下面是可選的腳本模塊,可以自己選擇,然後進行拼接,注意替換個性化的地方。
一、 從某個服務器下載安裝filebeat
1 將rpm包上傳至服務器A的 /usr/local 路徑下
用scp
用sz
用sftp
2 從服務器A拉取rpm包
2.1 手動輸入服務器A密碼
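# Fetch the Filebeat RPM from the central server unless it is already in
# /usr/local. The operator types the central server's password at the scp prompt.
cd /usr/local/ || exit 1
# Test for the exact file. The earlier `ls | grep` check matched substrings and
# treated "." as a regex wildcard, so a partial or similarly named file
# (for example a leftover "*.rpm.part") was reported as "already present".
if [[ ! -f filebeat-7.7.0-x86_64.rpm ]]; then
  echo "--現在從中心服務器下載filebeat--"
  echo "--請輸入中心服務器密碼--"
  # "-o StrictHostKeyChecking=no" was dropped: it accepted an unknown host key
  # without asking, so the password and the package that is later installed as
  # root could go to / come from an impostor on first contact. With the OpenSSH
  # default the operator is shown the fingerprint and confirms it once.
  # NOTE: "[email protected]" is an e-mail-obfuscation artifact on this page;
  # replace it with the real user@host of the central server. Quoted so the
  # brackets are not read as a glob pattern.
  scp '[email protected]:/usr/local/filebeat-7.7.0-x86_64.rpm' /usr/local/
else
  echo "--filebeat-7.7.0-x86_64.rpm已存在--"
fi
echo ""
ls -l | grep "filebeat"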
2.2 自動填入密碼
安裝expect
# expect is only needed for the automated-password variant below; skip this
# step when the password is typed by hand or key-based SSH login is used.
yum install -y expect
腳本1(/usr/local/download_filebeat.sh)
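#!/usr/bin/expect
# Copies the Filebeat RPM from the central server and answers scp's password
# prompt automatically.
#
# Security caveats for anyone reusing this script:
#  - The password is stored in clear text in this file ("root" here is the
#    page's sample value). Anyone who can read the file can log in to the
#    central server with that account; keep the file readable by its owner only.
#    Key-based SSH authentication with a dedicated low-privilege account removes
#    the need for expect and for a stored password altogether.
#  - StrictHostKeyChecking=no accepts an unknown host key without asking, so on
#    first contact the password and the package can be exchanged with an
#    impostor. Pre-provisioning the central server's key in known_hosts lets
#    this option be removed.
set timeout 30
# NOTE: "[email protected]" is an e-mail-obfuscation artifact on this page;
# replace it with the real user@host. It is wrapped in braces because Tcl would
# otherwise treat the square brackets as command substitution.
spawn scp -o StrictHostKeyChecking=no {[email protected]:/usr/local/filebeat-7.7.0-x86_64.rpm} /usr/local/
expect {
    "password:" {
        # "\r" submits the password; without it the text is typed at the
        # prompt but never sent, and the transfer waits for a key press.
        send "root\r"
    }
    timeout {
        # Do not type the password into whatever is on screen if the prompt
        # never appeared (host unreachable, unexpected banner, ...).
        puts stderr "download_filebeat: no password prompt within $timeout seconds"
        exit 1
    }
}
# Hand the session back to the terminal until scp finishes; unlike "expect eof"
# this is not cut short by the 30-second timeout on a slow transfer.
interact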
腳本2(/usr/local/install_filebeat.sh)
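# Download the Filebeat RPM through the expect helper unless it is already in
# /usr/local, then show the resulting file.
cd /usr/local/ || exit 1
# Test for the exact file. The earlier `ls | grep` check matched substrings and
# treated "." as a regex wildcard, so a similarly named file counted as present.
if [[ ! -f filebeat-7.7.0-x86_64.rpm ]]; then
  echo "--現在從中心服務器下載filebeat--"
  expect /usr/local/download_filebeat.sh
  # Report success only when the file actually arrived; previously
  # "--下載完成--" was printed even when the transfer had failed.
  if [[ -f filebeat-7.7.0-x86_64.rpm ]]; then
    echo "--下載完成--"
  else
    echo "--下載失敗--" >&2
    exit 1
  fi
else
  echo "--filebeat-7.7.0-x86_64.rpm已存在--"
fi
echo ""
# The file existing does not prove it is complete or authentic; that is for the
# install step to verify before the package is installed as root.
ls -l | grep "filebeat-7.7.0-x86_64.rpm"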
二、 安裝filebeat
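# Install the RPM fetched by the download step and keep a copy of the stock
# configuration.
#
# The file name now matches the package downloaded above (7.7.0); this step
# previously named filebeat-7.3.0-x86_64.rpm, which the download never creates.
# The absolute path removes the dependency on the current directory.
#
# The package arrived over the network and is installed as root, so verify it
# first: `rpm -K /usr/local/filebeat-7.7.0-x86_64.rpm` checks its digests and
# signature once the vendor's signing key has been imported with `rpm --import`.
#
# The backup is taken only after a successful install, so a failed or repeated
# run does not overwrite the pristine .bak with an already edited config.
rpm -ivh /usr/local/filebeat-7.7.0-x86_64.rpm \
  && cp /etc/filebeat/filebeat.yml{,.bak}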
三、 修改filebeat輸出端爲logstash
注意修改ip和端口
# Switch Filebeat's output from Elasticsearch to Logstash in one sed pass:
#   1. comment out the "output.elasticsearch:" key,
#   2. comment out its "hosts" line,
#   3. uncomment "output.logstash:" and add the Logstash host beneath it.
# The expressions run in this order on every line, as the three separate
# invocations did. Adjust the IP and port to the local Logstash endpoint.
#
# Only "hosts" is written for the Logstash output; no ssl.* settings are added
# here, so nothing in these edits enables TLS between Filebeat and Logstash.
# Where the logs cross an untrusted network, add ssl.certificate_authorities
# (and client certificates if Logstash requires them) under output.logstash.
sed -i \
  -e "s/output.elasticsearch:/#output.elasticsearch/" \
  -e "s/ hosts: \[\"localhost:9200\"\]/ #hosts: \[\"localhost:9200\"\]/" \
  -e "s/#output.logstash:/output.logstash:\n hosts: \[\"192.168.18.3:5044\"\]/" \
  /etc/filebeat/filebeat.yml
四、 收集linux的system日誌(使用system模塊)
# Collect Linux system logs with the "system" module:
#   1. expand "setup.kibana:" with the Kibana host and the template/ILM
#      settings,
#   2. point the Elasticsearch output at 192.168.18.3:9200 and send events from
#      the system module to a daily "os-linux-*" index,
#   3. enable the module.
# Both expressions run in one sed pass, in the same order as before.
#
# NOTE(review): the indentation inside the replacement text appears collapsed
# to single spaces on this page, and the YAML nesting of indices / when.equals
# depends on it. Check the resulting file with `filebeat test config`.
# No credentials or ssl.* settings are written for Elasticsearch or Kibana
# here; add them if those endpoints require authentication or TLS.
sed -i \
  -e "s/^setup.kibana:/\nsetup.kibana:\n host: \"192.168.18.3:5601\"\nsetup.template.overwrite: true\nsetup.template.enabled: true\nsetup.ilm.enabled: false\n/" \
  -e "s/ hosts: \[\"localhost:9200\"\]/ hosts: \[\"192.168.18.3:9200\"\]\n indices:\n - index: \"os-linux-%{+yyyy.MM.dd}\"\n when.equals:\n event:\n module: \"system\"/" \
  /etc/filebeat/filebeat.yml
filebeat modules enable system
# Turn off the syslog fileset and keep only the auth logs.
# NOTE(review): the edit is addressed by line number. Line 7 is presumably the
# syslog fileset's "enabled" line in the stock system.yml. Confirm this for the
# installed version, because a different layout would leave syslog enabled or
# change another setting without any error.
sed --in-place -e "7 s/ enabled: true/ enabled: false/" /etc/filebeat/modules.d/system.yml