logstash收集syslog日志
logstash收集syslog日志
注意:生产用syslog收集日志!!!
编写logstash配置文件
#首先我用rubydebug测试数据
[root@elk-node1 conf.d]# cat syslog.conf
input{
syslog{
type => "system-syslog"
host => "192.168.247.135"
port => "514"
}
}
output{
stdout{
codec => "rubydebug"
}
#检查语法
[root@elk-node1 conf.d]# /opt/logstash/bin/logstash -f /etc/logstash/conf.d/syslog.conf --configtest
Configuration OK
You have new mail in /var/spool/mail/root
[root@elk-node1 ~]# ss -lntp|grep 514
LISTEN 0 50 ::ffff:192.168.247.135:514 :::* users:(("java",pid=9605,fd=14))
#修改rsyslog配置文件让其能访问
[root@elk-node1 ~]# vim /etc/rsyslog.conf
*.* @@192.168.247.135:514
[root@elk-node1 ~]# systemctl restart rsyslog
[root@elk-node1 ~]#
#运行测试
[root@elk-node1 conf.d]# /opt/logstash/bin/logstash -f /etc/logstash/conf.d/syslog.conf
Settings: Default filter workers: 1
Logstash startup completed
{
"message" => "Registered Authentication Agent for unix-process:9680:2638370 (system bus name :1.490 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)\n",
"@version" => "1",
"@timestamp" => "2018-07-15T10:08:58.000Z",
"type" => "system-syslog",
"host" => "192.168.247.135",
"priority" => 85,
"timestamp" => "Jul 15 18:08:58",
"logsource" => "elk-node1",
"program" => "polkitd",
"pid" => "686",
"severity" => 5,
"facility" => 10,
"facility_label" => "security/authorization",
"severity_label" => "Notice"
}
#添加到elk-log.yml文件
[root@elk-node1 conf.d]# cat elk_log.conf
input {
file {
path => "/var/log/messages"
type => "system"
start_position => "beginning"
}
file {
path => "/var/log/elasticsearch/hejianlai.log"
type => "es-error"
start_position => "beginning"
codec => multiline {
pattern => "^\["
negate => true
what => "previous"
}
}
file {
path => "/var/log/nginx/access_json.log"
codec => json
start_position => "beginning"
type => "nginx-log"
}
syslog{
type => "system-syslog"
host => "192.168.247.135"
port => "514"
}
}
output { if [type] == "system"{
elasticsearch {
hosts => ["192.168.247.135:9200"]
index => "systemlog-%{+YYYY.MM.dd}"
}
} if [type] == "es-error"{
elasticsearch {
hosts => ["192.168.247.135:9200"]
index => "es-error-%{+YYYY.MM.dd}"
}
}
if [type] == "nginx-log"{
elasticsearch {
hosts => ["192.168.247.135:9200"]
index => "nginx-log-%{+YYYY.MM.dd}"
}
}
if [type] == "system-syslog"{
elasticsearch {
hosts => ["192.168.247.135:9200"]
index => "system-syslog-log-%{+YYYY.MM.dd}"
}
}
} #检查语法
[root@elk-node1 conf.d]# /opt/logstash/bin/logstash -f /etc/logstash/conf.d/elk_log.conf --configtestConfiguration OK
#后台运行
[root@elk-node1 conf.d]# ps aux|grep elk|awk '{print $2}'|xargs kill -9
kill: sending signal to 9780 failed: No such process
You have new mail in /var/spool/mail/root
[root@elk-node1 conf.d]# ps aux|grep elk|awk '{print $2}'
9785
[1]+ Killed /opt/logstash/bin/logstash -f /etc/logstash/conf.d/elk_log.conf (wd: ~)
(wd now: /etc/logstash/conf.d)
[root@elk-node1 conf.d]# ps aux|grep elk
root 9788 0.0 0.0 112704 972 pts/0 R+ 18:18 0:00 grep --color=auto elk
[root@elk-node1 conf.d]# /opt/logstash/bin/logstash -f /etc/logstash/conf.d/elk_log.conf &
[1] 9789
#手动添加日志
[root@elk-node1 conf.d]# logger "you hao"
[root@elk-node1 conf.d]# logger "hello world"
[root@elk-node1 conf.d]# logger "跟我一起学猫叫,一起喵喵喵"
Kibana设置
看hand插件上我们能看到system-syslog索引
Kibana上添加system-syslog索引
完美
logstash收集syslog日志的更多相关文章
- logstash收集springboot日志
logstash收集springboot日志 maven依赖 <dependency> <groupId>net.logstash.logback</groupId> ...
