff0c\u6539\u4e3atrue\u5219\u4e0d\u5b58\u50a8\u81f3message\r\n  json.overwrite_keys: true   #\u8986\u76d6\u9ed8\u8ba4message\u5b57\u6bb5\uff0c\u4f7f\u7528\u81ea\u5b9a\u4e49json\u683c\u5f0f\u7684key\r\n  tags: nginx-blog\r\n\r\n- type: log\r\n  enabled: true\r\n  paths:\r\n    - \/var\/log\/nginx\/edu.log\r\n  json.keys_under_root: true  #Flase\u4f1a\u5c06json\u89e3\u6790\u7684\u683c\u5f0f\u5b58\u50a8\u81f3messages\uff0c\u6539\u4e3atrue\u5219\u4e0d\u5b58\u50a8\u81f3message\r\n  json.overwrite_keys: true   #\u8986\u76d6\u9ed8\u8ba4message\u5b57\u6bb5\uff0c\u4f7f\u7528\u81ea\u5b9a\u4e49json\u683c\u5f0f\u7684key\r\n  tags: nginx-edu\r\n\r\n- type: log\r\n  enabled: true\r\n  paths:\r\n    - \/var\/log\/nginx\/error.log\r\n  tags: nginx-error\r\n\r\n\r\noutput.elasticsearch:\r\n  hosts: [\"10.0.0.151:9200\",\"10.0.0.152:9200\",\"10.0.0.150:9200\"]\r\n  indices:\r\n    - index: \"nginx-access-%{[agent.version]}-%{+yyyy.MM.dd}\"\r\n      when.contains:\r\n        tags: \"nginx-access\"  #tags\u4e3aaccess\u7684\u65e5\u5fd7\u5b58\u50a8\u81f3nginx-access-* \u7d22\u5f15\r\n    - index: \"nginx-blog-%{[agent.version]}-%{+yyyy.MM.dd}\"\r\n      when.contains:\r\n        tags: \"nginx-blog\"   #tags\u4e3aerror\u7684\u65e5\u5fd7\u5b58\u50a8\u81f3nginx-error-* \u7d22\u5f15\r\n    - index: \"nginx-edu-%{[agent.version]}-%{+yyyy.MM.dd}\"\r\n      when.contains:\r\n        tags: \"nginx-edu\"   #tags\u4e3aerror\u7684\u65e5\u5fd7\u5b58\u50a8\u81f3nginx-error-* \u7d22\u5f15\r\n    - index: \"nginx-error-%{[agent.version]}-%{+yyyy.MM.dd}\"\r\n      when.contains:\r\n        tags: \"nginx-error\"   #tags\u4e3aerror\u7684\u65e5\u5fd7\u5b58\u50a8\u81f3nginx-error-* \u7d22\u5f15\r\n\r\n\r\nsetup.ilm.enabled: false\r\nsetup.template.name: \"nginx\"       #\u5b9a\u4e49\u6a21\u677f\u540d\u79f0\r\nsetup.template.pattern: \"nginx-*\"  #\u5b9a\u4e49\u6a21\u677f\u7684\u5339\u914d\u7d22\u5f15\u540d\u79f0\r<\/code><\/pre>\n\n\n\n
8.filebeat\u6536\u96c6tomcat\u65e5\u5fd7<\/h2>\n\n\n\n
1.\u4fee\u6539tomcat\u8bbf\u95ee\u65e5\u5fd7\u683c\u5f0f\u4e3ajson<\/em><\/strong><\/p>\n\n\n\n
<Host name=\"elk.tomcat.com\"  appBase=\"webapps\"\r\n            unpackWARs=\"true\" autoDeploy=\"true\">\r\n          <Valve className=\"org.apache.catalina.valves.AccessLogValve\" directory=\"logs\"\r\n            prefix=\"elk.tomcat_access_log\" suffix=\".txt\"\r\n            pattern=\"{&quot;clientip&quot;:&quot;%h&quot;,&quot;ClientUser&quot;:&quot;%l&quot;,&quot;authenticated&quot;:&quot;%u&quot;,&quot;AccessTime&quot;:&quot;%t&quot;,&quot;method&quot;:&quot;%r&quot;,&quot;status&quot;:&quot;%s&quot;,&quot;SendBytes&quot;:&quot;%b&quot;,&quot;Query?string&quot;:&quot;%q&quot;,&quot;partner&quot;:&quot;%{Referer}i&quot;,&quot;AgentVersion&quot;:&quot;%{User-Agent}i&quot;}\" \/>\r<\/code><\/pre>\n\n\n\n
2.\u914d\u7f6efilebeat\u6536\u96c6\u8bbf\u95ee\u65e5\u5fd7\u548c\u9519\u8bef\u65e5\u5fd7<\/em><\/strong><\/p>\n\n\n\n
