1在elk101中安装elasticsearch
[root@elk101 ~]# ls
anaconda-ks.cfg elasticsearch-7.17.3-x86_64.rpm filebeat-7.17.3-x86_64.rpm kibana-7.17.3-x86_64.rpm
[root@elk101 ~]# scp elasticsearch-7.17.3-x86_64.rpm elk102:/root
elasticsearch-7.17.3-x86_64.rpm 100% 297MB 172.9MB/s 00:01
[root@elk101 ~]# scp elasticsearch-7.17.3-x86_64.rpm elk103:/root
elasticsearch-7.17.3-x86_64.rpm 100% 297MB 176.4MB/s 00:01
[root@elk101 ~]# yum -y localinstall elasticsearch-7.17.3-x86_64.rpm
Repository extras is listed more than once in the configuration
上次元数据过期检查:1:48:06 前,执行于 2023年03月16日 星期四 15时14分25秒。
依赖关系解决。
===========================================================================================================================================
软件包 架构 版本 仓库 大小
===========================================================================================================================================
安装:
elasticsearch x86_64 7.17.3-1 @commandline 297 M
事务概要
===========================================================================================================================================
安装 1 软件包
总计:297 M
安装大小:494 M
下载软件包:
运行事务检查
事务检查成功。
运行事务测试
事务测试成功。
运行事务
准备中 : 1/1
运行脚本: elasticsearch-7.17.3-1.x86_64 1/1
Creating elasticsearch group... OK
Creating elasticsearch user... OK
安装 : elasticsearch-7.17.3-1.x86_64 1/1
运行脚本: elasticsearch-7.17.3-1.x86_64 1/1
### NOT starting on installation, please execute the following statements to configure elasticsearch service to start automatically using systemd
sudo systemctl daemon-reload
sudo systemctl enable elasticsearch.service
### You can start elasticsearch service by executing
sudo systemctl start elasticsearch.service
Created elasticsearch keystore in /etc/elasticsearch/elasticsearch.keystore
[/usr/lib/tmpfiles.d/elasticsearch.conf:1] Line references path below legacy directory /var/run/, updating /var/run/elasticsearch → /run/elasticsearch; please update the tmpfiles.d/ drop-in file accordingly.
验证 : elasticsearch-7.17.3-1.x86_64 1/1
已安装:
elasticsearch-7.17.3-1.x86_64
完毕!
[root@elk101 ~]# systemctl start elasticsearch
[root@elk101 ~]# curl 127.0.0.1:9200
{
"name" : "elk101",
"cluster_name" : "elasticsearch",
"cluster_uuid" : "qVkInulZTPG9B-l0tglE4w",
"version" : {
"number" : "7.17.3",
"build_flavor" : "default",
"build_type" : "rpm",
"build_hash" : "5ad023604c8d7416c9eb6c0eadb62b14e766caff",
"build_date" : "2022-04-19T08:11:19.070913226Z",
"build_snapshot" : false,
"lucene_version" : "8.11.1",
"minimum_wire_compatibility_version" : "6.8.0",
"minimum_index_compatibility_version" : "6.0.0-beta1"
},
"tagline" : "You Know, for Search"
}
[root@elk101 ~]# vim /etc/elasticsearch/elasticsearch.yml
[root@elk101 ~]# ls
anaconda-ks.cfg elasticsearch-7.17.3-x86_64.rpm filebeat-7.17.3-x86_64.rpm kibana-7.17.3-x86_64.rpm
[root@elk101 ~]# egrep -v "^#|^$" /etc/elasticsearch/elasticsearch.yml
cluster.name: tyjs09-elk
node.name: elk101 #这里写节点的名称
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 0.0.0.0
discovery.seed_hosts: ["10.0.0.101", "10.0.0.102", "10.0.0.103"]
cluster.initial_master_nodes: ["elk101","elk102","elk103"]
[root@elk101 ~]# ll /var/log/elasticsearch/
总用量 212
-rw-r--r--. 1 elasticsearch elasticsearch 0 3月 16 17:02 elasticsearch_audit.json
-rw-r--r--. 1 elasticsearch elasticsearch 797 3月 16 17:03 elasticsearch_deprecation.json
-rw-r--r--. 1 elasticsearch elasticsearch 509 3月 16 17:03 elasticsearch_deprecation.log
-rw-r--r--. 1 elasticsearch elasticsearch 0 3月 16 17:02 elasticsearch_index_indexing_slowlog.json
-rw-r--r--. 1 elasticsearch elasticsearch 0 3月 16 17:02 elasticsearch_index_indexing_slowlog.log
-rw-r--r--. 1 elasticsearch elasticsearch 0 3月 16 17:02 elasticsearch_index_search_slowlog.json
-rw-r--r--. 1 elasticsearch elasticsearch 0 3月 16 17:02 elasticsearch_index_search_slowlog.log
-rw-r--r--. 1 elasticsearch elasticsearch 24239 3月 16 17:03 elasticsearch.log
