# 6.4.6.2 X-Pack on Logstash

Follow the [official documentation](https://www.elastic.co/guide/en/logstash/6.2/installing-xpack-log.html) to complete the deployment. The deployment steps are as follows.

![](https://1785474312-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Lvt5boAx3hwVzQ2DCNd%2F-M2WOs6_DdVcq9_1S4az%2F-M2WOtH2cG8pGS_b2IGa%2FLogstashFlow.jpg?generation=1584329628746177\&alt=media)

Run `bin/logstash-plugin install` from the Logstash installation directory.

```bash
bin/logstash-plugin install x-pack
```

The plugin install scripts require direct internet access to download and install X-Pack. If your server doesn’t have internet access, specify the location of the X-Pack zip file that you downloaded to a temporary directory.

```bash
bin/logstash-plugin install file:///path/to/file/x-pack-6.2.4.zip
```

### [Configuring Security in Logstash](https://www.elastic.co/guide/en/logstash/current/ls-security.html)

Logstash needs to be able to manage index templates, create indices, and write and delete documents in the indices it creates.

1. Use the **Management > Roles** UI in Kibana or the `role` API to create a `logstash_writer` role. For **cluster** privileges, add `manage_index_templates` and `monitor`. For **indices** privileges, add `write`, `create`, `delete`, and `create_index`.

   If you plan to use [index lifecycle management](https://www.elastic.co/guide/en/elasticsearch/reference/7.6/getting-started-index-lifecycle-management.html), also add `manage_ilm` for cluster and `manage` and `manage_ilm` for indices.

   ```bash
   POST _xpack/security/role/logstash_writer
   {
     "cluster": ["manage_index_templates", "monitor", "manage_ilm"], 
     "indices": [
       {
         "names": [ "logstash-*" ], 
         "privileges": ["write","create","delete","create_index","manage","manage_ilm"]  
       }
     ]
   }
   ```

   > 1. The cluster needs the `manage_ilm` privilege if [index lifecycle management](https://www.elastic.co/guide/en/elasticsearch/reference/7.6/getting-started-index-lifecycle-management.html) is enabled.
   > 2. If you use a custom Logstash index pattern, specify your custom pattern instead of the default `logstash-*` pattern.
   > 3. If [index lifecycle management](https://www.elastic.co/guide/en/elasticsearch/reference/7.6/getting-started-index-lifecycle-management.html) is enabled, the role requires the `manage` and `manage_ilm` privileges to load index lifecycle policies, create rollover aliases, and create and manage rollover indices.
2. Create a `logstash_internal` user and assign it the `logstash_writer` role. You can create users from the **Management > Users** UI in Kibana or through the `user` API:

   ```bash
   POST _xpack/security/user/logstash_internal
   {
     "password" : "x-pack-test-password",
     "roles" : [ "logstash_writer"],
     "full_name" : "Internal Logstash User"
   }
   ```
3. Configure Logstash to authenticate as the `logstash_internal` user you just created. You configure credentials separately for each of the Elasticsearch plugins in your Logstash `.conf` file. For example:

   ```javascript
   input {
     elasticsearch {
       ...
       user => "logstash_internal"
       password => "x-pack-test-password"
     }
   }
   filter {
     elasticsearch {
       ...
       user => "logstash_internal"
       password => "x-pack-test-password"
     }
   }
   output {
     elasticsearch {
       ...
       user => "logstash_internal"
       password => "x-pack-test-password"
     }
   }
   ```
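
To confirm that the role stored in the cluster has not drifted beyond the privileges listed in step 1, the following added example (not part of the original page or the Elastic documentation) compares a role body with that list. The sample role bodies are constructed, and `covered` and `audit_role` are hypothetical helper names; pass it the role body returned by the `role` API.

```python
import json

# Privileges the page grants to logstash_writer (ILM variants included).
ALLOWED_CLUSTER = {"manage_index_templates", "monitor", "manage_ilm"}
ALLOWED_INDEX = {"write", "create", "delete", "create_index", "manage", "manage_ilm"}
ALLOWED_PATTERNS = ["logstash-*"]  # substitute your custom index pattern here

def covered(pattern, allowed=ALLOWED_PATTERNS):
    """True if `pattern` matches no more indices than one of the allowed patterns."""
    return any(pattern == a or (a.endswith("*") and pattern.startswith(a[:-1])) for a in allowed)

def audit_role(role):
    """Return (location, excess) findings for one role definition; empty means no drift."""
    findings = []
    extra = sorted(set(role.get("cluster", [])) - ALLOWED_CLUSTER)
    if extra:
        findings.append(("cluster", extra))
    for i, entry in enumerate(role.get("indices", [])):
        wide = sorted(n for n in entry.get("names", []) if not covered(n))
        if wide:
            findings.append((f"indices[{i}].names", wide))
        extra = sorted(set(entry.get("privileges", [])) - ALLOWED_INDEX)
        if extra:
            findings.append((f"indices[{i}].privileges", extra))
    return findings

# Constructed samples: the role body from this page, and a drifted copy of it.
PAGE_ROLE = json.loads("""{
  "cluster": ["manage_index_templates", "monitor", "manage_ilm"],
  "indices": [{"names": ["logstash-*"],
               "privileges": ["write", "create", "delete", "create_index", "manage", "manage_ilm"]}]
}""")
DRIFTED_ROLE = {
    "cluster": ["monitor", "all"],
    "indices": [{"names": ["logstash-2018.*", "*"], "privileges": ["write", "all"]}],
}

if __name__ == "__main__":
    for name, role in (("page", PAGE_ROLE), ("drifted", DRIFTED_ROLE)):
        print(name, audit_role(role) or "matches the documented privilege set")
```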

## [Monitoring for Logstash](https://www.elastic.co/guide/en/logstash/6.2/configuring-logstash.html#monitoring-settings)

### Key parameters

* `xpack.monitoring.enabled`

  Set to `true` or `false` to turn monitoring on or off. Off by default.
* `xpack.monitoring.elasticsearch.url`

  The Elasticsearch addresses that receive the metrics sent by Logstash, for example `["http://es-prod-node-1:9200", "http://es-prod-node-2:9200"]`.
* **`xpack.monitoring.elasticsearch.username`** and **`xpack.monitoring.elasticsearch.password`**

  If authentication is enabled on Elasticsearch, provide the username and password of the `logstash_system` user.
* `xpack.monitoring.elasticsearch.sniffing`

  Set sniffing to `true` to discover the other nodes of the Elasticsearch cluster. Defaults to `false`.
* `xpack.monitoring.collection.interval`

  Controls how often metrics are collected and shipped on the Logstash side. Defaults to `10s`.

### Enabling Monitoring

Edit `logstash.yml` and add the following:

```
xpack.monitoring.enabled: True
xpack.monitoring.elasticsearch.username: logstash_system
xpack.monitoring.elasticsearch.password: lBJPQyPl0NBwGE6Cq8d0
xpack.monitoring.elasticsearch.url:
  - "http://es-welog02cn-p004.pek3.example.net:9200"
  - "http://es-welog02cn-p005.pek4.example.net:9200"
xpack.monitoring.elasticsearch.sniffing: true
xpack.monitoring.collection.interval: 10s
```

## [Centralized pipeline management](https://www.elastic.co/guide/en/logstash/6.2/logstash-centralized-pipeline-management.html)

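Once the X-Pack Management feature is enabled, you no longer need to configure a `logstash.conf` file when starting Logstash, and you no longer need to pass `-f` to point it at that file on startup. Enabling this feature is described below.

### Key parameters

* `xpack.management.enabled`

  Set to `true` to enable X-Pack centralized configuration management for Logstash.
* `xpack.management.logstash.poll_interval`

  How often the Logstash instance polls Elasticsearch for pipeline changes. Defaults to `5s`.
* `xpack.management.pipeline.id`

  A comma-separated list of pipeline IDs to register for centralized pipeline management. After changing this setting, you need to restart Logstash for the change to take effect. The pipelines must be created in Kibana under `kibana` --> `management` --> `logstash` --> `pipelines`.
* `xpack.management.elasticsearch.url`

  The Elasticsearch instance that stores the Logstash pipeline configurations and metadata. It can be the same instance used in your `outputs` or a different one. Defaults to `http://localhost:9200`.
* **`xpack.management.elasticsearch.username`** and **`xpack.management.elasticsearch.password`**

  If your Elasticsearch cluster is protected with basic authentication, these settings provide the username and password that the Logstash instance uses to authenticate when accessing the configuration data. The user you specify here must have the `logstash_admin` role, which provides access to the `.logstash-*` indices.

### Enabling centralized pipeline management

Edit `logstash.yml` and add the following: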

```
xpack.management.enabled: True
xpack.management.pipeline.id:  
  - "prod_output_es"
  - "prod_output_kafka_plain"
  - "prod_output_kafka_json"
  - "prod_output_k8s_es"
  - "dev_output_es"
xpack.management.elasticsearch.username: logstash_admin_user
xpack.management.elasticsearch.password: MzZqbT44FU2oVJxatz4b
xpack.management.elasticsearch.url:
  - "http://es-welog02cn-p004.pek3.example.net:9200"
  - "http://es-welog02cn-p005.pek4.example.net:9200"
xpack.management.logstash.poll_interval: 5s
```
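
Both `logstash.yml` fragments on this page (monitoring and management) hold a password as a literal and reach Elasticsearch over `http://`, so the basic-auth credentials cross the network unencrypted. The following added example (not part of the original page) flags both conditions; Logstash resolves `${NAME}` references in `logstash.yml` from its keystore or the environment. The sample file, hostnames and the `MGMT_ES_PWD` name are constructed, and `parse_settings` and `lint` are hypothetical helpers that only understand the flat layout shown above.

```python
import re

# Settings from this page that carry a credential or an Elasticsearch endpoint.
PASSWORD_KEY = re.compile(r"^xpack\.(monitoring|management)\.elasticsearch\.password$")
URL_KEY = re.compile(r"^xpack\.(monitoring|management)\.elasticsearch\.url$")
# Only a bare ${NAME} reference passes; ${NAME:default} still embeds a literal fallback.
REFERENCE = re.compile(r"^\$\{[A-Za-z0-9_]+\}$")

def parse_settings(text):
    """Parse the flat 'key: value' and '- item' layout used in the page's logstash.yml."""
    settings, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("- "):  # list item belonging to the previous key
            if current is not None:
                settings[current].append(line[2:].strip().strip("\"'"))
            continue
        key, sep, value = line.partition(":")
        if sep:
            current = key.strip()
            value = value.strip().strip("\"'")
            settings[current] = [value] if value else []
    return settings

def lint(text):
    """Return (setting, issue) pairs for literal passwords and http:// endpoints."""
    findings = []
    for key, values in parse_settings(text).items():
        if PASSWORD_KEY.match(key) and not all(REFERENCE.match(v) for v in values):
            findings.append((key, "literal-password"))
        if URL_KEY.match(key):
            for url in re.findall(r"http://[^\s\"',\]]+", " ".join(values)):
                findings.append((key, "cleartext-http " + url))
    return findings

# Constructed sample, not the page's real hosts or passwords.
SAMPLE = """\
xpack.monitoring.elasticsearch.password: example-literal-secret
xpack.monitoring.elasticsearch.url:
  - "http://es-node-1.example.net:9200"
  - "https://es-node-2.example.net:9200"
xpack.management.elasticsearch.password: "${MGMT_ES_PWD}"
xpack.management.elasticsearch.url: ["https://es-node-1.example.net:9200"]
"""

if __name__ == "__main__":
    print("\n".join(f"{k}: {issue}" for k, issue in lint(SAMPLE)))
```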
