Home Explore Help
Sign In
lqb
/
elasticsearch
mirror of https://gitee.com/mirrors/elasticsearch.git
1
0
Fork 0
Files Issues 0 Wiki
Tree: 34c9e257c0
Branches Tags
elasticsearch
/
docs
/
reference
/
monitoring
/
configuring-filebeat.asciidoc

configuring-filebeat.asciidoc 6.1 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186 
  1. [role="xpack"]
    2. 

  2. [[configuring-filebeat]]
    3. 

  3. == Collecting {es} log data with {filebeat}
    4. 

  4. 

  5. [subs="attributes"]
    6. 

  6. ++++
    7. 

  7. <titleabbrev>Collecting log data with {filebeat}</titleabbrev>
    8. 

  8. ++++
    9. 

  9. 

  10. You can use {filebeat} to monitor the {es} log files, collect log events, and
    11. 

  11. ship them to the monitoring cluster. Your recent logs are visible on the
    12. 

  12. *Monitoring* page in {kib}.
    13. 

  13. 

  14. //NOTE: The tagged regions are re-used in the Stack Overview.
    15. 

  15. 

  16. . Verify that {es} is running and that the monitoring cluster is ready to
    17. 

  17. receive data from {filebeat}.
    18. 

  18. +
    19. 

  19. --
    20. 

  20. TIP: In production environments, we strongly recommend using a separate cluster 
    21. 

  21. (referred to as the _monitoring cluster_) to store the data. Using a separate 
    22. 

  22. monitoring cluster prevents production cluster outages from impacting your 
    23. 

  23. ability to access your monitoring data. It also prevents monitoring activities 
    24. 

  24. from impacting the performance of your production cluster. See
    25. 

  25. <<monitoring-production>>.
    26. 

  26. 

  27. --
    28. 

  28. 

  29. . Enable the collection of monitoring data on your cluster.
    30. 

  30. +
    31. 

  31. --
    32. 

  32. include::configuring-metricbeat.asciidoc[tag=enable-collection]
    33. 

  33. 

  34. For more information, see <<monitoring-settings>> and <<cluster-update-settings>>.
    35. 

  35. --
    36. 

  36. 

  37. . Identify which logs you want to monitor. 
    38. 

  38. +
    39. 

  39. --
    40. 

  40. The {filebeat} {es} module can handle
    41. 

  41. <<audit-log-output,audit logs>>,
    42. 

  42. <<deprecation-logging,deprecation logs>>,
    43. 

  43. <<gc-logging,gc logs>>, <<logging,server logs>>, and 
    44. 

  44. <<index-modules-slowlog,slow logs>>.
    45. 

  45. For more information about the location of your {es} logs, see the
    46. 

  46. <<path-settings,path.logs>> setting.
    47. 

  47. 

  48. IMPORTANT: If there are both structured (`*.json`) and unstructured (plain text)
    49. 

  49. versions of the logs, you must use the structured logs. Otherwise, they might
    50. 

  50. not appear in the appropriate context in {kib}.
    51. 

  51. 

  52. --
    53. 

  53. 

  54. . {filebeat-ref}/filebeat-installation-configuration.html[Install {filebeat}] on the {es}
    55. 

  55. nodes that contain logs that you want to monitor.
    56. 

  56. 

  57. . Identify where to send the log data.
    58. 

  58. +
    59. 

  59. --
    60. 

  60. // tag::output-elasticsearch[]
    61. 

  61. For example, specify {es} output information for your monitoring cluster in
    62. 

  62. the {filebeat} configuration file (`filebeat.yml`):
    63. 

  63. 

  64. [source,yaml]
    65. 

  65. ----------------------------------
    66. 

  66. output.elasticsearch:
    67. 

  67.   # Array of hosts to connect to.
    68. 

  68.   hosts: ["http://es-mon-1:9200", "http://es-mon-2:9200"] <1>
    69. 

  69. 

  70.   # Optional protocol and basic auth credentials.
    71. 

  71.   #protocol: "https"
    72. 

  72.   #username: "elastic"
    73. 

  73.   #password: "changeme"
    74. 

  74. ----------------------------------
    75. 

  75. <1> In this example, the data is stored on a monitoring cluster with nodes 
    76. 

  76. `es-mon-1` and `es-mon-2`. 
    77. 

  77. 

  78. If you configured the monitoring cluster to use encrypted communications, you
    79. 

  79. must access it via HTTPS. For example, use a `hosts` setting like
    80. 

  80. `https://es-mon-1:9200`.
    81. 

  81. 

  82. IMPORTANT: The {es} {monitor-features} use ingest pipelines, therefore the
    83. 

  83. cluster that stores the monitoring data must have at least one 
    84. 

  84. <<ingest,ingest node>>.
    85. 

  85.  
    86. 

  86. If {es} {security-features} are enabled on the monitoring cluster, you must
    87. 

  87. provide a valid user ID and password so that {filebeat} can send metrics 
    88. 