-rw-r--r--. 1 elasticsearch elasticsearch 49125 3月 16 17:03 elasticsearch_server.json
-rw-r--r--. 1 elasticsearch elasticsearch 78228 3月 16 18:02 gc.log
-rw-r--r--. 1 elasticsearch elasticsearch 2114 3月 16 17:02 gc.log.00
[root@elk101 ~]# systemctl restart elasticsearch
[root@elk101 ~]# ll /var/log/elasticsearch/
总用量 268
-rw-r--r--. 1 elasticsearch elasticsearch 0 3月 16 17:02 elasticsearch_audit.json
-rw-r--r--. 1 elasticsearch elasticsearch 797 3月 16 17:03 elasticsearch_deprecation.json
-rw-r--r--. 1 elasticsearch elasticsearch 509 3月 16 17:03 elasticsearch_deprecation.log
-rw-r--r--. 1 elasticsearch elasticsearch 0 3月 16 17:02 elasticsearch_index_indexing_slowlog.json
-rw-r--r--. 1 elasticsearch elasticsearch 0 3月 16 17:02 elasticsearch_index_indexing_slowlog.log
-rw-r--r--. 1 elasticsearch elasticsearch 0 3月 16 17:02 elasticsearch_index_search_slowlog.json
-rw-r--r--. 1 elasticsearch elasticsearch 0 3月 16 17:02 elasticsearch_index_search_slowlog.log
-rw-r--r--. 1 elasticsearch elasticsearch 25759 3月 16 18:03 elasticsearch.log
-rw-r--r--. 1 elasticsearch elasticsearch 52848 3月 16 18:03 elasticsearch_server.json
-rw-r--r--. 1 elasticsearch elasticsearch 38133 3月 16 18:03 gc.log
-rw-r--r--. 1 elasticsearch elasticsearch 2114 3月 16 17:02 gc.log.00
-rw-r--r--. 1 elasticsearch elasticsearch 78959 3月 16 18:03 gc.log.01
-rw-r--r--. 1 elasticsearch elasticsearch 2114 3月 16 18:03 gc.log.02
-rw-r--r--. 1 elasticsearch elasticsearch 0 3月 16 18:03 tyjs09-elk_audit.json
-rw-r--r--. 1 elasticsearch elasticsearch 794 3月 16 18:03 tyjs09-elk_deprecation.json
-rw-r--r--. 1 elasticsearch elasticsearch 509 3月 16 18:03 tyjs09-elk_deprecation.log
-rw-r--r--. 1 elasticsearch elasticsearch 0 3月 16 18:03 tyjs09-elk_index_indexing_slowlog.json
-rw-r--r--. 1 elasticsearch elasticsearch 0 3月 16 18:03 tyjs09-elk_index_indexing_slowlog.log
-rw-r--r--. 1 elasticsearch elasticsearch 0 3月 16 18:03 tyjs09-elk_index_search_slowlog.json
-rw-r--r--. 1 elasticsearch elasticsearch 0 3月 16 18:03 tyjs09-elk_index_search_slowlog.log
-rw-r--r--. 1 elasticsearch elasticsearch 14725 3月 16 18:03 tyjs09-elk.log
-rw-r--r--. 1 elasticsearch elasticsearch 28244 3月 16 18:03 tyjs09-elk_server.json
[root@elk101 ~]#
2分别在elk102和elk103中安装es
#1把elk101节点的配置文件传给其它两台机器
[root@elk101 ~]# scp /etc/elasticsearch/elasticsearch.yml elk102:/etc/elasticsearch/
elasticsearch.yml 100% 3443 1.7MB/s 00:00
[root@elk101 ~]# scp /etc/elasticsearch/elasticsearch.yml elk103:/etc/elasticsearch/
elasticsearch.yml 100% 3443 2.0MB/s 00:00
#2修改elk102机器上的配置文件
[root@elk102 ~]# egrep -v "^#|^$" /etc/elasticsearch/elasticsearch.yml
cluster.name: tyjs09-elk
node.name: elk102
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 0.0.0.0
discovery.seed_hosts: ["10.0.0.101", "10.0.0.102", "10.0.0.103"]
cluster.initial_master_nodes: ["elk101", "elk102", "elk103"]
#3修改elk103机器上的配置文件
[root@elk103 ~]# egrep -v "^#|^$" /etc/elasticsearch/elasticsearch.yml
cluster.name: tyjs09-elk
node.name: elk103
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 0.0.0.0
discovery.seed_hosts: ["10.0.0.101", "10.0.0.102", "10.0.0.103"]
cluster.initial_master_nodes: ["elk101", "elk102", "elk103"]
#4停掉elk101上正在运行的es并清理临时数据目录以及之前单机部署的es数据和日志
[root@elk101 ~]# systemctl stop elasticsearch
[root@elk101 ~]# rm -rf /var/lib/elasticsearch/*
[root@elk101 ~]# rm -rf /var/log/elasticsearch/*
[root@elk101 ~]# rm -rf /tmp/*
#5顺便也清理一下elk102和elk103上的临时数据目录
[root@elk102 ~]# rm -rf /tmp/*
[root@elk103 ~]# rm -rf /tmp/*
#6启动所有节点
[root@elk101 ~]# systemctl start elasticsearch
[root@elk102 ~]# systemctl start elasticsearch
[root@elk103 ~]# systemctl start elasticsearch
#7检查集群是否正常
[root@elk101 ~]# ll /var/log/elasticsearch/
总用量 136
-rw-r--r--. 1 elasticsearch elasticsearch 56699 3月 16 18:43 gc.log
-rw-r--r--. 1 elasticsearch elasticsearch 2114 3月 16 18:39 gc.log.00
