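The following are the key steps for managing a Filebeat cluster on Debian, covering installation, configuration, deployment and monitoring:

    sudo apt update
    sudo apt install filebeat

Edit the configuration file /etc/filebeat/filebeat.yml: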

    filebeat.inputs:
      - type: log
        enabled: true
        paths: ["/var/log/*.log"]

    output.elasticsearch:
      hosts: ["http://elasticsearch:9200"]
      index: "filebeat-%{[agent.version]}-%{+yyyy.MM.dd}"

    cluster.name: "my-cluster"
    node.name: "filebeat-node-1"
    node.master: true   # set to true on the master node only, false on the other nodes
    path.data: /var/lib/filebeat
    path.logs: /var/log/filebeat

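Note: all nodes must share the same cluster.name; the master node is responsible for coordinating cluster state.

Enable configuration management (optional):

    kubectl create configmap filebeat-config --from-file=filebeat.yml

Single-node startup (test environment):

    sudo systemctl start filebeat
    sudo systemctl enable filebeat

Multi-node cluster deployment:

    sudo scp filebeat.yml node2:/etc/filebeat/
    sudo systemctl start filebeat   # run on all nodes
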
    apiVersion: apps/v1
    kind: DaemonSet
    metadata:
      name: filebeat
    spec:
      selector:
        matchLabels:
          app: filebeat
      template:
        metadata:
          labels:
            app: filebeat
        spec:
          containers:
            - name: filebeat
              image: docker.elastic.co/beats/filebeat:8.13.4
              volumeMounts:
                - name: varlog
                  mountPath: /var/log
                - name: config
                  mountPath: /usr/share/filebeat/filebeat.yml
                  subPath: filebeat.yml
          volumes:
            - name: varlog
              hostPath:
                path: /var/log
            - name: config
              configMap:
                name: filebeat-config

    kubectl apply -f filebeat-daemonset.yaml

Check cluster status:

    curl -X GET "http://elasticsearch:9200/_cat/nodes?v&pretty"

This should show the IP, role and other status of all Filebeat nodes.

Monitoring and logs:

    sudo systemctl status filebeat
    sudo tail -f /var/log/filebeat/filebeat.log

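High-availability optimization:
Configure multiple ES node addresses in output.elasticsearch to provide failover.
Add certificate paths in filebeat.yml to secure communication between nodes.

    sudo apt install kibana
    sudo nano /etc/kibana/kibana.yml
    # Add the following
    elasticsearch.hosts: ["http://elasticsearch:9200"]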
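
The two high-availability notes above (several ES node addresses in output.elasticsearch, certificate paths in filebeat.yml) are shown together in the following added example, which is not part of the original page. The hostnames and certificate paths are assumptions; the commented block is the page's plaintext setting, kept for comparison.

```yaml
# Added example; hostnames and file paths below are assumptions.

# As on the page: a single endpoint over plaintext HTTP.
# output.elasticsearch:
#   hosts: ["http://elasticsearch:9200"]

# Hardened form: several HTTPS endpoints plus certificate paths.
output.elasticsearch:
  # Filebeat distributes events across the listed hosts and sends to
  # another host when one becomes unreachable.
  hosts:
    - "https://es-node-1.example.internal:9200"
    - "https://es-node-2.example.internal:9200"
    - "https://es-node-3.example.internal:9200"
  index: "filebeat-%{[agent.version]}-%{+yyyy.MM.dd}"
  ssl:
    # CA that signed the Elasticsearch node certificates.
    certificate_authorities: ["/etc/filebeat/certs/ca.crt"]
    # Verify both the certificate chain and the hostname.
    verification_mode: full
    # Client certificate and key, needed only when Elasticsearch
    # requires mutual TLS. Keep the key readable by root only.
    certificate: "/etc/filebeat/certs/filebeat.crt"
    key: "/etc/filebeat/certs/filebeat.key"
```

After editing, `sudo filebeat test config` checks the syntax and `sudo filebeat test output` checks the TLS connection to each listed host.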