Data flow
Folder creation and overall architecture diagram
References
Set up the Java environment
vi ~/.bash_profile
export JAVA_HOME=/usr/local/apps/jdk1.8.0_261
export PATH=$JAVA_HOME/bin:$PATH
export CLASSPATH=.:$JAVA_HOME/lib/dt.jar:$JAVA_HOME/lib/tools.jar
source ~/.bash_profile
Make the JDK accessible
chmod -R 755 jdk1.8.0_261
https://blog.csdn.net/ubuntutouch/article/details/100675502
Install Logstash
Create directories
mkdir -p /usr/local/apps/logstash
chmod 775 /usr/local/apps/logstash
mkdir -p /usr/local/apps/filebeat
chmod 775 /usr/local/apps/filebeat
mkdir -p /srv/logstash/log
mkdir -p /srv/logstash/data
chmod -R 775 /srv/logstash
mkdir -p /srv/filebeat/log
mkdir -p /srv/filebeat/data
chmod -R 775 /srv/filebeat
cd /usr/local/apps/logstash
wget https://artifacts.elastic.co/downloads/logstash/logstash-7.11.2-linux-x86_64.tar.gz
Extract the archive
tar -xvf logstash-7.11.2-linux-x86_64.tar.gz
Create the file mylogstash-filebeat.conf under config
input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate_authorities => "/usr/local/apps/logstach/pki/tls/certs/logstash-forwarder.crt"
    ssl_certificate => "/usr/local/apps/logstach/pki/tls/certs/logstash-forwarder.crt"
    ssl_key => "/usr/local/apps/logstach/pki/tls/certs/logstash-forwarder.key"
    ssl_verify_mode => "peer"
  }
}
output {
  elasticsearch {
    hosts => ["http://172.20.3.12:9200","http://172.20.3.35:9200","http://172.20.3.36:9200"]
    # cluster is not an option of the 7.x elasticsearch output, so it is commented out
    # cluster => "search-center-es-cluster"
    # user, password and index were each listed twice; the first of each pair is
    # commented out and the values left active are the ones the queries below use
    # user => "logstash_system"
    # password => "TCaCkoju3F3iOm7W0sjH"
    user => "elastic"
    password => "gVZNqhqu636wm13h8npd"
    # index => "activecard-performance-%{+YYYY.MM.dd}"
    index => "logstash"
  }
}
Configure the log directory
vi config/logstash.yml
path.data: /srv/data/logstash
But it does not seem to have taken effect
Start Logstash from the bin directory
nohup ./logstash -f ../config/mylogstash-filebeat.conf &
# Check the startup log
ps -ef | grep logstash
tail -100f nohup.out
Error in the log
:error=>"Got response code '401' contacting Elasticsearch at UR
You may not have configured the username and password
Get basic information about Logstash.
curl -XGET 'localhost:9600/?pretty'
Install Filebeat
Installation
cd /usr/local/apps/filebeat
wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.3.1-linux-x86_64.tar.gz
tar xzvf filebeat-7.3.1-linux-x86_64.tar.gz
cd filebeat-7.3.1-linux-x86_64
mv * ../
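Modify the configuration file
Filebeat log directory configuration
Configure the files to scan and harvest
vi /usr/local/apps/filebeat/filebeat.yml
Enable the following settings
# Log harvesting configuration
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /srv/filebeat/log/*.log
    - /usr/local/apps/filebeat/test.log
# Logstash output configuration
output.logstash:
  # The Logstash hosts
  hosts: ["localhost:5044"]
# Log path configuration
logging.to_files: true
logging.files:
  path: /srv/filebeat/log
  name: filebeat
  keepfiles: 7
  permissions: 0644
Permission control
Give ownership of the folder to the rd account
chown -R rd:rd /usr/local/apps/filebeat
Run the following steps as the rd account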
su rd
chmod go-w /usr/local/apps/filebeat/filebeat.yml
touch /usr/local/apps/filebeat/test.log
echo "asdfasdfasdf" >>/usr/local/apps/filebeat/test.log
nohup ./filebeat &
tail -fn 200 nohup.out
Filebeat test
Test the running status with ./filebeat test output
[rd@localhost filebeat]$ ./filebeat test output
logstash: localhost:5044...
  connection...
    parse host... OK
    dns lookup... OK
    addresses: ::1, 127.0.0.1
    dial up... OK
  TLS... WARN secure connection disabled
  talk to server... OK
This shows it is working normally
Query Elasticsearch
curl -XGET --user elastic:gVZNqhqu636wm13h8npd 'http://172.20.3.35:9200/logstash/_search'
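Common problems
Log harvesting is configured, but Filebeat does not seem to be harvesting the logs
Possibly enabled is not turned on in the configuration file
Simulate log generation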
echo "asdfasdfasdfasdf" >> /srv/filebeat/log/test.log
http://172.20.3.35:9200/activecard-performance-2021.04.26/_search
Query the logs
curl -XGET --user logstash_system:TCaCkoju3F3iOm7W0sjH 'http://172.20.3.35:9200/activecard-performance-2021.04.26/_search'
That does not work; that user can only query
Elasticsearch permission issue with multiple users
curl -XGET --user elastic:gVZNqhqu636wm13h8npd 'http://172.20.3.35:9200/activecard-performance-2021.04.26/_search'
curl -XGET --user elastic:gVZNqhqu636wm13h8npd 'http://172.20.3.35:9200/logstash/_search'
This one works
Test whether Logstash has write permission
curl -XGET --user elastic:gVZNqhqu636wm13h8npd 'http://172.20.3.35:9200/logstash/_doc/4'
curl -XPOST --user elastic:gVZNqhqu636wm13h8npd 'http://172.20.3.35:9200/logstash/_doc/4' --header 'Content-Type: application/json' \
--data '{
"id":"4" ,
"title":"标题" ,
"category":"分类",
"browserUrl":"http://api.51awifi.com/api/doc/123" ,
"content":"文档内容" ,
"author":"张三"
}'
curl -XPOST --user logstash_system:TCaCkoju3F3iOm7W0sjH 'http://172.20.3.35:9200/logstash/_doc/4' --header 'Content-Type: application/json' \
--data '{
"id":"4" ,
"title":"标题" ,
"category":"分类",
"browserUrl":"http://api.51awifi.com/api/doc/123" ,
"content":"文档内容" ,
"author":"张三"
}'
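The tests above write with either the elastic superuser or logstash_system, which is the built-in account Logstash uses for monitoring data rather than for writing indices. As an added example (not part of the original notes), the script below builds a dedicated role and user for the Logstash output that can write only to the two indices used on this page. The names logstash_writer and logstash_internal and the privilege list follow Elastic's Logstash security documentation; the script and function names are hypothetical.

```shell
#!/bin/sh
# Added example: dedicated, least-privilege Elasticsearch account for the
# Logstash output. Names logstash_writer / logstash_internal follow Elastic's
# Logstash security docs; index names are the two used on this page.

# JSON body for PUT _security/role/logstash_writer
role_body() {
  cat <<'EOF'
{
  "cluster": ["manage_index_templates", "monitor", "manage_ilm"],
  "indices": [
    {
      "names": ["logstash", "activecard-performance-*"],
      "privileges": ["write", "create", "create_index", "manage", "manage_ilm"]
    }
  ]
}
EOF
}

# JSON body for PUT _security/user/logstash_internal; $1 = new password.
# Backslashes and double quotes are escaped so the value stays one JSON string.
user_body() {
  esc=$(printf '%s' "$1" | sed 's/[\\"]/\\&/g')
  printf '{"password": "%s", "roles": ["logstash_writer"], "full_name": "Internal Logstash User"}\n' "$esc"
}

# PUT a JSON body read from stdin. $1 = ES base URL, $2 = admin user, $3 = API path.
# --user without ":password" makes curl prompt, keeping the admin password
# out of shell history and the process list.
put_json() {
  curl -sS --user "$2" -H 'Content-Type: application/json' \
    -X PUT "$1/$3" --data-binary @-
}

apply() {
  printf 'Password for new user logstash_internal: ' >&2
  stty -echo; IFS= read -r new_pw; stty echo; echo >&2
  role_body | put_json "$1" "$2" _security/role/logstash_writer
  user_body "$new_pw" | put_json "$1" "$2" _security/user/logstash_internal
}

# Contacts Elasticsearch only when given arguments, e.g.
#   sh writer-role.sh http://172.20.3.35:9200 elastic
if [ "$#" -ge 2 ]; then apply "$1" "$2"; fi
```

After running it, set user => "logstash_internal" in the elasticsearch output. The password can stay out of the conf file by storing it with bin/logstash-keystore add ES_PWD and writing password => "${ES_PWD}".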