-rw-r--r--. 1 elasticsearch elasticsearch 0 3月 16 18:39 tyjs09-elk_audit.json
-rw-r--r--. 1 elasticsearch elasticsearch 0 3月 16 18:39 tyjs09-elk_deprecation.json
-rw-r--r--. 1 elasticsearch elasticsearch 0 3月 16 18:39 tyjs09-elk_deprecation.log
-rw-r--r--. 1 elasticsearch elasticsearch 0 3月 16 18:39 tyjs09-elk_index_indexing_slowlog.json
-rw-r--r--. 1 elasticsearch elasticsearch 0 3月 16 18:39 tyjs09-elk_index_indexing_slowlog.log
-rw-r--r--. 1 elasticsearch elasticsearch 0 3月 16 18:39 tyjs09-elk_index_search_slowlog.json
-rw-r--r--. 1 elasticsearch elasticsearch 0 3月 16 18:39 tyjs09-elk_index_search_slowlog.log
-rw-r--r--. 1 elasticsearch elasticsearch 30324 3月 16 18:43 tyjs09-elk.log
-rw-r--r--. 1 elasticsearch elasticsearch 43613 3月 16 18:43 tyjs09-elk_server.json
[root@elk101 ~]# tail -2f /var/log/elasticsearch/tyjs09-elk.log
[2023-03-16T18:43:48,102][WARN ][o.e.c.c.ClusterFormationFailureHelper] [elk101] master not discovered yet, this node has not previously joined a bootstrapped (v7+) cluster, and [cluster.initial_master_nodes] is empty on this node: have discovered [{elk101}{SjBn6fZKQ8i1lQaYaWWW6Q}{UEd9psd8SI66nnR1uGLivg}{10.0.0.101}{10.0.0.101:9300}{cdfhilmrstw}, {elk102}{Qqw592LGRRyt3EwH8SR0Xg}{oKWGPhsgQiORvc1v5J15VQ}{10.0.0.102}{10.0.0.102:9300}{cdfhilmrstw}, {elk103}{U1E-_8loQY2tFXi-3m4SKA}{SZRF9fkvRaa_yMQNS_N7NA}{10.0.0.103}{10.0.0.103:9300}{cdfhilmrstw}]; discovery will continue using [10.0.0.102:9300, 10.0.0.103:9300] from hosts providers and [{elk101}{SjBn6fZKQ8i1lQaYaWWW6Q}{UEd9psd8SI66nnR1uGLivg}{10.0.0.101}{10.0.0.101:9300}{cdfhilmrstw}] from last-known cluster state; node term 0, last-accepted version 0 in term 0
[2023-03-16T18:43:58,104][WARN ][o.e.c.c.ClusterFormationFailureHelper] [elk101] master not discovered yet, this node has not previously joined a bootstrapped (v7+) cluster, and [cluster.initial_master_nodes] is empty on this node: have discovered [{elk101}{SjBn6fZKQ8i1lQaYaWWW6Q}{UEd9psd8SI66nnR1uGLivg}{10.0.0.101}{10.0.0.101:9300}{cdfhilmrstw}, {elk102}{Qqw592LGRRyt3EwH8SR0Xg}{oKWGPhsgQiORvc1v5J15VQ}{10.0.0.102}{10.0.0.102:9300}{cdfhilmrstw}, {elk103}{U1E-_8loQY2tFXi-3m4SKA}{SZRF9fkvRaa_yMQNS_N7NA}{10.0.0.103}{10.0.0.103:9300}{cdfhilmrstw}]; discovery will continue using [10.0.0.102:9300, 10.0.0.103:9300] from hosts providers and [{elk101}{SjBn6fZKQ8i1lQaYaWWW6Q}{UEd9psd8SI66nnR1uGLivg}{10.0.0.101}{10.0.0.101:9300}{cdfhilmrstw}] from last-known cluster state; node term 0, last-accepted version 0 in term 0
[2023-03-16T18:44:08,109][WARN ][o.e.c.c.ClusterFormationFailureHelper] [elk101] master not discovered yet, this node has not previously joined a bootstrapped (v7+) cluster, and [cluster.initial_master_nodes] is empty on this node: have discovered [{elk101}{SjBn6fZKQ8i1lQaYaWWW6Q}{UEd9psd8SI66nnR1uGLivg}{10.0.0.101}{10.0.0.101:9300}{cdfhilmrstw}, {elk102}{Qqw592LGRRyt3EwH8SR0Xg}{oKWGPhsgQiORvc1v5J15VQ}{10.0.0.102}{10.0.0.102:9300}{cdfhilmrstw}, {elk103}{U1E-_8loQY2tFXi-3m4SKA}{SZRF9fkvRaa_yMQNS_N7NA}{10.0.0.103}{10.0.0.103:9300}{cdfhilmrstw}]; discovery will continue using [10.0.0.102:9300, 10.0.0.103:9300] from hosts providers and [{elk101}{SjBn6fZKQ8i1lQaYaWWW6Q}{UEd9psd8SI66nnR1uGLivg}{10.0.0.101}{10.0.0.101:9300}{cdfhilmrstw}] from last-known cluster state; node term 0, last-accepted version 0 in term 0
^Z
[1]+ 已停止 tail -2f /var/log/elasticsearch/tyjs09-elk.log
[root@elk101 ~]# ss -ntl
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 *:9300 *:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 128 *:9200 *:*
[root@elk101 ~]# curl 10.0.0.103:9200
{
"name" : "elk103",
"cluster_name" : "tyjs09-elk",
"cluster_uuid" : "_na_",
"version" : {
"number" : "7.17.3",
"build_flavor" : "default",
"build_type" : "rpm",
"build_hash" : "5ad023604c8d7416c9eb6c0eadb62b14e766caff",
"build_date" : "2022-04-19T08:11:19.070913226Z",
"build_snapshot" : false,
"lucene_version" : "8.11.1",
