ELK 6.4: installing an Elasticsearch cluster, Kibana dashboards and Logstash log collection
Scenario 1:
Business: the ** feature is down, get a developer to look at it.
Developer A: (to ops) mate, can you check the logs for me?
Ops then reaches for grep, awk and friends to dig out what the developer wants. Multi-dimensional or complex searches are still tedious, plain-text search is slow, and developers who are not fluent with Linux commands are stuck, unable to locate the problem quickly.
Scenario 2:
Developer A: mate, pull the logs for me, I need to troubleshoot something.
Ops: sure.
Developer B: bro, pull the logs under /home/bea/*/logs/* for me too.
Ops: Developer A just pulled them, ask him.
Developer B: what he got was not from that directory, please pull them again, thanks!
Ops: fine.
Developer C: bro, pull the logs of another application on another box for me.
Ops: got it.
Developer C: thanks bro.
Ops can do the pulling, but once the logs are on our own machine they are our problem. Small logs are easy: open them in UltraEdit or any other editor, search for a keyword, read the context.
Large logs are another story: a file over 50 MB is hard to open in an editor at all, and even if it opens it is slow; on a sluggish PC there is no way to work through it.
Current pain points with logs
- You need to be very familiar with Linux commands
- Text search is too slow
- No real-time monitoring
- Querying logs across a distributed deployment is even less efficient, and so on
The ELK solution
ELK is the acronym of three open-source projects: Elasticsearch, Logstash and Kibana.
- Elasticsearch (ES) is an open-source distributed search engine that covers collecting, analysing and storing data. Its characteristics: distributed, zero configuration, automatic discovery, automatic index sharding, index replicas, a RESTful interface, multiple data sources and automatic search load balancing.
- Logstash is the tool for collecting, parsing and filtering logs, with a large number of input types. It usually runs in a client/server layout: the client side sits on the hosts whose logs are collected, the server side filters and transforms the events it receives from the nodes and forwards them on to Elasticsearch.
- Kibana is also open source and free; it gives the logs held in Logstash and Elasticsearch a friendly web interface for aggregating, analysing and searching the important data.
Filebeat, used at the end of this post, is a lightweight shipper from the Beats family that replaces a full Logstash instance on each collected host.
For the underlying principles see the links at the end of this post and the official site.
ELK official site: https://www.elastic.co/cn/
Installing the Elasticsearch cluster
Prerequisites:
OS: Linux, CentOS 7 in this walkthrough
JDK: Java 8; here the distribution's OpenJDK in its default path
Machines: two
192.168.220.71
192.168.220.72
Check the environment
[[email protected] ~]# java -version
openjdk version "1.8.0_65"
OpenJDK Runtime Environment (build 1.8.0_65-b17)
OpenJDK 64-Bit Server VM (build 25.65-b01, mixed mode)
[[email protected] ~]# which java
/usr/bin/java
[[email protected] ~]# ls -lrt /usr/bin/java
lrwxrwxrwx. 1 root root 22 Jan 17 2018 /usr/bin/java -> /etc/alternatives/java
[[email protected] ~]# ls -lrt /etc/alternatives/java
lrwxrwxrwx. 1 root root 70 Jan 17 2018 /etc/alternatives/java -> /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.65-3.b17.el7.x86_64/jre/bin/java
[[email protected] ~]# cd /usr/lib/jvm
[[email protected] jvm]# ls
java-1.7.0-openjdk-1.7.0.91-2.6.2.3.el7.x86_64 jre-1.7.0 jre-1.8.0 jre-openjdk
java-1.8.0-openjdk-1.8.0.65-3.b17.el7.x86_64 jre-1.7.0-openjdk jre-1.8.0-openjdk
jre jre-1.7.0-openjdk-1.7.0.91-2.6.2.3.el7.x86_64 jre-1.8.0-openjdk-1.8.0.65-3.b17.el7.x86_64
[[email protected] jvm]#
Roles
Master node: 192.168.220.71
Data node: 192.168.220.72
Elasticsearch: installed on both the master and the data node
Kibana: installed on the master node
Logstash: installed on the hosts whose logs are to be collected (the original says both nodes; the walkthrough below installs it on the 72 host only)
ELK versions:
elasticsearch-6.4.0
kibana-6.4.0
logstash-6.4.0
filebeat-6.4.0
Edit the servers' hosts files
On the 71 host:
[[email protected] ~] vim /etc/hosts
add: 192.168.220.71 master-node
On the 72 host:
[[email protected] ~] vim /etc/hosts
add: 192.168.220.72 data-node1
(Each node only resolves its own name here; cluster discovery below uses the IP addresses, so that is sufficient.)
CentOS 7 firewall: open the ports you need, or (as done here) stop firewalld
Stop the firewall
[[email protected] ~]# systemctl stop firewalld.service
Prevent it from starting at boot
[[email protected] ~]# systemctl disable firewalld.service
Reboot
[[email protected] ~]# reboot
Turning firewalld off is the quick route for a lab. Combined with the network.host: 0.0.0.0 setting below and the absence of authentication on a 6.4 Basic licence, it exposes 9200/9300 (Elasticsearch), 5601 (Kibana), 9600 (Logstash API) and 10514 (syslog input) to every host that can route to these machines, and whoever reaches 9200 can read, change or delete every index. Outside an isolated lab keep firewalld running and use firewall-cmd to allow 9300 only between the two nodes, 9200 only from the Kibana, Logstash and Filebeat hosts, and 5601 only from the analysts' network.
Hostnames after the change (the command that sets them is not shown in the original; on CentOS 7 it is hostnamectl)
Master node
[[email protected] ~]# hostname
master-node
Data node
[[email protected] ~]# hostname
data-node1
Install ES
If wget cannot reach the internet, download the packages elsewhere and upload them to /root/product.
I downloaded them manually and placed them in that directory.
Import Elastic's RPM signing key before installing (rpm --import of https://artifacts.elastic.co/GPG-KEY-elasticsearch). Without it rpm prints the "NOKEY" warning seen below and installs the package without verifying its signature, so a tampered download would go unnoticed.
elasticsearch: https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-6.4.0.rpm
kibana: https://artifacts.elastic.co/downloads/kibana/kibana-6.4.0-x86_64.rpm
logstash: https://artifacts.elastic.co/downloads/logstash/logstash-6.4.0.rpm
filebeat (used at the end of this post): https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-6.4.0-x86_64.rpm
[[email protected] product]# mkdir -p /root/product
[[email protected] product]# cd /root/product
[[email protected] product]# wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-6.4.0.rpm
[[email protected] product]# rpm -ivh elasticsearch-6.4.0.rpm
warning: elasticsearch-6.4.0.rpm: Header V4 RSA/SHA512 Signature, key ID d88e42b4: NOKEY
Preparing... ################################# [100%]
Creating elasticsearch group... OK
Creating elasticsearch user... OK
Updating / installing...
1:elasticsearch-0:6.4.0-1 ################################# [100%]
### NOT starting on installation, please execute the following statements to configure elasticsearch service to start automatically using systemd
sudo systemctl daemon-reload
sudo systemctl enable elasticsearch.service
### You can start elasticsearch service by executing
sudo systemctl start elasticsearch.service
Created elasticsearch keystore in /etc/elasticsearch
[[email protected] product]#
[[email protected] product]# ll /etc/elasticsearch
total 28
-rw-rw----. 1 root elasticsearch 207 Sep 12 19:43 elasticsearch.keystore
-rw-rw----. 1 root elasticsearch 2869 Aug 18 07:23 elasticsearch.yml
-rw-rw----. 1 root elasticsearch 3009 Aug 18 07:23 jvm.options
-rw-rw----. 1 root elasticsearch 6380 Aug 18 07:23 log4j2.properties
-rw-rw----. 1 root elasticsearch 473 Aug 18 07:23 role_mapping.yml
-rw-rw----. 1 root elasticsearch 197 Aug 18 07:23 roles.yml
-rw-rw----. 1 root elasticsearch 0 Aug 18 07:23 users
-rw-rw----. 1 root elasticsearch 0 Aug 18 07:23 users_roles
[[email protected] product]#
jvm.options holds the JVM settings, for example
-Xms1g
-Xmx1g
which set the heap Elasticsearch runs with. Keep Xms and Xmx equal, and do not go above half of the machine's RAM (the rest is needed for the filesystem cache).
For the package layout and installation options see the official docs
https://www.elastic.co/guide/en/elasticsearch/reference/6.0/rpm.html
(that is the 6.0 page; the 6.4 version is https://www.elastic.co/guide/en/elasticsearch/reference/6.4/rpm.html)
Configure ES
[[email protected] elasticsearch]# more /etc/elasticsearch/elasticsearch.yml |grep -v "^#"
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
[[email protected] elasticsearch]#vim /etc/elasticsearch/elasticsearch.yml
vim tip: a capital G jumps to the last line
Add on the master node:
cluster.name: master-node # cluster name; must be identical on every node
node.name: master # this node's name
node.master: true # master-eligible
node.data: true # also holds data (the original comment read "not a data node", which is wrong: true means it is one)
network.host: 0.0.0.0 # listen on every interface; in a real environment bind to one internal address, since 6.4 on the Basic licence has no authentication
http.port: 9200 # REST port
discovery.zen.ping.unicast.hosts: ["192.168.220.71", "192.168.220.72"] # seed hosts for discovery
Add on the data node. The original repeats the master block verbatim here (node.name: master, node.master: true), but the cluster state further down shows the second node joining as data-node1, and the role split above makes it a data-only node, so:
cluster.name: master-node # same cluster name
node.name: data-node1 # must differ from the master's
node.master: false # data-only; with one master-eligible node discovery.zen.minimum_master_nodes can stay at 1 (if both nodes are master-eligible, set it to 2, or a network split can elect two masters)
node.data: true
network.host: 0.0.0.0 # same caveat as above
http.port: 9200
discovery.zen.ping.unicast.hosts: ["192.168.220.71", "192.168.220.72"]
Start the master node first, then the data node
systemctl start elasticsearch.service
Check the logs (Elasticsearch writes to /var/log/elasticsearch/<cluster.name>.log, here master-node.log; startup failures also show up in /var/log/messages)
[[email protected] ~]# ls /var/log/elasticsearch/
[[email protected] ~]# tail -50f /var/log/messages
Check that it started
[[email protected] elasticsearch]# curl '192.168.220.71:9200/_cluster/health?pretty'
{
"cluster_name" : "master-node",
"status" : "green",
"timed_out" : false,
"number_of_nodes" : 1,
"number_of_data_nodes" : 1,
"active_primary_shards" : 0,
"active_shards" : 0,
"relocating_shards" : 0,
"initializing_shards" : 0,
"unassigned_shards" : 0,
"delayed_unassigned_shards" : 0,
"number_of_pending_tasks" : 0,
"number_of_in_flight_fetch" : 0,
"task_max_waiting_in_queue_millis" : 0,
"active_shards_percent_as_number" : 100.0
}
[[email protected] elasticsearch]#
Check the cluster membership (the health output above reports number_of_nodes 1 because it was taken before data-node1 had joined; once both nodes are up it reports 2 nodes and 2 data nodes, and the state below already lists both)
[[email protected] elasticsearch]# curl '192.168.220.71:9200/_cluster/state?pretty'
{
"cluster_name" : "master-node",
"compressed_size_in_bytes" : 9574,
"cluster_uuid" : "OYnLCw6DSdeWet020B-zzA",
"version" : 16,
"state_uuid" : "1GtRg_ZhT2qOPPJeyzPY_w",
"master_node" : "45ktex-MTPKmE9Jpcd2HBQ",
"blocks" : { },
"nodes" : {
"45ktex-MTPKmE9Jpcd2HBQ" : {
"name" : "master",
"ephemeral_id" : "bHU_jIfUQ1KQvomp2Pyx_g",
"transport_address" : "192.168.220.71:9300",
"attributes" : {
"ml.machine_memory" : "1888342016",
"xpack.installed" : "true",
"ml.max_open_jobs" : "20",
"ml.enabled" : "true"
}
},
"624Y_ao2Svq0wfbdmaqHUg" : {
"name" : "data-node1",
"ephemeral_id" : "Do0nAllcSQmmtpNeocV3wA",
"transport_address" : "192.168.220.72:9300",
"attributes" : {
"ml.machine_memory" : "1913507840",
"ml.max_open_jobs" : "20",
"xpack.installed" : "true",
"ml.enabled" : "true"
}
}
},
......
"snapshot_deletions" : {
"snapshot_deletions" : [ ]
}
}
Both nodes listed under nodes, with the 71 node as master_node, means the ES cluster is up.
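The two responses above are easy to misread (the health call says one node, the state lists two). Below is an added example, not code from the original post, that performs the sanity checks a practitioner would want over those responses. STATE and HEALTH are constructed from the output shown above (node IDs and addresses copied from it, the rest trimmed); the checks are mine and assume the role split described earlier, i.e. only 192.168.220.71 is master-eligible.

```python
"""Added example: sanity checks over _cluster/state and _cluster/health.

STATE and HEALTH are constructed from the responses shown in the post; in a
real run you would json.loads() the bodies returned by curl.
"""
import json

STATE = json.loads("""{
  "cluster_name": "master-node",
  "master_node": "45ktex-MTPKmE9Jpcd2HBQ",
  "nodes": {
    "45ktex-MTPKmE9Jpcd2HBQ": {"name": "master", "transport_address": "192.168.220.71:9300"},
    "624Y_ao2Svq0wfbdmaqHUg": {"name": "data-node1", "transport_address": "192.168.220.72:9300"}
  }
}""")

HEALTH = json.loads("""{
  "cluster_name": "master-node", "status": "green",
  "number_of_nodes": 1, "number_of_data_nodes": 1
}""")

UNICAST_HOSTS = ["192.168.220.71", "192.168.220.72"]  # discovery.zen.ping.unicast.hosts
MASTER_ELIGIBLE = 1  # nodes configured with node.master: true (assumption: only the 71 node)


def check_cluster(state, health, unicast_hosts, master_eligible, minimum_master_nodes=1):
    """Return a list of findings; an empty list means the cluster looks as configured."""
    findings = []
    # transport_address is "ip:port"; map ip -> node name for the nodes that joined
    joined = {n["transport_address"].rsplit(":", 1)[0]: n["name"] for n in state["nodes"].values()}
    for host in unicast_hosts:
        if host not in joined:
            findings.append("NOT_JOINED %s is in unicast.hosts but not in the cluster state" % host)
    if health["number_of_nodes"] != len(state["nodes"]):
        findings.append(
            "NODE_COUNT_MISMATCH health saw %d node(s) but state lists %d: "
            "the health call ran before the other node joined, re-run it"
            % (health["number_of_nodes"], len(state["nodes"])))
    if health["status"] != "green":
        findings.append("STATUS cluster is %s" % health["status"])
    master_name = state["nodes"][state["master_node"]]["name"]
    # zen discovery quorum: a majority of the master-eligible nodes
    quorum = master_eligible // 2 + 1
    if minimum_master_nodes < quorum:
        findings.append(
            "SPLIT_BRAIN_RISK discovery.zen.minimum_master_nodes=%d but %d "
            "master-eligible node(s) need %d" % (minimum_master_nodes, master_eligible, quorum))
    if master_eligible == 1:
        findings.append(
            "SINGLE_MASTER only %s can be elected; if it is down the cluster has "
            "no master and rejects writes" % master_name)
    return findings


if __name__ == "__main__":
    for finding in check_cluster(STATE, HEALTH, UNICAST_HOSTS, MASTER_ELIGIBLE):
        print(finding)
```

Run against the post's own output this reports the node-count mismatch and the single-master caveat, and nothing else; the same function flags a node that never joined or a two-master setup left at minimum_master_nodes 1.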
Install Kibana
Kibana goes on the ES master node
[[email protected] ~]# cd /root/product
[[email protected] product]# wget https://artifacts.elastic.co/downloads/kibana/kibana-6.4.0-x86_64.rpm
[[email protected] product]# rpm -ivh kibana-6.4.0-x86_64.rpm
warning: kibana-6.4.0-x86_64.rpm: Header V4 RSA/SHA512 Signature, key ID d88e42b4: NOKEY
Preparing... ################################# [100%]
Updating / installing...
1:kibana-6.4.0-1 ################################# [100%]
[[email protected] product]#
Edit kibana
[[email protected] product]# more /etc/kibana/kibana.yml |grep -v "^#"
[[email protected] product]# vim /etc/kibana/kibana.yml
Add the following
server.port: 5601 # Kibana port
server.host: 192.168.220.71 # address to listen on
elasticsearch.url: "http://192.168.220.71:9200" # Elasticsearch address; for a cluster, the address of a node that serves HTTP (the master here)
logging.dest: /var/log/kibana.log # Kibana log file; without it Kibana logs to /var/log/messages
Create the log file and hand it to the kibana user
[[email protected] product]# touch /var/log/kibana.log
[[email protected] log]# chown kibana:kibana /var/log/kibana.log
(The original used chmod 777 here, which lets every local user write to or truncate the Kibana log. The service runs as the kibana user, as the ps output below shows, so ownership is all it needs.)
Start Kibana and check the process
[[email protected] log]# systemctl start kibana
[[email protected] log]# ps aux |grep kibana
kibana 5307 37.8 9.1 1122624 168436 ? Rsl 21:23 0:11 /usr/share/kibana/bin/../node/bin/node --no-warnings /usr/share/kibana/bin/../src/cli -c /etc/kibana/kibana.yml
root 5362 0.0 0.0 112644 948 pts/0 R+ 21:24 0:00 grep --color=auto kibana
[[email protected] log]#
Check the listening port
[[email protected] log]# netstat -lntp |grep 5601
tcp 0 0 192.168.220.71:5601 0.0.0.0:* LISTEN 5307/node
[[email protected] log]#
Open http://192.168.220.71:5601 in a browser. No login is asked for: Kibana 6.4 on the Basic licence has no authentication, so everyone who can reach port 5601 gets full access to the data and to the Dev Tools console, which can run any Elasticsearch request.
Install Logstash
Logstash is the collection tool and goes on the hosts whose logs are to be collected.
Here it is installed on 192.168.220.72. Note that Logstash 6.4 runs on Java 8 only; Java 9 is not supported.
Other installation methods are described at
https://www.elastic.co/guide/en/logstash/current/installing-logstash.html
[[email protected] ~]# cd /root/product
[[email protected] product]# wget https://artifacts.elastic.co/downloads/logstash/logstash-6.4.0.rpm
[[email protected] product]# rpm -ivh logstash-6.4.0.rpm
warning: logstash-6.4.0.rpm: Header V4 RSA/SHA512 Signature, key ID d88e42b4: NOKEY
Preparing... ################################# [100%]
Updating / installing...
1:logstash-1:6.4.0-1 ################################# [100%]
Using provided startup.options file: /etc/logstash/startup.options
Successfully created system startup script for Logstash
[[email protected] product]#
Once installed, first configure Logstash to receive syslog and print it:
[[email protected] ~]# vim /etc/logstash/conf.d/syslog.conf
input { # inputs
  syslog {
    type => "system-syslog" # event type
    port => 10514 # port to listen on (the syslog input opens both TCP and UDP)
  }
}
output { # outputs
  stdout {
    codec => rubydebug # print every event to the terminal
  }
}
"/etc/logstash/conf.d/syslog.conf" [New] 12L, 248C written
[[email protected] ~]#
Check the config file for errors:
[[email protected] bin]# ./logstash --path.settings /etc/logstash/ -f /etc/logstash/conf.d/syslog.conf --config.test_and_exit
Sending Logstash logs to /var/log/logstash which is now configured via log4j2.properties
[2018-09-13T10:14:12,020][INFO ][logstash.setting.writabledirectory] Creating directory {:setting=>"path.queue", :path=>"/var/lib/logstash/queue"}
[2018-09-13T10:14:12,081][INFO ][logstash.setting.writabledirectory] Creating directory {:setting=>"path.dead_letter_queue", :path=>"/var/lib/logstash/dead_letter_queue"}
[2018-09-13T10:14:13,808][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified
Configuration OK
[2018-09-13T10:14:21,559][INFO ][logstash.runner ] Using config.test_and_exit mode. Config Validation Result: OK. Exiting Logstash
[[email protected] bin]#
# "Configuration OK" is what you want to see
--path.settings: the directory holding Logstash's own settings (logstash.yml, pipelines.yml)
-f: the pipeline config file to check
--config.test_and_exit: validate the config and exit instead of starting the pipeline
Point rsyslog at the Logstash syslog listener. The target is the host running Logstash, 192.168.220.72 in this setup (the original gives 192.168.220.71 here, the Kibana/ES node, where nothing listens on 10514, so forwarded messages would simply be dropped):
[[email protected] bin]# vim /etc/rsyslog.conf
*.* @@192.168.220.72:10514
@@ forwards over TCP; a single @ would use UDP. Either way the messages travel in plaintext.
Restart rsyslog so the change takes effect:
[[email protected] bin]# systemctl restart rsyslog
[[email protected] bin]#
Start Logstash with that config file; the events it receives are printed on this terminal.
To generate some input, open
http://192.168.220.72:10514/
in a browser, or from a second terminal run
curl http://192.168.220.72:10514/
Events appearing on the screen show that the listener is reachable. Note what is actually being tested: curl speaks HTTP, not syslog, so each request line becomes an event tagged _grokparsefailure_sysloginput with priority 0, which decodes to facility "kernel" and severity "Emergency", exactly as in the output below. That proves the port is open, not that syslog parsing works. To send a genuine syslog message use logger, e.g. logger -n 192.168.220.72 -P 10514 "test from logger", or simply wait for rsyslog to forward the next message.
[[email protected] ~]# cd /usr/share/logstash/bin
[[email protected] bin]# ./logstash --path.settings /etc/logstash/ -f /etc/logstash/conf.d/syslog.conf
Sending Logstash logs to /var/log/logstash which is now configured via log4j2.properties
[2018-09-13T11:01:58,406][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified
[2018-09-13T11:02:00,454][INFO ][logstash.runner ] Starting Logstash {"logstash.version"=>"6.4.0"}
[2018-09-13T11:02:08,785][INFO ][logstash.pipeline ] Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>1, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50}
[2018-09-13T11:02:09,979][INFO ][logstash.pipeline ] Pipeline started successfully {:pipeline_id=>"main", :thread=>"#<Thread:0x1d9e66b1 run>"}
[2018-09-13T11:02:10,085][INFO ][logstash.agent ] Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
[2018-09-13T11:02:10,131][INFO ][logstash.inputs.syslog ] Starting syslog udp listener {:address=>"0.0.0.0:10514"}
[2018-09-13T11:02:10,180][INFO ][logstash.inputs.syslog ] Starting syslog tcp listener {:address=>"0.0.0.0:10514"}
[2018-09-13T11:02:11,596][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600}
[2018-09-13T11:03:00,340][INFO ][logstash.inputs.syslog ] new connection {:client=>"192.168.220.72:34664"}
{
"type" => "system-syslog",
"facility_label" => "kernel",
"facility" => 0,
"message" => "GET / HTTP/1.1\r\n",
"severity_label" => "Emergency",
"@version" => "1",
"host" => "192.168.220.72",
"severity" => 0,
"tags" => [
[0] "_grokparsefailure_sysloginput"
],
"@timestamp" => 2018-09-13T03:03:00.405Z,
"priority" => 0
}
{
"type" => "system-syslog",
"facility_label" => "kernel",
"facility" => 0,
"message" => "User-Agent: curl/7.29.0\r\n",
"severity_label" => "Emergency",
"@version" => "1",
"host" => "192.168.220.72",
"severity" => 0,
"tags" => [
[0] "_grokparsefailure_sysloginput"
],
"@timestamp" => 2018-09-13T03:03:00.568Z,
"priority" => 0
}
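To make sense of the facility/severity fields above, here is an added example, not code from the original post, that decodes the RFC 3164 syslog header the way Logstash's syslog input does and reproduces the fallback you see when the input is not syslog at all. The sample lines are constructed for this example (an sshd failure, a logger message, and the two HTTP lines curl sends); the label tables follow the syslog input plugin's defaults.

```python
"""Added example: RFC 3164 PRI decoding and the _grokparsefailure_sysloginput fallback."""
import re

# Facility and severity names as the Logstash syslog input labels them
FACILITY_LABELS = [
    "kernel", "user-level", "mail", "system", "security/authorization",
    "syslogd", "line printer", "network news", "UUCP", "clock",
    "security/authorization", "FTP", "NTP", "log audit", "log alert",
    "clock", "local0", "local1", "local2", "local3", "local4", "local5",
    "local6", "local7",
]
SEVERITY_LABELS = [
    "Emergency", "Alert", "Critical", "Error", "Warning", "Notice",
    "Informational", "Debug",
]
PARSE_FAILURE_TAG = "_grokparsefailure_sysloginput"

# BSD syslog as rsyslog forwards it: <PRI>Mmm dd hh:mm:ss host program[pid]: text
SYSLOG_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<program>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<message>.*)$",
    re.DOTALL,
)


def _unparsed(line):
    """What the syslog input emits on a grok miss: the raw text is kept as the
    message, PRI defaults to 0 (kernel / Emergency) and the event is tagged so
    it can be found, or dropped, in Kibana."""
    return {
        "message": line, "priority": 0,
        "facility": 0, "facility_label": FACILITY_LABELS[0],
        "severity": 0, "severity_label": SEVERITY_LABELS[0],
        "tags": [PARSE_FAILURE_TAG],
    }


def parse_syslog_line(line):
    """Return the fields Logstash would put on the event for one raw line."""
    match = SYSLOG_LINE.match(line)
    if match is None:
        return _unparsed(line)
    pri = int(match.group("pri"))
    if pri > 191:  # 23 * 8 + 7 is the largest valid PRI
        return _unparsed(line)
    facility, severity = divmod(pri, 8)  # PRI = facility * 8 + severity
    pid = match.group("pid")
    return {
        "message": match.group("message"), "priority": pri,
        "facility": facility, "facility_label": FACILITY_LABELS[facility],
        "severity": severity, "severity_label": SEVERITY_LABELS[severity],
        "timestamp": match.group("timestamp"), "host": match.group("host"),
        "program": match.group("program"), "pid": int(pid) if pid else None,
        "tags": [],
    }


def parsed_events(lines):
    return [parse_syslog_line(line) for line in lines]


def urgent_auth_events(events, max_severity=4):
    """Detection-style filter: well-formed auth/authpriv events at Warning or worse."""
    return [e for e in events
            if not e["tags"] and e["facility"] in (4, 10) and e["severity"] <= max_severity]


# Constructed sample input: two rsyslog-style lines and the two HTTP request
# lines that curl sends when pointed at the syslog port.
SAMPLE_LINES = [
    "<34>Sep 13 11:03:00 data-node1 sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 4444 ssh2",
    "<13>Sep 13 11:03:01 data-node1 root: test from logger",
    "GET / HTTP/1.1\r\n",
    "User-Agent: curl/7.29.0\r\n",
]

if __name__ == "__main__":
    for event in parsed_events(SAMPLE_LINES):
        print(event)
```

The sshd line decodes to priority 34, i.e. facility 4 (security/authorization) and severity 2 (Critical), and is the only one the urgent_auth_events filter keeps; both HTTP lines come out exactly like the events printed above, which is why a filter on that tag is the first thing to add before trusting a dashboard built on this input.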
Configure Logstash to send to Elasticsearch
[[email protected] ~]# vim /etc/logstash/conf.d/syslog.conf
input { # inputs
  syslog {
    type => "system-syslog" # event type
    port => 10514 # port to listen on
  }
}
output { # outputs
  elasticsearch {
    hosts => ["192.168.220.71:9200"] # Elasticsearch address (plaintext and unauthenticated in this setup)
    index => "system-syslog-%{+YYYY.MM}" # one index per month
  }
}
"/etc/logstash/conf.d/syslog.conf" 13L, 305C written
[[email protected] ~]#
Set the address of the Logstash monitoring API
[[email protected] ~]# vim /etc/logstash/logstash.yml
http.host: "192.168.220.72"
This binds the API on port 9600 (visible in the netstat output further down) to the host's LAN address. The API has no authentication and returns the running pipeline configuration and node stats, so unless something remote needs it, the default 127.0.0.1 is the safer choice.
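The bind settings edited so far (network.host in elasticsearch.yml, server.host and elasticsearch.url in kibana.yml, http.host here) are where this stack gets exposed. Below is an added example, not code from the original post, that audits those settings: a flat key/value reader for the lines these files use, the "as configured" snippets reproducing the values from this post, and hardened counterparts that are my suggestion. Two assumptions are labelled in the code: the xpack.security.enabled line needs a licence that includes security (on 6.4 that is a trial, Gold or Platinum licence, not the free Basic one), and the https URL for Kibana assumes TLS has been set up on Elasticsearch.

```python
"""Added example: flag the exposure-related settings in the three ELK config files."""

WILDCARD_BINDS = {"0.0.0.0", "0", "::", "_global_", "_site_"}
LOOPBACK = {"127.0.0.1", "localhost", "::1", "_local_"}
BIND_KEY = {"elasticsearch": "network.host", "kibana": "server.host", "logstash": "http.host"}
# what each component listens on when the key is absent
BIND_DEFAULT = {"elasticsearch": "_local_", "kibana": "localhost", "logstash": "127.0.0.1"}


def parse_flat_yaml(text):
    """Parse the flat `key: value  # comment` lines these files use.
    Enough for the settings edited in this walkthrough; not a general YAML parser."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].strip()  # drop inline comments
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        cfg[key.strip()] = value.strip().strip('"').strip("'")
    return cfg


def audit(component, cfg):
    """Return findings for one component; an empty list means nothing was flagged."""
    findings = []
    bind = cfg.get(BIND_KEY[component], BIND_DEFAULT[component])
    if bind in WILDCARD_BINDS:
        findings.append("%s: %s=%s listens on every interface" % (component, BIND_KEY[component], bind))
    if component == "elasticsearch" and cfg.get("xpack.security.enabled") != "true":
        findings.append("elasticsearch: no authentication on 9200/9300; anyone who can reach "
                        "them can read, change or delete every index")
    if component == "kibana" and cfg.get("elasticsearch.url", "").startswith("http://"):
        findings.append("kibana: talks to Elasticsearch over plaintext http")
    if component == "logstash" and bind not in LOOPBACK:
        findings.append("logstash: monitoring API on 9600 bound to %s; it has no authentication "
                        "and serves pipeline config and stats" % bind)
    return findings


def audit_all(configs):
    """configs: {component: yaml_text}; returns {component: findings}."""
    return {c: audit(c, parse_flat_yaml(t)) for c, t in configs.items()}


# Snippets reproducing the values used in this post
ES_AS_CONFIGURED = """
cluster.name: master-node # cluster name
node.name: master
node.master: true
node.data: true
network.host: 0.0.0.0 # listen on every interface
http.port: 9200
discovery.zen.ping.unicast.hosts: ["192.168.220.71", "192.168.220.72"]
"""
KIBANA_AS_CONFIGURED = """
server.port: 5601
server.host: 192.168.220.71
elasticsearch.url: "http://192.168.220.71:9200"
logging.dest: /var/log/kibana.log
"""
LOGSTASH_AS_CONFIGURED = 'http.host: "192.168.220.72"\n'

# Hardened counterparts (my suggestion)
ES_HARDENED = """
cluster.name: master-node
node.name: master
network.host: 192.168.220.71 # the internal address only
http.port: 9200
discovery.zen.ping.unicast.hosts: ["192.168.220.71", "192.168.220.72"]
discovery.zen.minimum_master_nodes: 1
xpack.security.enabled: true # assumption: a licence that includes security
"""
KIBANA_HARDENED = """
server.port: 5601
server.host: 192.168.220.71
elasticsearch.url: "https://192.168.220.71:9200" # assumption: TLS configured on Elasticsearch
logging.dest: /var/log/kibana.log
"""
LOGSTASH_HARDENED = 'http.host: "127.0.0.1"\n'

if __name__ == "__main__":
    for component, findings in audit_all({"elasticsearch": ES_AS_CONFIGURED,
                                          "kibana": KIBANA_AS_CONFIGURED,
                                          "logstash": LOGSTASH_AS_CONFIGURED}).items():
        print(component, findings or "ok")
```

On the post's values this flags the wildcard bind and missing authentication on Elasticsearch, the plaintext Kibana-to-ES link, and the LAN-bound Logstash API; the hardened snippets produce no findings. Where the licence rules out X-Pack security, the practical substitute is the firewall restriction described in the firewall section plus an authenticating reverse proxy in front of 9200 and 5601.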
Check the config file for errors again
[[email protected] ~]# cd /usr/share/logstash/bin
[[email protected] bin]# ./logstash --path.settings /etc/logstash/ -f /etc/logstash/conf.d/syslog.conf --config.test_and_exit
Sending Logstash logs to /var/log/logstash which is now configured via log4j2.properties
[2018-09-13T11:11:11,314][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified
Configuration OK
[2018-09-13T11:11:22,311][INFO ][logstash.runner ] Using config.test_and_exit mode. Config Validation Result: OK. Exiting Logstash
[[email protected] bin]#
Fix ownership of the Logstash log file. The test runs above were done as root, so the log file and the queue directories were created owned by root and the logstash service user cannot write to them:
[[email protected] ~]# chown logstash /var/log/logstash/logstash-plain.log
[[email protected] ~]# ll !$
ll /var/log/logstash/logstash-plain.log
-rw-r--r--. 1 logstash root 4688 Sep 13 11:11 /var/log/logstash/logstash-plain.log
Fix ownership of the data directory
[[email protected] ~]# ll /var/lib/logstash/
total 4
drwxr-xr-x. 2 root root 6 Sep 13 10:14 dead_letter_queue
drwxr-xr-x. 2 root root 6 Sep 13 10:14 queue
-rw-r--r--. 1 root root 36 Sep 13 10:25 uuid
[[email protected] ~]# chown -R logstash /var/lib/logstash/
[[email protected] ~]# ll /var/lib/logstash/
total 4
drwxr-xr-x. 2 logstash root 6 Sep 13 10:14 dead_letter_queue
drwxr-xr-x. 2 logstash root 6 Sep 13 10:14 queue
-rw-r--r--. 1 logstash root 36 Sep 13 10:25 uuid
Restart Logstash
[[email protected] ~]# systemctl restart logstash
[[email protected] ~]#
Check the listening ports
[[email protected] ~]# netstat -lntp |grep 10514
tcp6 0 0 :::10514 :::* LISTEN 10922/java
[[email protected] ~]# netstat -lntp |grep 9600
tcp6 0 0 192.168.220.72:9600 :::* LISTEN 10922/java
[[email protected] ~]#
Send a few test requests again, from a browser
http://192.168.220.72:10514/
or with curl http://192.168.220.72:10514/
Then list the Elasticsearch indices
[[email protected] ~]# curl '192.168.220.71:9200/_cat/indices?v'
health status index uuid pri rep docs.count docs.deleted store.size pri.store.size
green open system-syslog-2018.09 K1M6FtzXS7CLjfmJ4rfeog 5 1 5 0 59kb 33.4kb
green open .kibana k94rlEYtQi-AGx42BoTFiQ 1 1 1 0 8kb 4kb
[[email protected] ~]#
[[email protected] ~]# curl -XGET '192.168.220.71:9200/system-syslog-2018.09?pretty'
{
"system-syslog-2018.09" : {
"aliases" : { },
"mappings" : {
"doc" : {
"properties" : {
"@timestamp" : {
"type" : "date"
},
"@version" : {
"type" : "text",
"fields" : {
"keyword" : {
"type" : "keyword",
"ignore_above" : 256
}
}
},
……
"settings" : {
"index" : {
"creation_date" : "1536809299144",
"number_of_shards" : "5",
"number_of_replicas" : "1",
"uuid" : "K1M6FtzXS7CLjfmJ4rfeog",
"version" : {
"created" : "6040099"
},
"provided_name" : "system-syslog-2018.09"
}
}
}
}
[[email protected] ~]#
Configure the index pattern in Kibana
The original gives no detail for this step. In Kibana 6.4 open Management > Index Patterns, create the pattern system-syslog-* with @timestamp as the time field, then use Discover to search the events.
Install Filebeat
[[email protected] ~]# cd /root/product/
[[email protected] product]# rpm -ivh filebeat-6.4.0-x86_64.rpm
warning: filebeat-6.4.0-x86_64.rpm: Header V4 RSA/SHA512 Signature, key ID d88e42b4: NOKEY
Preparing... ################################# [100%]
Updating / installing...
1:filebeat-6.4.0-1 ################################# [100%]
Edit the config
[[email protected] product]# vim /etc/filebeat/filebeat.yml
filebeat.prospectors:
- type: log
  #enabled: false   # comment this line out (enabled defaults to true)
  paths:
    - /var/log/messages   # log file(s) to collect
#output.elasticsearch:   # comment these three lines out for now
  # Array of hosts to connect to.
  #hosts: ["localhost:9200"]
output.console:   # print events to the terminal instead
  enabled: true   # the original had "enable: true"; the option is "enabled"
"/etc/filebeat/filebeat.yml" 204L, 7576C written
[[email protected] product]#
(filebeat.prospectors still works in 6.4 but has been deprecated since 6.3 in favour of filebeat.inputs.)
Run it in the foreground to check
[[email protected] product]# /usr/share/filebeat/bin/filebeat -c /etc/filebeat/filebeat.yml
Stop printing to the terminal and send the events to ES instead
[[email protected] ~]# vim /etc/filebeat/filebeat.yml
#-------------------------- Elasticsearch output ------------------------------
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["192.168.220.71:9200"]

  # Optional protocol and basic auth credentials.
  #protocol: "https"
  #username: "elastic"
  #password: "changeme"
#output.console:   # comment the console output back out; Filebeat allows only one output
  #enabled: true
Start it
[[email protected] ~]# systemctl start filebeat
Check the process
[[email protected] ~]# ps axu |grep filebeat
root 5421 0.0 0.8 376148 15548 ? Ssl 15:13 0:04 /usr/share/filebeat/bin/filebeat -c /etc/filebeat/filebeat.yml -path.home /usr/share/filebeat -path.config /etc/filebeat -path.data /var/lib/filebeat -path.logs /var/log/filebeat
root 8168 0.0 0.0 112644 952 pts/0 R+ 17:07 0:00 grep --color=auto filebeat
Check that an index starting with filebeat- has appeared
[[email protected] ~]# curl '192.168.220.71:9200/_cat/indices?v'
health status index uuid pri rep docs.count docs.deleted store.size pri.store.size
green open filebeat-6.4.0-2018.09.19 kwrZC65IToG9Q2_y0Evlvg 3 1 3349 0 1.3mb 643.9kb
References
http://www.cnblogs.com/aresxin/p/8035137.html
http://blog.51cto.com/zero01/2079879
http://blog.51cto.com/zero01/2082794