Connecting logstash and filebeat to an el that requires a username and password


Author: dozenx | Published 2021-04-26 17:26

    Data flow


    Directory creation and overall architecture diagram

    Reference material

    Set up the Java environment

    vi ~/.bash_profile

    export JAVA_HOME=/usr/local/apps/jdk1.8.0_261

    export PATH=$PATH:$JAVA_HOME/bin

    export CLASSPATH=.:$JAVA_HOME/jre/lib/rt.jar:$JAVA_HOME/lib/dt.jar:$JAVA_HOME/lib/tools.jar

    source ~/.bash_profile

    Make the JDK accessible:

    chmod -R 755 jdk1.8.0_261

    https://blog.csdn.net/ubuntutouch/article/details/100675502


    Install Logstash

    Create the directories

    <pre spellcheck="false" class="md-fences md-end-block ty-contain-cm modeLoaded" lang="" cid="n438" mdtype="fences" style="box-sizing: border-box; overflow: visible; font-family: var(--monospace); font-size: 0.9em; display: block; break-inside: avoid; text-align: left; white-space: normal; background-image: inherit; background-position: inherit; background-size: inherit; background-repeat: inherit; background-attachment: inherit; background-origin: inherit; background-clip: inherit; background-color: rgb(248, 248, 248); position: relative !important; border: 1px solid rgb(231, 234, 237); border-radius: 3px; padding: 8px 4px 6px; margin-bottom: 15px; margin-top: 15px; width: inherit;">mkdir /usr/local/apps/logstash

    chmod 775 /usr/local/apps/logstash

    mkdir /usr/local/apps/filebeat

    chmod 775 /usr/local/apps/filebeat

    mkdir -p /srv/logstash/log

    mkdir -p /srv/logstash/data

    chmod -R 775 /srv/logstash

    mkdir -p /srv/filebeat/log

    mkdir -p /srv/filebeat/data

    chmod -R 775 /srv/filebeat

    cd /usr/local/apps/logstash</pre>

    wget https://artifacts.elastic.co/downloads/logstash/logstash-7.11.2-linux-x86_64.tar.gz

    Extract the archive: tar -xvf logstash-7.11.2-linux-x86_64.tar.gz

    Create the file mylogstash-filebeat.conf under config:

    <pre spellcheck="false" class="md-fences md-end-block ty-contain-cm modeLoaded" lang="" cid="n58" mdtype="fences" style="box-sizing: border-box; overflow: visible; font-family: var(--monospace); font-size: 0.9em; display: block; break-inside: avoid; text-align: left; white-space: normal; background-image: inherit; background-position: inherit; background-size: inherit; background-repeat: inherit; background-attachment: inherit; background-origin: inherit; background-clip: inherit; background-color: rgb(248, 248, 248); position: relative !important; border: 1px solid rgb(231, 234, 237); border-radius: 3px; padding: 8px 4px 6px; margin-bottom: 15px; margin-top: 15px; width: inherit;">input {

    beats {
    port => 5044

    ssl => true

    ssl_certificate_authorities => "/usr/local/apps/logstash/pki/tls/certs/logstash-forwarder.crt"

    ssl_certificate => "/usr/local/apps/logstash/pki/tls/certs/logstash-forwarder.crt"

    ssl_key => "/usr/local/apps/logstash/pki/tls/certs/logstash-forwarder.key"

    ssl_verify_mode => "peer"

    }
    }

    output {
    elasticsearch {
    hosts => ["http://172.20.3.12:9200","http://172.20.3.35:9200","http://172.20.3.36:9200"]

    # "cluster" is not a supported option of the elasticsearch output in Logstash 7.x
    # cluster => "search-center-es-cluster"

    # Alternatives are commented out so that each setting appears once
    # user => "logstash_system"

    # password => "TCaCkoju3F3iOm7W0sjH"

    user => "elastic"
    password => "gVZNqhqu636wm13h8npd"

    # index => "activecard-performance-%{+YYYY.MM.dd}"

    index => "logstash"

    }
    }</pre>
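
The pipeline above keeps the Elasticsearch password in the file, authenticates as the built-in elastic superuser and reaches the nodes over http://. The check below flags those three settings; it is an added example, not part of the original post, and the two sample configs, the account name logstash_internal, the host name and the CA path are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): lint a Logstash pipeline file for
# weak settings in its elasticsearch output. Both sample configs are constructed.

lint_pipeline() {   # prints "file:line: FINDING"; returns 1 if anything was found
  awk '
    /^[ \t]*#/ { next }                            # ignore commented-out settings
    /password[ \t]*=>/ && $0 !~ /[$][{][A-Za-z_][A-Za-z0-9_]*[}]/ {
      print FILENAME ":" FNR ": PLAINTEXT_PASSWORD"; n++ }
    /user[ \t]*=>[ \t]*"elastic"/ {
      print FILENAME ":" FNR ": SUPERUSER_ACCOUNT"; n++ }
    /hosts[ \t]*=>/ && /http:\/\// {
      print FILENAME ":" FNR ": CLEARTEXT_HTTP"; n++ }
    END { exit (n > 0) }
  ' "$1"
}

write_samples() {   # $1 = directory that receives the two constructed configs
  cat > "$1/weak.conf" <<'EOF'
output {
  elasticsearch {
    hosts => ["http://es1.example.internal:9200"]
    user => "elastic"
    password => "CHANGEME-constructed"
    index => "logstash"
  }
}
EOF
  cat > "$1/hardened.conf" <<'EOF'
output {
  elasticsearch {
    hosts => ["https://es1.example.internal:9200"]
    cacert => "/usr/local/apps/logstash/config/certs/ca.crt"
    user => "logstash_internal"
    # value is stored with: bin/logstash-keystore add ES_PWD
    password => "${ES_PWD}"
    index => "logstash"
  }
}
EOF
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
lint_pipeline "$demo_dir/weak.conf" || echo "weak.conf: fix the findings above"
lint_pipeline "$demo_dir/hardened.conf" && echo "hardened.conf: clean"
```
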

    Configure the log directory

    vi config/logstash.yml

    path.data: /srv/data/logstash

    However, this did not seem to take effect.

    Start logstash from the bin directory

    nohup ./logstash -f ../config/mylogstash-kafka.conf &

    # Check the startup log

    ps -ef | grep logstash

    tail -100f nohup.out

    Error in the log:

    :error=>"Got response code '401' contacting Elasticsearch at UR

    You may not have configured the username and password.

    Get basic information about Logstash:

    curl -XGET 'localhost:9600/?pretty'

    Install Filebeat

    Installation

    cd /usr/local/apps/filebeat

    wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.3.1-linux-x86_64.tar.gz

    tar xzvf filebeat-7.3.1-linux-x86_64.tar.gz

    cd filebeat-7.3.1-linux-x86_64

    mv * ../

    Edit the configuration file

    Filebeat log directory configuration

    Configuration of the files to harvest

    vi /usr/local/apps/filebeat/filebeat.yml

    <pre spellcheck="false" class="md-fences md-end-block ty-contain-cm modeLoaded" lang="" cid="n340" mdtype="fences" style="box-sizing: border-box; overflow: visible; font-family: var(--monospace); font-size: 0.9em; display: block; break-inside: avoid; text-align: left; white-space: normal; background-image: inherit; background-position: inherit; background-size: inherit; background-repeat: inherit; background-attachment: inherit; background-origin: inherit; background-clip: inherit; background-color: rgb(248, 248, 248); position: relative !important; border: 1px solid rgb(231, 234, 237); border-radius: 3px; padding: 8px 4px 6px; margin-bottom: 15px; margin-top: 15px; width: inherit;"># Enable (uncomment) the following settings

    # Input configuration: which logs to harvest
    filebeat.inputs:
    - type: log
      # Turn the input on
      enabled: true
      paths:
        - /srv/filebeat/log/*.log
        - /usr/local/apps/filebeat/test.log

    # Logstash output configuration
    output.logstash:
      # The Logstash hosts
      hosts: ["localhost:5044"]

    # Log path configuration
    logging.to_files: true
    logging.files:
      path: /srv/filebeat/log
      name: filebeat
      keepfiles: 7
      permissions: 0644

    </pre>

    Permissions

    <pre mdtype="fences" cid="n108" lang="" class="md-fences md-end-block ty-contain-cm modeLoaded" spellcheck="false" style="box-sizing: border-box; overflow: visible; font-family: var(--monospace); font-size: 0.9em; display: block; break-inside: avoid; text-align: left; white-space: normal; background-image: inherit; background-position: inherit; background-size: inherit; background-repeat: inherit; background-attachment: inherit; background-origin: inherit; background-clip: inherit; background-color: rgb(248, 248, 248); position: relative !important; border: 1px solid rgb(231, 234, 237); border-radius: 3px; padding: 8px 4px 6px; margin-bottom: 15px; margin-top: 15px; width: inherit;"># Give ownership of the directory to the rd account

    chown -R rd:rd /usr/local/apps/filebeat

    # Switch to the rd account and run everything below as rd

    su rd

    chmod go-w /usr/local/apps/filebeat/filebeat.yml

    touch /usr/local/apps/filebeat/test.log

    echo "asdfasdfasdf" >>/usr/local/apps/filebeat/test.log

    nohup ./filebeat &

    tail -fn 200 nohup.out</pre>

    Testing Filebeat

    ./filebeat test output tests the running state:

    <pre spellcheck="false" class="md-fences md-end-block ty-contain-cm modeLoaded" lang="" cid="n387" mdtype="fences" style="box-sizing: border-box; overflow: visible; font-family: var(--monospace); font-size: 0.9em; display: block; break-inside: avoid; text-align: left; white-space: normal; background-image: inherit; background-position: inherit; background-size: inherit; background-repeat: inherit; background-attachment: inherit; background-origin: inherit; background-clip: inherit; background-color: rgb(248, 248, 248); position: relative !important; border: 1px solid rgb(231, 234, 237); border-radius: 3px; padding: 8px 4px 6px; margin-bottom: 15px; margin-top: 15px; width: inherit;">rd@localhost filebeat]$ ./filebeat test output

    logstash: localhost:5044...

    connection...

    • parse host... OK

    • dns lookup... OK

    • addresses: ::1, 127.0.0.1

    • dial up... OK

    TLS... WARN secure connection disabled

    talk to server... OK</pre>

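    This shows that it is working normally. Note the "TLS... WARN secure connection disabled" line, though: the filebeat.yml above sets no ssl options under output.logstash, so this connection is not encrypted.

    Query Elasticsearch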

    curl -XGET --user elastic:gVZNqhqu636wm13h8npd 'http://172.20.3.35:9200/logstash/_search'

    <pre spellcheck="false" class="md-fences md-end-block ty-contain-cm modeLoaded" lang="" cid="n415" mdtype="fences" style="box-sizing: border-box; overflow: visible; font-family: var(--monospace); font-size: 0.9em; display: block; break-inside: avoid; text-align: left; white-space: normal; background-image: inherit; background-position: inherit; background-size: inherit; background-repeat: inherit; background-attachment: inherit; background-origin: inherit; background-clip: inherit; background-color: rgb(248, 248, 248); position: relative !important; border: 1px solid rgb(231, 234, 237); border-radius: 3px; padding: 8px 4px 6px; margin-bottom: 15px; margin-top: 15px; width: inherit;">{"_index":"logstash","_type":"_doc","_id":"HtlkDXkBEawMgE7wuu-Z","_score":1.0,"_source":{"offset":135,"source":"/usr/local/apps/filebeat/test.log","prospector":{"type":"log"},"message":"123123123123123","@version":"1","beat":{"version":"6.2.4","name":"localhost.localdomain","hostname":"localhost.localdomain"},"@timestamp":"2021-04-26T08:56:14.094Z","tags":["beats_input_codec_plain_applied"]}},{"_index":"logstash","_type":"_doc","_id":"yjhkDXkBo6lKLCg_uhM3","_score":1.0,"_source":{"offset":151,"source":"/usr/local/apps/filebeat/test.log","prospector":{"type":"log"},"message":"123123123123123","@version":"1","beat":{"version":"6.2.4","name":"localhost.localdomain","hostname":"localhost.localdomain"},"@timestamp":"2021-04-26T08:56:14.094Z","tags":["beats_input_codec_plain_applied"]}},{"_index":"logstash","_type":"_doc","_id":"yzhkDXkBo6lKLCg_uhM3","_score":1.0,"_source":{"offset":503,"source":"/usr/local/apps/filebeat/test.log","prospector":{"type":"log"},"message":"123123123123123","@version":"1","beat":{"version":"6.2.4","name":"localhost.localdomain","hostname":"localhost.localdomain"},"@timestamp":"2021-04-26T08:56:14.096Z","tags":["beats_input_codec_plain_applied"]}},{"_index":"logstash","_type":"_doc","_id":"yDhkDXkBo6lKLCg_uhM0","_score":1.0,"_source":{"offset":711,"source":"/usr
/local/apps/filebeat/test.log","prospector":{"type":"log"},"message":"123123123123123","@version":"1","beat":{"version":"6.2.4","name":"localhost.localdomain","hostname":"localhost.localdomain"},"@timestamp":"2021-04-26T08:56:14.097Z","tags":["beats_input_codec_plain_applied"]}},{"_index":"logstash","_type":"_doc","_id":"wDhkDXkBo6lKLCg_uhM0","_score":1.0,"_source":{"offset":169,"source":"/srv/filebeat/log/a.log","prospector":{"type":"log"},"message":"asdfasdfasdf","@version":"1","beat":{"version":"6.2.4","name":"localhost.localdomain","hostname":"localhost.localdomain"},"@timestamp":"2021-04-26T08:56:14.093Z","tags":["beats_input_codec_plain_applied"]}},{"_index":"logstash","_type":"_doc","_id":"wThkDXkBo6lKLCg_uhM0","_score":1.0,"_source":{"offset":279,"source":"/usr/local/apps/filebeat/test.log","prospector":{"type":"log"},"message":"123123123123123","@version":"1","beat":{"version":"6.2.4","name":"localhost.localdomain","hostname":"localhost.localdomain"},"@timestamp":"2021-04-26T08:56:14.095Z","tags":["beats_input_codec_plain_applied"]}},{"_index":"logstash","_type":"_doc","_id":"HdlkDXkBEawMgE7wuu-V","_score":1.0,"_source":{"offset":423,"source":"/usr/local/apps/filebeat/test.log","prospector":{"type":"log"},"message":"123123123123123","@version":"1","beat":{"version":"6.2.4","name":"localhost.localdomain","hostname":"localhost.localdomain"},"@timestamp":"2021-04-26T08:56:14.096Z","tags":["beats_input_codec_plain_applied"]}},{"_index":"logstash","_type":"_doc","_id":"wjhkDXkBo6lKLCg_uhM0","_score":1.0,"_source":{"offset":743,"prospector":{"type":"log"},"source":"/usr/local/apps/filebeat/test.log","message":"123123123123123","@version":"1","beat":{"version":"6.2.4","name":"localhost.localdomain","hostname":"localhost.localdomain"},"@timestamp":"2021-04-26T08:56:14.097Z","tags":["beats_input_codec_plain_applied"]}},{"_index":"logstash","_type":"_doc","_id":"DdlkDXkBEawMgE7wuu-O","_score":1.0,"_source":{"offset":39,"prospector":{"type":"log"},"source":"/usr/local
/apps/filebeat/test.log","message":"asdfasdfasdf","@version":"1","beat":{"version":"6.2.4","name":"localhost.localdomain","hostname":"localhost.localdomain"},"@timestamp":"2021-04-26T08:56:14.094Z","tags":["beats_input_codec_plain_applied"]}}]}}</pre>

    References:

    https://www.cnblogs.com/xiaobaozi-95/p/9214307.html

    https://blog.csdn.net/zjcjava/article/details/99258682

    https://www.jianshu.com/p/4aa3a8b70bfa

    https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-installation-configuration.html

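    Common problems

    Log harvesting is configured, but Filebeat does not seem to be picking up any logs

    Possibly "enabled" has not been turned on in the configuration file

    Simulate log generation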

    echo "asdfasdfasdfasdf" >> /srv/filebeat/log/test.log

    http://172.20.3.35:9200/activecard-performance-2021.04.26/_search

    Query the logs

    curl -XGET --user logstash_system:TCaCkoju3F3iOm7W0sjH 'http://172.20.3.35:9200/activecard-performance-2021.04.26/_search'

    This does not work; that user can only query.

    Elasticsearch: permission issues with multiple users

    curl -XGET --user elastic:gVZNqhqu636wm13h8npd 'http://172.20.3.35:9200/activecard-performance-2021.04.26/_search'

    curl -XGET --user elastic:gVZNqhqu636wm13h8npd 'http://172.20.3.35:9200/logstash/_search'

    This one works.

    Test whether logstash has write permission

    curl -XGET --user elastic:gVZNqhqu636wm13h8npd 'http://172.20.3.35:9200/logstash/_doc/4'

    curl -XPOST --user elastic:gVZNqhqu636wm13h8npd 'http://172.20.3.35:9200/logstash/_doc/4' --header 'Content-Type: application/json' \
    --data '{
    "id":"4" ,
    "title":"标题" ,
    "category":"分类",
    "browserUrl":"http://api.51awifi.com/api/doc/123" ,
    "content":"文档内容" ,
    "author":"张三"
    }'

    curl -XPOST --user logstash_system:TCaCkoju3F3iOm7W0sjH 'http://172.20.3.35:9200/logstash/_doc/4' --header 'Content-Type: application/json' \
    --data '{
    "id":"4" ,
    "title":"标题" ,
    "category":"分类",
    "browserUrl":"http://api.51awifi.com/api/doc/123" ,
    "content":"文档内容" ,
    "author":"张三"
    }'
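
The write tests above use either the built-in logstash_system account or the elastic superuser. An alternative is a dedicated account whose role can write only the two indices used on this page, plus a privilege check that answers the write-permission question without indexing a test document. This is an added example, not part of the original post; the role name logstash_writer, the user name logstash_internal and the privilege list are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Role and user names are hypothetical.
ES_URL="${ES_URL:-http://172.20.3.35:9200}"    # node queried on this page

role_body() {    # write access limited to the two index patterns used on this page
  cat <<'EOF'
{
  "cluster": ["monitor", "manage_index_templates", "manage_ilm"],
  "indices": [{
    "names": ["logstash", "activecard-performance-*"],
    "privileges": ["write", "create", "create_index", "manage", "manage_ilm"]
  }]
}
EOF
}

user_body() {    # $1 = new password; assumed to contain no '"' or '\' characters
  printf '{"password": "%s", "roles": ["logstash_writer"]}\n' "$1"
}

check_body() {   # asks: may the calling user create and write these indices?
  cat <<'EOF'
{"index": [{"names": ["logstash", "activecard-performance-*"],
            "privileges": ["create_index", "write"]}]}
EOF
}

es_call() {      # $1 = user, $2 = method, $3 = API path; JSON body on stdin.
  # Only the user name is passed, so curl prompts for the password and it
  # never appears in the process list or in shell history.
  curl -sS -u "$1" -X "$2" "$ES_URL/$3" \
       -H 'Content-Type: application/json' --data-binary @-
}

create_logstash_writer() {   # run once as the elastic superuser
  local pw
  read -r -s -p 'New password for logstash_internal: ' pw; echo
  role_body       | es_call elastic PUT _security/role/logstash_writer
  user_body "$pw" | es_call elastic PUT _security/user/logstash_internal
}

check_write_access() {   # $1 = user to test, e.g. logstash_system or logstash_internal
  check_body | es_call "$1" POST '_security/user/_has_privileges?pretty'
}
```

After create_logstash_writer, compare the has_all_requested field returned by check_write_access for logstash_system and for logstash_internal.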
