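Overview:

Filebeat's S3 module collects server access logs from AWS S3 storage. S3 event notifications are configured to be sent to SQS, and Filebeat then reads the notifications from SQS and ships the logs into Elasticsearch (ES).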

Prerequisites:

  1. Create a dedicated SQS queue to hold the S3 event notifications

S3 configuration

Configure S3: enable and configure event notifications, select All object create events, and send the events to the SQS queue.

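SQS configuration

The SQS queue has been created, but S3 cannot access it yet; the queue needs a permission that lets S3 send messages. Edit the permissions through Edit Policy Document (advanced) and add something like the following, replacing the placeholder parameters (SQS-queue-ARN, bucket-name) with your own values.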

{
 "Version": "2012-10-17",
 "Id": "example-ID",
 "Statement": [
  {
   "Sid": "example-statement-ID",
   "Effect": "Allow",
   "Principal": {
    "AWS":"*"  
   },
   "Action": [
    "SQS:SendMessage"
   ],
   "Resource": "SQS-queue-ARN",
   "Condition": {
      "ArnLike": { "aws:SourceArn": "arn:aws:s3:*:*:bucket-name" }
   }
  }
 ]
}
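
Because the statement above uses Principal "*", the aws:SourceArn condition is the only thing limiting who can send to the queue. The following Python check is an added example, not part of the original page: it audits a queue policy of this shape and reports a missing condition, a wildcard bucket, or an unexpected bucket. The function names, the Sid and the bucket name example-log-bucket are constructed for illustration.

```python
import json

def audit_queue_policy(policy_json, expected_bucket):
    """Return findings for Allow statements that grant SQS:SendMessage."""
    findings = []
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be a bare object
        statements = [statements]
    for i, st in enumerate(statements):
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        sends = any(a.lower() in ("sqs:sendmessage", "sqs:*", "*") for a in actions)
        if st.get("Effect") != "Allow" or not sends:
            continue
        sid = st.get("Sid", f"statement[{i}]")
        # Gather aws:SourceArn values; condition key names are case-insensitive.
        arns = []
        for op, body in st.get("Condition", {}).items():
            if op.lower() in ("arnlike", "arnequals"):
                for key, val in body.items():
                    if key.lower() == "aws:sourcearn":
                        arns += [val] if isinstance(val, str) else list(val)
        principal = st.get("Principal")
        open_principal = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") == "*")
        if open_principal and not arns:
            findings.append(f"{sid}: any principal may send, no aws:SourceArn condition")
        for arn in arns:
            bucket = arn.split(":", 5)[-1]  # arn:aws:s3:<region>:<account>:<bucket>
            if "*" in bucket or "?" in bucket:
                findings.append(f"{sid}: wildcard in bucket part of {arn}")
            elif bucket != expected_bucket:
                findings.append(f"{sid}: SourceArn names {bucket}, expected {expected_bucket}")
    return findings

def sample_policy(condition):
    """Constructed policy in the shape shown above; the queue ARN is a placeholder."""
    st = {"Sid": "s3-to-sqs", "Effect": "Allow", "Principal": {"AWS": "*"},
          "Action": ["SQS:SendMessage"], "Resource": "SQS-queue-ARN"}
    if condition:
        st["Condition"] = condition
    return json.dumps({"Version": "2012-10-17", "Statement": [st]})

if __name__ == "__main__":
    scoped = {"ArnLike": {"aws:SourceArn": "arn:aws:s3:*:*:example-log-bucket"}}
    for cond in (scoped, None, {"ArnLike": {"aws:SourceArn": "arn:aws:s3:*:*:*"}}):
        print(audit_queue_policy(sample_policy(cond), "example-log-bucket") or "ok")
```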

Configure filebeat.yml

filebeat.inputs:
- type: s3
  queue_url: https://sqs.us-east-1.amazonaws.com/123/test-queue
  access_key_id: '<access_key_id>'
  secret_access_key: '<secret_access_key>'

Or:

filebeat.inputs:
- type: s3
  queue_url: https://sqs.us-east-1.amazonaws.com/123/test-queue
  shared_credential_file: ~/.aws/credentials

Notes:

  1. queue_url: the URL of the SQS queue created above for this purpose
  2. Permissions required by the AWS access key:
    • s3:GetObject
    • sqs:ReceiveMessage
    • sqs:ChangeMessageVisibility
    • sqs:DeleteMessage