Elasticsearch Logstash Kibana（ELK 堆栈）+ 在 t3.large 上的 ubuntu 22.04 AWS EC2 实例上设置 filebeat 以可视化系统日志

我正在尝试在 t3.large 上的 ubuntu 22.04 AWS EC2 实例上设置 ELK stack + filebeat 以可视化系统日志。

以下是我正在遵循的过程

（注意 - 这些步骤不是从 ChatGPT 复制的，这些步骤是多个互联网来源的组合，包括 DigitalOcean、YouTube 等）

我面临的问题是 filebeat 失败并出现以下错误，并且我面临着设置堆栈的困难

我还在0.0.0.0/0的安全组中开放了端口9200、5601、5044

`Aug 12 06:59:12 ip-172-31-25-190 systemd[1]: filebeat.service: Start request repeated too quickly.
Aug 12 06:59:12 ip-172-31-25-190 systemd[1]: filebeat.service: Failed with result 'exit-code'.
Aug 12 06:59:12 ip-172-31-25-190 systemd[1]: Failed to start Filebeat sends log files to Logstash or directly to Elasticsearch..`

sudo apt update
sudo apt upgrade
sudo apt install openjdk-11-jdk

wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-8.9.0-amd64.deb
sudo dpkg -i elasticsearch-8.9.0-amd64.deb

> sudo vim /etc/elasticsearch/elasticsearch.yml

network.host: localhost
http.port: 9200
xpack.security.enabled: false
xpack.security.enrollment.enabled: false

sudo systemctl start elasticsearch
sudo systemctl enable elasticsearch

curl -X GET "localhost:9200"

_ - - - - - _

wget https://artifacts.elastic.co/downloads/kibana/kibana-8.9.0-amd64.deb
sudo dpkg -i kibana-8.9.0-amd64.deb


> sudo vim /etc/kibana/kibana.yml

server.port: 5601
server.host: "0.0.0.0"
elasticsearch.hosts: ["http://localhost:9200"]

echo "kibanaadmin:`openssl passwd -apr1`" | sudo tee -a /etc/nginx/htpasswd.users

_ - - - - - _

wget https://artifacts.elastic.co/downloads/logstash/logstash-8.9.0-amd64.deb
sudo dpkg -i logstash-8.9.0-amd64.deb

> sudo vim /etc/logstash/conf.d/02-beats-input.conf

input {
  beats {
    port => 5044
  }
}

> sudo vim /etc/logstash/conf.d/30-elasticsearch-output.conf

output {
  if [@metadata][pipeline] {
    elasticsearch {
      hosts => ["localhost:9200"]
      manage_template => false
      index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
      pipeline => "%{[@metadata][pipeline]}"
    }
  } else {
    elasticsearch {
      hosts => ["localhost:9200"]
      manage_template => false
      index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    }
  }
}

sudo -u logstash /usr/share/logstash/bin/logstash --path.settings /etc/logstash -t
sudo systemctl start logstash
sudo systemctl enable logstash

_ - - - - - _

wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-8.9.0-amd64.deb
sudo dpkg -i filebeat-8.9.0-amd64.deb

sudo vim /etc/filebeat/filebeat.yml

#output.elasticsearch:
  # Array of hosts to connect to.
  #hosts: ["localhost:9200"]

output.logstash:
  hosts: ["localhost:5044"]

sudo filebeat modules enable system
sudo filebeat setup --pipelines --modules system
sudo filebeat setup --index-management -E output.logstash.enabled=false -E 'output.elasticsearch.hosts=["localhost:9200"]'
sudo filebeat setup -E output.logstash.enabled=false -E 'output.elasticsearch.hosts=["localhost:9200"]' -E setup.kibana.host=localhost:5601

sudo systemctl start filebeat
sudo systemctl enable filebeat

curl -XGET 'http://localhost:9200/filebeat-*/_search?pretty'



earlier used openjdk-19 then shifted to openjdk-11
shifted from t3.medium to t3.large

used the below logstash config earlier

sudo vi /etc/logstash/conf.d/logstash.conf
 
input {
  beats {
    port => 5044
  }
}
 
output {
  elasticsearch {
    hosts => ["localhost:9200"]
    manage_template => false
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
  }
}