Collecting syslog logs with Logstash 6.x

1. Logstash side

Stop rsyslog on the host running Logstash so that port 514 is free

[root@node1 config]# systemctl stop rsyslog
[root@node1 config]# systemctl status rsyslog
● rsyslog.service - System Logging Service
   Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
   Active: inactive (dead) since Thu 2018-04-26 14:32:34 CST; 1min 58s ago
  Process: 3915 ExecStart=/usr/sbin/rsyslogd -n $SYSLOGD_OPTIONS (code=exited, status=0/SUCCESS)
 Main PID: 3915 (code=exited, status=0/SUCCESS)

Apr 26 14:25:16 node1 systemd[1]: Starting System Logging Service...
Apr 26 14:25:16 node1 systemd[1]: Started System Logging Service.
Apr 26 14:32:34 node1 systemd[1]: Stopping System Logging Service...
Apr 26 14:32:34 node1 systemd[1]: Stopped System Logging Service.
[root@node1 config]#

Write the Logstash configuration file

[root@node1 logstash-6.2.3]# vi config/local_syslog.conf
[root@node1 logstash-6.2.3]# cat config/local_syslog.conf
input {
  syslog {
    type => "rsyslog"
    port => "514"
  }
}
output {
  stdout {
    codec => rubydebug
  }
}

Start Logstash

[root@node1 logstash-6.2.3]# bin/logstash -f config/local_syslog.conf
Sending Logstash's logs to /var/log/logstash which is now configured via log4j2.properties
[2018-04-26T14:39:57,627][INFO ][logstash.modules.scaffold] Initializing module {:module_name=>"netflow", :directory=>"/opt/logstash-6.2.3/modules/netflow/configuration"}
[2018-04-26T14:39:57,650][INFO ][logstash.modules.scaffold] Initializing module {:module_name=>"fb_apache", :directory=>"/opt/logstash-6.2.3/modules/fb_apache/configuration"}
[2018-04-26T14:39:58,301][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified
[2018-04-26T14:39:59,346][INFO ][logstash.runner          ] Starting Logstash {"logstash.version"=>"6.2.3"}
[2018-04-26T14:40:00,022][INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9600}
[2018-04-26T14:40:04,438][INFO ][logstash.pipeline        ] Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>4, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50}
[2018-04-26T14:40:04,901][INFO ][logstash.pipeline        ] Pipeline started succesfully {:pipeline_id=>"main", :thread=>"#<Thread:0x518728c7 run>"}
[2018-04-26T14:40:04,989][INFO ][logstash.inputs.syslog   ] Starting syslog udp listener {:address=>"0.0.0.0:514"}
[2018-04-26T14:40:05,013][INFO ][logstash.inputs.syslog   ] Starting syslog tcp listener {:address=>"0.0.0.0:514"}
[2018-04-26T14:40:05,034][INFO ][logstash.agent           ] Pipelines running {:count=>1, :pipelines=>["main"]}

Check the port

[root@node1 config]# netstat -anp|grep 514
tcp6       0      0 :::514                  :::*                    LISTEN      4260/java           
udp        0      0 0.0.0.0:514             0.0.0.0:*                           4260/java           
unix  2      [ ACC ]     STREAM     LISTENING     15141    822/mcelog           /var/run/mcelog-client
unix  2      [ ]         DGRAM                    15147    828/chronyd          
[root@node1 config]#

Port 514 is now held by Logstash, on both TCP and UDP.

2. syslog side

Switch to the other server, node2, and configure rsyslog

[root@node2 ~]# vi /etc/rsyslog.conf

Add the line *.* @@node1:514 so that all logs are forwarded to the remote Logstash (the @@ prefix forwards over TCP; a single @ would use UDP).

# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
*.* @@node1:514

Restart rsyslog

[root@node2 ~]# systemctl restart rsyslog

3. Logstash side receives the data

Logstash now receives node2's syslog messages; each event carries the priority, facility and severity fields that the syslog input parsed out of the frame:

[2018-04-26T14:45:18,361][INFO ][logstash.inputs.syslog   ] new connection {:client=>"10.17.12.157:55204"}
{
    "severity_label" => "Informational",
    "facility_label" => "system",
         "timestamp" => "Apr 26 14:39:23",
          "severity" => 6,
              "host" => "10.17.12.157",
           "message" => "Stopping System Logging Service...\n",
          "@version" => "1",
           "program" => "systemd",
        "@timestamp" => 2018-04-26T06:39:23.000Z,
              "type" => "rsyslog",
          "priority" => 30,
         "logsource" => "node2",
          "facility" => 3
}
{
    "severity_label" => "Informational",
    "facility_label" => "system",
         "timestamp" => "Apr 26 14:39:23",
          "severity" => 6,
              "host" => "10.17.12.157",
           "message" => "Stopped System Logging Service.\n",
          "@version" => "1",
           "program" => "systemd",
        "@timestamp" => 2018-04-26T06:39:23.000Z,
              "type" => "rsyslog",
          "priority" => 30,
         "logsource" => "node2",
          "facility" => 3
}
{
    "severity_label" => "Notice",
    "facility_label" => "security/authorization",
         "timestamp" => "Apr 26 14:39:23",
          "severity" => 5,
              "host" => "10.17.12.157",
           "message" => "Unregistered Authentication Agent for unix-process:4601:59761164 (system bus name :1.2556, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.utf8) (disconnected from bus)\n",
          "@version" => "1",
           "program" => "polkitd",
        "@timestamp" => 2018-04-26T06:39:23.000Z,
              "type" => "rsyslog",
          "priority" => 85,
               "pid" => "762",
         "logsource" => "node2",
          "facility" => 10
}
{
    "severity_label" => "Informational",
    "facility_label" => "system",
         "timestamp" => "Apr 26 14:40:01",
          "severity" => 6,
              "host" => "10.17.12.157",
           "message" => "Started Session 1235 of user root.\n",
          "@version" => "1",
           "program" => "systemd",
        "@timestamp" => 2018-04-26T06:40:01.000Z,
              "type" => "rsyslog",
          "priority" => 30,
         "logsource" => "node2",
          "facility" => 3
}
{
    "severity_label" => "Informational",
    "facility_label" => "system",
         "timestamp" => "Apr 26 14:40:01",
          "severity" => 6,
              "host" => "10.17.12.157",
           "message" => "Starting Session 1235 of user root.\n",
          "@version" => "1",
           "program" => "systemd",
        "@timestamp" => 2018-04-26T06:40:01.000Z,
              "type" => "rsyslog",
          "priority" => 30,
         "logsource" => "node2",
          "facility" => 3
}
{
    "severity_label" => "Informational",
    "facility_label" => "clock",
         "timestamp" => "Apr 26 14:40:01",
          "severity" => 6,
              "host" => "10.17.12.157",
           "message" => "(root) CMD (/usr/lib64/sa/sa1 1 1)\n",
          "@version" => "1",
           "program" => "CROND",
        "@timestamp" => 2018-04-26T06:40:01.000Z,
              "type" => "rsyslog",
          "priority" => 78,
               "pid" => "4640",
         "logsource" => "node2",
          "facility" => 9
}
{
    "severity_label" => "Notice",
    "facility_label" => "security/authorization",
         "timestamp" => "Apr 26 14:45:18",
          "severity" => 5,
              "host" => "10.17.12.157",
           "message" => "Registered Authentication Agent for unix-process:4786:59796608 (system bus name :1.2559 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.utf8)\n",
          "@version" => "1",
           "program" => "polkitd",
        "@timestamp" => 2018-04-26T06:45:18.000Z,
              "type" => "rsyslog",
          "priority" => 85,
               "pid" => "762",
         "logsource" => "node2",
          "facility" => 10
}
{
    "severity_label" => "Informational",
    "facility_label" => "system",
         "timestamp" => "Apr 26 14:45:18",
          "severity" => 6,
              "host" => "10.17.12.157",
           "message" => "Starting System Logging Service...\n",
          "@version" => "1",
           "program" => "systemd",
        "@timestamp" => 2018-04-26T06:45:18.000Z,
              "type" => "rsyslog",
          "priority" => 30,
         "logsource" => "node2",
          "facility" => 3
}
{
    "severity_label" => "Informational",
    "facility_label" => "system",
         "timestamp" => "Apr 26 14:45:18",
          "severity" => 6,
              "host" => "10.17.12.157",
           "message" => "Started System Logging Service.\n",
          "@version" => "1",
           "program" => "systemd",
        "@timestamp" => 2018-04-26T06:45:18.000Z,
              "type" => "rsyslog",
          "priority" => 30,
         "logsource" => "node2",
          "facility" => 3
}
{
    "severity_label" => "Notice",
    "facility_label" => "security/authorization",
         "timestamp" => "Apr 26 14:45:18",
          "severity" => 5,
              "host" => "10.17.12.157",
           "message" => "Unregistered Authentication Agent for unix-process:4786:59796608 (system bus name :1.2559, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.utf8) (disconnected from bus)\n",
          "@version" => "1",
           "program" => "polkitd",
        "@timestamp" => 2018-04-26T06:45:18.000Z,
              "type" => "rsyslog",
          "priority" => 85,
               "pid" => "762",
         "logsource" => "node2",
          "facility" => 10
}
{
    "severity_label" => "Informational",
    "facility_label" => "syslogd",
         "timestamp" => "Apr 26 14:45:18",
          "severity" => 6,
              "host" => "10.17.12.157",
           "message" => "[origin software=\"rsyslogd\" swVersion=\"7.4.7\" x-pid=\"4792\" x-info=\"http://www.rsyslog.com\"] start\n",
          "@version" => "1",
           "program" => "rsyslogd",
        "@timestamp" => 2018-04-26T06:45:18.000Z,
              "type" => "rsyslog",
          "priority" => 46,
         "logsource" => "node2",
          "facility" => 5
}
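Each event above comes from an RFC 3164 frame that rsyslog sends as <PRI>timestamp host program[pid]: message, and the numeric priority is decoded as facility * 8 + severity (30 = system/Informational, 85 = security/authorization/Notice, 78 = clock/Informational, 46 = syslogd/Informational). The decoder below is an added example, not Logstash's own code; the sample frames are constructed to mirror the node2 events, and the _grokparsefailure tag is this example's own name for lines that do not parse.

```python
import re

# Facility and severity names in the form the Logstash syslog input shows them
# in the events above; facility 10 repeats "security/authorization" (RFC 3164
# reserves both 4 and 10 for it), which is why polkitd events show facility 10.
FACILITY_LABELS = [
    "kernel", "user-level", "mail", "system", "security/authorization",
    "syslogd", "line printer", "network news", "uucp", "clock",
    "security/authorization", "ftp", "ntp", "log audit", "log alert", "clock",
] + ["local%d" % i for i in range(8)]
SEVERITY_LABELS = ["Emergency", "Alert", "Critical", "Error",
                   "Warning", "Notice", "Informational", "Debug"]
# RFC 3164 frame as rsyslog sends it through the "*.* @@node1:514" rule:
# <PRI>Mmm dd HH:MM:SS logsource program[pid]: message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<logsource>\S+) "
    r"(?P<program>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<message>.*)$"
)

def parse_syslog(line):
    """Split one syslog frame into the fields seen in the rubydebug output."""
    m = SYSLOG_RE.match(line)
    # 191 = 23*8 + 7 is the largest PRI that maps onto a defined facility.
    if not m or int(m.group("pri")) > 191:
        # Keep the raw line and tag it instead of dropping it, so malformed
        # or unexpected frames stay visible to whoever reviews the stream.
        return {"message": line, "tags": ["_grokparsefailure"]}
    pri = int(m.group("pri"))
    facility, severity = divmod(pri, 8)  # PRI = facility * 8 + severity
    event = {
        "priority": pri,
        "facility": facility, "facility_label": FACILITY_LABELS[facility],
        "severity": severity, "severity_label": SEVERITY_LABELS[severity],
        "timestamp": m.group("timestamp"), "logsource": m.group("logsource"),
        "program": m.group("program"), "message": m.group("message"),
    }
    if m.group("pid"):
        event["pid"] = m.group("pid")
    return event

# Constructed sample frames modelled on the node2 events above.
SAMPLES = [
    "<30>Apr 26 14:39:23 node2 systemd: Stopping System Logging Service...",
    "<85>Apr 26 14:39:23 node2 polkitd[762]: Unregistered Authentication Agent",
    "<78>Apr 26 14:40:01 node2 CROND[4640]: (root) CMD (/usr/lib64/sa/sa1 1 1)",
]
```

Running parse_syslog over SAMPLES reproduces the priority, facility and severity values shown in the three matching events above.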