Environment
Operating system: Ubuntu 16.04
Software version:
filebeat-6.2.2-linux-x86_64
Steps
Official site
Download
Note: the Filebeat version must match the Elasticsearch version.
Extract
tar xzvf filebeat-6.2.2-linux-x86_64.tar.gz
Move
mv filebeat-6.2.2-linux-x86_64 /opt
Enter the directory
cd /opt/filebeat-6.2.2-linux-x86_64
Output to Logstash
Edit filebeat.yml to set the connection information:
output.logstash:
  hosts: ["localhost:5044"]
Output to Elasticsearch
Edit filebeat.yml to set the connection information:
output.elasticsearch:
  hosts: ["<es_url>"]
  username: "elastic"
  password: "<password>"
setup.kibana:
  host: "<kibana_url>"
Here <password> is the password of the elastic user, <es_url> is the Elasticsearch URL, and <kibana_url> is the Kibana URL.
Start Filebeat
./filebeat setup
./filebeat -e
Start with a specific yml file
./filebeat -e -c myfilebeatconfig.yml
Run in the background
./filebeat > /dev/null 2>&1 &
Enable and disable the built-in nginx module
./filebeat modules enable nginx
./filebeat modules disable nginx
Problems
Exiting: 1 error: Error reading fileset mysql/error: Error reading manifest file: config file ("/opt/filebeat-6.2.2-linux-x86_64/module/mysql/error/manifest.yml") must be owned by the beat user (uid=0) or root
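Cause: these checks exist to prevent unauthorized users from supplying or modifying the configuration that the Beat runs. The owner of the configuration file must be either root or the user who runs the Beat process.
Solution:
Official documentation: https://www.elastic.co/guide/en/beats/libbeat/5.3/config-file-permissions.html#config-file-permissions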
To correct this problem you can use either chown root {beatname}.yml or chown 501 {beatname}.yml to change the owner of the configuration file.
Exiting: error loading config file: config file ("{beatname}.yml") can only be
writable by the owner but the permissions are "-rw-rw-r--" (to fix the
permissions use: 'chmod go-w /etc/{beatname}/{beatname}.yml')
To correct this problem, use chmod go-w /etc/{beatname}/{beatname}.yml to remove write privileges from anyone other than the owner.
Use chown root {beatname}.yml to hand ownership of the affected yml files to root. For example, for the *.yml files under filebeat-6.2.2-linux-x86_64/module/mysql, run chown root manifest.yml and then run ./filebeat setup again.
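To find every offending file in one pass instead of fixing them one error at a time, the two checks above (owner, and no group/other write bit) can be repeated over the whole install directory. This is an added example, not code from the original post or from Elastic; the function names are hypothetical and GNU stat is assumed.

```sh
#!/bin/sh
# Added example (not Elastic's code): repeats the two checks described above.
# Assumes GNU stat (Ubuntu). Function names are hypothetical.

# check_beat_config FILE [BEAT_UID]
# Returns 0 when FILE is owned by root or BEAT_UID and is not writable by
# group or others; otherwise prints the reason with the fix and returns 1.
check_beat_config() {
    file=$1
    beat_uid=${2:-$(id -u)}
    [ -f "$file" ] || { echo "MISSING $file"; return 1; }
    owner=$(stat -c '%u' "$file")
    mode=$(stat -c '%a' "$file")
    rc=0
    if [ "$owner" -ne 0 ] && [ "$owner" -ne "$beat_uid" ]; then
        echo "OWNER $file uid=$owner, want 0 or $beat_uid: chown root '$file'"
        rc=1
    fi
    # Octal mask 022 = write bit for group and for others.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "WRITE $file mode=$mode: chmod go-w '$file'"
        rc=1
    fi
    return $rc
}

# audit_beat_dir DIR [BEAT_UID]
# Checks every *.yml under DIR (filebeat.yml, modules.d/*.yml and
# module/*/*/manifest.yml). Sets BAD_COUNT; returns 0 only when it is 0.
audit_beat_dir() {
    dir=$1
    uid=${2:-$(id -u)}
    BAD_COUNT=0
    list=$(mktemp)
    find "$dir" -type f -name '*.yml' > "$list"
    while IFS= read -r f; do
        check_beat_config "$f" "$uid" || BAD_COUNT=$((BAD_COUNT + 1))
    done < "$list"
    rm -f "$list"
    [ "$BAD_COUNT" -eq 0 ]
}
```

Source the file as the user that will start Filebeat and run audit_beat_dir /opt/filebeat-6.2.2-linux-x86_64; each reported line ends with the chown or chmod command that clears it.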
Exiting: Template loading requested but the Elasticsearch output is not configured/enabled
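Cause:
filebeat.yml has more than one output configured
Solution:
Keep only a single output, pointing at Elasticsearch; loading the template requires output.elasticsearch. Alternatively, when using Logstash, skip this step and start Filebeat directly.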
Enable Java logs
vim filebeat.yml
filebeat.prospectors:
# Input type
- type: log
  enabled: true
  paths:
    - /usr/local/bin/contract/logs/*.log
  # Exclude empty lines
  exclude_lines: ['^$']
  # Define the index field, used as the index identifier
  fields:
    index: 'java-logs'
  # Exclude .gz files
  exclude_files: ['.gz$']
  # Merge multi-line Java log entries
  #multiline.pattern: ^\[
  multiline.pattern: '^\s*(\d{4}|\d{2})\-(\d{2}|[a-zA-Z]{3})\-(\d{2}|\d{4})'
  multiline.negate: true
  multiline.match: after
  # Log tag
  tags: ["my-logs"]
#-------------------------- Elasticsearch output ------------------------------
output.elasticsearch:
  hosts: ["localhost:9200"]
  # Send events marked java-logs to the specified index
  indices:
    - index: "java-logs-%{+yyyy-MM-dd}"
      when.contains:
        fields:
          index: 'java-logs'
#setup.template.name: "java-logs"
#setup.template.pattern: "java-logs-*"
setup.ilm.enabled: false
Enable the MySQL module
./filebeat modules enable mysql
Edit the settings in modules.d/mysql.yml.
- module: mysql
  # Error logs
  error:
    enabled: true
    var.paths: ["/var/log/mysqld.log"]
  # Slow logs
  slowlog:
    enabled: true
    var.paths: ["/var/lib/mysql/centos72-slow.log"]
Enable the nginx module
./filebeat modules enable nginx
Go to the Elasticsearch directory and install the plugins
./bin/elasticsearch-plugin install ingest-user-agent
./bin/elasticsearch-plugin install ingest-geoip
Go to the Filebeat directory and enable nginx
./filebeat modules enable nginx
Edit the settings in modules.d/nginx.yml
- module: nginx
  # Access logs
  access:
    enabled: true
    var.paths: ["/opt/nginx/logs/access.log"]
  # Error logs
  error:
    enabled: true
    var.paths: ["/opt/nginx/logs/error.log"]
Source: oschina
Link: https://my.oschina.net/u/437309/blog/4264051