"minimum_wire_compatibility_version" : "6.8.0",
"minimum_index_compatibility_version" : "6.0.0-beta1"
},
"tagline" : "You Know, for Search"
}
[root@elk101 ~]#
#8验证服务是否可用
[root@elk101 ~]# curl 10.0.0.101:9200/_cat/nodes
10.0.0.102 13 97 50 0.99 0.33 0.16 cdfhilmrstw * elk102
10.0.0.103 6 97 54 0.89 0.26 0.18 cdfhilmrstw - elk103
10.0.0.101 16 94 49 1.29 0.38 0.18 cdfhilmrstw - elk101
[root@elk101 ~]# curl 10.0.0.102:9200/_cat/nodes
10.0.0.101 35 96 19 1.16 0.38 0.19 cdfhilmrstw - elk101
10.0.0.102 19 96 8 0.84 0.32 0.16 cdfhilmrstw * elk102
10.0.0.103 18 96 17 0.75 0.26 0.18 cdfhilmrstw - elk103
[root@elk101 ~]# curl 10.0.0.103:9200/_cat/nodes
10.0.0.101 35 96 1 1.07 0.38 0.18 cdfhilmrstw - elk101
10.0.0.102 19 96 2 0.77 0.31 0.16 cdfhilmrstw * elk102
10.0.0.103 18 96 1 0.69 0.25 0.18 cdfhilmrstw - elk103
2在elk103中安装kibana
[root@elk103 ~]# ls anaconda-ks.cfg elasticsearch-7.17.3-x86_64.rpm kibana-7.17.3-x86_64.rpm [root@elk103 ~]# yum -y localinstall kibana-7.17.3-x86_64.rpm Repository extras is listed more than once in the configuration 上次元数据过期检查:3:44:46 前,执行于 2023年03月16日 星期四 15时24分44秒。 依赖关系解决。 =========================================================================================================================================== 软件包 架构 版本 仓库 大小 =========================================================================================================================================== 安装: kibana x86_64 7.17.3-1 @commandline 256 M 事务概要 =========================================================================================================================================== 安装 1 软件包 总计:256 M 安装大小:646 M 下载软件包: 运行事务检查 事务检查成功。 运行事务测试 事务测试成功。 运行事务 准备中 : 1/1 运行脚本: kibana-7.17.3-1.x86_64 1/1 安装 : kibana-7.17.3-1.x86_64 1/1 运行脚本: kibana-7.17.3-1.x86_64 1/1 Creating kibana group... OK Creating kibana user... OK Created Kibana keystore in /etc/kibana/kibana.keystore [/usr/lib/tmpfiles.d/elasticsearch.conf:1] Line references path below legacy directory /var/run/, updating /var/run/elasticsearch → /run/elasticsearch; please update the tmpfiles.d/ drop-in file accordingly. 验证 : kibana-7.17.3-1.x86_64 1/1 已安装: kibana-7.17.3-1.x86_64 完毕! [root@elk103 ~]# vim /etc/kibana/kibana.yml [root@elk103 ~]# egrep -v '^$|^#' /etc/kibana/kibana.yml server.port: 5601 server.host: "0.0.0.0" server.name: "10.0.0.103" elasticsearch.hosts: ["http://10.0.0.101:9200","http://10.0.0.102:9200","http://10.0.0.103:9200"] i18n.locale: "zh-CN" [root@elk103 ~]# [root@elk103 ~]# systemctl enable --now kibana [root@elk103 ~]# ss -ntl State Recv-Q Send-Q Local Address:Port Peer Address:Port Process LISTEN 0 128 0.0.0.0:5601 0.0.0.0:* LISTEN 0 128 0.0.0.0:22 0.0.0.0:* LISTEN 0 128 *:9200 *:* LISTEN 0 128 *:9300 *:* LISTEN 0 128 [::]:22 [::]:* [root@elk103 ~]# [root@elk103 ~]# curl http://10.0.0.103:5601
3在elk102中部署filebeat
[root@elk102 ~]# ls
anaconda-ks.cfg elasticsearch-7.17.3-x86_64.rpm elasticsearch.yml filebeat-7.17.3-x86_64.rpm
[root@elk102 ~]# yum -y localinstall filebeat-7.17.3-x86_64.rpm
Repository extras is listed more than once in the configuration
上次元数据过期检查:1:48:05 前,执行于 2023年03月16日 星期四 18时22分38秒。
依赖关系解决。
===========================================================================================================================================
软件包 架构 版本 仓库 大小
===========================================================================================================================================
安装:
filebeat x86_64 7.17.3-1 @commandline 34 M
事务概要
===========================================================================================================================================
安装 1 软件包
总计:34 M
安装大小:138 M
下载软件包:
运行事务检查
事务检查成功。
运行事务测试
事务测试成功。
运行事务
准备中 : 1/1
安装 : filebeat-7.17.3-1.x86_64 1/1
运行脚本: filebeat-7.17.3-1.x86_64 1/1
验证 : filebeat-7.17.3-1.x86_64 1/1
已安装:
filebeat-7.17.3-1.x86_64
完毕!
