跟我之前Zabbix-agent批量部署脚本Linux and Windows(部署300+可用)文章的套路一样,在使用该脚本前,请先准备好安装包及配置好安装包的资源下载点,由于我这边是纯内网,所以我就找了一个NAS做了共享目录,用于安装脚本去下载安装包
至于怎么做共享目录就不多说,我的目录包含4个文件:
dart
filebeat.service
#用于配置filebeat服务及自启动
filebeat.yml
#filebeat的配置文件
filebeat-8.3.3-linux-x86_64.tar.gz
#filebeat的主要安装包
http_ca.crt
#与Elasticsearch连接的证书文件
测试参数,请酌情修改:
Elasticsearch服务器:192.168.1.1
Elasticsearch账号:elastic/123456
Kibana服务器:192.168.1.1
资源下载点:192.168.1.2
访问资源的账号:nasuser/123456
临时客户端IP:192.168.1.3 (这个在批量部署脚本中是可以被自动修改为实际IP的)
Filebeat配置文件详情:
yaml
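filebeat.inputs:
  # 系统日志:只保留带错误关键字的事件
  - type: log
    enabled: true
    paths:
      - /var/log/messages
      - /var/log/secure
    processors:
      # Drop every event whose message does not match the error keywords.
      - drop_event.when.not.regexp.message: "error|exception|fail"
      # Routing tag, matched by output.elasticsearch.indices below.
      - add_tags:
          tags: ["error_logs"]
      # Host tag; the deploy script rewrites this placeholder IP with the
      # host's real address.  It is a separate add_tags processor on purpose:
      # the previous layout had two `tags:` keys under one add_tags, and a
      # duplicate key is either rejected or resolved last-wins by the parser,
      # so "error_logs" was lost and nothing reached the linux-error index.
      # The trailing space inside the quotes is removed as well.
      - add_tags:
          tags: ["192.168.1.3"]
  # 登录审计日志
  # NOTE(review): /var/log/secure is also listed in the first input; Filebeat
  # documents that a file should not be defined in more than one input —
  # confirm this double harvest is intended.
  - type: log
    enabled: true
    paths:
      - /var/log/secure
    processors:
      - drop_event.when.not.regexp.message: "sshd|login|logout|session|pam_unix|pam_succeed_if|Accepted|Failed|Invalid user|user .* from|pam_unix(sshd:session)"
      - add_tags:
          tags: ["login_logs"]
      - add_tags:
          tags: ["192.168.1.3"]

output.elasticsearch:
  hosts: ["192.168.1.1:9200"]
  protocol: "https"
  username: "elastic"
  # Plaintext credential in a file that is copied from a share to every host.
  # Prefer the Filebeat keystore: `filebeat keystore add ES_PWD` on the host
  # and `password: "${ES_PWD}"` here.
  password: "123456"
  allow_older_versions: true
  # CA used to verify the https endpoint; the deploy script copies it here.
  ssl.certificate_authorities: ["/elkbeat/filebeat/http_ca.crt"]
  indices:
    # 根据标签将日志事件发送到不同的索引
    - index: "linux-error-%{[beat.version]}-%{+yyyy.MM}"
      when.contains:
        tags: "error_logs"
    - index: "linux-login-%{[beat.version]}-%{+yyyy.MM}"
      when.contains:
        tags: "login_logs"

processors:
  # 删除指定的字段
  - drop_fields:
      fields: ["agent", "ecs", "@metadata", "input"]

setup.kibana:
  # 配置连接到Kibana的地址
  host: "192.168.1.1:5601"

logging.level: error
logging.to_files: true
logging.files:
  path: /var/log/filebeat  # 日志文件输出路径
  name: filebeat.log       # 日志文件名
  keepfiles: 7             # 保留的日志文件数量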
批量部署脚本如下:
shell
#!/bin/bash
# 检查是否已安装filebeat相关软件包(通过文件查询方式)
is_installed_check() {
  # Succeed (0) when the filebeat binary already exists at the install path,
  # fail (1) otherwise.  `file` stays global, as before.
  file="/elkbeat/filebeat/filebeat"
  [ -e "$file" ]
}
# 获取已安装的filebeat相关软件包列表(通过脚本方式)
get_installed_packages_sh() {
  # Print the version string reported by the installed filebeat binary.
  # `installed_packages` stays global, as before.
  installed_packages="$(/elkbeat/filebeat/filebeat version)"
  printf '已安装软件包:%s\n' "$installed_packages"
}
# 获取主机的IP地址(以192.168开头)
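get_ip_address() {
  # Find the host's IPv4 address and store it in the global ip_address,
  # which replace_config reads.  $1 selects the subnet prefix to look for
  # (default 192.168, the previously hard-coded value).
  # Only the first matching address is used: with several matching
  # interfaces the old awk printed all of them, and the embedded newline
  # then broke the sed substitution in replace_config.
  local prefix="${1:-192.168}"
  ip_address=$(ip addr | awk -v pre="$prefix" \
    '/inet / && index($2, pre ".") == 1 { sub(/\/[0-9]+$/, "", $2); print $2; exit }')
  if [ -z "$ip_address" ]; then
    echo "警告:未找到以 $prefix 开头的IP地址" >&2
  fi
  echo "主机IP:$ip_address"
}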
# 下载安装包
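download_packages() {
  # Pull every file in the share's deploy directory into /elkbeat.  -nc keeps
  # files that are already there, so reruns only fetch what is missing.
  # $1 names the archive that must exist afterwards (default: the 8.3.3
  # tarball that install_packages unpacks).
  # The FTP account must be the one that can read the share (the article's
  # parameter list calls it the "访问资源的账号").
  # NOTE: --ftp-password exposes the secret in the process list and shell
  # history; wget can read it from ~/.netrc instead.
  # wget output is still discarded, but the result is now verified: a missing
  # or empty archive is reported and returned as failure instead of letting
  # install_packages run tar on nothing.
  # TODO: compare the archive against a known-good sha256 recorded when it was
  # placed on the share, before unpacking and running it as root.
  local archive="${1:-filebeat-8.3.3-linux-x86_64.tar.gz}"
  mkdir -p /elkbeat
  wget -nc --ftp-user=test --ftp-password=123456 "ftp://192.168.1.2/Temp/yum/*" -P /elkbeat/ &> /dev/null
  if [ ! -s "/elkbeat/$archive" ]; then
    echo "下载失败:/elkbeat/$archive 不存在或为空" >&2
    return 1
  fi
}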
#安装软件包
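install_packages() {
  # Unpack the downloaded tarball into /elkbeat/filebeat, install the unit
  # file and the CA certificate, then remove the extracted tree and archive.
  # $1 is the Filebeat version (default 8.3.3); it drives every file name
  # below, so upgrading the package on the share no longer needs three edits.
  # Returns non-zero if /elkbeat is missing, the archive is absent, or tar
  # fails — previously those errors were ignored and the later mv/cp failed
  # noisily on an empty directory.
  local version="${1:-8.3.3}"
  local archive="filebeat-${version}-linux-x86_64.tar.gz"
  cd /elkbeat || return 1
  if [ ! -s "$archive" ]; then
    echo "安装包不存在:/elkbeat/$archive" >&2
    return 1
  fi
  mkdir -p /elkbeat/filebeat/
  rm -rf /elkbeat/filebeat/*
  tar -xzf "$archive" || return 1
  mv "/elkbeat/filebeat-${version}-linux-x86_64"/* /elkbeat/filebeat/
  # The unit file comes from the share and will run as root; keep the share
  # read-only for the download account.
  cp /elkbeat/filebeat.service /lib/systemd/system/
  # Make systemd pick up the newly added unit file reliably.
  systemctl daemon-reload
  cp /elkbeat/http_ca.crt /elkbeat/filebeat/
  cd /elkbeat || return 1
  rm -rf "filebeat-${version}"*
}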
# 替换配置文件
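replace_config() {
  # Install the shared filebeat.yml and stamp the host's IP into its tags.
  # $1 is the placeholder IP written in the shared filebeat.yml (default
  # 192.168.1.3, the value the article's config uses).  It has to match that
  # file exactly; the old pattern looked for 10.115.85.195, which the shipped
  # config does not contain, so the tag was never rewritten.
  # Trailing whitespace inside the quotes is tolerated because the article's
  # config carries "192.168.1.3 ".  Reads the global ip_address set by
  # get_ip_address; if it is empty the placeholder is kept and a warning is
  # printed instead of writing an empty tag.
  local placeholder="${1:-192.168.1.3}"
  local placeholder_re="${placeholder//./\\.}"
  cd /elkbeat/filebeat || return 1
  cp filebeat.yml filebeat.yml.bak
  cp -f /elkbeat/filebeat.yml /elkbeat/filebeat/
  if [ -z "$ip_address" ]; then
    echo "警告:ip_address 为空,保留配置中的占位IP $placeholder" >&2
    return 1
  fi
  sed -i "s/tags: \[\"${placeholder_re}[[:space:]]*\"\]/tags: \[\"$ip_address\"\]/g" /elkbeat/filebeat/filebeat.yml
}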
# 检查服务状态
check_service_status() {
  # Restart filebeat and report whether it is active afterwards.
  # `service_status` stays global, as before.
  systemctl restart filebeat
  if systemctl is-active filebeat.service --quiet; then
    service_status="active"
  else
    service_status="inactive"
  fi
  echo "服务状态:$service_status"
}
# 设置服务启动及开机启动
set_service() {
  # Start filebeat now, then enable it at boot (same order as before).
  local action
  for action in start enable; do
    systemctl "$action" filebeat
  done
}
# 执行主程序
# 执行主程序:已安装则只报告版本,否则按顺序完成下载、安装、配置和启动
if is_installed_check; then
  echo "已安装filebeat相关软件包"
  get_installed_packages_sh
else
  echo "未安装filebeat相关软件包"
  # Each step's exit status is ignored, as in the original flow.
  for step in get_ip_address download_packages install_packages \
              replace_config check_service_status set_service; do
    "$step"
  done
fi