下面是可选的脚本模块,可以自己选择,然后进行拼接,注意替换个性化的地方。
一、 从某个服务器下载安装filebeat
1 将rpm包上传至服务器A的</usr/local>路径下
用scp
用sz
用sftp
2 从服务器A拉取rpm包
2.1 手动输入服务器A密码
cd /usr/local/
filebeat=`ls | grep 'filebeat-7.7.0-x86_64.rpm'`
if [[ $filebeat == "" ]];then
echo "--现在从中心服务器下载filebeat--"
echo "--请输入中心服务器密码--"
scp -o StrictHostKeyChecking=no [email protected]:/usr/local/filebeat-7.7.0-x86_64.rpm /usr/local/
else
echo "--filebeat-7.7.0-x86_64.rpm已存在--"
fi
echo ""
ls -l | grep "filebeat"
2.2 自动填入密码
安装expect
yum -y install expect
脚本1(/usr/local/download_filebeat.sh)
#!/usr/bin/expect
set timeout 30
spawn scp -o StrictHostKeyChecking=no [email protected]:/usr/local/filebeat-7.7.0-x86_64.rpm /usr/local/
expect "password:"
send "root"
interact
脚本2(/usr/local/install_filebeat.sh)
cd /usr/local/
filebeat=`ls | grep 'filebeat-7.7.0-x86_64.rpm'`
if [[ $filebeat == "" ]];then
echo "--现在从中心服务器下载filebeat--"
expect /usr/local/download_filebeat.sh
echo "--下载完成--"
else
echo "--filebeat-7.7.0-x86_64.rpm已存在--"
fi
echo ""
ls -l | grep "filebeat-7.7.0-x86_64.rpm"
二、 安装filebeat
rpm -ivh ./filebeat-7.3.0-x86_64.rpm
cp /etc/filebeat/filebeat.yml{,.bak}
三、 修改filebeat输出端为logstash
注意修改ip和端口
sed -i "s/output.elasticsearch:/#output.elasticsearch/" /etc/filebeat/filebeat.yml
sed -i "s/ hosts: \[\"localhost:9200\"\]/ #hosts: \[\"localhost:9200\"\]/" /etc/filebeat/filebeat.yml
sed -i "s/#output.logstash:/output.logstash:\n hosts: \[\"192.168.18.3:5044\"\]/" /etc/filebeat/filebeat.yml
四、 收集linux的system日志(使用system模块)
sed -i "s/^setup.kibana:/\nsetup.kibana:\n host: \"192.168.18.3:5601\"\nsetup.template.overwrite: true\nsetup.template.enabled: true\nsetup.ilm.enabled: false\n/" /etc/filebeat/filebeat.yml
sed -i "s/ hosts: \[\"localhost:9200\"\]/ hosts: \[\"192.168.18.3:9200\"\]\n indices:\n - index: \"os-linux-%{+yyyy.MM.dd}\"\n when.equals:\n event:\n module: \"system\"/" /etc/filebeat/filebeat.yml
filebeat modules enable system
#关闭syslog日志,只保留auth日志
sed -i "7 s/ enabled: true/ enabled: false/" /etc/filebeat/modules.d/system.yml