[root@elk102 ~]# mkdir /etc/filebeat/config
[root@elk102 ~]# cat > /etc/filebeat/config/01-stdin-to-console.yml <<'EOF'
> # 指定输入类型
> filebeat.inputs:
> # 指定输入的类型为 stdin ,表示标准输入
> - type: stdin
> # 指定输出类型
> output.console:
> # 打印漂亮的格式
> pretty: true
> EOF
[root@elk102 ~]# filebeat -e -c /etc/filebeat/config/01-stdin-to-console.yml
2023-03-16T20:12:14.245+0800 INFO instance/beat.go:685 Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat] Hostfs Path: [/]
2023-03-16T20:12:14.246+0800 INFO instance/beat.go:693 Beat ID: b2e99cfa-205d-4233-b612-de1083bee73d
2023-03-16T20:12:14.247+0800 INFO [seccomp] seccomp/seccomp.go:124 Syscall filter successfully installed
2023-03-16T20:12:14.247+0800 INFO [beat] instance/beat.go:1039 Beat info {"system_info": {"beat": {"path": {"config": "/etc/filebeat", "data": "/var/lib/filebeat", "home": "/usr/share/filebeat", "logs": "/var/log/filebeat"}, "type": "filebeat", "uuid": "b2e99cfa-205d-4233-b612-de1083bee73d"}}}
2023-03-16T20:12:14.247+0800 INFO [beat] instance/beat.go:1048 Build info {"system_info": {"build": {"commit": "1993ee88a11cb34f61a1fb45c7c3cf50533682cb", "libbeat": "7.17.3", "time": "2022-04-19T09:27:20.000Z", "version": "7.17.3"}}}
2023-03-16T20:12:14.247+0800 INFO [beat] instance/beat.go:1051 Go runtime info {"system_info": {"go": {"os":"linux","arch":"amd64","max_procs":2,"version":"go1.17.8"}}}
2023-03-16T20:12:14.248+0800 INFO [beat] instance/beat.go:1055 Host info {"system_info": {"host": {"architecture":"x86_64","boot_time":"2023-03-16T14:39:37+08:00","containerized":false,"name":"elk102","ip":["127.0.0.1/8","::1/128","10.0.0.102/24","fe80::20c:29ff:fef0:dd98/64"],"kernel_version":"4.18.0-425.3.1.el8.x86_64","mac":["00:0c:29:f0:dd:98"],"os":{"type":"linux","family":"","platform":"rocky","name":"Rocky Linux","version":"8.7 (Green Obsidian)","major":8,"minor":7,"patch":0},"timezone":"CST","timezone_offset_sec":28800,"id":"4b743c6f50e2489cbc623d4c36599108"}}}
2023-03-16T20:12:14.248+0800 INFO [beat] instance/beat.go:1084 Process info {"system_info": {"process": {"capabilities": {"inheritable":null,"permitted":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","38","39","40"],"effective":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","38","39","40"],"bounding":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","38","39","40"],"ambient":null}, "cwd": "/root", "exe": "/usr/share/filebeat/bin/filebeat", "name": "filebeat", "pid": 12241, "ppid": 12183, "seccomp": {"mode":"filter","no_new_privs":true}, "start_time": "2023-03-16T20:12:13.310+0800"}}}
2023-03-16T20:12:14.248+0800 INFO instance/beat.go:328 Setup Beat: filebeat; Version: 7.17.3
2023-03-16T20:12:14.248+0800 INFO [publisher] pipeline/module.go:113 Beat name: elk102
2023-03-16T20:12:14.249+0800 WARN beater/filebeat.go:202 Filebeat is unable to load the ingest pipelines for the configured modules because the Elasticsearch output is not configured/enabled. If you have already loaded the ingest pipelines or are using Logstash pipelines, you can ignore this warning.
2023-03-16T20:12:14.249+0800 INFO [monitoring] log/log.go:142 Starting metrics logging every 30s
2023-03-16T20:12:14.250+0800 INFO instance/beat.go:492 filebeat start running.
2023-03-16T20:12:14.251+0800 INFO memlog/store.go:119 Loading data file of '/var/lib/filebeat/registry/filebeat' succeeded. Active transaction id=0
2023-03-16T20:12:14.251+0800 INFO memlog/store.go:124 Finished loading transaction log file for '/var/lib/filebeat/registry/filebeat'. Active transaction id=0
2023-03-16T20:12:14.251+0800 WARN beater/filebeat.go:411 Filebeat is unable to load the ingest pipelines for the configured modules because the Elasticsearch output is not configured/enabled. If you have already loaded the ingest pipelines or are using Logstash pipelines, you can ignore this warning.
2023-03-16T20:12:14.251+0800 INFO [registrar] registrar/registrar.go:109 States Loaded from registrar: 0
2023-03-16T20:12:14.251+0800 INFO [crawler] beater/crawler.go:71 Loading Inputs: 1
2023-03-16T20:12:14.251+0800 INFO [crawler] beater/crawler.go:117 starting input, keys present on the config: [filebeat.inputs.0.type]
2023-03-16T20:12:14.251+0800 INFO [crawler] beater/crawler.go:148 Starting input (ID: 16876905907669988323)
2023-03-16T20:12:14.251+0800 INFO [crawler] beater/crawler.go:106 Loading and starting Inputs completed. Enabled inputs: 1
2023-03-16T20:12:14.251+0800 INFO [stdin.harvester] log/harvester.go:309 Harvester started for paths: [] {"harvester_id": "049abf4a-2fe0-4b30-8fc6-60d752252c06"}
hello
{
"@timestamp": "2023-03-16T12:12:21.964Z",
"@metadata": {
"beat": "filebeat",
"type": "_doc",
"version": "7.17.3"
},
"message": "hello",
"input": {
"type": "stdin"
},
"ecs": {
"version": "1.12.0"
},
"host": {
"name": "elk102"
},
"agent": {
"hostname": "elk102",
"ephemeral_id": "006788ce-23b5-46b7-aa99-d46bfa7f926b",
"id": "b2e99cfa-205d-4233-b612-de1083bee73d",
"name": "elk102",
"type": "filebeat",
"version": "7.17.3"
},
"log": {
"file": {
"path": ""
},
"offset": 0
}
}
2023-03-16T20:12:22.971+0800 ERROR file/states.go:125 State for should have been dropped, but couldn't as state is not finished.
