在Ubuntu上配置Filebeat将日志输出到Elasticsearch,可按以下步骤进行:
更新系统包列表,导入Elastic官方GPG密钥,添加Elastic官方APT仓库,然后安装Filebeat。具体命令如下:
sudo apt update
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list
sudo apt update
sudo apt install filebeat
编辑/etc/filebeat/filebeat.yml文件,配置日志输入和输出。示例如下:
filebeat.inputs:
- type: log
enabled: true
paths:
- /var/log/*.log
output.elasticsearch:
hosts: ["localhost:9200"]
index: "filebeat-%{[agent.version]}-%{+yyyy.MM.dd}"
使用以下命令启动Filebeat服务,并设置为开机自启:
sudo systemctl start filebeat
sudo systemctl enable filebeat
查看Filebeat日志,确认服务运行正常,也可通过Elasticsearch的_cat/indices接口查看索引是否创建。命令如下:
sudo journalctl -u filebeat -f
curl -X GET "localhost:9200/_cat/indices?v"