logstash收集syslog日志
logstash收集syslog日志
注意:生产用syslog收集日志!!!
编写logstash配置文件
#首先我用rubydebug测试数据
[root@elk-node1 conf.d]# cat syslog.conf
input{
syslog{
type => "system-syslog"
host => "192.168.247.135"
port => "514"
}
}
output{
stdout{
codec => "rubydebug"
}
#检查语法
[root@elk-node1 conf.d]# /opt/logstash/bin/logstash -f /etc/logstash/conf.d/syslog.conf --configtest
Configuration OK
You have new mail in /var/spool/mail/root
[root@elk-node1 ~]# ss -lntp|grep 514
LISTEN 0 50 ::ffff:192.168.247.135:514 :::* users:(("java",pid=9605,fd=14))
#修改rsyslog配置文件让其能访问
[root@elk-node1 ~]# vim /etc/rsyslog.conf
*.* @@192.168.247.135:514
[root@elk-node1 ~]# systemctl restart rsyslog
[root@elk-node1 ~]#
#运行测试
[root@elk-node1 conf.d]# /opt/logstash/bin/logstash -f /etc/logstash/conf.d/syslog.conf
Settings: Default filter workers: 1
Logstash startup completed
{
"message" => "Registered Authentication Agent for unix-process:9680:2638370 (system bus name :1.490 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)\n",
"@version" => "1",
"@timestamp" => "2018-07-15T10:08:58.000Z",
"type" => "system-syslog",
"host" => "192.168.247.135",
"priority" => 85,
"timestamp" => "Jul 15 18:08:58",
"logsource" => "elk-node1",
"program" => "polkitd",
"pid" => "686",
"severity" => 5,
"facility" => 10,
"facility_label" => "security/authorization",
"severity_label" => "Notice"
}
#添加到elk-log.yml文件
[root@elk-node1 conf.d]# cat elk_log.conf
input {
file {
path => "/var/log/messages"
type => "system"
start_position => "beginning"
}
file {
path => "/var/log/elasticsearch/hejianlai.log"
type => "es-error"
start_position => "beginning"
codec => multiline {
pattern => "^\["
negate => true
what => "previous"
}
}
file {
path => "/var/log/nginx/access_json.log"
codec => json
start_position => "beginning"
type => "nginx-log"
}
syslog{
type => "system-syslog"
host => "192.168.247.135"
port => "514"
}
}
output { if [type] == "system"{
elasticsearch {
hosts => ["192.168.247.135:9200"]
index => "systemlog-%{+YYYY.MM.dd}"
}
} if [type] == "es-error"{
elasticsearch {
hosts => ["192.168.247.135:9200"]
index => "es-error-%{+YYYY.MM.dd}"
}
}
if [type] == "nginx-log"{
elasticsearch {
hosts => ["192.168.247.135:9200"]
index => "nginx-log-%{+YYYY.MM.dd}"
}
}
if [type] == "system-syslog"{
elasticsearch {
hosts => ["192.168.247.135:9200"]
index => "system-syslog-log-%{+YYYY.MM.dd}"
}
}
} #检查语法
[root@elk-node1 conf.d]# /opt/logstash/bin/logstash -f /etc/logstash/conf.d/elk_log.conf --configtestConfiguration OK
#后台运行
[root@elk-node1 conf.d]# ps aux|grep elk|awk '{print $2}'|xargs kill -9
kill: sending signal to 9780 failed: No such process
You have new mail in /var/spool/mail/root
[root@elk-node1 conf.d]# ps aux|grep elk|awk '{print $2}'
9785
[1]+ Killed /opt/logstash/bin/logstash -f /etc/logstash/conf.d/elk_log.conf (wd: ~)
(wd now: /etc/logstash/conf.d)
[root@elk-node1 conf.d]# ps aux|grep elk
root 9788 0.0 0.0 112704 972 pts/0 R+ 18:18 0:00 grep --color=auto elk
[root@elk-node1 conf.d]# /opt/logstash/bin/logstash -f /etc/logstash/conf.d/elk_log.conf &
[1] 9789
#手动添加日志
[root@elk-node1 conf.d]# logger "you hao"
[root@elk-node1 conf.d]# logger "hello world"
[root@elk-node1 conf.d]# logger "跟我一起学猫叫,一起喵喵喵"
Kibana设置
看hand插件上我们能看到system-syslog索引
Kibana上添加system-syslog索引
完美
logstash收集syslog日志的更多相关文章
- logstash收集springboot日志
logstash收集springboot日志 maven依赖 <dependency> <groupId>net.logstash.logback</groupId> ...