^Z
[1]+ 已停止 filebeat -e -c /etc/filebeat/config/01-stdin-to-console.yml
[root@elk102 ~]#
4filebeat输出日志到屏幕测试案例
#在第一个elk102窗口中执行
[root@elk102 ~]# rm -rf /var/lib/filebeat/*
[root@elk102 ~]# mkdir ~/config
[root@elk102 ~]# vim ~/config/04-log-to-console.yml
[root@elk102 ~]# cat ~/config/04-log-to-console.yml
#输入
filebeat.inputs:
- type: log
enabled: true #是否启用
paths:
- /tmp/test.log #数据路径
tags: ["tyjs09-linux80","容器运维"] #给此输入打个标记
fields:
school: "北京市昌平区沙河镇"
class: "linux80"
- type: log
enabled: true #是否启用
paths:
- /tmp/test.log #数据路径
tags: ["13800130888"] #给此输入打个标记
fields:
name: "张三"
phone: "13800130888"
adds: "北京市朝阳区酒仙桥北路甲10"
#fields_under_root: true #是否设为顶级字段,意思就是把fields里的所有的value值都放入到input中
#输出
output.console:
pretty: true
[root@elk102 ~]# filebeat -e -c ~/config/04-log-to-console.yml
#2再新开一个elk102窗口执行
[root@elk102 ~]# echo " hahahaha" > /tmp/test.log
#3再次回到第一个elk102窗口观察
[root@elk102 ~]# filebeat -e -c ~/config/04-log-to-console.yml
2023-03-16T20:24:46.721+0800 INFO instance/beat.go:685 Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat] Hostfs Path: [/]
2023-03-16T20:24:46.724+0800 INFO instance/beat.go:693 Beat ID: 68ebae66-7e3c-4f9a-9670-cc5c83a08505
2023-03-16T20:24:46.725+0800 INFO [seccomp] seccomp/seccomp.go:124 Syscall filter successfully installed
2023-03-16T20:24:46.725+0800 INFO [beat] instance/beat.go:1039 Beat info {"system_info": {"beat": {"path": {"config": "/etc/filebeat", "data": "/var/lib/filebeat", "home": "/usr/share/filebeat", "logs": "/var/log/filebeat"}, "type": "filebeat", "uuid": "68ebae66-7e3c-4f9a-9670-cc5c83a08505"}}}
2023-03-16T20:24:46.725+0800 INFO [beat] instance/beat.go:1048 Build info {"system_info": {"build": {"commit": "1993ee88a11cb34f61a1fb45c7c3cf50533682cb", "libbeat": "7.17.3", "time": "2022-04-19T09:27:20.000Z", "version": "7.17.3"}}}
2023-03-16T20:24:46.725+0800 INFO [beat] instance/beat.go:1051 Go runtime info {"system_info": {"go": {"os":"linux","arch":"amd64","max_procs":2,"version":"go1.17.8"}}}
2023-03-16T20:24:46.726+0800 INFO [beat] instance/beat.go:1055 Host info {"system_info": {"host": {"architecture":"x86_64","boot_time":"2023-03-16T14:39:37+08:00","containerized":false,"name":"elk102","ip":["127.0.0.1/8","::1/128","10.0.0.102/24","fe80::20c:29ff:fef0:dd98/64"],"kernel_version":"4.18.0-425.3.1.el8.x86_64","mac":["00:0c:29:f0:dd:98"],"os":{"type":"linux","family":"","platform":"rocky","name":"Rocky Linux","version":"8.7 (Green Obsidian)","major":8,"minor":7,"patch":0},"timezone":"CST","timezone_offset_sec":28800,"id":"4b743c6f50e2489cbc623d4c36599108"}}}
2023-03-16T20:24:46.727+0800 INFO [beat] instance/beat.go:1084 Process info {"system_info": {"process": {"capabilities": {"inheritable":null,"permitted":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","38","39","40"],"effective":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","38","39","40"],"bounding":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","38","39","40"],"ambient":null}, "cwd": "/root", "exe": "/usr/share/filebeat/bin/filebeat", "name": "filebeat", "pid": 12306, "ppid": 12272, "seccomp": {"mode":"filter","no_new_privs":true}, "start_time": "2023-03-16T20:24:45.810+0800"}}}
2023-03-16T20:24:46.727+0800 INFO instance/beat.go:328 Setup Beat: filebeat; Version: 7.17.3
2023-03-16T20:24:46.727+0800 INFO [publisher] pipeline/module.go:113 Beat name: elk102
2023-03-16T20:24:46.728+0800 WARN beater/filebeat.go:202 Filebeat is unable to load the ingest pipelines for the configured modules because the Elasticsearch output is not configured/enabled. If you have already loaded the ingest pipelines or are using Logstash pipelines, you can ignore this warning.
2023-03-16T20:24:46.728+0800 INFO [monitoring] log/log.go:142 Starting metrics logging every 30s
2023-03-16T20:24:46.728+0800 INFO instance/beat.go:492 filebeat start running.
2023-03-16T20:24:46.729+0800 INFO memlog/store.go:119 Loading data file of '/var/lib/filebeat/registry/filebeat' succeeded. Active transaction id=0
2023-03-16T20:24:46.729+0800 INFO memlog/store.go:124 Finished loading transaction log file for '/var/lib/filebeat/registry/filebeat'. Active transaction id=0
2023-03-16T20:24:46.730+0800 WARN beater/filebeat.go:411 Filebeat is unable to load the ingest pipelines for the configured modules because the Elasticsearch output is not configured/enabled. If you have already loaded the ingest pipelines or are using Logstash pipelines, you can ignore this warning.
2023-03-16T20:24:46.730+0800 INFO [registrar] registrar/registrar.go:109 States Loaded from registrar: 0
2023-03-16T20:24:46.730+0800 INFO [crawler] beater/crawler.go:71 Loading Inputs: 2
2023-03-16T20:24:46.730+0800 INFO [crawler] beater/crawler.go:117 starting input, keys present on the config: [filebeat.inputs.0.enabled filebeat.inputs.0.fields.class filebeat.inputs.0.fields.school filebeat.inputs.0.paths.0 filebeat.inputs.0.tags.0 filebeat.inputs.0.tags.1 filebeat.inputs.0.type]
2023-03-16T20:24:46.730+0800 WARN [cfgwarn] log/input.go:89 DEPRECATED: Log input. Use Filestream input instead.
