Logstash安裝

一、上傳解壓重命名

將Logstash壓縮包上傳到/home/下解壓壓縮包并重命名

[root@localhost home] tar -zxf logstash-7.15.0-linux-x86_64.tar.gz 
[root@localhost home] mv logstash-7.15.0 logstash

二、生成SSL證書文件

進入ES安裝根目錄下

[root@localhost] cd /home/elasticsearch

生成logstash 客戶端證書

[root@localhost elasticsearch] ./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 --name logstash --pem --out logstash.zip

解壓logstash.zip當沒有這個命令時，執行yum install unzip -y 安裝zip工具

[root@localhost elasticsearch] unzip logstash.zip 

進入logstash中執行一下命令logstash 需要生成一個p8文件

[root@localhost elasticsearch] cd logstash
[root@localhost logstash] openssl pkcs8 -in logstash.key -topk8 -nocrypt -out logstash.p8
[root@localhost logstash] ls
logstash.crt  logstash.key  logstash.p8

拷貝CA公鑰文件到當前目錄

[root@localhost logstash]# cp ../ca.pem ./

返回上一級目錄，并拷貝logstash目錄到logstash目錄下

[root@localhost logstash] cd ..
[root@localhost elasticsearch] cp -r logstash /home/logstash/

三、修改配置文件

進入logstash/config根目錄修改配置文件 logstash.yml

[root@localhost config] vi logstash.yml 

# 修改host 
http.host: 0.0.0.0
# 開啟監控
xpack.monitoring.enabled: true
# 配置ES地址 請注意協議是https
xpack.monitoring.elasticsearch.hosts: ["https://127.0.0.1:9200"]
xpack.monitoring.elasticsearch.ssl.verification_mode: none
# 證書路徑
xpack.monitoring.elasticsearch.ssl.certificate_authority: "/opt/logstash/logstash/ca.pem"
xpack.monitoring.elasticsearch.sniffing: false
# es賬號
xpack.monitoring.elasticsearch.username: elastic
# es密碼
xpack.monitoring.elasticsearch.password: P8nhGN121I4VT0LMVwIT

修改解析配置文件名稱

[root@localhost config] mv logstash-sample.conf logstash.conf

使用root用戶啟動服務

[root@localhost logstash] cd ../bin
[root@localhost bin] ./logstash -f ../config/logstash.conf --config.reload.automatic
#或 后臺運行
[root@localhost bin] nohup ./logstash -f ../config/logstash.conf --config.reload.automatic &

四、測試驗證

測試是否啟動成功

[root@localhost ~] curl http://127.0.0.1:9600
{"host":"localhost.localdomain","version":"7.15.0","http_address":"0.0.0.0:9600","id":"0ce2b441-6a31-4b38-8868-018b06178f54","name":"localhost.localdomain","ephemeral_id":"4801a1e2-832d-4b95-8a63-0964623dafec","status":"green","snapshot":false,"pipeline":{"workers":1,"batch_size":125,"batch_delay":50},"monitoring":{"hosts":["http://127.0.0.1:9200"],"username":"logstash_system"},"build_date":"2021-09-16T01:56:12Z","build_sha":"fd0927b95e580d5178256fb6adb6b79a1af3345b","build_snapshot":false}

注意事項

1. http協議端口 9600
2. beat默認端口 5044 (采集使用)
3. syslog tcp udp 默認端口 514 (采集Linux系統日志)

完整配置文件

# 工作管道（性能優化配置）=CPU核數
pipeline.workers: 4
# 批處理（性能優化配置）
pipeline.batch.size: 1000
# 響應時間（性能優化配置）
pipeline.batch.delay: 10

# 綁定IP地址
http.host: "0.0.0.0"
# 開啟監控
xpack.monitoring.enabled: true
xpack.monitoring.elasticsearch.username: elastic
xpack.monitoring.elasticsearch.password: 53Am18Spax2dkjIW4GeC
xpack.monitoring.elasticsearch.hosts: ["https://127.0.0.1:9200"]
xpack.monitoring.elasticsearch.ssl.verification_mode: none
xpack.monitoring.elasticsearch.ssl.certificate_authority: "/home/logstash/config/certs/ca.pem"
xpack.monitoring.elasticsearch.sniffing: false

logstash秘鑰庫

ES_PWD 密碼 key ，ES_ACCESS 賬號key

創建密碼庫

bin/logstash-keystore create

添加密鑰key，過程中需要輸入對應的密碼

bin/logstash-keystore add ES_PWD

查看key 列表

bin/logstash-keystore list

刪除 key

bin/logstash-keystore remove ES_PWD

設置密碼

set +o history
export LOGSTASH_KEYSTORE_PASS=123456
set -o history

替換明文密碼

xpack.monitoring.elasticsearch.username: ${ES_ACCESS}
xpack.monitoring.elasticsearch.password: ${ES_PWD}