ELK Configuration Notes


Filebeat installation and configuration

1 Download and install

wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-8.4.3-linux-x86_64.tar.gz

mv filebeat-8.4.3-linux-x86_64.tar.gz /opt
cd /opt
tar -zxvf filebeat-8.4.3-linux-x86_64.tar.gz
cd filebeat-8.4.3-linux-x86_64

2 Configure

Edit filebeat.yml:

# ========================= Filebeat inputs ======================
filebeat.inputs:

# Each - is an input. Most options can be set at the input level, so
# you can use different inputs for various configurations.
# Below are the input specific configurations.

# filestream is an input for collecting log messages from files.
- type: filestream

  # Unique ID among all inputs, an ID is required.
  id: my-filestream-id

  # Change to true to enable this input configuration.
  enabled: true  # set to true to enable this input configuration

  # Paths that should be crawled and fetched. Glob based paths.
  paths:
    - /var/log/*.log  # log path
    #- c:\\programdata\\elasticsearch\\logs\\*

  # Exclude lines. A list of regular expressions to match. It drops the lines that are
  # matching any regular expression from the list.
  # Line filtering happens after the parsers pipeline. If you would like to filter lines
  # before parsers, use include_message parser.
  #exclude_lines: ['^DBG']

  # Include lines. A list of regular expressions to match. It exports the lines that are
  # matching any regular expression from the list.
  # Line filtering happens after the parsers pipeline. If you would like to filter lines
  # before parsers, use include_message parser.
  #include_lines: ['^ERR', '^WARN']

  # Exclude files. A list of regular expressions to match. Filebeat drops the files that
  # are matching any regular expression from the list. By default, no files are dropped.
  #prospector.scanner.exclude_files: ['.gz$']

  # Optional additional fields. These fields can be freely picked
  # to add additional information to the crawled log files for filtering
  #fields:
  #  level: debug
  #  review: 1
...
# =================== Outputs ===============================
# ---------------------------- Elasticsearch Output ----------------------------
# This setup ships events to Logstash, so this whole section is commented out
...
# ------------------------------ Logstash Output -------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["192.168.0.100:10547"]

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]

  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"

  # Client Certificate Key
  #ssl.key: "/etc/pki/client/cert.key"

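3 Start

# Start in the background
nohup ./filebeat -e -c filebeat.yml >/dev/null 2>&1 &

# Start with the specified configuration file
./filebeat run -e -c filebeat.yml -d "publish"

4 Clear the read-position markers

Filebeat records how far it has read in each file under the /opt/filebeat-8.4.3-linux-x86_64/data/registry directory. To read the files again from the beginning, delete the registry directory and then restart Filebeat.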
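
The background start command in step 3 sends all output to /dev/null, so a rejected configuration or a failed connection to Logstash goes unnoticed. The script below is an added example, not part of the original notes or of Filebeat, that checks filebeat.yml before starting. The function names are this example's own, and it assumes the dotted ssl.* key style used in the configuration above.

```bash
#!/bin/sh
# Added example: pre-start checks for the filebeat.yml edited in step 2.
# Function names are hypothetical; they are not Filebeat commands.

# Returns 0 if the file exists and is not writable by group or others.
# Filebeat refuses to load a config file that is (fix: chmod go-w filebeat.yml).
config_perms_ok() {
  [ -f "$1" ] || return 2
  [ -z "$(find "$1" \( -perm -020 -o -perm -002 \) -print)" ]
}

# Returns 0 if output.logstash carries an uncommented
# ssl.certificate_authorities line, 1 otherwise.
logstash_ca_configured() {
  awk '
    /^output\.logstash:/ { in_out = 1; next }   # enter the section
    /^[^ \t#]/           { in_out = 0 }         # any other top-level line ends it
    in_out && /^[ \t]+ssl\.certificate_authorities:/ { found = 1 }
    END { exit(found ? 0 : 1) }
  ' "$1"
}

# Runs both checks, then Filebeat's own validators if the binary is present.
preflight() {
  rc=0
  config_perms_ok "$1" ||
    { echo "WARN: $1 is missing or writable by group/others" >&2; rc=1; }
  logstash_ca_configured "$1" ||
    { echo "WARN: no ssl.certificate_authorities under output.logstash" >&2; rc=1; }
  if [ -x ./filebeat ]; then
    ./filebeat test config -c "$1" || rc=1   # syntax and option check
    ./filebeat test output -c "$1" || rc=1   # connection test to the Logstash host
  fi
  return "$rc"
}

# Usage: sh preflight.sh filebeat.yml   (run from the Filebeat directory)
if [ "$#" -gt 0 ]; then preflight "$1"; fi
```

With the configuration exactly as shown in step 2, the second check warns, because all three ssl.* lines under output.logstash are still commented out.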
