Ingesting host logs into ELK
Install Filebeat 6.5
yum install https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-6.5.0-x86_64.rpm
Install the GeoIP (IP-to-location) ingest plugin on the ELK host
/usr/share/elasticsearch/bin/elasticsearch-plugin install ingest-geoip
Configure the Filebeat configuration file (uncomment the Kibana host so "filebeat setup" can reach it)
sed -i 's/#host: "localhost:5601"/host: "localhost:5601"/g' /etc/filebeat/filebeat.yml
Enable the system log module
filebeat modules enable system
Configure the system log collection paths
# /etc/filebeat/modules/system.yml reference configuration (syslog from /var/log/messages, auth events from /var/log/secure)
- module: system
  syslog:
    enabled: true
    var.paths: ["/var/log/messages"]
  auth:
    enabled: true
    var.paths: ["/var/log/secure"]
Load the Kibana dashboards and index template
filebeat setup
Test-run Filebeat in the foreground (logs to stderr; stop with Ctrl-C)
filebeat -e
Configure the Filebeat service
systemctl start filebeat && systemctl enable filebeat
(Screenshot: Filebeat system dashboard in Kibana)
Reference configuration changes for connecting additional hosts (replace server-ip with the address of the ELK host; the "[" in the Elasticsearch hosts pattern must be escaped, otherwise sed treats it as a character class and the line is not rewritten)
sed -i 's/#host: "localhost:5601"/host: "server-ip:5601"/g' /etc/filebeat/filebeat.yml
sed -i 's/hosts: \["localhost:9200"]/hosts: ["server-ip:9200"]/g' /etc/filebeat/filebeat.yml
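As an added example (not part of the original post), the two host-rewriting sed commands above wrapped in shell functions that can be exercised on a constructed copy of filebeat.yml before touching the real file; it assumes GNU sed as shipped on CentOS, and the sample config excerpt, the function names and the 10.0.0.5 address are made up here.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes GNU sed (as on CentOS).
# The "hosts: [...]" pattern must have its "[" escaped: unescaped, sed reads
# ["localhost:9200"] as a character class, nothing matches, and the file is
# silently left pointing at localhost.

# Write a constructed excerpt of the stock filebeat.yml to $1 (sample input only).
make_sample_config() {
  cat > "$1" <<'EOF'
setup.kibana:
  #host: "localhost:5601"
output.elasticsearch:
  hosts: ["localhost:9200"]
EOF
}

# point_filebeat_at <file> <server-ip>: rewrite the Kibana and Elasticsearch
# endpoints in <file> so this host ships its logs to the central ELK server.
point_filebeat_at() {
  cfg="$1"; ip="$2"
  sed -i "s/#host: \"localhost:5601\"/host: \"$ip:5601\"/" "$cfg"
  sed -i "s/hosts: \[\"localhost:9200\"]/hosts: [\"$ip:9200\"]/" "$cfg"
}

# The unescaped form, kept only to show that it leaves the file unchanged.
unescaped_rewrite() {
  sed -i "s/hosts: [\"localhost:9200\"]/hosts: [\"$2:9200\"]/" "$1"
}

# check_config <file> <server-ip>: succeed only if both endpoints use <server-ip>.
check_config() {
  grep -qF "  host: \"$2:5601\"" "$1" &&
  grep -qF "  hosts: [\"$2:9200\"]" "$1"
}

# dry_run <server-ip>: exercise the rewrite on a throwaway copy and return
# check_config's status, so the edit can be verified before it is applied.
dry_run() {
  tmp=$(mktemp)
  make_sample_config "$tmp"
  point_filebeat_at "$tmp" "$1"
  if check_config "$tmp" "$1"; then status=0; else status=1; fi
  rm -f "$tmp"
  return $status
}
```

Run dry_run with the ELK server address first; once it succeeds, call point_filebeat_at on /etc/filebeat/filebeat.yml and confirm with check_config before restarting the service.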