Log collection platform ELK: packetbeat installation notes
Environment:
The packetbeat client is installed on the application (business) hosts.
The ES and Kibana services must already be running (in this environment ES and Kibana run on 172.16.82.165).
Run the installation on the application host:
1. Download and install the package (packetbeat needs libpcap for capture; the package is fetched over HTTPS from Elastic's artifact server)
yum install libpcap
curl -L -O https://artifacts.elastic.co/downloads/beats/packetbeat/packetbeat-6.3.2-x86_64.rpm
rpm -vi packetbeat-6.3.2-x86_64.rpm
The configuration file, with comments and blank lines stripped, looks like this:
[ packetbeat]# cat /etc/packetbeat/packetbeat.yml | egrep -v "^#|^$"
packetbeat.interfaces.device: any
packetbeat.flows:
  timeout: 30s
  period: 10s
packetbeat.protocols:
- type: icmp
  enabled: true
- type: amqp
  ports: [5672]
- type: cassandra
  ports: [9042]
- type: dns
  ports: [53]
  include_authorities: true
  include_additionals: true
- type: http
  ports: [80, 8080, 8000, 5000, 8002]
- type: memcache
  ports: [11211]
- type: mysql
  ports: [3306]
- type: pgsql
  ports: [5432]
- type: redis
  ports: [6379]
- type: thrift
  ports: [9090]
- type: mongodb
  ports: [27017]
- type: nfs
  ports: [2049]
- type: tls
  ports: [443]
setup.template.settings:
  index.number_of_shards: 3
  #_source.enabled: false
setup.kibana:
  host: "172.16.82.165:5601"
output.elasticsearch:
  hosts: ["172.16.82.165:9200"]
Note on this configuration: device "any" sniffs every interface on the host, and the output goes to 172.16.82.165:9200 over plain HTTP with no credentials or TLS. The mysql, pgsql and http parsers put query text and request URLs into the events, so outside an isolated lab network either restrict who can reach port 9200 or enable authentication and TLS on the output (the username/password form is shown in step 2).
2. Import the Kibana dashboards
packetbeat setup --dashboards
The command above loads only the dashboards, using the hosts from packetbeat.yml. The form below runs the full setup (index template and dashboards) with the connection settings given on the command line, which is useful when the config file has not been edited yet:
packetbeat setup -e \
-E output.logstash.enabled=false \
-E output.elasticsearch.hosts=['172.16.82.165:9200'] \
-E output.elasticsearch.username=packetbeat_internal \
-E output.elasticsearch.password=YOUR_PASSWORD \
-E setup.kibana.host=172.16.82.165:5601
Note:
-E output.elasticsearch.username=packetbeat_internal \
-E output.elasticsearch.password=YOUR_PASSWORD \
These two lines supply the ES user credentials. If no username/password has been configured on the ES side, leave these two lines out for now.
Start the packetbeat service (the RPM also installs a systemd unit, so on a systemd host the service can equally be started with systemctl):
/etc/init.d/packetbeat start
Then run this query to confirm that events are arriving in ES:
curl -XGET 'http://172.16.82.165:9200/packetbeat-*/_search?pretty'
After that, open Kibana and create an index pattern for packetbeat-*;
the data will then be displayed.
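As an added example (not part of the original note or of the packetbeat project), the script below checks a packetbeat.yml for the settings the note leaves at their insecure defaults, shows a hardened variant beside it, and then verifies the Elasticsearch side of the pipeline. The host 172.16.82.165 and the path /etc/packetbeat/packetbeat.yml are the note's; the two sample configs are constructed copies written to a temp directory so the audit runs offline. The hardened config assumes ES has TLS and authentication enabled and that the CA certificate and the PACKETBEAT_PW environment variable exist on the host.

```shell
#!/bin/sh
# Added example, not from the original note: audit packetbeat.yml for the
# weak settings in the note, then verify the ES side when it is reachable.
set -u

# Constructed copy of the note's config (cleartext output, no credentials).
SAMPLE_CFG="${TMPDIR:-/tmp}/packetbeat-sample.yml"
cat > "$SAMPLE_CFG" <<'EOF'
packetbeat.interfaces.device: any
packetbeat.protocols:
- type: http
  ports: [80, 8080, 8000, 5000, 8002]
- type: mysql
  ports: [3306]
output.elasticsearch:
  hosts: ["172.16.82.165:9200"]
EOF

# Constructed hardened variant (assumes ES with TLS + auth; CA path,
# PACKETBEAT_PW and eth0 are assumptions for this demo).
HARDENED_CFG="${TMPDIR:-/tmp}/packetbeat-hardened.yml"
cat > "$HARDENED_CFG" <<'EOF'
packetbeat.interfaces.device: eth0
packetbeat.protocols:
- type: http
  ports: [80, 8080, 8000, 5000, 8002]
  send_all_headers: true
  redact_authorization: true
- type: mysql
  ports: [3306]
output.elasticsearch:
  hosts: ["https://172.16.82.165:9200"]
  username: "packetbeat_internal"
  password: "${PACKETBEAT_PW}"
  ssl.certificate_authorities: ["/etc/packetbeat/ca.crt"]
EOF

# audit_config FILE: print one WARN line per finding; return 1 if any.
audit_config() {
  f="$1"; n=0
  # hosts without https:// means Beats talks plain HTTP: the MySQL/PgSQL
  # queries and HTTP URLs packetbeat extracts leave the host in cleartext.
  if grep -qE '^[[:space:]]*hosts:' "$f" && ! grep -q 'https://' "$f"; then
    echo "WARN output.elasticsearch.hosts is plain http; use https:// and output.elasticsearch.ssl.*"
    n=$((n+1))
  fi
  # No credentials: anyone who can reach :9200 can write or read the indices.
  if ! grep -qE '^[[:space:]]*username:' "$f"; then
    echo "WARN output.elasticsearch has no username; create a dedicated writer user"
    n=$((n+1))
  fi
  # device: any also sniffs the interface carrying the Beats->ES traffic.
  if grep -qE '^packetbeat\.interfaces\.device:[[:space:]]*any' "$f"; then
    echo "WARN packetbeat.interfaces.device: any captures all interfaces; pin one"
    n=$((n+1))
  fi
  # If HTTP bodies/headers are shipped, Authorization headers must be redacted.
  if grep -qE '^[[:space:]]*send_(request|response|all_headers):[[:space:]]*true' "$f" \
     && ! grep -qE '^[[:space:]]*redact_authorization:[[:space:]]*true' "$f"; then
    echo "WARN http header/body capture enabled without redact_authorization: true"
    n=$((n+1))
  fi
  [ "$n" -eq 0 ]
}

# count_from_json JSON: pull "count" out of an ES _count response without jq.
count_from_json() {
  printf '%s' "$1" | sed -n 's/.*"count"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p'
}

# es_event_count HOST:PORT: number of packetbeat-* events, non-zero exit if ES is down.
es_event_count() {
  resp=$(curl -sf --connect-timeout 3 "http://$1/packetbeat-*/_count") || return 1
  count_from_json "$resp"
}

echo "== audit $SAMPLE_CFG (the note's config)"
audit_config "$SAMPLE_CFG" || echo "-> findings above; fix before sniffing production traffic"
echo "== audit $HARDENED_CFG"
audit_config "$HARDENED_CFG" && echo "-> no findings"

# Live checks, only when packetbeat and ES are actually present.
if command -v packetbeat >/dev/null 2>&1; then
  packetbeat test config -c /etc/packetbeat/packetbeat.yml   # syntax and semantics
  packetbeat test output -c /etc/packetbeat/packetbeat.yml   # can it reach the output?
fi
if c=$(es_event_count 172.16.82.165:9200); then
  echo "packetbeat-* events in ES: $c"
fi
```

Run it once after step 1 to see what the shipped config exposes, and again after editing the file; an empty count from the live check together with a clean `packetbeat test output` usually means the service is not started or the interface name is wrong.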