- 部署两个 logstash 高可用
- 全部交换机配置日志发送给两个 logstash
- logstash 分别从 514 和 5000 两个 udp 端口接收 H3C 和 Cisco 的日志
- logstash 使用不同的 grok 表达式解析两种交换机的日志,将日志级别作为告警阈值
- logstash 设置 @timestamp 字段为当前时区的时间,作为日志采集时间
- logstash 通过 fingerprint 设置两台高可用的去重标识,供 es 进行去重处理
- logstash 将数据发送给 es
- 开发应用程序,每分钟轮询近 3 分钟内需要发送但尚未发送的告警日志,发出通知。3 分钟是为了避免发版重启服务导致丢失通知,可以适当延长
input {
  # H3C switches point their syslog at UDP/514; Cisco switches at UDP/5000.
  # The port is the only thing that tells the two vendors apart, so each input
  # stamps [type] and the filter stage branches on it.
  # No `host` is given, so both listeners bind every interface. Syslog over UDP
  # carries no sender authentication: anything that can reach these ports can
  # inject or spoof events, so reachability should be limited to the switch
  # management network at the host or network firewall.
  udp {
    type => 'H3C'
    port => 514    # below 1024: on Linux this typically needs CAP_NET_BIND_SERVICE or root
  }
  udp {
    type => 'Cisco'
    port => 5000
  }
}
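filter {
  # Per-vendor parsing. Each pattern exists only to pull out the numeric syslog
  # severity (0-7, used downstream as the alert threshold) plus, for H3C, the
  # device's own hostname; the full line stays in [message]. A line that does
  # not match is tagged _grokparsefailure and carries no [severity], so the
  # alerting app must treat a missing severity as "unknown", not as 0.
  if [type] == "H3C" {
    grok {
      # Layout assumed by the pattern: "<PRI>MMM dd HH:mm:ss YYYY hostname %%MODULE/SEV/...".
      # Everything except hostname and severity is captured only to get past it.
      match => { "message" => "<%{BASE10NUM:syslog_pri}>%{SYSLOGTIMESTAMP:time} %{YEAR:year} %{DATA:hostname} %%%{DATA:ddModuleName}/%{POSINT:severity}/" }
      remove_field => ["syslog_pri", "ddModuleName", "year", "time"]
    }
  }
  if [type] == "Cisco" {
    grok {
      # Cisco lines carry %FACILITY-SEVERITY-MNEMONIC; DATA is lazy, so this
      # takes the first "-<number>-" in the line. The pattern is unanchored:
      # free text ahead of the facility tag containing "-N-" would win, so
      # confirm against real samples if severities look wrong.
      match => { "message" => "%{DATA:other}-%{POSINT:severity}-" }
      remove_field => ["other"]
    }
  }

  # Rewrite @timestamp to local wall-clock time (UTC+8) so Kibana and the daily
  # index name (%{+YYYY.MM.dd} in the output) follow the local day. The
  # intermediate field is needed because @timestamp only accepts a Logstash
  # timestamp, which the event setter produces when converting the Ruby Time.
  # NOTE(review): the stored instant is 8 h ahead of real time - it is a UTC+8
  # wall clock labelled as UTC. Consumers that read @timestamp as naive local
  # time (the "last 3 minutes" alert poller) get what they expect; anything
  # that treats it as UTC (browser-tz Kibana, age-based retention) is off by
  # 8 h. The offset is hard-coded and does not follow the host time zone.
  ruby {
    code => "event.set('timestamp', event.get('@timestamp').time.localtime + 8*60*60)"
  }
  ruby {
    code => "event.set('@timestamp', event.get('timestamp'))"
  }

  mutate {
    remove_field => ["timestamp"]
    # Which collector received the event. The address shown is a placeholder:
    # set it to this node's own address on each of the two Logstash hosts.
    # Because both nodes write the same document_id, only the last writer's
    # value survives in ES.
    add_field => {"logreceiver" => "1.2.3.4"}
  }

  # Deduplication key shared by the two collectors: both receive the same
  # datagram, hash the same [message] and write it under the same document_id,
  # so ES keeps a single copy. Hashing only [message] means a device that logs
  # the identical line twice within one device-timestamp tick (or with no
  # device timestamp at all) collapses into one document per day - fine for
  # alerting, not for counting events.
  fingerprint {
    source => ["message"]
    target => "[@metadata][fingerprint]"
    # Was MURMUR3: a 32-bit, non-cryptographic hash. At syslog volumes the
    # birthday bound makes unrelated messages share an id within one daily
    # index, and the second one silently overwrites the first. SHA256 removes
    # that; base64encode (it only applies to the SHA*/MD5 methods, so it was a
    # no-op before) keeps the id short. Switch both nodes at the same time,
    # otherwise the old and new id formats do not deduplicate against each
    # other. NOTE(review): older fingerprint plugin versions required `key`
    # for the SHA methods - check the installed version.
    method => "SHA256"
    base64encode => true
  }
}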
output {
  elasticsearch {
    # Plain http with no credentials or TLS options, so the cluster must only
    # be reachable from the two collectors; if the cluster has security
    # enabled, add `ssl`, `cacert` and `user`/`password` here. The addresses
    # look like placeholders - fill in the real cluster.
    hosts => ['1.1.1.1:9200', '1.1.1.2:9200', '1.1.1.3:9200']
    # One index per day, dated from @timestamp (already shifted to local time
    # in the filter stage), so the day boundary is local midnight.
    index => 'netlog-%{+YYYY.MM.dd}'
    # Both collectors write the same fingerprint as _id; with the default index
    # action the later arrival overwrites the earlier one, which is how the
    # two-node setup deduplicates. Dedup only holds within one daily index.
    document_id => '%{[@metadata][fingerprint]}'
  }
}