- logstash收集的日志输出到elasticsearch中
logstash收集的日志输出到elasticsearch中 一.需求 二.实现步骤 1.编写pipeline文件 1.`elasticsearch`配置参数解析: 2.可能会报的一个异常 2.准备测 ...
- logstash收集rsyslog日志
(1)rsyslog配置 在192.168.1.31配置 #vim /etc/rsyslog.conf *.* @@192.168.1.32:514 //所有设备名,所有日志级别都发送到192.168 ...
- logstash收集java日志,多行合并成一行
使用codec的multiline插件实现多行匹配,这是一个可以将多行进行合并的插件,而且可以使用what指定将匹配到的行与前面的行合并还是和后面的行合并. 1.java日志收集测试 input { ...
- 构建Logstash+tomcat镜像(让logstash收集tomcat日志)
1.首先pull logstash镜像作为父镜像(logstash的Dockerfile在最下面): 2.构建my-logstash镜像,使其在docker镜像实例化时,可以使用自定义的logstas ...
- Logstash收集nginx日志之使用grok过滤插件解析日志
grok作为一个logstash的过滤插件,支持根据模式解析文本日志行,拆成字段. nginx日志的配置: log_format main '$remote_addr - $remote_user [ ...
- logstash收集Nginx日志,转换为JSON格式
Nginx日志处理为JSON格式,并放置在http区块: log_format json '{"@timestamp":"$time_iso8601",' '& ...
- logstash收集nginx日志
(1)安装nginx 1.安装nginx yum install epel-release -y yum install nginx -y 2.修改日志文件格式为json #vim /etc/ngin ...
- Logstash 收集 IIS 日志
日志样例 查看 IIS 日志配置,选择格式为 W3C(默认字段设置)保存生效. 2016-02-25 01:27:04 112.74.74.124 GET /goods/list/0/1.html - ...
随机推荐
- cytoscape.js
http://js.cytoscape.org/ HTML 报告中插入动态网络关系图利器
- 别人的Linux私房菜(13)学习Shell脚本
CentOS6.x以前版本的系统服务启动接口在/etc/init.d/目录下,存放了脚本. Shell脚本因调用外部命令和bash 的一些默认工具,速度较慢,不适合处理大量运算. 执行方式有:直接命令 ...
- 对TIMIT数据进行格式转换(SPHERE2WAV(RIFF))
首先,转换sph2pipe工具所在文件夹(此工具为LDC所提供的SPHERE音频文件转换工具) cd '/home/dream/Research/kaldi-master/tools/sph2pipe ...
- Android端高性能图像分类解决方案
由于公司业务需要,前段时间开始了解AI方面的东西,准备找一个在android端性能较高的前向计算框架,了解了tflite,百度的mdl和腾讯的ncnn,最终敲定ncnn,不失所望,效果很不错,基本达到 ...
- Linux如何挂载U盘
1,以root用户登陆 先加载USB模块 modprobe usb-storage 用fdisk -l 看看U盘的设备 假如U盘是sda1 2,确定在 目录 /mnt 下建立了 文件夹 / ...
- Notepad++编写运行python程序
Notepad++编写运行python程序. 1.菜单栏->语言->P->Python设置语言为Python 2.写好代码后ctrl+s保存文件为py文件 3.菜单栏->运行, ...
- ehcache如何配置
1.pom.xml文件配置(主要针对jar包的引入) <ehcache.version>2.6.9</ehcache.version><ehcache-web.versi ...
- suse 11 pip pip3使用过程中遇到的各种问题
在安装完成python3.6后,使用pip3安装某些插件,报如下错误 linux-9qk9:~ # pip3 install ipython pip is configured with locati ...
- python PyInstaller 库
https://www.cnblogs.com/gopythoner/p/6337543.html https://www.cnblogs.com/duan-qs/p/6548875.html htt ...
- MySQL数据库(五)使用pymysql对数据库进行增删改查
折腾好半天的数据库连接,由于之前未安装 pip ,而且自己用的python 版本为3.6. 只能用 pymysql 来连接数据库,(如果有和我一样未安装 pip 的朋友请 点这里http://blog ...