2023-03-16T20:24:46.730+0800 INFO [input] log/input.go:171 Configured paths: [/tmp/test.log] {"input_id": "294d18c6-e4b4-46b3-bcaa-5d2b1ae9de1b"}
2023-03-16T20:24:46.730+0800 INFO [crawler] beater/crawler.go:148 Starting input (ID: 6048882312929343489)
2023-03-16T20:24:46.730+0800 INFO [crawler] beater/crawler.go:117 starting input, keys present on the config: [filebeat.inputs.1.enabled filebeat.inputs.1.fields.adds filebeat.inputs.1.fields.name filebeat.inputs.1.fields.phone filebeat.inputs.1.paths.0 filebeat.inputs.1.tags.0 filebeat.inputs.1.type]
2023-03-16T20:24:46.730+0800 INFO [input] log/input.go:171 Configured paths: [/tmp/test.log] {"input_id": "5faf9526-4a90-4203-80eb-ed377f408427"}
2023-03-16T20:24:46.730+0800 INFO [crawler] beater/crawler.go:148 Starting input (ID: 18090793055986617323)
2023-03-16T20:24:46.730+0800 INFO [crawler] beater/crawler.go:106 Loading and starting Inputs completed. Enabled inputs: 2
hello
2023-03-16T20:25:16.744+0800 INFO [monitoring] log/log.go:184 Non-zero metrics in the last 30s {"monitoring": {"metrics": {"beat":{"cgroup":{"memory":{"id":"session-15.scope","mem":{"limit":{"bytes":9223372036854771712},"usage":{"bytes":58720256}}}},"cpu":{"system":{"ticks":100,"time":{"ms":104}},"total":{"ticks":200,"time":{"ms":212},"value":200},"user":{"ticks":100,"time":{"ms":108}}},"handles":{"limit":{"hard":262144,"soft":1024},"open":12},"info":{"ephemeral_id":"1dd971b6-c108-468a-9ee8-958cbfd98ded","uptime":{"ms":30080},"version":"7.17.3"},"memstats":{"gc_next":20467872,"memory_alloc":16529800,"memory_sys":37307400,"memory_total":55555992,"rss":128761856},"runtime":{"goroutines":32}},"filebeat":{"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"active":0},"type":"console"},"pipeline":{"clients":2,"events":{"active":0},"queue":{"max_events":4096}}},"registrar":{"states":{"current":0}},"system":{"cpu":{"cores":2},"load":{"1":0.24,"15":0.26,"5":0.26,"norm":{"1":0.12,"15":0.13,"5":0.13}}}}}}
2023-03-16T20:25:46.749+0800 INFO [monitoring] log/log.go:184 Non-zero metrics in the last 30s {"monitoring": {"metrics": {"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":-2015232}}}},"cpu":{"system":{"ticks":160,"time":{"ms":61}},"total":{"ticks":290,"time":{"ms":87},"value":290},"user":{"ticks":130,"time":{"ms":26}}},"handles":{"limit":{"hard":262144,"soft":1024},"open":12},"info":{"ephemeral_id":"1dd971b6-c108-468a-9ee8-958cbfd98ded","uptime":{"ms":60076},"version":"7.17.3"},"memstats":{"gc_next":18985744,"memory_alloc":9689016,"memory_total":56245272,"rss":124735488},"runtime":{"goroutines":32}},"filebeat":{"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"active":0}},"pipeline":{"clients":2,"events":{"active":0}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":0.15,"15":0.25,"5":0.23,"norm":{"1":0.075,"15":0.125,"5":0.115}}}}}}
2023-03-16T20:26:16.739+0800 INFO [monitoring] log/log.go:184 Non-zero metrics in the last 30s {"monitoring": {"metrics": {"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":12288}}}},"cpu":{"system":{"ticks":170,"time":{"ms":11}},"total":{"ticks":300,"time":{"ms":11},"value":300},"user":{"ticks":130}},"handles":{"limit":{"hard":262144,"soft":1024},"open":12},"info":{"ephemeral_id":"1dd971b6-c108-468a-9ee8-958cbfd98ded","uptime":{"ms":90074},"version":"7.17.3"},"memstats":{"gc_next":18985744,"memory_alloc":10176072,"memory_total":56732328,"rss":124735488},"runtime":{"goroutines":32}},"filebeat":{"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"active":0}},"pipeline":{"clients":2,"events":{"active":0}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":0.16,"15":0.25,"5":0.22,"norm":{"1":0.08,"15":0.125,"5":0.11}}}}}}
2023-03-16T20:26:46.738+0800 INFO [monitoring] log/log.go:184 Non-zero metrics in the last 30s {"monitoring": {"metrics": {"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":36864}}}},"cpu":{"system":{"ticks":190,"time":{"ms":17}},"total":{"ticks":320,"time":{"ms":17},"value":320},"user":{"ticks":130}},"handles":{"limit":{"hard":262144,"soft":1024},"open":12},"info":{"ephemeral_id":"1dd971b6-c108-468a-9ee8-958cbfd98ded","uptime":{"ms":120075},"version":"7.17.3"},"memstats":{"gc_next":18985744,"memory_alloc":11191552,"memory_total":57747808,"rss":124735488},"runtime":{"goroutines":32}},"filebeat":{"harvester":{"open_files":0,"running":0}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"active":0}},"pipeline":{"clients":2,"events":{"active":0}}},"registrar":{"states":{"current":0}},"system":{"load":{"1":0.16,"15":0.25,"5":0.22,"norm":{"1":0.08,"15":0.125,"5":0.11}}}}}}
