CentOS 7에서 Filebeat를 설치하는 방법

CentOS 7에서 Filebeat를 설치하는 방법

Filebeat GPG 키 추가

Elasticsearch의 GPG 키를 추가해야 합니다.

sudo rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch

Filebeat 저장소 추가

Filebeat를 설치하려면 Elastic 패키지 저장소를 추가해야 합니다.

cat <<EOF | sudo tee /etc/yum.repos.d/elastic.repo
[elastic-8.x]
name=Elastic repository for 8.x packages
baseurl=https://artifacts.elastic.co/packages/8.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOF

Filebeat 설치

패키지를 설치합니다.

sudo yum install filebeat

(또는) Filebeat 패키지 설치

yum install --enablerepo=elasticsearch -y filebeat

Filebeat 설정

Filebeat 설정 파일을 확인

$ cat /etc/filebeat/filebeat.yml | egrep -v '^$|#'
filebeat.inputs:
- type: filestream
  id: my-filestream-id
  enabled: false
  paths:
    - /var/log/*.log
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false
setup.template.settings:
  index.number_of_shards: 1
setup.kibana:
output.elasticsearch:
  hosts: ["localhost:9200"]
processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  - add_kubernetes_metadata: ~

Filebeat 설정 파일을 수정하여 원하는 로그를 수집하고 전송할 수 있습니다.

vim /etc/filebeat/filebeat.yml

output.elasticsearch:
  hosts: ["your_elasticsearch_host:9200"]

filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /path/to/your/logs/*.log

Filebeat 서비스 시작 및 자동 시작 설정

systemctl --now enable filebeat.service

Filebeat 상태 확인

systemctl status filebeat.service

사용 가능한 모듈 목록 확인

filebeat modules list

$ filebeat modules list
Enabled:

Disabled:
activemq
apache
auditd
aws
awsfargate
azure
...

elasticsearch 모듈 구성을 활성화

filebeat modules enable elasticsearch

$ filebeat modules enable elasticsearch
Enabled elasticsearch

kibana 모듈 구성을 활성화

filebeat modules enable kibana

$ filebeat modules enable kibana
Enabled kibana

Filebeat 설정 파일을 편집

filebeat_system 계정 생성

Filebeat

vim /etc/filebeat/filebeat.yml

...
# ---------------------------- Elasticsearch Output ----------------------------
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["localhost:9200"]

  # Protocol - either `http` (default) or `https`.
  protocol: "https"

  # Authentication credentials - either API key or username/password.
  #api_key: "id:api_key"
  username: "filebeat_system"
  password: "filebeat_system"

  ssl.certificate_authorities: ["/etc/elasticsearch/certs/http_ca.crt"]
  ...

Filebeat 출력 테스트

filebeat test output

$ filebeat test output
elasticsearch: https://localhost:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 8.6.2

Filebeat load

filebeat setup -e

$ filebeat setup -e
{"log.level":"info","@timestamp":"2023-03-20T15:22:55.612+0900","log.origin":{"file.name":"instance/beat.go","file.line":724},"message":"Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]","service.name":"filebeat","ecs.version":"1.6.0"}
...
Loading dashboards (Kibana must be running and reachable)
{"log.level":"info","@timestamp":"2023-03-20T16:01:50.260+0900","log.logger":"kibana","log.origin":{"file.name":"kibana/client.go","file.line":179},"message":"Kibana url: http://localhost:5601","service.name":"filebeat","ecs.version":"1.6.0"}

Filebeat 재시작

systemctl restart filebeat.service

 

참고URL

- filebeat 설치하는 방법 : https://www.elastic.co/guide/en/beats/filebeat/8.6/setup-repositories.html

- Elasticsearchit을 통한 안전한 통신 : https://www.elastic.co/guide/en/beats/filebeat/8.6/securing-communication-elasticsearch.html