ELK架构
Filebeat 日志数据采集,Logstash 过滤,Elasticsearch 存储,Kibana 展示
Fliebeat日志采集
Logstash 致命的问题是它的性能以及资源消耗。
Filebeat 是一个轻量级的日志传输工具,它的存在正弥补了 Logstash 的缺点:Filebeat 作为一个轻量级的日志传输工具可以将日志推送到中心 Logstash。
Beats 包含六种工具:
- Packetbeat: 网络数据(收集网络流量数据)
- Metricbeat: 指标(收集系统、进程和文件系统级别的 CPU 和内存使用情况等数据)
- Filebeat: 日志文件(收集文件数据)
- Winlogbeat: windows 事件日志(收集 Windows 事件日志数据)
- Auditbeat:审计数据(收集审计日志)
- Heartbeat:运行时间监控(收集系统运行时的数据)
Docker安装 filebeat
docker pull elastic/filebeat:7.4.1
https://github.com/elastic/beats/blob/v7.4.1/deploy/docker/filebeat.docker.yml
增加下面的配置 (收集 .log 数据 把数据发送到当前网络5044端口 (logstash 端口) )
这个地方的 .log 要保证有几条测试数据
$ cat filebeat.docker.yml1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21filebeat.config:
modules:
path: ${path.config}/modules.d/*.yml
reload.enabled: false
filebeat.autodiscover:
providers:
- type: docker
hints.enabled: true
processors:
- add_cloud_metadata: ~
filebeat.inputs:
- type: log
enabled: true
paths:
- /var/log/*.log
output.logstash:
hosts: ["168.192.169.58:5044"]
验证配置docker exec logstash logstash
-f conf.d/filebeat.conf --config.test_and_exit
验证结果1
2
3
4[2020-07-31T01:31:17,700][INFO ][org.reflections.Reflections] Reflecti
ons took 55 ms to scan 1 urls, producing 20 keys and 40 values Configuration OK
[2020-07-31T01:31:18,550][INFO ][logstash.runner ] Using conf
ig.test_and_exit mode. Config Validation Result: OK. Exiting Logstash
启动容器1
docker run --name filebeat --user=root -dti --net elknetwork --volume="/home/centos/logs/:/opt/app/logs/" --volume="/data/elk/filebeat/filebeat.docker.yml:/usr/share/filebeat/filebeat.yml" --volume="/var/lib/docker/containers:/var/lib/docker/containers" --volume="/var/run/docker.sock:/var/run/docker.sock" elastic/filebeat:7.4.1
集成beats数据采集
接收beats输入数据,传输到控制台1
2
3
4
5
6
7
8
9
10input {
beats {
port => "5044"
codec => "json"
}
}
output {
stdout { codec => rubydebug }
}
重启logstash: docker restart logstash
集成测试
在外面主机中写入日志:echo hello beate >> /home/centos/logs/test.log
进入logstash控制台:docker attach logstash
在logstash控制台看到输出,说明filebeat采集日志传到logstash控制台显示成功:1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42{
"tags" => [
[0] "_jsonparsefailure",
[1] "beats_input_codec_json_applied"
],
"@timestamp" => 2020-07-31T02:30:17.207Z,
"host" => {
"name" => "3756f2b73723"
},
"input" => {
"type" => "log"
},
"ecs" => {
"version" => "1.1.0"
},
"@version" => "1",
"cloud" => {
"provider" => "openstack",
"machine" => {
"type" => "m1.xxlarge"
},
"instance" => {
"id" => "i-000001bd",
"name" => "oa3.v.x"
},
"availability_zone" => "nova"
},
"log" => {
"file" => {
"path" => "/opt/app/logs/test.log"
},
"offset" => 157
},
"message" => "hello beate",
"agent" => {
"version" => "7.4.1",
"type" => "filebeat",
"id" => "e0ca7add-2cfc-49c6-9cc6-6109f9e78bdf",
"hostname" => "3756f2b73723",
"ephemeral_id" => "781d6d18-a38e-4e4f-828f-a2b35f720c6a"
}
}
Filebeat 日志文件的数据采集配置完成。
Beats其它的数据采集插件,我们后面再扩展添加。
参考资料
官方网站:https://www.elastic.co/cn/beats/filebeat
官方文档:https://www.elastic.co/guide/en/beats/filebeat/current/index.html
Beats插件:https://www.jianshu.com/p/009286216560
