elasticsearch配置
elasticsearch.yml
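# elasticsearch.yml — single-node cluster (7.6.0) with X-Pack security enabled.
# Restored to one setting per line; collapsed onto one line the file does not parse.
cluster.name: elasticsearch
node.name: node-1
path.data: /usr/local/elasticsearch/elasticsearch-7.6.0/data
path.logs: /usr/local/elasticsearch/elasticsearch-7.6.0/logs

# Listens on every interface, so :9200 is reachable from anywhere that can route
# to this host. Prefer the concrete LAN address (or 127.0.0.1 / _local_) unless
# remote clients are genuinely required, and firewall the port either way.
# network.host already provides the bind address; network.bind_host only repeats it.
network.host: 0.0.0.0
network.bind_host: 0.0.0.0
http.port: 9200
cluster.initial_master_nodes: ["node-1"]

# CORS with a wildcard origin lets any web page an operator visits send
# credentialed browser requests to this cluster. Kibana does not need CORS (it
# proxies server-side); keep this only for a browser plugin such as
# elasticsearch-head, and then pin the origin instead of "*".
http.cors.enabled: true
http.cors.allow-origin: "*"

# Turn on X-Pack authentication (needed before setting built-in passwords).
xpack.security.enabled: true
# Node-to-node TLS. With this set to true a 7.x node normally refuses to start
# until a key/certificate is configured, e.g. one produced by
# bin/elasticsearch-certutil; the commented lines are the usual minimum.
xpack.security.transport.ssl.enabled: true
# xpack.security.transport.ssl.verification_mode: certificate
# xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
# xpack.security.transport.ssl.truststore.path: elastic-certificates.p12

# NOTE(review): HTTP TLS (xpack.security.http.ssl.enabled) is not configured,
# so the Kibana and Logstash credentials sent to :9200 travel in cleartext.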
jvm.options
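# jvm.options — one JVM flag per line. Each non-comment line is handed to the
# JVM as a single argument, so "-Xms1g -Xmx1g" on one line is passed as one
# malformed option rather than two flags.
# Min and max heap are pinned equal so the heap is never resized at runtime.
-Xms1g
-Xmx1g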
kibana
kibana.yml
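# kibana.yml
i18n.locale: "zh-CN"
server.port: 5601
# Listens on every interface with no TLS (server.ssl.enabled is not set): the
# login form and the session cookie travel over plain HTTP. Bind to the LAN
# address, or terminate TLS on a reverse proxy in front of Kibana.
server.host: 0.0.0.0

# Account Kibana itself uses against Elasticsearch. Use the built-in kibana
# service user rather than the elastic superuser, and keep the password in the
# keystore (bin/kibana-keystore add elasticsearch.password) instead of this
# file, which tends to be world-readable and pasted into notes like this one.
elasticsearch.username: "xxxx"
elasticsearch.password: "xxx"

# Replace both with unique random strings of at least 32 characters (for
# example `openssl rand -hex 32`). The values below are the documentation
# placeholders: anyone who knows the security key can decrypt or forge the
# session cookie it protects. Keep the keys stable across restarts, otherwise
# existing sessions and pending reporting jobs become unreadable.
xpack.reporting.encryptionKey: "a_random_string"
xpack.security.encryptionKey: "something_at_least_32_characters"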
logstash
logstash.yml
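# logstash.yml
# Bind address of the Logstash node API (:9600). The default is 127.0.0.1;
# binding it to the LAN address exposes the unauthenticated API (node info,
# pipeline stats, hot threads) to everything on the network. Keep the default
# unless a collector on another host needs it, and firewall the port if so.
http.host: "192.168.xx.xx"

xpack.monitoring.enabled: true
# Plain http: the monitoring credentials below are sent in cleartext.
xpack.monitoring.elasticsearch.hosts: "http://192.168.xx.xx:9200"
# Use the built-in logstash_system user for monitoring, and store the password
# in the Logstash keystore (bin/logstash-keystore add ES_MONITOR_PWD) and
# reference it as "${ES_MONITOR_PWD}" rather than writing it here.
xpack.monitoring.elasticsearch.username: "xxxx"
xpack.monitoring.elasticsearch.password: "xxxx"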
log_to_es.conf
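# log_to_es.conf — receives JSON-lines events over TCP, parses the pipe-delimited
# "message" field and indexes the result in Elasticsearch.
input {
  # Both listeners accept connections from any address with no TLS and no client
  # authentication (ssl_enable / ssl_verify are not set), so any host that can
  # reach 5000 or 4999 can inject or replay "loginlog" / "datalog" records into
  # what is effectively an audit index. Restrict the source with a firewall, or
  # enable the tcp input's TLS with client certificates.
  tcp {
    mode  => "server"
    host  => "0.0.0.0"
    port  => 5000
    codec => json_lines
    type  => "datalog"
  }
  tcp {
    mode  => "server"
    host  => "0.0.0.0"
    port  => 4999
    codec => json_lines
    type  => "loginlog"
  }
}

filter {
  if [type] == "loginlog" {
    # Discard every message that does not contain "登录系统" (system login)
    # before spending grok time on it; the original parsed first, then dropped.
    if [message] =~ "^(?!.*?登录系统).*$" {
      drop {}
    }
    grok {
      match => { "message" => "\|%{GREEDYDATA:loginMsg}\|%{GREEDYDATA:timeFormat}\|%{GREEDYDATA:userName}" }
    }
  }

  if [type] == "datalog" {
    # Several GREEDYDATA captures in one pattern backtrack heavily on long or
    # malformed lines; a pipe-delimited dissect filter is cheaper if volume grows.
    grok {
      match => { "message" => "\|%{DATA:userName}\|%{GREEDYDATA:operationName}\|%{DATA:timeFormat}\|%{DATA:ip}\|%{DATA:systemType}\|%{GREEDYDATA:logType}\|%{GREEDYDATA:method}\|%{GREEDYDATA:input}" }
    }
  }

  # Copy the ingest timestamp into a plain "time" field. The original also ran a
  # ruby filter doing `event['time'] = event['@timestamp']`; that hash-style
  # access was removed with the Logstash 5 Event API (event.get / event.set),
  # so on 7.6 it only raised and tagged the event _rubyexception — and had it
  # worked, add_field on the existing field would have turned "time" into a
  # two-element array. The mutate below is the single, working copy.
  mutate {
    add_field => ["time", "%{@timestamp}"]
  }
}

output {
  # "elastic" is the superuser; this pipeline only needs an account with
  # create_index/write on its indices. Keep the password in the Logstash
  # keystore and reference it as "${ES_PWD}" rather than in the config file.
  # hosts is plain http, so these credentials travel in cleartext as well.
  if [type] == "datalog" {
    elasticsearch {
      hosts    => ["192.168.xx.xx:9200"]
      user     => "elastic"
      password => "xxxx"
      index    => "xxxx-%{+YYYY.MM.dd}"
    }
  }
  if [type] == "loginlog" {
    elasticsearch {
      hosts    => ["192.168.xx.xx:9200"]
      user     => "elastic"
      password => "xxxx"
      index    => "xxxx-%{+YYYY.MM.dd}"
    }
  }
}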