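Guide to Configuring Filebeat Network Settings on Debian
First make sure the Debian system is up to date, then install Filebeat from the official repository (using version 7.x as an example):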
sudo apt update && sudo apt upgrade -y
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list
sudo apt update && sudo apt install filebeat -y
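Filebeat's network settings mainly cover the output target, listening port, bind address and TLS encryption; they are set by editing the main configuration file /etc/filebeat/filebeat.yml:
Specify where logs are sent (for example Elasticsearch or Logstash); choose one as needed:
output.elasticsearch:
  hosts: ["localhost:9200"] # Replace with the Elasticsearch server IP and port (e.g. ["192.168.1.100:9200"])
  username: "elastic" # If X-Pack security is enabled, enter the username (e.g. elastic)
  password: "your_password" # Enter the corresponding password
output.logstash:
  hosts: ["localhost:5044"] # Replace with the Logstash server IP and port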
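If Filebeat needs to receive external data (for example, monitoring network traffic through Packetbeat), configure the listening port and bind address:
server.port: 5044 # Change the default listening port (e.g. to 5045) to avoid conflicts
network.host: "0.0.0.0" # Bind to all network interfaces (set to "127.0.0.1" if only local access is needed)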
To secure data in transit, configure SSL certificates (the certificate files must be generated beforehand):
output.elasticsearch:
  hosts: ["localhost:9200"]
  ssl.certificate_authorities: ["/etc/filebeat/certs/ca.crt"] # CA certificate path
  ssl.certificate: "/etc/filebeat/certs/filebeat.crt" # Client certificate path
  ssl.key: "/etc/filebeat/certs/filebeat.key" # Client private key path
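To monitor network traffic (such as TCP/UDP traffic), enable the packetbeat module and specify the ports to listen on:
filebeat.inputs:
- type: packetbeat
  enabled: true
  protocols:
    tcp:
      ports: [80, 443, 5044] # TCP ports to monitor (e.g. HTTP, HTTPS, the Filebeat output port)
    udp:
      ports: [53, 123] # UDP ports to monitor (e.g. DNS, NTP)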
After modifying the configuration file, restart Filebeat for the changes to take effect:
sudo systemctl restart filebeat
sudo systemctl status filebeat
sudo journalctl -u filebeat -f
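Test the connection with curl:
curl -XGET 'localhost:9200/_cluster/health?pretty'
If the ufw firewall is enabled on the system, open the ports Filebeat uses (such as Elasticsearch's port 9200 and Packetbeat's port 5044):
sudo ufw allow 9200/tcp # Allow the Elasticsearch port
sudo ufw allow 5044/tcp # Allow the Packetbeat monitoring port
sudo ufw reload # Reload the firewall rules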
elasticsearch-certutil tool); network.host (for local-only access set it to 127.0.0.1, to avoid exposure to the public internet); /var/log/filebeat/filebeat), to monitor how data is being sent.
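The following Python check is an added example, not part of the original guide or of Filebeat. It scans a filebeat.yml for the exposure points this guide touches on: a remote Elasticsearch host without an explicit https scheme, a remote Logstash host with no ssl.* settings, a literal password in the file, and a 0.0.0.0 bind. The function names, finding codes and sample configuration are assumptions made for this example, and it reads only single-line key: value entries with their indentation intact.

```python
import re

# Constructed sample mirroring the plaintext settings shown in this guide.
SAMPLE = """\
output.elasticsearch:
  hosts: ["192.168.1.100:9200"]   # remote host, no explicit https scheme
  username: "elastic"
  password: "your_password"
network.host: "0.0.0.0"
"""
LOOPBACK = {"localhost", "127.0.0.1", "[::1]"}

def parse(text):
    """Group single-line 'key: value' pairs by top-level section ('' = none)."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()          # drop trailing comment
        if not line.strip() or line.lstrip().startswith("#") or ":" not in line:
            continue
        key, _, value = line.strip().partition(":")
        value = value.strip().strip('"')
        if line[0] not in " \t-":          # unindented: section header or scalar
            current = "" if value else key
            sections.setdefault(current, {})
        if value:
            sections[current][key] = value
    return sections

def is_remote(host):  # True unless the host part is a loopback name or address
    name = re.sub(r":\d+$", "", re.sub(r"^[a-z]+://", "", host))
    return name not in LOOPBACK

def audit(text):
    """Return sorted finding codes for a filebeat.yml passed as text."""
    found = set()
    for name, cfg in parse(text).items():
        hosts = re.findall(r"[^\[\]\",'\s]+", cfg.get("hosts", ""))
        remote = [h for h in hosts if is_remote(h)]
        https = cfg.get("protocol") == "https"
        if name == "output.elasticsearch" and any(
                not (https or h.startswith("https://")) for h in remote):
            found.add("es-no-https-scheme")
        if name == "output.logstash" and remote and not any(
                k.startswith("ssl.") for k in cfg):
            found.add("logstash-no-tls-settings")
        if cfg.get("password") and not cfg["password"].startswith("${"):
            found.add("password-in-file")
        if any(v.startswith("0.0.0.0") for v in cfg.values()):
            found.add("binds-all-interfaces")
    return sorted(found)
```

A literal password can be replaced with a keystore reference such as ${ES_PWD} (a hypothetical key name) after running filebeat keystore add ES_PWD. Running filebeat test config afterwards confirms whether Filebeat itself accepts the file.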