既ELK配置后,继续配置Elastic Beats组件
上一链接双系统配置ELK
filebeat、metricbeat、packetbeat、winlogbeat、heartbeat
一些命令要使用 windows PowerShell运行!!!! 管理员权限
Win下配置上述Beats
一、配置运行filebeat
顾名思义,Filebeat用于收集和传送日志文件,它也是最常用的Beat。 Filebeat如此高效的事实之一就是它处理背压的方式-因此,如果Logstash繁忙,Filebeat会减慢其读取速率,并在减速结束后加快节奏。
Filebeat几乎可以安装在任何操作系统上,包括作为Docker容器安装,还随附用于特定平台(例如Apache,MySQL,Docker等)的内部模块,其中包含这些平台的默认配置和Kibana对象。
- 安装对应版本解压
- 修改配置文件filebeat.yml
- type: log
# Change to true to enable this input configuration.
enabled: true
# Paths that should be crawled and fetched. Glob based paths.
paths:
- E:\App\logstash\logs\logstash-plain.log
#- c:\programdata\elasticsearch\logs\*
setup.kibana:
host: "localhost:5601"
output.elasticsearch:
# Array of hosts to connect to.
hosts: ["localhost:9200"]- 在filebeat安装目录,启动服务
filebeat setup
filebeat -e- 在es-head中查看,完成
二、配置运行metricbeat
Metricbeat是一种非常受欢迎的beat,它收集并报告各种系统和平台的各种系统级度量。 Metricbeat还支持用于从特定平台收集统计信息的内部模块。您可以使用这些模块和称为指标集的metricsets来配置Metricbeat收集指标的频率以及要收集哪些特定指标。
- 下载解压对应版本
- 修改metricbeat配置文件,metricbeat.yml
setup.kibana:
host: "localhost:5601"
output.elasticsearch:
# Array of hosts to connect to.
hosts: ["localhost:9200"]- 启动
metricbeat setup
metricbeat -e状态如下
三、配置运行packetbeat
网络数据包分析器Packetbeat是第一个引入的beat。 Packetbeat捕获服务器之间的网络流量,因此可用于应用程序和性能监视。
Packetbeat可以安装在受监视的服务器上,也可以安装在其专用服务器上。 Packetbeat跟踪网络流量,解码协议并记录每笔交易的数据。 Packetbeat支持的协议包括:DNS,HTTP,ICMP,Redis,MySQL,MongoDB,Cassandra等。
- 下载安装WinPcap
- 下载解压对应版本
- 在安装目录下执行命令,install
./install-service-packetbeat.ps1若执行策略出错,则更改执行策略
set-executionpolicy remotesigned
- 修改packetbeat配置文件packetbeat.yml
①监听的device
packetbeat.interfaces.device: 0②配置协议type ports
packetbeat.protocols:
- type: icmp
# Enable ICMPv4 and ICMPv6 monitoring. Default: false
enabled: true
- type: amqp
# Configure the ports where to listen for AMQP traffic. You can disable
# the AMQP protocol by commenting out the list of ports.
ports: [5672]
- type: cassandra
#Cassandra port for traffic monitoring.
ports: [9042]
#加上
- type: dns
# Configure the ports where to listen for DNS traffic. You can disable
# the DNS protocol by commenting out the list of ports.
ports: [53]
# include_authorities controls whether or not the dns.authorities field
# (authority resource records) is added to messages.
include_authorities: true
# include_additionals controls whether or not the dns.additionals field
# (additional resource records) is added to messages.
include_additionals: true③配置日志的输出
output.elasticsearch:
# Array of hosts to connect to.
hosts: ["localhost:9200"]
setup.kibana:
host: "localhost:5601"- 获取windows系统的device来配置packetbeat.interfaces.device
packetbeat.exe devices- 运行packetbeat
packetbeat.exe作为服务启动:Start-Service packetbeat
四、配置运行winlogbeat
Winlogbeat仅会引起Windows系统管理员或工程师的兴趣,因为它是专门为收集Windows事件日志而设计的节拍。 它可用于分析安全事件,已安装的更新等。
- 解压对应版本
- 在安装目录下,安装服务
install-service-winlogbeat.ps1如果在系统上禁用了脚本执行,则需要为当前会话设置执行策略以允许脚本运行。 PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-winlogbeat.ps1.
或者使用下列命令来关闭一些安全防护,输入后按确认
PS C:\Program Files\Winlogbeat> set-executionpolicy remotesigned
PS C:\Program Files\Winlogbeat> set-executionpolicy Bypass- 修改winlogbeat的配置文件winlogbeat.yml
output.elasticsearch:
hosts:
- localhost:9200- 检查文件正确性
winlogbeat.yml -e- 启动winlogbeat
Start-Service winlogbeat
#启动用这个
winlogbeat.exe -e- 在kibana或es-head查看即可
五、配置运行heartbeat
Heartbeat是用于“uptime monitoring”的。本质上,Heartbeat是探测服务以检查它们是否可访问的功能,例如,它可以用来验证服务的正常运行时间是否符合您的SLA。 您要做的就是为Heartbeat提供URL和正常运行时间指标的列表,以直接发送到Elasticsearch或Logstash以便在建立索引之前发送到您的堆栈。
- 下载对应版本
- 安装目录下cmd执行intall脚本
install-service-heartbeat.ps1
##若执行出错,则
set-executionpolicy remotesigned3.配置heartbeat.yml
①监听的端口,数据传输类型,请求间隔
# Configure monitors inline
heartbeat.monitors:
- type: http
# ID used to uniquely identify this monitor in elasticsearch even if the config changes
id: my-monitor
# Human readable display name for this service in Uptime UI and elsewhere
name: My Monitor
# List or urls to query
urls: ["http://localhost:9200"]
# Configure task schedule
schedule: '@every 10s'
# Total test connection and data exchange timeout
#timeout: 16s②配置kibana
setup.kibana:
# Kibana Host
# Scheme and port can be left out and will be set to the default (http and 5601)
# In case you specify and additional path, the scheme is required: http://localhost:5601/path
# IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
host: "localhost:5601"③配置message输出
output.elasticsearch:
# Array of hosts to connect to.
hosts: ["localhost:9200"]- 运行heartbeat
heartbeat.exe作为windows服务启动:Start-Service packetbeat
Centos7.5配置上述Beats(无winlogbeat)
一、配置运行filebeat
- 下载解压对应版本
- 修改配置文件filebeat.yml
output.elasticsearch:
# Array of hosts to connect to.
hosts: ["localhost:9200"]
setup.kibana:
# Kibana Host
# Scheme and port can be left out and will be set to the default (http and 5601)
# In case you specify and additional path, the scheme is required: http://localhost:5601/path
# IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
host: "localhost:5601"
- type: log
# Change to true to enable this input configuration.
enabled: true
# Paths that should be crawled and fetched. Glob based paths.
paths:
- /var/log/*.log
#- c:\programdata\elasticsearch\logs\*- 启动filebeat
[root@localhost filebeat]# ./filebeat -e
二、配置运行metricbeat
- 下载解压对应版本
- 修改配置文件
就是修改kibana和elasticsearch就可以了,和上面的win差不多,下面不赘述
#启动
./metricbeat -e
三、配置运行packetbeat
- 下载解压对应版本
- 修改配置文件
- 启动
四、配置运行heartbeat
- 下载解压对应版本
- 修改配置文件
- 启动