2023-03-16T20:26:46.810+0800 INFO [input.harvester] log/harvester.go:309 Harvester started for paths: [/tmp/test.log] {"input_id": "294d18c6-e4b4-46b3-bcaa-5d2b1ae9de1b", "source": "/tmp/test.log", "state_id": "native::33641184-64768", "finished": false, "os_id": "33641184-64768", "harvester_id": "1ae90814-f6f8-49ef-a375-65636fa27f0e"}
2023-03-16T20:26:46.810+0800 INFO [input.harvester] log/harvester.go:309 Harvester started for paths: [/tmp/test.log] {"input_id": "5faf9526-4a90-4203-80eb-ed377f408427", "source": "/tmp/test.log", "state_id": "native::33641184-64768", "finished": false, "os_id": "33641184-64768", "harvester_id": "27b7e44e-9a9c-4d45-892f-2ca28d9f0ca3"}
2023-03-16T20:27:16.734+0800 INFO [monitoring] log/log.go:184 Non-zero metrics in the last 30s {"monitoring": {"metrics": {"beat":{"cgroup":{"memory":{"mem":{"usage":{"bytes":61440}}}},"cpu":{"system":{"ticks":200,"time":{"ms":10}},"total":{"ticks":330,"time":{"ms":10},"value":330},"user":{"ticks":130}},"handles":{"limit":{"hard":262144,"soft":1024},"open":14},"info":{"ephemeral_id":"1dd971b6-c108-468a-9ee8-958cbfd98ded","uptime":{"ms":150072},"version":"7.17.3"},"memstats":{"gc_next":18985744,"memory_alloc":11739520,"memory_total":58295776,"rss":124735488},"runtime":{"goroutines":42}},"filebeat":{"events":{"added":2,"done":2},"harvester":{"open_files":2,"running":2,"started":2}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"active":0}},"pipeline":{"clients":2,"events":{"active":0,"filtered":2,"total":2}}},"registrar":{"states":{"current":1,"update":2},"writes":{"success":2,"total":2}},"system":{"load":{"1":0.73,"15":0.29,"5":0.34,"norm":{"1":0.365,"15":0.145,"5":0.17}}}}}}
{
"@timestamp": "2023-03-16T12:27:21.863Z",
"@metadata": {
"beat": "filebeat",
"type": "_doc",
"version": "7.17.3"
},
"ecs": {
"version": "1.12.0"
},
"host": {
"name": "elk102"
},
"agent": {
"id": "68ebae66-7e3c-4f9a-9670-cc5c83a08505",
"name": "elk102",
"type": "filebeat",
"version": "7.17.3",
"hostname": "elk102",
"ephemeral_id": "1dd971b6-c108-468a-9ee8-958cbfd98ded"
},
"log": {
"offset": 0,
"file": {
"path": "/tmp/test.log"
}
},
"message": " hahahaha",
"tags": [
"tyjs09-linux80",
"容器运维"
],
"input": {
"type": "log"
},
"fields": {
"class": "linux80",
"school": "北京市昌平区沙河镇"
}
}
{
"@timestamp": "2023-03-16T12:27:21.863Z",
"@metadata": {
"beat": "filebeat",
"type": "_doc",
"version": "7.17.3"
},
"input": {
"type": "log"
},
"fields": {
"adds": "北京市朝阳区酒仙桥北路甲10",
"name": "张三",
"phone": "13800130888"
},
"ecs": {
"version": "1.12.0"
},
"host": {
"name": "elk102"
},
"agent": {
"name": "elk102",
"type": "filebeat",
"version": "7.17.3",
"hostname": "elk102",
"ephemeral_id": "1dd971b6-c108-468a-9ee8-958cbfd98ded",
"id": "68ebae66-7e3c-4f9a-9670-cc5c83a08505"
},
"log": {
"offset": 0,
"file": {
"path": "/tmp/test.log"
}
},
"message": " hahahaha",
"tags": [
"13800130888"
]
}
^Z
[1]+ 已停止 filebeat -e -c ~/config/04-log-to-console.yml
[root@elk102 ~]#
5filebeat输出日志到es测试案例
[root@elk102 ~]# rm -rf /var/lib/filebeat/*
[root@elk102 ~]# cp ~/config/04-log-to-console.yml ~/config/05-log-to-console.yml
[root@elk102 ~]# vim ~/config/05-log-to-console.yml
[root@elk102 ~]# cat ~/config/05-log-to-console.yml
#输入
filebeat.inputs:
- type: log
enabled: true #是否启用
paths:
- /tmp/test.log #数据路径
tags: ["tyjs09-linux80","容器运维"] #给此输入打个标记
fields:
school: "北京市昌平区沙河镇"
class: "linux80"
- type: log
enabled: true #是否启用
paths:
- /tmp/test.log #数据路径
tags: ["13800130888"] #给此输入打个标记
fields:
name: "张三"
phone: "13800130888"
adds: "北京市朝阳区酒仙桥北路甲10"
#fields_under_root: true #是否设为顶级字段,意思就是把fields里的所有的value值都放入到input中
#输出
#output.console:
# pretty: true
output.elasticsearch:
hosts: ["http://10.0.0.101:9200","http://10.0.0.102:9200","http://10.0.0.103:9200"]
[root@elk102 ~]# filebeat -e -c ~/config/05-log-to-console.yml
#4打开http://10.0.0.103:5601/app/home#/
自己浏览--点左上角主菜单--Stack Management--索引管理--此时你会看到索引名称filebeat-7.17.3-2023.03.16-000001--回到Stack Management页面选择索引模式--创建索引模式--索引名称输入filebeat-7.17.3-2023.03*表示要取3月份的所有数据--时间戳选择@timestamp即可--创建索引模式
#5在kibana的发现页面中查看数据
主菜单--选择discover--选择索引--选择时间我选择的是本周因为选择当天没有出现数据,之后你会看到左侧边栏会出现一些可用字段,右侧大区域你会看到很多抓取的日志,展开日志后选择jaon格式,然后你会看到你前面测试配置文件内定义的数据--点击左侧边栏message字段然后点击+号后你会看到字段的内容
#6往日志文件存储文件追加内容再次观察kibana
[root@elk102 ~]# cat /tmp/test.log
111
222
[root@elk102 ~]# echo AAA >> /tmp/test.log
[root@elk102 ~]# cat /tmp/test.log
111
222
AAA
kibana操作:主菜单--discover--点击message旁边的加号查看消息
标签:elk,filebeat,log,03,elasticsearch,2023,root From: https://www.cnblogs.com/tyjs09/p/17246284.html