Dies ist eine alte Version des Dokuments!
Inhaltsverzeichnis
graylog ArchLinux - Elastic - beats - filebeats
Graylog ist eine vollständig integrierte Open-Source Protokoll-Management-Plattform für die Erfassung, Indizierung und Analyse von strukturierten und unstrukturierten Daten aus nahezu jeder Quelle.
Graylog benötigt nachfolgende externe Komponente zum Empfangen von systend-journald
LOG-Einträgen:
- Elastic - beats - filebeat zum Transport von systemd-journald
Beschreibung | Externer Link |
---|---|
Homepage | https://www.graylog.org/ |
Dokumentation | https://docs.graylog.org/docs |
Download | https://www.graylog.org/downloads-2 |
filebeat | Elastic - beats - filebeat |
Ab hier werden zur Ausführung nachfolgender Befehle root
-Rechte benötigt. Um der Benutzer root
zu werden, melden Sie sich bitte als root
-Benutzer am System an, oder wechseln mit nachfolgendem Befehl zum Benutzer root
:
$ su - Password:
Voraussetzungen
Nachfolgende Voraussetzungen müssen vor der Installation von Elastic - beats - filebeat erfüllt sein, damit Elastic - beats - filebeat mit Graylog kommunizieren kann:
- Lauffähiger Graylog-Server ab der Version 5.x
Vorbereitung
Zur Installation von Elastic - beats - filebeat zur Kommunikation mit Graylog sollte Graylog wie in nachfolgendem internen Link beschrieben installiert sein:
Die Einbindung des AUR
-Repositories, kann wie in nachfolgenden internen Link beschrieben
durchgeführt werden.
Installation: filebeat-oss-bin
Nachdem das AUR
-Repository von ArchLinux - AUR
erfolgreich eingebunden wurde, kann mit nachfolgendem Befehl, das AUR
-Paket - filebeat-oss-bin
installiert werden:
# pikaur --noconfirm -S filebeat-oss-bin
Mit nachfolgendem Befehl kann überprüft werden, welche Inhalte mit den Paket filebeat-oss-bin
installiert wurden:
# pacman -Qil filebeat-oss-bin
/etc/filebeat-oss/filebeat.yml
Bevor der Dienst/Daemon von Elastic - beats - filebeat gestartet werden kann, ist nachfolgende Konfiguration in der Konfigurationsdatei
/etc/filebeat-oss/filebeat.yml
durchzuführen:
(Komplette Konfigurationsdatei):
###################### Filebeat Configuration Example ######################### # This file is an example configuration file highlighting only the most common # options. The filebeat.reference.yml file from the same directory contains all the # supported options with more comments. You can use it as a reference. # # You can find the full configuration reference here: # https://www.elastic.co/guide/en/beats/filebeat/index.html # For more available modules and options, please see the filebeat.reference.yml sample # configuration file. # ============================== Filebeat inputs =============================== filebeat.inputs: # Tachtler - NEW - - type: journald enabled: true id: everything # Each - is an input. Most options can be set at the input level, so # you can use different inputs for various configurations. # Below are the input specific configurations. # filestream is an input for collecting log messages from files. - type: filestream # Unique ID among all inputs, an ID is required. id: my-filestream-id # Change to true to enable this input configuration. enabled: false # Paths that should be crawled and fetched. Glob based paths. paths: - /var/log/*.log #- c:\programdata\elasticsearch\logs\* # Exclude lines. A list of regular expressions to match. It drops the lines that are # matching any regular expression from the list. # Line filtering happens after the parsers pipeline. If you would like to filter lines # before parsers, use include_message parser. #exclude_lines: ['^DBG'] # Include lines. A list of regular expressions to match. It exports the lines that are # matching any regular expression from the list. # Line filtering happens after the parsers pipeline. If you would like to filter lines # before parsers, use include_message parser. #include_lines: ['^ERR', '^WARN'] # Exclude files. A list of regular expressions to match. Filebeat drops the files that # are matching any regular expression from the list. By default, no files are dropped. #prospector.scanner.exclude_files: ['.gz$'] # Optional additional fields. These fields can be freely picked # to add additional information to the crawled log files for filtering #fields: # level: debug # review: 1 # ============================== Filebeat modules ============================== filebeat.config.modules: # Glob pattern for configuration loading path: ${path.config}/modules.d/*.yml # Set to true to enable config reloading reload.enabled: false # Period on which files under path should be checked for changes #reload.period: 10s # ======================= Elasticsearch template setting ======================= setup.template.settings: index.number_of_shards: 1 #index.codec: best_compression #_source.enabled: false # ================================== General =================================== # The name of the shipper that publishes the network data. It can be used to group # all the transactions sent by a single shipper in the web interface. #name: # The tags of the shipper are included in their own field with each # transaction published. #tags: ["service-X", "web-tier"] # Optional fields that you can specify to add additional information to the # output. #fields: # env: staging # ================================= Dashboards ================================= # These settings control loading the sample dashboards to the Kibana index. Loading # the dashboards is disabled by default and can be enabled either by setting the # options here or by using the `setup` command. #setup.dashboards.enabled: false # The URL from where to download the dashboards archive. By default this URL # has a value which is computed based on the Beat name and version. For released # versions, this URL points to the dashboard archive on the artifacts.elastic.co # website. #setup.dashboards.url: # =================================== Kibana =================================== # Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API. # This requires a Kibana endpoint configuration. # Tachtler - DISABLED - # default: setup.kibana: #setup.kibana: # Kibana Host # Scheme and port can be left out and will be set to the default (http and 5601) # In case you specify and additional path, the scheme is required: http://localhost:5601/path # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601 #host: "localhost:5601" # Kibana Space ID # ID of the Kibana Space into which the dashboards should be loaded. By default, # the Default Space will be used. #space.id: # =============================== Elastic Cloud ================================ # These settings simplify using Filebeat with the Elastic Cloud (https://cloud.elastic.co/). # The cloud.id setting overwrites the `output.elasticsearch.hosts` and # `setup.kibana.host` options. # You can find the `cloud.id` in the Elastic Cloud web UI. #cloud.id: # The cloud.auth setting overwrites the `output.elasticsearch.username` and # `output.elasticsearch.password` settings. The format is `<user>:<pass>`. #cloud.auth: # ================================== Outputs =================================== # Configure what output to use when sending the data collected by the beat. # ---------------------------- Elasticsearch Output ---------------------------- # Tachtler - DISABLED - # default: output.elasticsearch: #output.elasticsearch: # Array of hosts to connect to. # hosts: ["localhost:9200"] # Protocol - either `http` (default) or `https`. #protocol: "https" # Authentication credentials - either API key or username/password. #api_key: "id:api_key" #username: "elastic" #password: "changeme" # ------------------------------ Logstash Output ------------------------------- # Tachtler - ENABLED - # default: #output.logstash: output.logstash: # The Logstash hosts # default: #hosts: ["localhost:5044"] hosts: ["server.idmz.tachtler.net:5044"] enabled: true # Optional SSL. By default is off. # List of root certificates for HTTPS server verifications # Tachtler # default: #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] ssl.certificate_authorities: ["/etc/graylog/server/ssl/certs/CAcert.pem"] # Certificate for SSL client authentication # Tachtler # default: #ssl.certificate: "/etc/pki/client/cert.pem" ssl.certificate: "/etc/graylog/server/ssl/certs/graylog.idmz.tachtler.net.pem" # Client Certificate Key # Tachtler # default: ssl.key: "/etc/pki/client/cert.key" ssl.key: "/etc/graylog/server/ssl/private/graylog.idmz.tachtler.net.key" # Tachtler - DISABLED, only for testing! - #ssl.verification_mode: none # ================================= Processors ================================= processors: - add_host_metadata: when.not.contains.tags: forwarded - add_cloud_metadata: ~ - add_docker_metadata: ~ - add_kubernetes_metadata: ~ # ================================== Logging =================================== # Sets log level. The default log level is info. # Available log levels are: error, warning, info, debug #logging.level: debug # At debug level, you can selectively enable logging only for some components. # To enable all selectors use ["*"]. Examples of other selectors are "beat", # "publisher", "service". #logging.selectors: ["*"] # ============================= X-Pack Monitoring ============================== # Filebeat can export internal metrics to a central Elasticsearch monitoring # cluster. This requires xpack monitoring to be enabled in Elasticsearch. The # reporting is disabled by default. # Set to true to enable the monitoring reporter. #monitoring.enabled: false # Sets the UUID of the Elasticsearch cluster under which monitoring data for this # Filebeat instance will appear in the Stack Monitoring UI. If output.elasticsearch # is enabled, the UUID is derived from the Elasticsearch cluster referenced by output.elasticsearch. #monitoring.cluster_uuid: # Uncomment to send the metrics to Elasticsearch. Most settings from the # Elasticsearch output are accepted here as well. # Note that the settings should point to your Elasticsearch *monitoring* cluster. # Any setting that is not set is automatically inherited from the Elasticsearch # output configuration, so if you have the Elasticsearch output configured such # that it is pointing to your Elasticsearch monitoring cluster, you can simply # uncomment the following line. #monitoring.elasticsearch: # ============================== Instrumentation =============================== # Instrumentation support for the filebeat. #instrumentation: # Set to true to enable instrumentation of filebeat. #enabled: false # Environment in which filebeat is running on (eg: staging, production, etc.) #environment: "" # APM Server hosts to report instrumentation results to. #hosts: # - http://localhost:8200 # API Key for the APM Server(s). # If api_key is set then secret_token will be ignored. #api_key: # Secret token for the APM Server(s). #secret_token: # ================================= Migration ================================== # This allows to enable 6.7 migration aliases #migration.6_to_7.enabled: true
Nachfolgende Änderungen wurden durchgeführt:
# ============================== Filebeat inputs =============================== filebeat.inputs: # Tachtler - NEW - - type: journald enabled: true id: everything
ABC
# =================================== Kibana =================================== # Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API. # This requires a Kibana endpoint configuration. # Tachtler - DISABLED - # default: setup.kibana: #setup.kibana:
ABC
# ---------------------------- Elasticsearch Output ---------------------------- # Tachtler - DISABLED - # default: output.elasticsearch: #output.elasticsearch:
ABC
# ------------------------------ Logstash Output ------------------------------- # Tachtler - ENABLED - # default: #output.logstash: output.logstash: # The Logstash hosts # default: #hosts: ["localhost:5044"] hosts: ["server.idmz.tachtler.net:5044"] enabled: true
ABC
# Optional SSL. By default is off. # List of root certificates for HTTPS server verifications # Tachtler # default: #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] ssl.certificate_authorities: ["/etc/graylog/server/ssl/certs/CAcert.pem"]
ABC
# Certificate for SSL client authentication # Tachtler # default: #ssl.certificate: "/etc/pki/client/cert.pem" ssl.certificate: "/etc/graylog/server/ssl/certs/graylog.idmz.tachtler.net.pem"
ABC
# Client Certificate Key # Tachtler # default: ssl.key: "/etc/pki/client/cert.key" ssl.key: "/etc/graylog/server/ssl/private/graylog.idmz.tachtler.net.key"
ABC
# Tachtler - DISABLED, only for testing! - #ssl.verification_mode: none
ABC
Hier geht es weiter … / To be continued …