NOTE: 与Filebeat的集成需要Manticore Buddy。如果不起作用，请确保已安装Buddy。

Filebeat 是一个轻量级的转发器，用于转发和集中日志数据。安装并作为代理运行后，它会监控您指定的日志文件或位置，收集日志事件，并将它们转发进行索引，通常到Elasticsearch或Logstash。

现在，Manticore 也支持使用 Filebeat 作为处理管道。这允许收集和转换后的数据像发送到 Elasticsearch 一样发送到 Manticore。目前支持的版本为 7.17-9.3。

配置取决于您使用的Filebeat版本。

重要: Filebeat版本7.17.0, 8.0.0和8.1.0与glibc 2.35+（用于Ubuntu 22.04及更高版本的发行版）存在已知问题。这些版本可能会因“致命glibc错误：rseq注册失败”而崩溃。要修复此问题，请按以下所示添加seccomp配置。

filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/dpkg.log
  close_eof: true
  scan_frequency: 1s
output.elasticsearch:
  hosts: ["http://localhost:9308"]
  index: "dpkg_log"
  compression_level: 0
  allow_older_versions: true  # Required for 8.1
# Fix for glibc 2.35+ compatibility (Ubuntu 22.04+)
seccomp:
  default_action: allow
  syscalls:
    - action: allow
      names:
        - rseq
setup.ilm.enabled: false
setup.template.enabled: false
setup.template.name: "dpkg_log"
setup.template.pattern: "dpkg_log"

参考: Issue #30576，PR #30620

对于版本8.1到8.10，您需要添加allow_older_versions选项：

filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/dpkg.log
  close_eof: true
  scan_frequency: 1s
output.elasticsearch:
  hosts: ["http://localhost:9308"]
  index: "dpkg_log"
  compression_level: 0
  allow_older_versions: true
setup.ilm.enabled: false
setup.template.enabled: false
setup.template.name: "dpkg_log"
setup.template.pattern: "dpkg_log"

从版本8.11开始，输出压缩默认启用，因此您必须显式设置compression_level: 0以与Manticore兼容：

filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/dpkg.log
  close_eof: true
  scan_frequency: 1s
output.elasticsearch:
  hosts: ["http://localhost:9308"]
  index: "dpkg_log"
  compression_level: 0
  allow_older_versions: true
setup.ilm.enabled: false
setup.template.enabled: false
setup.template.name: "dpkg_log"
setup.template.pattern: "dpkg_log"

Filebeat 9.0引入了主要的架构更改，用filestream替换log输入类型。从版本9.0开始，文件识别方法也已更改，使用指纹法，这需要文件至少为1024字节（请参阅issue #44780）。为了与任何大小的文件兼容，您必须禁用指纹识别。

以下是Filebeat 9.0及更高版本所需的配置：

filebeat.inputs:
- type: filestream
  id: dpkg-log-input
  enabled: true
  paths:
    - /var/log/dpkg.log
  prospector.scanner.check_interval: 1s
  prospector.scanner.fingerprint.enabled: false
output.elasticsearch:
  hosts: ["http://localhost:9308"]
  index: "dpkg_log"
  compression_level: 0
  allow_older_versions: true
setup.ilm.enabled: false
setup.template.enabled: false
setup.template.name: "dpkg_log"
setup.template.pattern: "dpkg_log"

Filebeat 9.0+的重要注意事项:

• type: filestream输入替换旧的type: log
• prospector.scanner.fingerprint.enabled: false设置是必需的，以禁用基于指纹的文件识别，确保可靠处理小于1024字节的文件
• id字段是filestream输入所需的，并且必须是唯一的

一旦使用此配置运行Filebeat，日志数据将发送到Manticore并正确索引。以下是Manticore创建的表的结构示例以及插入的文档示例：

mysql> DESCRIBE dpkg_log;
+------------------+--------+--------------------+
| Field            | Type   | Properties         |
+------------------+--------+--------------------+
| id               | bigint |                    |
| @timestamp       | text   | indexed stored     |
| message          | text   | indexed stored     |
| log              | json   |                    |
| input            | json   |                    |
| ecs              | json   |                    |
| host             | json   |                    |
| agent            | json   |                    |
+------------------+--------+--------------------+

mysql> SELECT * FROM dpkg_log LIMIT 1\G
*************************** 1. row ***************************
id: 7280000849080753116
@timestamp: 2023-06-16T09:27:38.792Z
message: 2023-04-12 02:06:08 status half-installed libhogweed5:amd64 3.5.1+really3.5.1-2
input: {"type":"filestream"}
ecs: {"version":"1.6.0"}
host: {"name":"logstash-db848f65f-lnlf9"}
agent: {"ephemeral_id":"587c2ebc-e7e2-4e27-b772-19c611115996","id":"2e3d985b-3610-4b8b-aa3b-2e45804edd2c","name":"logstash-db848f65f-lnlf9","type":"filebeat","version":"7.10.0","hostname":"logstash-db848f65f-lnlf9"}
log: {"offset":80,"file":{"path":"/var/log/dpkg.log"}}

