
[ELK] Installing Filebeat

KidAnt 2024. 3. 4. 10:27

  • What is Filebeat?
    • A lightweight log shipper.
    • It forwards selected logs and files in lightweight form and helps centralize information.
    • It mainly parses the information collected for ELK and forwards it (usually to Logstash).
    • In practice the Beats family, Filebeat included, is what gathers the data on each collection target server and sends it on, so these components matter.
  • Build environment
    • OS: Ubuntu 22.04
    • CPU: 4 vCPU
    • RAM: 16GB
    • DISK: 100GB (disk for the OS and installed programs) + 100GB (disk for ELK analysis/storage files)
    • ETC: OpenStack (IaaS)

Installing Filebeat

root@ubuntu:/home/ubuntu# wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
OK
root@ubuntu:/home/ubuntu# sudo apt-get install apt-transport-https
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages were automatically installed and are no longer required:
  libboost-serialization1.74.0 libgmpxx4ldbl libllvm15 libprotobuf-c1 libsfcgal1
Use 'sudo apt autoremove' to remove them.
The following NEW packages will be installed:
  apt-transport-https
0 upgraded, 1 newly installed, 0 to remove and 40 not upgraded.
Need to get 1510 B of archives.
After this operation, 170 kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu jammy-updates/universe amd64 apt-transport-https all 2.4.11 [1510 B]
Fetched 1510 B in 1s (2712 B/s)
Selecting previously unselected package apt-transport-https.
(Reading database ... 102288 files and directories currently installed.)
Preparing to unpack .../apt-transport-https_2.4.11_all.deb ...
Unpacking apt-transport-https (2.4.11) ...
Setting up apt-transport-https (2.4.11) ...
Scanning processes...
Scanning candidates...
Scanning linux images...

Restarting services...
 systemctl restart packagekit.service postgresql@9.5-main.service postgresql@14-main.service systemd-resolved.service

No containers need to be restarted.

No user sessions are running outdated binaries.

No VM guests are running outdated hypervisor (qemu) binaries on this host.
root@ubuntu:/home/ubuntu# echo "deb https://artifacts.elastic.co/packages/8.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-8.x.list
deb https://artifacts.elastic.co/packages/8.x/apt stable main
root@ubuntu:/home/ubuntu# sudo apt-get update && sudo apt-get install filebeat
Get:1 https://artifacts.elastic.co/packages/8.x/apt stable InRelease [10.4 kB]
Get:2 https://artifacts.elastic.co/packages/8.x/apt stable/main amd64 Packages [82.0 kB]
Hit:3 http://archive.ubuntu.com/ubuntu jammy InRelease
Get:4 http://security.ubuntu.com/ubuntu jammy-security InRelease [110 kB]
Hit:5 http://apt.postgresql.org/pub/repos/apt jammy-pgdg InRelease
Get:6 http://archive.ubuntu.com/ubuntu jammy-updates InRelease [119 kB]
Get:7 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages [1109 kB]
Hit:8 http://archive.ubuntu.com/ubuntu jammy-backports InRelease
Get:9 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages [1326 kB]
Fetched 2756 kB in 3s (874 kB/s)
Reading package lists... Done
W: https://artifacts.elastic.co/packages/8.x/apt/dists/stable/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages were automatically installed and are no longer required:
  libboost-serialization1.74.0 libgmpxx4ldbl libllvm15 libprotobuf-c1 libsfcgal1
Use 'sudo apt autoremove' to remove them.
The following NEW packages will be installed:
  filebeat
0 upgraded, 1 newly installed, 0 to remove and 40 not upgraded.
Need to get 50.2 MB of archives.
After this operation, 183 MB of additional disk space will be used.
Get:1 https://artifacts.elastic.co/packages/8.x/apt stable/main amd64 filebeat amd64 8.12.0 [50.2 MB]
Fetched 50.2 MB in 2s (21.1 MB/s)
Selecting previously unselected package filebeat.
(Reading database ... 102292 files and directories currently installed.)
Preparing to unpack .../filebeat_8.12.0_amd64.deb ...
Unpacking filebeat (8.12.0) ...
Setting up filebeat (8.12.0) ...
Scanning processes...
Scanning linux images...

No services need to be restarted.

No containers need to be restarted.

No user sessions are running outdated binaries.

No VM guests are running outdated hypervisor (qemu) binaries on this host.
root@ubuntu:/home/ubuntu# sudo systemctl enable filebeat
Synchronizing state of filebeat.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable filebeat
Created symlink /etc/systemd/system/multi-user.target.wants/filebeat.service → /lib/systemd/system/filebeat.service.
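The session above still uses apt-key, and apt warns twice that it is deprecated: the key lands in the global trusted.gpg keyring, where it is trusted for every configured repository. The script below is an added example, not the post author's commands; it registers the Elastic 8.x repository with a keyring that is scoped to that repository only, and refuses to install if the downloaded key's fingerprint does not match the one the operator supplies. The keyring path, the list file name, and the ELASTIC_KEY_FPR / APPLY environment variables are this example's own choices; the fingerprint itself is a placeholder to be taken from Elastic's documentation.

```shell
#!/bin/sh
# Added example, not from the original post: register the Elastic 8.x apt repository
# with a repository-scoped keyring instead of the deprecated apt-key used above.
# Assumptions: Ubuntu/Debian with apt, curl and gpg installed; run as root.
# The keyring and list paths below are this example's own choices.
set -eu

KEY_URL="https://artifacts.elastic.co/GPG-KEY-elasticsearch"
REPO_URL="https://artifacts.elastic.co/packages/8.x/apt"
KEYRING="/usr/share/keyrings/elastic-keyring.gpg"
LIST="/etc/apt/sources.list.d/elastic-8.x.list"
# Placeholder: fill in the signing-key fingerprint published in Elastic's documentation.
EXPECTED_FPR="${ELASTIC_KEY_FPR:-REPLACE_WITH_FINGERPRINT_FROM_ELASTIC_DOCS}"

# Build the sources.list entry. "signed-by=" restricts the Elastic key to this one
# repository; apt-key put it in the global trusted.gpg keyring, where it could sign
# packages for every configured repository.
elastic_apt_source() {
    printf 'deb [signed-by=%s] %s stable main\n' "$1" "$2"
}

# Read the primary-key fingerprint from an ASCII-armored key file.
key_fingerprint() {
    gpg --show-keys --with-colons "$1" 2>/dev/null | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Compare two fingerprints ignoring spacing and case; an empty expectation never matches.
fpr_matches() {
    exp=$(printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]')
    got=$(printf '%s' "$2" | tr -d ' ' | tr '[:lower:]' '[:upper:]')
    [ -n "$exp" ] && [ "$exp" = "$got" ]
}

# The steps that change the system run only when APPLY=1, so the script can be
# sourced or dry-run without touching apt.
if [ "${APPLY:-0}" = "1" ]; then
    tmp=$(mktemp)
    curl -fsSL "$KEY_URL" -o "$tmp"
    actual=$(key_fingerprint "$tmp")
    if ! fpr_matches "$EXPECTED_FPR" "$actual"; then
        echo "refusing to install: key fingerprint '$actual' does not match '$EXPECTED_FPR'" >&2
        rm -f "$tmp"
        exit 1
    fi
    gpg --dearmor < "$tmp" > "$KEYRING"
    rm -f "$tmp"
    elastic_apt_source "$KEYRING" "$REPO_URL" > "$LIST"
    apt-get install -y apt-transport-https
    apt-get update
    apt-get install -y filebeat
    systemctl enable filebeat
fi
```

Run it as `APPLY=1 ELASTIC_KEY_FPR='<fingerprint from elastic.co>' sh setup-filebeat-repo.sh`. With the key confined by signed-by, the "Key is stored in legacy trusted.gpg keyring" warning from the apt-get update above also disappears.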

Configuration and startup

root@ubuntu:/home/ubuntu# vi /etc/filebeat/filebeat.yml
# edit
# ---------------------------- Elasticsearch Output ----------------------------
#output.elasticsearch:
  # Array of hosts to connect to.
  #  hosts: ["localhost:9200"]

  # Performance preset - one of "balanced", "throughput", "scale",
  # "latency", or "custom".
  #  preset: balanced

  # Protocol - either `http` (default) or `https`.
  #protocol: "https"

  # Authentication credentials - either API key or username/password.
  #api_key: "id:api_key"
  #username: "elastic"
  #password: "changeme"
# commented out (Filebeat allows only one active output)

# ------------------------------ Logstash Output -------------------------------
output.logstash:
  # The Logstash hosts
  #hosts: ["localhost:5044"]
  hosts: ["(ELK_IP):5044"]
# set to the Logstash server's IP

root@ubuntu:/home/ubuntu# systemctl restart filebeat.service
# restart

Configuring collection of target logs (example)

root@ubuntu:/home/ubuntu# vi /etc/filebeat/filebeat.yml

filebeat.inputs:

- type: log

  enabled: true

  paths:
    - /var/log/postgresql/postgresql-14-main.log*
  fields:
    topic: postgres14-log
    log_type: "postgrsql-14"

# collects the PostgreSQL 14 logs

- type: log

  enabled: true

  paths:
    - /var/log/postgresql/postgresql-9.5-main.log*
  fields:
    topic: postgres9.5-log
    log_type: "postgrsql-9.5"

# collects the PostgreSQL 9.5 logs
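The two edits above (disable the Elasticsearch output, point the Logstash output at the ELK host, add the PostgreSQL inputs) can be generated and checked in one step before the service is restarted. The script below is an added example and not the post author's configuration: it renders the same two PostgreSQL inputs using the filestream input type, which Filebeat 8.x recommends over the older log input, sends them to Logstash over TLS with certificate verification, and then runs Filebeat's own validators. The Logstash host, the CA certificate path, and the LOGSTASH_HOST / LOGSTASH_CA / APPLY variables are this example's assumptions; the topic and log_type labels follow the post, with the spelling of postgresql corrected.

```shell
#!/bin/sh
# Added example, not from the original post: generate a filebeat.yml that ships the
# PostgreSQL logs above to Logstash over TLS, then check it before restarting.
# Assumptions: filebeat 8.x installed as above; the Logstash address and the CA
# certificate path are supplied by the operator (placeholders in the usage line).
set -eu

# Render the configuration. Uses the filestream input, which Filebeat 8.x recommends
# over the older log input shown in the post; each filestream needs a unique id.
render_filebeat_config() {
    ls_host="$1"   # Logstash host or IP (assumed value)
    ca_file="$2"   # CA that signed the Logstash server certificate (assumed path)
    cat <<EOF
filebeat.inputs:
- type: filestream
  id: postgres14-log
  enabled: true
  paths:
    - /var/log/postgresql/postgresql-14-main.log*
  fields:
    topic: postgres14-log
    log_type: "postgresql-14"

- type: filestream
  id: postgres9.5-log
  enabled: true
  paths:
    - /var/log/postgresql/postgresql-9.5-main.log*
  fields:
    topic: postgres9.5-log
    log_type: "postgresql-9.5"

output.logstash:
  hosts: ["${ls_host}:5044"]
  ssl.certificate_authorities: ["${ca_file}"]
  ssl.verification_mode: full
EOF
}

# Count uncommented top-level output.* blocks. Filebeat accepts exactly one output,
# which is why the Elasticsearch block was commented out above; leaving two enabled
# stops the service from starting.
count_outputs() {
    grep -c '^output\.[a-z_]*:' "$1" || true
}

# Static check first, then the real validators when the filebeat binary is present:
# "filebeat test config" parses the file and "filebeat test output" opens a
# connection (including the TLS handshake) to each Logstash host.
validate_config() {
    n=$(count_outputs "$1")
    if [ "$n" -ne 1 ]; then
        echo "expected exactly one output.* block, found $n" >&2
        return 1
    fi
    if command -v filebeat >/dev/null 2>&1; then
        filebeat test config -c "$1" && filebeat test output -c "$1"
    fi
}

# Only write to /etc/filebeat and restart the service when APPLY=1.
if [ "${APPLY:-0}" = "1" ]; then
    render_filebeat_config "${LOGSTASH_HOST:?set LOGSTASH_HOST}" "${LOGSTASH_CA:?set LOGSTASH_CA}" \
        > /etc/filebeat/filebeat.yml
    validate_config /etc/filebeat/filebeat.yml
    systemctl restart filebeat.service
fi
```

Run it as `APPLY=1 LOGSTASH_HOST=<ELK_IP> LOGSTASH_CA=/etc/filebeat/logstash-ca.crt sh configure-filebeat.sh`. If `filebeat test output` reports a certificate error, the CA file does not match the certificate Logstash presents on port 5044; fix that rather than lowering `ssl.verification_mode`.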