\u8bbf\u95ee\u65e5\u5fd7\u4fee\u6539\u683c\u5f0f\u4e3ajson\u5373\u53ef\uff0c\u9519\u8bef\u65e5\u5fd7\u53ef\u80fd\u4f1a\u6709\u591a\u884c\uff0c\u9700\u8981\u5c06\u591a\u884c\u5339\u914d\u4e3a\u4e00\u884c\r\n\u5efa\u8bae\u9605\u8bfb\uff1a\r\nhttps://www.elastic.co\/guide\/en\/beats\/filebeat\/current\/multiline-examples.html\r\n[root@web01 filebeat]# cat \/etc\/filebeat\/filebeat.yml\r\nfilebeat.inputs:\r\n- type: log\r\n  enabled: true\r\n  paths:\r\n    - \/soft\/tomcat\/logs\/elk.tomcat_access_log.*.txt\r\n  json.keys_under_root: true  #Flase\u4f1a\u5c06json\u89e3\u6790\u7684\u683c\u5f0f\u5b58\u50a8\u81f3messages\uff0c\u6539\u4e3atrue\u5219\u4e0d\u5b58\u50a8\u81f3message\r\n  json.overwrite_keys: true   #\u8986\u76d6\u9ed8\u8ba4message\u5b57\u6bb5\uff0c\u4f7f\u7528\u81ea\u5b9a\u4e49json\u683c\u5f0f\u7684key\r\n  tags: tomcat-access\r\n\r\n- type: log\r\n  enabled: true\r\n  paths:\r\n    - \/soft\/tomcat\/logs\/catalina.out\r\n  tags: tomcat-error\r\n  multiline.pattern: '^\\d{2}' ###\\d\u5339\u914d\u6570\u5b57\r\n  multiline.negate: true\r\n  multiline.match: after\r\n  multiline.max_lines: 1000 ###\u4fee\u6539\u6700\u5927\u5339\u914d\u884c\u6570\r\n\r\n\r\noutput.elasticsearch:\r\n  hosts: [\"10.0.0.161:9200\",\"10.0.0.162:9200\",\"10.0.0.163:9200\"]\r\n  indices:\r\n    - index: \"tomcat-access-%{[agent.version]}-%{+yyyy.MM.dd}\"\r\n      when.contains:\r\n        tags: \"tomcat-access\"  #tags\u4e3aaccess\u7684\u65e5\u5fd7\u5b58\u50a8\u81f3nginx-access-* \u7d22\u5f15\r\n    - index: \"tomcat-error-%{[agent.version]}-%{+yyyy.MM.dd}\"\r\n      when.contains:\r\n        tags: \"tomcat-error\"\r\n\r\nsetup.ilm.enabled: false\r\nsetup.template.name: \"tomcat\"       #\u5b9a\u4e49\u6a21\u677f\u540d\u79f0\r\nsetup.template.pattern: \"tomcat-*\"  #\u5b9a\u4e49\u6a21\u677f\u7684\u5339\u914d\u7d22\u5f15\u540d\u79f0\r<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"
\u5b59\u5bcc\u9633\uff0c \u6c5f\u6e56\u4eba\u79f0\u6ca1\u4eba\u79f0\u3002\u591a\u5e74\u4e92\u8054\u7f51\u8fd0\u7ef4\u5de5\u4f5c\u7ecf\u9a8c\uff0c\u66fe\u8d1f\u8d23\u8fc7\u5b59\u5e03\u65af\u5927\u89c4\u6a21\u96c6\u7fa4\u67b6\u6784\u81ea\u52a8\u5316\u8fd0\u7ef4\u7ba1\u7406\u5de5\u4f5c\u3002\u64c5\u957fWeb\u96c6 […]<\/p>\n","protected":false},"author":1,"featured_media":246,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[],"_links":{"self":[{"href":"https:\/\/www.buyao007.icu\/index.php?rest_route=\/wp\/v2\/posts\/1572"}],"collection":[{"href":"https:\/\/www.buyao007.icu\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.buyao007.icu\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.buyao007.icu\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.buyao007.icu\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1572"}],"version-history":[{"count":8,"href":"https:\/\/www.buyao007.icu\/index.php?rest_route=\/wp\/v2\/posts\/1572\/revisions"}],"predecessor-version":[{"id":1608,"href":"https:\/\/www.buyao007.icu\/index.php?rest_route=\/wp\/v2\/posts\/1572\/revisions\/1608"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.buyao007.icu\/index.php?rest_route=\/wp\/v2\/media\/246"}],"wp:attachment":[{"href":"https:\/\/www.buyao007.icu\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1572"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.buyao007.icu\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1572"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.buyao007.icu\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1572"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}