注意：与 Fluent Bit 的集成需要 Manticore Buddy。如果不起作用，请确保已安装 Buddy。

Fluent Bit 是一个开源的跨平台日志处理器，可以从许多来源聚合数据并将其发送到多个目的地。你可以将 Fluent Bit 的输出直接输入 Manticore，使收集的数据能够实时搜索。

以下操作指南演示了如何使用 Fluent Bit 和 Manticore 对 Debian 的 dpkg.log 进行索引。

2023-05-31 10:42:55 status triggers-awaited ca-certificates-java:all 20190405ubuntu1.1
2023-05-31 10:42:55 trigproc libc-bin:amd64 2.31-0ubuntu9.9 <none>
2023-05-31 10:42:55 status half-configured libc-bin:amd64 2.31-0ubuntu9.9
2023-05-31 10:42:55 status installed libc-bin:amd64 2.31-0ubuntu9.9
2023-05-31 10:42:55 trigproc systemd:amd64 245.4-4ubuntu3.21 <none>

创建一个配置文件，例如 fluent-bit.conf：

[SERVICE]
    flush        1
    daemon       On
    log_level    info
[INPUT]
    name tail
    path /var/log/dpkg.log
    inotify_watcher false
    read_from_head true
[OUTPUT]
    name es
    match *
    host 127.0.0.1
    port 9308
    index dpkg_log

• [SERVICE] 块以守护进程模式启动 Fluent Bit，这对于基于 Docker 的设置非常方便。如果你想在前台运行，请禁用守护进程标志。
• inotify_watcher 已关闭，以避免容器内部的文件通知限制。
• 输出插件 (name es) 可以通过端口 9308 与 Manticore 的 HTTP 端点通信。
• index 定义了当第一批数据到达时 Manticore 自动创建的表名。

使用此配置运行 Fluent Bit，它将跟踪 dpkg.log，然后将每一行转发到 Manticore。

将配置保存为 fluent-bit.conf，然后启动 Fluent Bit：

fluent-bit -c fluent-bit.conf

要在 Docker 中运行，请挂载日志文件（只读）和配置：

docker run --rm -v /var/log/dpkg.log:/var/log/dpkg.log:ro \
  -v $(pwd)/fluent-bit.conf:/fluent-bit/etc/fluent-bit.conf:ro \
  fluent/fluent-bit:latest -c /fluent-bit/etc/fluent-bit.conf

数据摄入开始后，Manticore 会自动创建 dpkg_log 表。以下是表定义和示例数据：

mysql> DESCRIBE dpkg_log;
+-------------+--------+----------------+
| Field       | Type   | Properties     |
+-------------+--------+----------------+
| id          | bigint |                |
| @timestamp  | text   | indexed stored |
| log         | text   | indexed stored |
+-------------+--------+----------------+
mysql> SELECT * FROM dpkg_log LIMIT 3\G
*************************** 1. row ***************************
id: 7856533729353662465
@timestamp: 2023-08-04T15:09:21.191Z
log: 2023-06-05 14:03:04 startup archives install
*************************** 2. row ***************************
id: 7856533729353662466
@timestamp: 2023-08-04T15:09:21.191Z
log: 2023-06-05 14:03:04 install base-passwd:amd64 <none> 3.5.47
*************************** 3. row ***************************
id: 7856533729353662467
@timestamp: 2023-08-04T15:09:21.191Z
log: 2023-06-05 14:03:04 status half-installed base-passwd:amd64 3.5.47

通过这个轻量级的管道，Fluent Bit 处理日志收集和传输，而 Manticore 对事件进行索引以实现快速搜索和分析。这种方法同样适用于其他日志源——只需添加更多输入并重用指向你 Manticore 集群的相同 Elasticsearch 兼容输出。

注意：与 Fluent Bit 的集成需要 Manticore Buddy。如果无法正常工作，请确保已安装 Buddy。

Vector by Datadog 是一个开源的可观测性数据管道，可以收集、转换和路由日志或指标。虽然 Vector 可以自行聚合数据，但将其与 Manticore 配合使用可提供专用的存储和搜索层。

