Install Filebeat on FreeBSD

Follow this guide to learn how to install Filebeat on FreeBSD.

Install Filebeat on FreeBSD

Filebeat is not available in the default FreeBSD package repository, but it can be installed from the FreeBSD Ports Collection.

We are using FreeBSD 13.0 in this setup.

freebsd-version
13.0-RELEASE

Install the Ports Collection on FreeBSD

To install software from ports on FreeBSD, you need portsnap. Portsnap is a fast and user-friendly tool for retrieving the Ports Collection. It connects to a FreeBSD site, verifies the security key, and downloads a fresh copy of the Ports Collection.

So, to install ports, first run a system update and upgrade;

pkg update
pkg upgrade -f

Download a compressed snapshot of the Ports Collection. The snapshot is stored in /var/db/portsnap.

portsnap fetch

When the command above completes, extract the snapshot. This is only done the first time you fetch a snapshot.

portsnap extract

The ports are extracted to and stored in /usr/ports.

If you have previously downloaded a Ports Collection snapshot, you can simply update it by running the following commands;

portsnap fetch
portsnap update

Alternatively, run both steps as a single command.

portsnap fetch update
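The portsnap steps above form one procedure whose only branch is "first snapshot" versus "existing tree". The script below is an added example and not part of the original guide: it wraps the same commands, with the branch decided by whether a populated ports tree already exists (the `ports_mode` and `sync_ports` names are the example's own, and it uses `pkg upgrade -y` where the guide forces a reinstall with `-f`).

```shell
#!/bin/sh
# Added example (not from the original guide): one script for the portsnap
# procedure, which picks the first-time fetch+extract or the later
# fetch+update automatically instead of relying on the operator to remember
# which one applies.

# ports_mode [DIR]: print "extract" when the ports tree (default /usr/ports) is
# missing or empty, "update" when a previously extracted tree is present.
ports_mode() {
    ports_dir="${1:-/usr/ports}"
    if [ -d "$ports_dir" ] && [ -n "$(ls -A "$ports_dir" 2>/dev/null)" ]; then
        echo update
    else
        echo extract
    fi
}

# sync_ports [DIR]: refresh the package index, then fetch the Ports Collection
# snapshot and either extract it or update the existing tree. Both steps need root.
sync_ports() {
    pkg update && pkg upgrade -y || return 1
    case "$(ports_mode "$1")" in
        extract) portsnap fetch extract ;;
        update)  portsnap fetch update ;;
    esac
}

# Usage on the FreeBSD host (not run here):
#   sync_ports
```

`portsnap fetch extract` and `portsnap fetch update` are the two-word forms portsnap accepts, equivalent to running the two subcommands one after the other. Note that portsnap is part of the base system on the 13.0 release used in this guide; on FreeBSD 14 and later it is no longer in base and the Ports Collection is fetched with git instead.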

Install Filebeat on FreeBSD

To install Filebeat on FreeBSD, navigate to the beats7 ports directory;

cd /usr/ports/sysutils/beats7

Next, install Filebeat from the FreeBSD beats port by running the following command.

make install clean

This command can be used to install the various Elastic Beats, including Filebeat, Metricbeat, Packetbeat and Heartbeat.

Since we are installing Filebeat on FreeBSD, select only Filebeat from the options offered. Use the space bar to select and deselect.

Once selected, press ENTER to proceed with installing Filebeat on FreeBSD.

As you will notice, this installs Filebeat 7.10.1;

====> Compressing man pages (compress-man)
===> Staging rc.d startup script(s)
===>  Installing for beats7-7.10.1
===>  Checking if beats7 is already installed
===>   Registering installation for beats7-7.10.1
Installing beats7-7.10.1...

Configure Filebeat on FreeBSD

The Filebeat configuration files are located under /usr/local/etc/beats/. In this directory you will find the Filebeat sample configuration files and the modules directory.

ls /usr/local/etc/beats/
filebeat.modules.d	filebeat.yml.reference	filebeat.yml.sample

The Filebeat binary is located at /usr/local/sbin/filebeat.

To configure Filebeat, first create a working copy of the sample configuration file (the command below copies filebeat.yml.sample to filebeat.yml).

cp /usr/local/etc/beats/filebeat.yml{.sample,}

You can now open /usr/local/etc/beats/filebeat.yml for editing.

vim /usr/local/etc/beats/filebeat.yml

Configure Filebeat Inputs

You can choose to read log files directly by enabling a log input, such as the filestream input, as shown below;

# filestream is an experimental input. It is going to replace log input in the future.
- type: filestream

  # Change to true to enable this input configuration.
  enabled: true

  # Paths that should be crawled and fetched. Glob based paths.
  paths:
    - /var/log/*.log

Alternatively, simply use Filebeat modules.

For example, to enable the Filebeat system module;

cd /usr/local/etc/beats

List the available modules;

filebeat modules list
Enabled:

Disabled:
apache
auditd
elasticsearch
haproxy
icinga
iis
kafka
kibana
logstash
mongodb
mysql
nats
nginx
osquery
postgresql
redis
santa
system
traefik

As you can see, none of the modules is enabled by default. Let's enable the system module;

filebeat modules enable system

Sample output;

Enabled system

The Filebeat system module reads system logs from the default system locations. This is what its configuration file looks like.

less /usr/local/etc/beats/filebeat.modules.d/system.yml
# Module: system
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.10/filebeat-module-system.html

- module: system
  # Syslog
  syslog:
    enabled: true

    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:

  # Authorization logs
  auth:
    enabled: true

    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:

Configure Filebeat Output

Next, configure Filebeat to send event data to the Elastic Stack. Filebeat can ship logs directly to Elasticsearch, to Logstash, or to other outputs. Filebeat outputs are defined in the Filebeat configuration file, /usr/local/etc/beats/filebeat.yml.

Elasticsearch Output

To send event data or event logs directly to Elasticsearch, open the configuration file and define the Elasticsearch output as shown below;

vi /usr/local/etc/beats/filebeat.yml

Elasticsearch is the default output. All you need to do is update the Elasticsearch IP address, which is set to localhost by default.

...
#================================ Outputs =====================================
 
# Configure what output to use when sending the data collected by the beat.
 
#-------------------------- Elasticsearch output ------------------------------
output.elasticsearch:
  # Array of hosts to connect to.
  #hosts: ["localhost:9200"]
  hosts: ["192.168.57.20:9200"]
...

Logstash Output

If you are pushing event data to Logstash instead, comment out the Elasticsearch output and define the Logstash output as shown below;

#================================ Outputs =====================================
 
# Configure what output to use when sending the data collected by the beat.
 
#-------------------------- Elasticsearch output ------------------------------
#output.elasticsearch:
  # Array of hosts to connect to.
  #hosts: ["localhost:9200"]
 
  # Protocol - either `http` (default) or `https`.
  #protocol: "https"
 
  # Authentication credentials - either API key or username/password.
  #api_key: "id:api_key"
  #username: "elastic"
  #password: "changeme"
 
#----------------------------- Logstash output --------------------------------
output.logstash:
  # The Logstash hosts
  #hosts: ["localhost:5044"]
  hosts: ["192.168.57.20:5044"]

Save and exit the file.

For whichever output you choose, make sure the port is reachable. For example, you can verify connectivity to Logstash;

telnet 192.168.57.20 5044
Trying 192.168.57.20...
Connected to 192.168.57.20.
Escape character is '^]'.

Similarly, if you are sending to Elasticsearch directly, make sure port 9200/tcp is reachable.

telnet 192.168.57.20 9200
Trying 192.168.57.20...
Connected to 192.168.57.20.
Escape character is '^]'.

Test the Filebeat Output Destination Connection

Verify that Filebeat can connect to the output destination you chose.

Test the output connection using the current configuration settings;

filebeat test output -c /usr/local/etc/beats/filebeat.yml

Sample output;

elasticsearch: http://192.168.57.20:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 192.168.57.20
    dial up... OK
  TLS... WARN secure connection disabled
  talk to server... OK
  version: 7.10.0

As you can see, our Filebeat can connect to our Elasticsearch output.
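The sample output above also carries a line worth acting on: `TLS... WARN secure connection disabled` means every event, and any username/password configured for the output, would cross the network in clear text. The script below is an added example, not part of the original guide: a `check_output_report` function (a name of the example's own) that reads a `filebeat test output` report and fails when the output is unreachable or unencrypted, so a deployment script can stop before shipping logs. The two reports inside it are constructed samples shaped like the guide's output.

```shell
#!/bin/sh
# Added example (not from the original guide): gate on the result of
# `filebeat test output` so that a deployment script stops when the output is
# unreachable or, as in the guide's sample output, reachable only in clear text.

# Constructed sample, shaped like the guide's `filebeat test output` run.
SAMPLE_INSECURE='elasticsearch: http://192.168.57.20:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 192.168.57.20
    dial up... OK
  TLS... WARN secure connection disabled
  talk to server... OK
  version: 7.10.0'

# Constructed variant of the same report for an https output with TLS in use.
SAMPLE_SECURE='elasticsearch: https://192.168.57.20:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 192.168.57.20
    dial up... OK
  TLS...
    security: server certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 7.10.0'

# check_output_report REPORT: return 0 when the report shows a working, encrypted
# connection; 1 when the transport is unencrypted; 2 on any ERROR line; 3 when the
# final "talk to server" step did not pass.
check_output_report() {
    report="$1"
    if printf '%s\n' "$report" | grep -q 'ERROR'; then
        echo "FAIL: filebeat test output reported an error" >&2
        return 2
    fi
    if printf '%s\n' "$report" | grep -q 'TLS\.\.\. WARN secure connection disabled'; then
        echo "FAIL: events would be shipped to the output in clear text" >&2
        return 1
    fi
    if ! printf '%s\n' "$report" | grep -q 'talk to server\.\.\. OK'; then
        echo "FAIL: output did not answer" >&2
        return 3
    fi
    echo "OK: output reachable over TLS"
}

# Usage on the FreeBSD host (not run here):
#   check_output_report "$(filebeat test output -c /usr/local/etc/beats/filebeat.yml)" || exit 1
```

To clear the warning, uncomment `protocol: "https"` in the Elasticsearch output section shown earlier and, if the cluster uses a private CA, point Filebeat's `ssl.certificate_authorities` setting at that CA file; the `telnet` checks above only prove the port is open and say nothing about whether the session will be encrypted.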

Test the Filebeat Configuration File

To make sure there are no syntax issues in the current Filebeat configuration file, run the following command;

filebeat test config -c /usr/local/etc/beats/filebeat.yml

If you get the output Config OK, then you are good.

Load the Filebeat Index Template into Elasticsearch

If you are sending data directly to Elasticsearch, Filebeat loads the index template automatically once it connects to Elasticsearch successfully.

However, if you are using Logstash as the event data processing engine, you need to load the index template into Elasticsearch manually. Before loading the index template, make sure there is a connection to Elasticsearch.

If all is well, load the template.

filebeat setup -c /usr/local/etc/beats/filebeat.yml --index-management -E output.logstash.enabled=false -E 'output.elasticsearch.hosts=["192.168.57.20:9200"]'

If you see the output Index setup finished, the template was loaded successfully.

If the host has no direct connection to Elasticsearch, you can generate the index template, copy it to the Elastic Stack server and install it there.

Generate the template;

filebeat -c /usr/local/etc/beats/filebeat.yml export template > filebeat.template.json

To install the template on the Elastic Stack server, copy the file (filebeat.template.json) over and load it locally on the Elasticsearch server.

curl -XPUT -H 'Content-Type: application/json' http://192.168.57.20:9200/_template/filebeat-7.10.1 -d @filebeat.template.json

If it loads successfully, you should get output like this, {"acknowledged":true}

Run Filebeat on FreeBSD

You can run Filebeat in the foreground (debug mode) using the command below;

filebeat -e -c /usr/local/etc/beats/filebeat.yml --path.config /usr/local/etc/beats/ --path.home /usr/local/share/beats/filebeat/ --path.data /var/db/beats/filebeat --path.logs /var/log/beats

Filebeat will start collecting the system logs and sending them to the defined output.

You should see lines like these;

...
2021-04-16T12:47:08.990+0300	INFO	[registrar]	registrar/registrar.go:109	States Loaded from registrar: 2
2021-04-16T12:47:08.990+0300	INFO	[crawler]	beater/crawler.go:71	Loading Inputs: 2
2021-04-16T12:47:08.992+0300	INFO	log/input.go:157	Configured paths: [/var/log/auth.log* /var/log/secure*]
2021-04-16T12:47:08.992+0300	INFO	log/input.go:157	Configured paths: [/var/log/messages* /var/log/syslog*]
2021-04-16T12:47:08.992+0300	INFO	[crawler]	beater/crawler.go:108	Loading and starting Inputs completed. Enabled inputs: 0
2021-04-16T12:47:08.992+0300	INFO	cfgfile/reload.go:164	Config reloader started
2021-04-16T12:47:08.995+0300	INFO	log/input.go:157	Configured paths: [/var/log/auth.log* /var/log/secure*]
2021-04-16T12:47:08.995+0300	INFO	log/input.go:157	Configured paths: [/var/log/messages* /var/log/syslog*]
2021-04-16T12:47:08.995+0300	INFO	eslegclient/connection.go:99	elasticsearch url: http://192.168.57.20:9200
...
...
2021-04-16T12:48:27.496+0300	INFO	[publisher_pipeline_output]	pipeline/output.go:151	Connection to backoff(elasticsearch(http://192.168.57.20:9200)) established

Now, if you see errors like these:

2021-04-16T12:45:39.840+0300	ERROR	instance/metrics_file_descriptors.go:39	Error while retrieving FD information: error retrieving process stats: cannot find matching process for pid=90737
2021-04-16T12:45:39.840+0300	ERROR	instance/metrics.go:98	Error while getting memory usage: error retrieving process stats: cannot find matching process for pid=90737
2021-04-16T12:45:39.840+0300	ERROR	instance/metrics.go:142	Error retrieving CPU percentages: error retrieving process stats: cannot find matching process for pid=90737

you can disable metrics monitoring by appending the following setting to the configuration file;

echo "logging.metrics.enabled: false" >> /usr/local/etc/beats/filebeat.yml

Run Filebeat as a Service on FreeBSD

To enable Filebeat to run on system boot and run it as a service, use the following commands;

sysrc filebeat_enable="YES"

Start Filebeat on FreeBSD;

service filebeat start

Check the logs;

tail -f /var/log/beats/filebeat
2021-04-16T13:00:07.421+0300	INFO	[index-management.ilm]	ilm/std.go:139	do not generate ilm policy: exists=true, overwrite=false
2021-04-16T13:00:07.421+0300	INFO	[index-management]	idxmgmt/std.go:274	ILM policy successfully loaded.
2021-04-16T13:00:07.421+0300	INFO	[index-management]	idxmgmt/std.go:407	Set setup.template.name to '{filebeat-7.10.1 {now/d}-000001}' as ILM is enabled.
2021-04-16T13:00:07.421+0300	INFO	[index-management]	idxmgmt/std.go:412	Set setup.template.pattern to 'filebeat-7.10.1-*' as ILM is enabled.
2021-04-16T13:00:07.421+0300	INFO	[index-management]	idxmgmt/std.go:446	Set settings.index.lifecycle.rollover_alias in template to {filebeat-7.10.1 {now/d}-000001} as ILM is enabled.
2021-04-16T13:00:07.421+0300	INFO	[index-management]	idxmgmt/std.go:450	Set settings.index.lifecycle.name in template to {filebeat {"policy":{"phases":{"hot":{"actions":{"rollover":{"max_age":"30d","max_size":"50gb"}}}}}}} as ILM is enabled.
2021-04-16T13:00:07.422+0300	INFO	template/load.go:97	Template filebeat-7.10.1 already exists and will not be overwritten.
2021-04-16T13:00:07.422+0300	INFO	[index-management]	idxmgmt/std.go:298	Loaded index template.
2021-04-16T13:00:07.424+0300	INFO	[index-management]	idxmgmt/std.go:309	Write alias successfully generated.
2021-04-16T13:00:07.429+0300	INFO	[publisher_pipeline_output]	pipeline/output.go:151	Connection to backoff(elasticsearch(http://192.168.57.20:9200)) established

Verify Elasticsearch Index Data Reception

Next, log in to the Elastic Stack server and verify that data is being received.

curl -X GET 192.168.57.20:9200/_cat/indices?v
health status index                             uuid                   pri rep docs.count docs.deleted store.size pri.store.size
yellow open   filebeat-7.10.1-2021.04.16-000001 CbQmXaRzQ4G9n1wldgvwbg   1   1       1022            0    222.2kb        222.2kb
green  open   .apm-custom-link                  YUZ3YLcBRqqA16bFXrPWEg   1   0          0            0       208b           ...
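Reading the `_cat/indices?v` listing by eye is fine once; for a check you can repeat (after each service restart, or from monitoring), the added example below, which is not part of the original guide, parses that listing and succeeds only when the Filebeat indices actually hold documents. The `index_docs`, `index_health` and `verify_ingest` function names are the example's own, and the listing embedded in it is a constructed sample shaped like the one above.

```shell
#!/bin/sh
# Added example (not from the original guide): parse the `_cat/indices?v` listing
# and report how many documents the Filebeat indices hold, so that a script can
# confirm that logs are arriving rather than only that an index exists.

# Constructed sample, shaped like the listing shown in the guide.
SAMPLE_INDICES='health status index                             uuid                   pri rep docs.count docs.deleted store.size pri.store.size
yellow open   filebeat-7.10.1-2021.04.16-000001 CbQmXaRzQ4G9n1wldgvwbg   1   1       1022            0    222.2kb        222.2kb
green  open   .apm-custom-link                  YUZ3YLcBRqqA16bFXrPWEg   1   0          0            0       208b           208b'

# index_docs PREFIX: sum docs.count (7th column) over indices whose name starts
# with PREFIX. Reads the _cat/indices?v listing on stdin; the header line is skipped.
index_docs() {
    awk -v p="$1" 'NR > 1 && index($3, p) == 1 { total += $7 } END { print total + 0 }'
}

# index_health PREFIX: print the worst health (red > yellow > green) among the
# matching indices, or "none" when nothing matches.
index_health() {
    awk -v p="$1" '
        NR > 1 && index($3, p) == 1 {
            rank = ($1 == "red") ? 3 : ($1 == "yellow") ? 2 : 1
            if (rank > worst) { worst = rank; name = $1 }
        }
        END { print (worst ? name : "none") }'
}

# verify_ingest PREFIX: read the listing on stdin, print a one-line summary and
# succeed only if at least one document has been indexed under PREFIX.
verify_ingest() {
    listing="$(cat)"
    docs="$(printf '%s\n' "$listing" | index_docs "$1")"
    health="$(printf '%s\n' "$listing" | index_health "$1")"
    echo "indices matching $1: health=$health docs=$docs"
    [ "$docs" -gt 0 ]
}

# Usage on the Elastic Stack host (not run here):
#   curl -s 'http://192.168.57.20:9200/_cat/indices?v' | verify_ingest filebeat-
```

The yellow health in the guide's listing is expected on a single-node cluster: the index is created with one replica (rep 1) and there is no second node to place it on, so only red, which means a primary shard is missing, should be treated as a failure.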

After that, head over to Kibana, create an index pattern and check your index data under Discover;

I have simulated some authentication events, as shown here.


If you have loaded the default dashboards, you should be able to visualize the authentication events on the dashboards.


That marks the end of our guide on how to install Filebeat on FreeBSD.

Other Tutorials

How to Run Multiple Filebeat Instances on Linux

Easy Way to Configure a Filebeat-Logstash SSL/TLS Connection

Install and Configure Filebeat on CentOS 8
