
Filebeat / Logstash 설정

하 선생 2022. 3. 14. 22:15

[logstash]

cd /etc/logstash
sudo cp logstash-sample.conf ./conf.d
[conf.d 안의 그 외 conf 파일은 삭제 — 기본 설정에서는 conf.d 의 모든 *.conf 가 하나의 파이프라인으로 합쳐져 함께 실행됨]

---------------------
$ sudo vi  /etc/logstash/conf.d/logstash-sample.conf
# Pipeline: receive events from Beats, derive an access_ip field from the
# first space-separated token of each line, and index into Elasticsearch.
input {
  # Beats listener on TCP 5044. No TLS options and no bind address are set
  # here, so the plugin defaults apply (the beats input binds to all
  # interfaces by default; confirm for your version). For a single-host setup
  # like this one, restrict the listener to loopback or firewall the port, and
  # enable TLS before accepting events from other machines.
  beats {
    port => 5044
  }
}
filter {
  mutate {
    # Replaces "message" with an array of its space-separated tokens.
    split => {"message" => " "}
    # add_field and remove_field are common options applied after the mutate
    # operation above, so [message][0] is the first token of the line.
    # Assumes each line starts with the client IP (as in common web access log
    # formats); confirm against the files Filebeat actually ships.
    add_field => {
      "access_ip" => "%{[message][0]}"
    }
    # NOTE(review): dropping "host" and "agent" removes the record of which
    # machine and shipper produced the event. Keep them if these logs are used
    # for incident investigation or alert attribution.
    remove_field => ["host", "cloud", "agent", "container"]
  }
}
output {
  elasticsearch {
    # Plain HTTP to a local node; traffic and any credentials are unencrypted.
    hosts => ["http://localhost:9200"]
    # Daily index named test-<beat>-<version>-<date>; queries must include the
    # "test-" prefix to match it.
    index => "test-%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    # Authentication is disabled below. When Elasticsearch security is enabled,
    # use a dedicated least-privilege user and reference the password from the
    # Logstash keystore rather than writing it in this file; "changeme" is a
    # sample value, not a usable password.
    #user => "elastic"
    #password => "changeme"
  }
}
---------------------


sudo systemctl restart logstash

#log 확인
tail -f /var/log/logstash/logstash-plain.log


[Filebeat]

cd /etc/filebeat
sudo vi /etc/filebeat/filebeat.yml

- type: log
  enabled: true  # true 로 수정
  paths:
    - /var/log/*.log  # log 파일 경로 지정 (위 Logstash 필터는 각 줄의 첫 번째 토큰을 access_ip 로 저장하므로, IP 로 시작하는 access log 경로를 지정)
    
output.logstash:
  hosts: ["localhost:5044"]   # logstash 지정
 
[다른 output은 주석처리] 
 
sudo systemctl restart filebeat
 
[직접실행-실행로그]
 /usr/bin/filebeat -e -c /etc/filebeat/filebeat.yml

 

http://localhost:5601/app/dev_tools

 

GET _cat/indices

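GET filebeat-7.12*/_search

GET filebeat-7.12*/_count

# 위 Logstash output 의 index 는 "test-" 로 시작하므로, 그 설정으로 색인된 데이터는 아래 패턴으로 조회
GET test-filebeat-7.12*/_count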