- logstash收集的日志输出到elasticsearch中
logstash收集的日志输出到elasticsearch中 一.需求 二.实现步骤 1.编写pipeline文件 1.`elasticsearch`配置参数解析: 2.可能会报的一个异常 2.准备测 ...
- logstash收集rsyslog日志
(1)rsyslog配置 在192.168.1.31配置 #vim /etc/rsyslog.conf *.* @@192.168.1.32:514 //所有设备名,所有日志级别都发送到192.168 ...
- logstash收集java日志,多行合并成一行
使用codec的multiline插件实现多行匹配,这是一个可以将多行进行合并的插件,而且可以使用what指定将匹配到的行与前面的行合并还是和后面的行合并. 1.java日志收集测试 input { ...
- 构建Logstash+tomcat镜像(让logstash收集tomcat日志)
1.首先pull logstash镜像作为父镜像(logstash的Dockerfile在最下面): 2.构建my-logstash镜像,使其在docker镜像实例化时,可以使用自定义的logstas ...
- Logstash收集nginx日志之使用grok过滤插件解析日志
grok作为一个logstash的过滤插件,支持根据模式解析文本日志行,拆成字段. nginx日志的配置: log_format main '$remote_addr - $remote_user [ ...
- logstash收集Nginx日志,转换为JSON格式
Nginx日志处理为JSON格式,并放置在http区块: log_format json '{"@timestamp":"$time_iso8601",' '& ...
- logstash收集nginx日志
(1)安装nginx 1.安装nginx yum install epel-release -y yum install nginx -y 2.修改日志文件格式为json #vim /etc/ngin ...
- Logstash 收集 IIS 日志
日志样例 查看 IIS 日志配置,选择格式为 W3C(默认字段设置)保存生效. 2016-02-25 01:27:04 112.74.74.124 GET /goods/list/0/1.html - ...
随机推荐
- MySQL 1053错误 服务无法正常启动的解决方法
MySQL 1053错误 服务无法正常启动的解决方法 1.右键我的电脑,管理,进入服务 2.右键单击Mysql8 属性,选择登陆 选择此账号 登陆管理员账号
- oracle 关于房贷计算过程
create or replace procedure fd(p_bj in number, --贷款本金 p_nll in number, --年利率 p_ns in number, --贷款年数 ...
- Jmeter 聚合报告---测试结果分析
当我们测试完后,最关心就是结果数据了,下面一起来分析Jmeter聚合报告数据. 首先来看下Jmeter的help是如何解释这些含义的. 1.Label - The label of the sampl ...
- DarwinStreamServer 6.0.3 rtsp服务器搭建
14:46:34 环境:Centos 7.3 编译安装 1.下载Darwin源码 http://dss.macosforge.org/downloads/DarwinStreamingSrvr6.0. ...
- kali 日志
MAC协议安全攻防 kali 攻击 输入 macof -i eth0 -i 选择网卡 防御 使用交换机的安全特性 Port Security DCRS 需要开启 mac地址表学习使用cpu控制 mac ...
- HDU 2516 斐波那契博弈
点这里去看题 n为斐波那契数时,先手败,推断方法见算法讲堂 #include<bits/stdc++.h> using namespace std; int main() { ],i,n, ...
- Borg, Omega, and Kubernetes读后笔记
前言 最近又读了一遍 Borg, Omega, and Kubernetes 这篇文章,觉得这个文章写得很好,让我对架构设计有了进一步的认识,所以想写一篇读后笔记. 原文地址,还有篇中文翻译的,这个中 ...
- Solr Cloud安装
1. zookeeper-3.4.10安装: zoo.cfg配置文件: dataDir=/usr/share/zookeeper/data/ clientPort=2181 server.1=10.0 ...
- xmlhttprequest readyState 属性的五种状态
关于readystate五个状态总结如下: readyState 状态 状态说明(0)未初始化此阶段确认XMLHttpRequest对象是否创建,并为调用open()方法进行未初始化作好准备.值 ...
- 解压->静态库.a文件
1. cd /Volumes/HHD/PQS/apple/Public 2. file com_PQS.a com_PQS.a: Mach-O universal binary with 5 arch ...