  88. successfully. 
    89. 

  89. 

  90. For more information about these configuration options, see 
    91. 

  91. {filebeat-ref}/elasticsearch-output.html[Configure the {es} output].
    92. 

  92. // end::output-elasticsearch[]
    93. 

  93. --
    94. 

  94. 

  95. . Optional: Identify where to visualize the data.
    96. 

  96. +
    97. 

  97. --
    98. 

  98. // tag::setup-kibana[]
    99. 

  99. {filebeat} provides example {kib} dashboards, visualizations and searches. To
    100. 

  100. load the dashboards into the appropriate {kib} instance, specify the
    101. 

  101. `setup.kibana` information in the {filebeat} configuration file
    102. 

  102. (`filebeat.yml`) on each node:
    103. 

  103. 

  104. [source,yaml]
    105. 

  105. ----------------------------------
    106. 

  106. setup.kibana:
    107. 

  107.   host: "localhost:5601"
    108. 

  108.   #username: "my_kibana_user"
    109. 

  109.   #password: "YOUR_PASSWORD"
    110. 

  110. ----------------------------------
    111. 

  111. 

  112. TIP: In production environments, we strongly recommend using a dedicated {kib} 
    113. 

  113. instance for your monitoring cluster.
    114. 

  114. 

  115. If {security-features} are enabled, you must provide a valid user ID and
    116. 

  116. password so that {filebeat} can connect to {kib}: 
    117. 

  117. 

  118. .. Create a user on the monitoring cluster that has the 
    119. 

  119. <<built-in-roles,`kibana_admin` built-in role>> or equivalent
    120. 

  120. privileges.
    121. 

  121. 

  122. .. Add the `username` and `password` settings to the {es} output information in 
    123. 

  123. the {filebeat} configuration file. The example shows a hard-coded password, but
    124. 

  124. you should store sensitive values in the
    125. 

  125. {filebeat-ref}/keystore.html[secrets keystore].
    126. 

  126. 

  127. See {filebeat-ref}/setup-kibana-endpoint.html[Configure the {kib} endpoint].
    128. 

  128. 

  129. // end::setup-kibana[]
    130. 

  130. --
    131. 

  131. 

  132. . Enable the {es} module and set up the initial {filebeat} environment on each
    133. 

  133. node.
    134. 

  134. +
    135. 

  135. --
    136. 

  136. // tag::enable-es-module[]
    137. 

  137. For example:
    138. 

  138. 

  139. ["source","sh",subs="attributes,callouts"]
    140. 

  140. ----------------------------------------------------------------------
    141. 

  141. filebeat modules enable elasticsearch
    142. 

  142. filebeat setup -e
    143. 

  143. ----------------------------------------------------------------------
    144. 

  144. 

  145. For more information, see  
    146. 

  146. {filebeat-ref}/filebeat-module-elasticsearch.html[{es} module]. 
    147. 

  147. 

  148. // end::enable-es-module[]
    149. 

  149. --
    150. 

  150. 

  151. . Configure the {es} module in {filebeat} on each node.
    152. 

  152. +
    153. 

  153. --
    154. 

  154. // tag::configure-es-module[]
    155. 

  155. If the logs that you want to monitor aren't in the default location, set the
    156. 

  156. appropriate path variables in the `modules.d/elasticsearch.yml` file. See
    157. 

  157. {filebeat-ref}/filebeat-module-elasticsearch.html#configuring-elasticsearch-module[Configure the {es} module].
    158. 

  158. 

  159. IMPORTANT: If there are JSON logs, configure the `var.paths` settings to point
    160. 

  160. to them instead of the plain text logs.
    161. 

  161. 

  162. // end::configure-es-module[]
    163. 

  163. --
    164. 

  164. 

  165. . {filebeat-ref}/filebeat-starting.html[Start {filebeat}] on each node. 
    166. 

  166. +
    167. 

  167. --
    168. 

  168. NOTE: Depending on how you’ve installed {filebeat}, you might see errors related
    169. 

  169. to file ownership or permissions when you try to run {filebeat} modules. See
    170. 

  170. {beats-ref}/config-file-permissions.html[Config file ownership and permissions].
    171. 

  171. 

  172. --
    173. 

  173. 

  174. . Check whether the appropriate indices exist on the monitoring cluster.
    175. 

  175. +
    176. 

  176. --
    177. 

  177. For example, use the <<cat-indices,cat indices>> command to verify
    178. 

  178. that there are new `filebeat-*` indices. 
    179. 

  179. 

  180. TIP: If you want to use the *Monitoring* UI in {kib}, there must also be 
    181. 

  181. `.monitoring-*` indices. Those indices are generated when you collect metrics
    182. 

  182. about {stack} products. For example, see <<configuring-metricbeat>>.
    183. 

  183. 

  184. --
    185. 

  185. 

  186. . {kibana-ref}/monitoring-data.html[View the monitoring data in {kib}].
    187.