安装filebeat nginx 日志模板

$images\cherry_red.png$ 1 ELK日志分析系统

$images\cherry_blue.png$ 1.1 ELK系统部署

$images\cherry_orange.png$ 1.1.1 ELK端配置

$images\cherry_cyan.png$ 1.1.1.1 Elasticsearch

$images\cherry_cyan.png$ 1.1.1.2 Kibana

$images\cherry_cyan.png$ 1.1.1.3 Filebeat

$images\cherry_blue.png$ 1.2 ELK优化

$images\cherry_orange.png$ 1.2.1 es-head插件安装

$images\cherry_orange.png$ 1.2.2 安装filebeat nginx 日志模板

在 ES 服务配置:
[root@mycat-elk ~]# cd /usr/local/elasticsearch-6.2.3/
[root@mycat-elk elasticsearch-6.2.3]# ./bin/elasticsearch-plugin install ingest-geoip
[root@mycat-elk elasticsearch-6.2.3]# ./bin/elasticsearch-plugin install ingest-user-agent

重启ES
[root@mycat-elk ~]# netstat -nlpt | grep 9200
tcp6 0 0 192.168.182.11:9200 :::* LISTEN 11783/java
tcp6 0 0 127.0.0.1:9200 :::* LISTEN 11783/java
[root@mycat-elk ~]# kill -9 11783
[root@mycat-elk ~]# su abc
[abc@mycat-elk root]$ /usr/local/elasticsearch-6.2.3/bin/elasticsearch -d

配置filebeat
[root@web-1 ~]# grep -vE "#|^$" /opt/filebeat-6.2.3-linux-x86_64/filebeat.yml
filebeat.prospectors:
- type: log
enabled: true
paths:
- /var/log/nginx/*.log
filebeat.config.modules:
path: ${path.config}/modules.d/*.yml
reload.enabled: false
setup.template.settings:
index.number_of_shards: 3
setup.kibana:
host: "192.168.182.11:5601"
output.elasticsearch:
hosts: ["192.168.182.11:9200"]

开启nginx 模块支持
[root@web-1 ~]# cd /opt/filebeat-6.2.3-linux-x86_64/
[root@web-1 filebeat-6.2.3-linux-x86_64]# ./filebeat modules enable nginx
PS：报错原因，是新安装的模板文件并不是属于root用户的，默认是为uid 1000的用户，但是启动时这些文件必须属于root
[root@web-1 filebeat-6.2.3-linux-x86_64]# ./filebeat setup
Loaded index template
Loaded dashboards
Exiting: 1 error: Error reading fileset nginx/access: Error reading manifest file: config file ("/opt/filebeat-6.2.3-linux-x86_64/module/nginx/access/manifest.yml") must be owned by the beat user (uid=0) or root

解决方案:
[root@ ~]# chown -R root:root /opt/filebeat-6.2.3-linux-x86_64/
[root@web-1 filebeat-6.2.3-linux-x86_64]# ./filebeat setup

注意你的访问日志命令风格:
[root@web-1 nginx]# cat /opt/filebeat-6.2.3-linux-x86_64/module/nginx/access/manifest.yml
var:
- name: paths
default:
- /var/log/nginx/*access.log*
os.darwin:
- /usr/local/var/log/nginx/access.log*
os.windows:
- c:/programdata/nginx/logs/*access.log*

++++++++++++++++++++++++++++++++++++++++++++++++
启动：
[root@web-1 ~]# cd /opt/filebeat-6.2.3-linux-x86_64/
[root@web-1 filebeat-6.2.3-linux-x86_64]# nohup ./filebeat -e -c ./filebeat.yml &