以下示例展示了如何通过 Vector.dev 转发 Debian 的 dpkg.log，并将其索引到 Manticore 中。

2023-05-31 10:42:55 status triggers-awaited ca-certificates-java:all 20190405ubuntu1.1
2023-05-31 10:42:55 trigproc libc-bin:amd64 2.31-0ubuntu9.9 <none>
2023-05-31 10:42:55 status half-configured libc-bin:amd64 2.31-0ubuntu9.9
2023-05-31 10:42:55 status installed libc-bin:amd64 2.31-0ubuntu9.9
2023-05-31 10:42:55 trigproc systemd:amd64 245.4-4ubuntu3.21 <none>

创建一个类似于以下内容的 vector.toml：

[sources.test_file]
type = "file"
include = [ "/var/log/dpkg.log" ]
[transforms.modify_test_file]
type = "remap"
inputs = [ "test_file" ]
source = """
.vec_timestamp = del(.timestamp)"""
[sinks.manticore]
type = "elasticsearch"
inputs = [ "modify_test_file" ]
endpoints = ["http://127.0.0.1:9308"]
bulk.index = "dpkg_log"

• endpoints 指向 Manticore 的 HTTP 接口（默认端口为 9308）。如果您的实例在其他位置监听，请进行调整。
• remap 转换将 Vector 的默认 timestamp 字段移动到 vec_timestamp，因为 timestamp 在 Manticore 中是保留字段。
• bulk.index 定义了当 Vector 开始发送数据时将自动创建的表。

使用此配置启动 Vector.dev，它将跟踪日志文件，转换每个事件，并直接将其转发到 Manticore。

将配置保存为 vector.toml，然后启动代理：

vector --config vector.toml

如果在 Docker 中运行 Vector.dev，请挂载配置文件和日志目录，例如：

docker run --rm -v /var/log/dpkg.log:/var/log/dpkg.log:ro \
  -v $(pwd)/vector.toml:/etc/vector/vector.toml:ro \
  timberio/vector:latest --config /etc/vector/vector.toml

当管道运行时，Manticore 会自动创建 dpkg_log 表。其模式和示例文档如下所示：

mysql> DESCRIBE dpkg_log;
+-----------------+---------+--------------------+
| Field           | Type    | Properties         |
+-----------------+---------+--------------------+
| id              | bigint  |                    |
| file            | text    | indexed stored     |
| host            | text    | indexed stored     |
| message         | text    | indexed stored     |
| source_type     | text    | indexed stored     |
| vec_timestamp   | text    | indexed stored     |
+-----------------+---------+--------------------+
mysql> SELECT * FROM dpkg_log LIMIT 3\G
*************************** 1. row ***************************
id: 7856533729353672195
file: /var/log/dpkg.log
host: logstash-787f68f6f-nhdd2
message: 2023-06-05 14:03:04 startup archives install
source_type: file
vec_timestamp: 2023-08-04T15:32:50.203091741Z
*************************** 2. row ***************************
id: 7856533729353672196
file: /var/log/dpkg.log
host: logstash-787f68f6f-nhdd2
message: 2023-06-05 14:03:04 install base-passwd:amd64 <none> 3.5.47
source_type: file
vec_timestamp: 2023-08-04T15:32:50.203808861Z
*************************** 3. row ***************************
id: 7856533729353672197
file: /var/log/dpkg.log
host: logstash-787f68f6f-nhdd2
message: 2023-06-05 14:03:04 status half-installed base-passwd:amd64 3.5.47
source_type: file
vec_timestamp: 2023-08-04T15:32:50.203814031Z

将 Vector.dev 与 Manticore 结合使用，您可以从几乎所有来源收集日志，在传输过程中丰富或清理日志，并将结果存储在可搜索的数据库中。此工作流程在保持可观测性管道简单的同时，仍可在需要时启用高级转换。

Kibana 是一个可视化界面，允许您探索、可视化和创建日志数据的仪表盘。将 Kibana 与 Manticore Search 集成可以比 Elasticsearch 加快 Kibana 可视化加载速度高达 3 倍，如该演示中所示。此集成使用户能够通过交互式仪表盘、自定义可视化和实时搜索功能无缝分析其数据。它还通过支持 Logstash 和 Filebeat 等工具简化了处理多样数据源的过程，从而实现流畅的数据摄取，使其成为日志分析工作流的绝佳选择。

1. 下载 Kibana：确保下载与 Manticore 兼容的 Kibana 版本。目前，推荐并测试的版本为 7.6.0。其他 7.x 版本可能可用，但可能带来问题。不支持 8.x 版本。
2. 验证 Manticore：确保您的 Manticore 实例正在运行且其 HTTP API 可访问（默认地址：http://localhost:9308）。

