How to Analyze Ubuntu System Logs with Filebeat
1. Install Filebeat on Ubuntu
Before configuring Filebeat, install it from Elastic's APT repository. Import Elastic's signing key into a dedicated keyring and reference it with signed-by so the key can verify only that one repository (apt-key is deprecated and trusts a key for every repository on the system):

sudo apt update && sudo apt upgrade -y
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-7.x.list
sudo apt update && sudo apt install filebeat -y

This installs the latest 7.x release of Filebeat. Elastic publishes an 8.x repository with the same layout (packages/8.x/apt); choose the major version that matches your Elasticsearch cluster, since Filebeat must not be newer than the cluster it sends to. Before trusting the key, compare its fingerprint with the one Elastic publishes for the Elasticsearch Signing Key: 4609 5ACC 8548 582C 1A26 99A9 D27D 666C D88E 42B4.
2. Enable Filebeat System Module (Recommended)
Filebeat ships a system module that collects Ubuntu's syslog (/var/log/syslog) and authentication log (/var/log/auth.log) and parses them into ECS fields (for example source.ip and user.name for SSH logins). The parsing itself is done by Elasticsearch ingest pipelines; those pipelines, the index template and the Kibana dashboards are loaded by the filebeat setup command, which is run once after the output in step 4 is configured. The module is therefore most useful with the Elasticsearch output.
To enable it:
sudo filebeat modules enable system
Verify the module is enabled:
sudo filebeat modules list
The output lists system under "Enabled:".
3. Configure Filebeat Inputs (Alternative: Manual Path Setup)
If you prefer not to use the system module, you can collect the same files as raw lines by editing the filebeat.inputs section in /etc/filebeat/filebeat.yml (indentation matters in YAML; two spaces per level as below):

filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - /var/log/syslog
      - /var/log/auth.log
    ignore_older: 72h  # Ignore files not modified in the last 72 hours

This configuration tells Filebeat to tail the listed files and skip any whose modification time is older than 3 days. Unlike the module, it does no parsing: each line arrives as a single message field, so filtering on fields such as source.ip or user.name would need a Logstash grok filter or an ingest pipeline of your own. From Filebeat 7.16 on, the filestream input is the replacement for log; log still works throughout the 7.x line.
4. Configure Output (Elasticsearch or Logstash)
Filebeat needs an output destination to send logs. The most common setups are Elasticsearch (for direct indexing) or Logstash (for advanced parsing).
Option A: Output to Elasticsearch (Direct Indexing)
If you have a local Elasticsearch instance running on localhost:9200, add this to filebeat.yml:

output.elasticsearch:
  hosts: ["localhost:9200"]
  index: "filebeat-system-%{+yyyy.MM.dd}"  # Daily indices for system logs

setup.template.name: "filebeat-system"
setup.template.pattern: "filebeat-system-*"
setup.ilm.enabled: false

Overriding the index name is not enough on its own: Filebeat refuses to start unless setup.template.name and setup.template.pattern are also set, and while index lifecycle management is enabled (the default against a 7.x cluster) the index setting is ignored in favour of the ILM rollover alias, so setup.ilm.enabled: false is needed for the daily indices to appear. If the cluster has security enabled, also set username and password (or api_key) under output.elasticsearch and use an https:// URL in hosts for a TLS endpoint.
Option B: Output to Logstash (For Parsing/Enrichment)
If you’re using Logstash for advanced log processing (e.g., grok parsing), configure Filebeat to send logs to Logstash:
output.logstash:
hosts: ["localhost:5044"] # Logstash listens on port 5044
Filebeat accepts only one output at a time, so when sending to Logstash remove or comment out the output.elasticsearch section; with both present Filebeat refuses to start. Because the system module's parsing lives in Elasticsearch ingest pipelines, Logstash must either parse the lines itself or pass the pipeline name Filebeat sets in @metadata on to its elasticsearch output (pipeline => "%{[@metadata][pipeline]}").
# output.elasticsearch: # Comment out or remove this section
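Steps 3 and 4 are easy to get subtly wrong in ways that only show up when the service is started, so here is a small pre-flight lint for filebeat.yml. It is an added example, not code from the original article or from Filebeat, and it encodes the rules discussed above: an overridden output.elasticsearch.index needs setup.template.name and setup.template.pattern (otherwise Filebeat exits at startup) and setup.ilm.enabled: false (otherwise the name is ignored), and exactly one output section may be active. It assumes the dotted top-level key style used in this article (output.elasticsearch:, setup.ilm.enabled:) rather than the nested YAML form, and the two sample configs it checks are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original article or of Filebeat itself:
# a pre-flight lint for the filebeat.yml fragments in steps 3 and 4.
# Rules encoded (all applied by Filebeat 7.x at startup):
#   1. output.elasticsearch.index overridden -> setup.template.name and
#      setup.template.pattern must be set, or Filebeat exits.
#   2. output.elasticsearch.index overridden -> setup.ilm.enabled must be
#      false, or the custom name is ignored in favour of the ILM alias.
#   3. Exactly one output.* section may be active.
# Assumption: dotted top-level keys as in this article, not nested YAML.

# Usage: check_filebeat_config /etc/filebeat/filebeat.yml
# Returns 0 when the config passes, 1 otherwise; findings go to stderr.
check_filebeat_config() {
  cfg="$1"
  rc=0
  # Drop comments and blank lines so commented-out sections are not counted.
  body=$(sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$cfg")

  # An "index:" key with a value on the same line is an index-name override
  # (the nested "index:" under setup.template.settings has no inline value).
  if printf '%s\n' "$body" | grep -Eq '^[[:space:]]*index:[[:space:]]*[^[:space:]]'; then
    for key in setup.template.name setup.template.pattern; do
      printf '%s\n' "$body" | grep -Eq "^[[:space:]]*${key}:" \
        || { echo "ERROR: index overridden but ${key} is not set (Filebeat will not start)" >&2; rc=1; }
    done
    printf '%s\n' "$body" | grep -Eq '^[[:space:]]*setup\.ilm\.enabled:[[:space:]]*false' \
      || { echo "ERROR: index overridden but ILM is enabled, so the name will be ignored" >&2; rc=1; }
  fi

  outputs=$(printf '%s\n' "$body" \
    | grep -Ec '^[[:space:]]*output\.(elasticsearch|logstash|kafka|redis|file|console):')
  if [ "$outputs" -ne 1 ]; then
    echo "ERROR: expected exactly one active output, found ${outputs}" >&2
    rc=1
  fi
  return "$rc"
}

# Constructed sample: an index override with no template/ILM settings and
# both outputs left active. Filebeat would refuse to start on this.
bad_config() {
  cat <<'EOF'
filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - /var/log/syslog
      - /var/log/auth.log
output.elasticsearch:
  hosts: ["localhost:9200"]
  index: "filebeat-system-%{+yyyy.MM.dd}"
output.logstash:
  hosts: ["localhost:5044"]
EOF
}

# Constructed sample: the same config with the settings Filebeat requires.
good_config() {
  cat <<'EOF'
filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - /var/log/syslog
      - /var/log/auth.log
setup.template.name: "filebeat-system"
setup.template.pattern: "filebeat-system-*"
setup.ilm.enabled: false
output.elasticsearch:
  hosts: ["localhost:9200"]
  index: "filebeat-system-%{+yyyy.MM.dd}"
# output.logstash:
#   hosts: ["localhost:5044"]
EOF
}

# Runs the lint over both samples and prints PASS/FAIL for each.
demo() {
  for sample in bad_config good_config; do
    tmp=$(mktemp)
    "$sample" > "$tmp"
    if check_filebeat_config "$tmp"; then echo "$sample: PASS"; else echo "$sample: FAIL"; fi
    rm -f "$tmp"
  done
}

demo
```

Run it against the real file with check_filebeat_config /etc/filebeat/filebeat.yml before sudo filebeat test config; the latter validates YAML syntax and option names but does not warn about the ILM interaction.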
5. Start and Enable Filebeat
After configuring Filebeat, start the service and enable it to run on boot:
sudo systemctl start filebeat
sudo systemctl enable filebeat
Check the service status to ensure it’s running:
sudo systemctl status filebeat
You should see “active (running)” in the output.
6. Verify Log Collection
To confirm Filebeat is reading the files and reaching its output, follow the Filebeat log:

sudo journalctl -u filebeat -f

Look for a "Harvester started for file: /var/log/auth.log" line for each configured path and a "Connection to backoff(elasticsearch(http://localhost:9200)) established" line (for Logstash the target reads async(tcp://localhost:5044)). Every 30 seconds Filebeat also logs a "Non-zero metrics in the last 30s" line; its libbeat.output.events.acked counter should be increasing. If the journal shows only service start and stop lines, logging has been directed to a file and the same messages are under /var/log/filebeat/. A quicker check is sudo filebeat test config for syntax and sudo filebeat test output for connectivity, TLS and credentials.
To verify logs in Elasticsearch, use curl to list indices:
curl -X GET "localhost:9200/_cat/indices?v"
With the Elasticsearch output configured above you should see daily indices named filebeat-system-YYYY.MM.dd. If ILM was left enabled, the index setting is ignored and the data lands in the rollover indices instead, named like filebeat-7.17.0-2024.01.01-000001. With Logstash the index name is whatever its elasticsearch output sets; Logstash's documented Beats example uses %{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}, which also produces filebeat-<version>-<date> names.
7. Analyze Logs in Kibana (Optional but Recommended)
If you’re using Kibana, you can visualize and analyze system logs:
- Open Kibana in your browser (e.g., http://localhost:5601).
- Navigate to Stack Management > Index Patterns and create a new pattern (e.g., filebeat-system-*).
- Go to Discover and select the index pattern. You'll see system logs with fields like @timestamp, host.name, process.name, and message. The parsed fields (process.name, source.ip, user.name and so on) come from the system module's ingest pipelines; with the raw input from step 3 only message and the host and agent metadata are populated.
- Use Kibana's search and visualization tools to create dashboards (e.g., failed login attempts, system errors). If you ran filebeat setup with the system module enabled, the module's prebuilt "[Filebeat System] Syslog" and "SSH login attempts" dashboards are already available under Dashboard.
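The "failed login attempts" view mentioned above is the analysis most people build first, so here it is done two ways. This is an added example, not code from the original article or from Elastic: failed_ssh_by_ip runs directly over auth.log lines (handy on a host before Filebeat is wired up, or to cross-check a dashboard), and es_failed_ssh_query prints the equivalent Elasticsearch aggregation over the ECS fields the system module's auth pipeline produces. It assumes the 7.x system module field names (event.dataset, system.auth.ssh.event, source.ip); with the raw log input from step 3 only the message field exists and the query would match nothing. The auth.log lines are constructed for the demo and use RFC 5737 documentation addresses.

```shell
#!/bin/sh
# Added example, not from the original article: failed SSH logins by
# source address, once from raw auth.log lines and once as the equivalent
# Elasticsearch query over the fields the system module's auth pipeline
# produces. Assumes Filebeat 7.x system module field names.

# Usage: failed_ssh_by_ip /var/log/auth.log
# Prints "<count> <source ip>" lines, most active source first.
failed_ssh_by_ip() {
  awk '/sshd\[[0-9]+\]: Failed (password|publickey) for / {
         # The source address is the token after "from"; scanning for it
         # copes with both "for root from" and "for invalid user admin from".
         for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
         count[ip]++
       }
       END { for (ip in count) print count[ip], ip }' "$1" | sort -rn
}

# Prints the Elasticsearch query body asking the same question of the last
# 24 hours of module-parsed events. Run it with:
#   curl -s -H 'Content-Type: application/json' \
#        "localhost:9200/filebeat-*/_search" -d "$(es_failed_ssh_query)"
es_failed_ssh_query() {
  cat <<'EOF'
{
  "size": 0,
  "query": {
    "bool": {
      "filter": [
        { "term":  { "event.dataset": "system.auth" } },
        { "term":  { "system.auth.ssh.event": "Failed" } },
        { "range": { "@timestamp": { "gte": "now-24h" } } }
      ]
    }
  },
  "aggs": {
    "by_source_ip": { "terms": { "field": "source.ip", "size": 20 } }
  }
}
EOF
}

# Constructed sample auth.log lines (RFC 5737 documentation addresses).
sample_auth_log() {
  cat <<'EOF'
Mar  3 10:15:01 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 54122 ssh2
Mar  3 10:15:04 web01 sshd[2211]: Failed password for root from 203.0.113.5 port 54130 ssh2
Mar  3 10:15:09 web01 sshd[2214]: Accepted publickey for deploy from 198.51.100.7 port 40112 ssh2: ED25519 SHA256:abc
Mar  3 10:15:12 web01 sshd[2217]: Failed password for ubuntu from 198.51.100.9 port 40120 ssh2
Mar  3 10:15:20 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/systemctl restart nginx
EOF
}

# Runs the raw-log analysis over the sample and prints the ES query body.
demo() {
  tmp=$(mktemp)
  sample_auth_log > "$tmp"
  echo "Failed SSH logins by source IP:"
  failed_ssh_by_ip "$tmp"
  rm -f "$tmp"
  echo "Equivalent Elasticsearch query:"
  es_failed_ssh_query
}

demo
```

The awk version keys on the sshd message text, which changes between OpenSSH releases; the Elasticsearch version keys on the normalised ECS fields, which is why building the dashboard on module output rather than on message substring searches is worth the extra setup step.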
8. (Optional) Advanced Configuration
For more control over log parsing or enrichment, you can:
- Add processors: modify or enrich events before they leave Filebeat by adding a processors section to filebeat.yml, for example:
  processors:
    - add_cloud_metadata: ~  # Add cloud provider metadata (if applicable)
  Filebeat itself has no GeoIP processor. GeoIP lookups on client IPs are done by the geoip processor in an Elasticsearch ingest pipeline (the system module's auth pipeline already does this for source.ip) or by Logstash's geoip filter.
- Custom grok patterns: if using Logstash, write grok patterns in its filter section to parse complex log formats (e.g., SSH authentication logs).
- Index templates: define index templates to set index settings (e.g., number of shards) for system logs.
By following these steps, you can effectively use Filebeat to collect, parse, and analyze Ubuntu system logs, enabling you to monitor system health, troubleshoot issues, and detect security threats.