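Environment
CentOS 7.3
Filebeat 7.6.0 (for Filebeat installation and basic usage, see here)
Elasticsearch 7.6.0
Nginx
Module
Filebeat ships with a large number of modules that simplify configuration. The commands are as follows.
List the modules
cd /usr/local/filebeat-7.6.0-linux-x86_64
./filebeat modules list
# Output: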
Enabled:
Disabled:
activemq
apache
auditd
aws
azure
cef
cisco
coredns
elasticsearch
envoyproxy
googlecloud
haproxy
ibmmq
icinga
iis
iptables
kafka
kibana
logstash
misp
mongodb
mssql
mysql
nats
netflow
nginx
osquery
panw
postgresql
rabbitmq
redis
santa
suricata
system
traefik
zeek
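As the output shows, every module is disabled by default and has to be enabled manually.
Enable the nginx module
./filebeat modules enable nginx    # enable
./filebeat modules disable nginx   # disable
Edit the nginx module configuration
cd modules.d/
vim nginx.yml
The main change is adding var.paths: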
- module: nginx
  # Access logs
  access:
    enabled: true
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    var.paths: ["/usr/local/nginx/logs/access.log"]
  # Error logs
  error:
    enabled: true
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    var.paths: ["/usr/local/nginx/logs/error.log*"]
Configure Filebeat
Switch to the Filebeat home directory and create a configuration file named nginx.yml with the following content:
setup.template.settings:
  index.number_of_shards: 3
output.elasticsearch:
  hosts: ["192.168.1.130:9200","192.168.0.131:9200","192.168.25.132:9200"]
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
Start nginx
(omitted)
Start Filebeat
./filebeat -e -c nginx.yml
Visit the host running nginx and refresh the page several times
Open Elasticsearch and check the logs
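A pre-flight check for the setup above, added here as an example and not part of the original post: it lists the var.paths patterns in modules.d/nginx.yml that match no readable file (Filebeat starts normally in that case and ships nothing) and flags config files writable by group or others, which Filebeat refuses to load by default. The function names are hypothetical, and the parser assumes the inline double-quoted list form of var.paths used on this page.

```sh
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Print each pattern found on the active (uncommented) var.paths lines of a
# modules.d file, one per line. Assumes the inline form used on this page:
#   var.paths: ["/a/access.log", "/a/error.log*"]
module_paths() {
    grep -E '^[[:space:]]*var\.paths:' "$1" |
        sed -e 's/^[^[]*\[//' -e 's/].*$//' |
        tr ',' '\n' |
        sed -e 's/^[[:space:]]*"//' -e 's/"[[:space:]]*$//' -e '/^$/d'
}

# Print the patterns that match no readable regular file right now.
# Assumes paths without spaces.
unmatched_paths() {
    module_paths "$1" | while IFS= read -r pattern; do
        found=no
        for f in $pattern; do    # unquoted on purpose so the glob expands
            if [ -f "$f" ] && [ -r "$f" ]; then found=yes; fi
        done
        if [ "$found" = no ]; then printf '%s\n' "$pattern"; fi
    done
}

# Exit status 0 if FILE is writable by group or others (characters 6 and 9
# of the permission string printed by `ls -ld`).
loosely_writable() {
    case "$(ls -ld -- "$1")" in
        ?????w*|????????w*) return 0 ;;
    esac
    return 1
}

# Run from the Filebeat home directory with the two files from this page:
#   sh preflight.sh modules.d/nginx.yml nginx.yml
if [ "$#" -eq 2 ]; then
    unmatched_paths "$1" | sed 's/^/no readable file matches: /'
    for cfg in "$1" "$2"; do
        if loosely_writable "$cfg"; then
            echo "writable by group/others: $cfg"
        fi
    done
fi
```

Silent output means every pattern matches a readable file and both files pass the write-permission check.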