1. 打开 Kibana 配置文件（kibana.yml）。
2. 设置您的 Manticore 实例的 URL：

   elasticsearch.hosts: ["http://localhost:9308"]

3. 启动 Kibana 并在浏览器中打开 http://localhost:5601。如有必要，将 localhost 替换为服务器的 IP 或主机名。

注意：Manticore 在与 Kibana 配合使用时不需要进行身份验证设置。另请注意，Manticore 必须在实时模式下工作才能与 Kibana 集成。

    listen = 127.0.0.1:9308:http
    pid_file = /var/run/manticore/searchd.pid
    data_dir = /var/lib/manticore
 }

## Supported Features
### Discover
- Use the **Discover** tab in Kibana to search and filter your data interactively.
- Refine your searches using the query bar with simple queries in the %Kibana query language [https://www.elastic.co/guide/en/kibana/current/kuery-query.html] %.

### Visualizations
- Navigate to **Visualizations** to create custom visualizations:
  - Create a table pattern (it’s called an 'index pattern' in Kibana) if one doesn’t already exist to define your data source.
  - Choose a visualization type (e.g., bar chart, line chart, or pie chart).
  - Configure your visualization, execute it, and explore your data.
  - Save your visualizations for future use.

### Dashboards
- Access **Dashboards** to create or view interactive dashboards:
  - Add visualizations, filters, or controls for a personalized experience.
  - Interact with your data directly from the dashboard.
  - Save dashboards for future use.

### Management
- Go to **Management > Kibana** to customize settings like default time zones and visualization preferences.

## Limitations
- Currently, Kibana version 7.6.0 is tested and recommended. Other 7.x versions may work but could cause issues. Versions 8.x are not supported.
- The following Elasticsearch-specific field types are not supported:
  - %Spatial data types [https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping-types.html#spatial_datatypes] %
  - %Structured data types [https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping-types.html#structured-data-types] %
  - %Document ranking types [https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping-types.html#document-ranking-types] %
  - %Text search types [https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping-types.html#text-search-types] % (except for plain 'text')
  - %Relational data types [https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping-types.html#object-types] %
- Metric aggregation functions are limited to %those supported by Manticore [../Searching/Grouping.md#Aggregation-functions] %.
- The following Kibana tools are not supported:
  - %Canvas [https://www.elastic.co/guide/en/kibana/7.6/canvas.html] % – A visualization and presentation tool for combining data with colors and images.
  - %Elastic Maps [https://www.elastic.co/guide/en/kibana/7.6/maps.html] % – A tool for analyzing geographical data.
  - %Metrics [https://www.elastic.co/guide/en/kibana/7.6/xpack-infra.html] % – An app for monitoring infrastructure metrics.
  - %Logs [https://www.elastic.co/guide/en/kibana/7.6/xpack-logs.html] % – A console-like display for exploring logs from common services.
  - Monitoring:
    - %Uptime [https://www.elastic.co/guide/en/kibana/7.6/xpack-uptime.html] % – Monitors the status of network endpoints via HTTP/S, TCP, and ICMP.
    - %APM (Application Performance Monitoring) [https://www.elastic.co/guide/en/kibana/7.6/xpack-apm.html] % – Collects in-depth performance metrics from applications.
    - %SIEM (Security Information and Event Management) [https://www.elastic.co/guide/en/kibana/7.6/xpack-siem.html] % – An interactive workspace for security teams to triage events and conduct initial investigations.
    - %ILM (Index lifecycle management) [https://www.elastic.co/guide/en/elasticsearch/reference/7.6/index-lifecycle-management.html] % - Automatically manage indices according to performance, resiliency, and retention requirements.
    - %Stack Monitoring [https://www.elastic.co/guide/en/kibana/7.6/xpack-monitoring.html] % – Provides visualizations of monitoring data across the Elastic Stack.
  - %Elasticsearch Management [https://www.elastic.co/guide/en/kibana/7.6/management.html] % – A UI for managing Elastic Stack objects, including ILM (Index Lifecycle Management), etc.

## Data Ingestion and Exploration
Integrate Manticore with tools like %Logstash [../Integration/Logstash.md] %, %Filebeat [../Integration/Filebeat.md] %, %Fluentbit [https://manticoresearch.com/blog/integration-of-manticore-with-fluentbit/] %, or %Vector.dev [https://manticoresearch.com/blog/integration-of-manticore-with-vectordev/] % to ingest data from sources like web logs. Once the data is loaded into Manticore, you can explore and visualize it in Kibana.