  • ELK监控交换机日志

    一、首先部署logstash监控UDP514端口,新建一个配置文件cisco.conf

    交换机是通过配置远程 syslog 服务器来把日志发到日志服务器的(本文测试阶段用另一台 Linux 上的 rsyslog 代替交换机发送),所以需要在 logstash 上配置 syslog 输入并监听 514 端口。注意 logstash 的 syslog 输入会同时打开 UDP 和 TCP 两个 514 监听,且不设置 host 时默认绑定 0.0.0.0(所有网卡);syslog 协议本身没有任何认证,任何能访问该端口的主机都可以往里注入伪造的日志记录,因此应当用防火墙/ACL 把 514 的入站来源限制为交换机的管理地址。

    [root@server-1 conf.d]# cd /etc/logstash/conf.d/
    [root@server-1 conf.d]# vim cisco.conf
    
    

    # Test pipeline: receive syslog on port 514 and dump each parsed event to
    # the console.
    #
    # NOTE: the syslog input opens BOTH a UDP and a TCP listener on this port
    # (see the "Starting syslog udp listener" / "Starting syslog tcp listener"
    # lines in the startup output below), and with no `host` set it binds
    # 0.0.0.0, i.e. every interface on the box.
    # Syslog carries no authentication: any host that can reach this port can
    # inject forged events, so restrict it (firewall/ACL) to the switches'
    # management addresses. 514 is a privileged port (< 1024); prefer an
    # unprivileged one (e.g. 5514) over running Logstash as root.
    input{
     syslog{
       port => 514
     }
    }

    
    

    # Debug output only: print every event to stdout in rubydebug format.
    # Replace with the elasticsearch output once the input is confirmed working.
    output{

      stdout{
       codec => rubydebug
      }
    }

     

    二、加载配置文件(这里是在 root shell 中手动前台运行的,所以能否绑定 514 端口与 logstash 服务的运行用户无关;下面的 WARNING 表示没有找到 logstash.yml,手动运行时建议加上 --path.settings /etc/logstash,以使用和服务一致的设置和日志配置)

    [root@server-1 conf.d]# logstash -f /etc/logstash/conf.d/cisco.conf
    WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults
    Could not find log4j2 configuration at path /usr/share/logstash/config/log4j2.properties. Using default config which logs errors to the console
    [INFO ] 2019-11-05 14:18:11.331 [main] scaffold - Initializing module {:module_name=>"fb_apache", :directory=>"/usr/share/logstash/modules/fb_apache/configuration"}
    [INFO ] 2019-11-05 14:18:11.339 [main] scaffold - Initializing module {:module_name=>"netflow", :directory=>"/usr/share/logstash/modules/netflow/configuration"}
    [WARN ] 2019-11-05 14:18:12.069 [LogStash::Runner] multilocal - Ignoring the 'pipelines.yml' file because modules or command line options are specified
    [INFO ] 2019-11-05 14:18:12.376 [LogStash::Runner] runner - Starting Logstash {"logstash.version"=>"6.2.4"}
    [INFO ] 2019-11-05 14:18:12.621 [Api Webserver] agent - Successfully started Logstash API endpoint {:port=>9600}
    [INFO ] 2019-11-05 14:18:13.955 [Ruby-0-Thread-1: /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/stud-0.0.23/lib/stud/task.rb:22] pipeline - Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>4, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50}
    [INFO ] 2019-11-05 14:18:14.536 [Ruby-0-Thread-1: /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/stud-0.0.23/lib/stud/task.rb:22] pipeline - Pipeline started successfully {:pipeline_id=>"main", :thread=>"#<Thread:0x24057f7e@/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:247 run>"}
    [INFO ] 2019-11-05 14:18:14.545 [Ruby-0-Thread-1: /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/stud-0.0.23/lib/stud/task.rb:22] agent - Pipelines running {:count=>1, :pipelines=>["main"]}
    [INFO ] 2019-11-05 14:18:14.578 [Ruby-0-Thread-15: /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-input-syslog-3.4.1/lib/logstash/inputs/syslog.rb:109] syslog - Starting syslog udp listener {:address=>"0.0.0.0:514"}
    [INFO ] 2019-11-05 14:18:14.595 [Ruby-0-Thread-16: /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-input-syslog-3.4.1/lib/logstash/inputs/syslog.rb:113] syslog - Starting syslog tcp listener {:address=>"0.0.0.0:514"}

    三、测试UDP

    首先看看514端口是否被监听(udp 0.0.0.0:514 表示在所有网卡上监听。另外可以看到另一个 logstash 实例(PID 16102)把 9600 管理 API 绑定在了 172.28.18.69 上而不是默认的 127.0.0.1,该接口默认没有认证,不应暴露给局域网)

    [root@server-1 conf.d]# netstat -tunlp|grep java
    tcp6       0      0 :::5002                 :::*                    LISTEN      16102/java          
    tcp6       0      0 172.28.18.69:9200       :::*                    LISTEN      18608/java          
    tcp6       0      0 :::10001                :::*                    LISTEN      16102/java          
    tcp6       0      0 172.28.18.69:9300       :::*                    LISTEN      18608/java          
    tcp6       0      0 127.0.0.1:9600          :::*                    LISTEN      19444/java          
    tcp6       0      0 172.28.18.69:9600       :::*                    LISTEN      16102/java          
    udp        0      0 0.0.0.0:514             0.0.0.0:*                           19444/java

    然后,使用 tcpdump 命令在 514 端口抓包,确认有数据包发送过来

    [root@server-1 conf.d]# tcpdump -i em1 udp  port 514 -c 100 -n -vvv
    tcpdump: listening on em1, link-type EN10MB (Ethernet), capture size 262144 bytes

    在另外一台 172.28.18.71 服务器上配置好 rsyslog 的远程服务器地址,就可以发送日志到 514 端口了

    [root@localhost ~]# vim /etc/rsyslog.conf

    在 "RULES" 下增加如下语句 "*.*  @@172.28.18.69"。注意 rsyslog 里 @@ 表示用 TCP 转发,@ 才是 UDP;本节标题是"测试UDP",若要走 UDP 应写成 "*.*  @172.28.18.69:514"(后面 logstash 输出里的 "new connection" 行正是 TCP 监听收到的连接)。另外 *.* 会把包括 authpriv 在内的所有日志明文转发,网络上能抓包的人都能看到登录记录,生产环境应只转发需要的 facility,或使用 rsyslog 的 TLS 传输(omfwd + gtls)。

    #### RULES ####
    # Log all kernel messages to the console.
    # Logging much else clutters up the screen.
    #kern.*                                                 /dev/console
    *.*                                                     @@172.28.18.69

    重启rsyslog服务

    [root@localhost ~]# systemctl restart rsyslog

    然后重新登录 172.28.18.71(产生 sshd / systemd-logind 的登录日志),此时在 172.28.18.69 上 tcpdump 监听的 514 端口显示抓到的数据。可以看到 root 从 172.28.146.109 登录的记录以明文出现在抓包里,这正是上面说的为什么要限制转发范围或启用加密传输。

    [root@server-1 conf.d]# tcpdump -i em1 udp  port 514 -c 100 -n -vvv
    tcpdump: listening on em1, link-type EN10MB (Ethernet), capture size 262144 bytes
    10:14:09.093962 IP (tos 0x0, ttl 64, id 40767, offset 0, flags [DF], proto UDP (17), length 132)
        172.28.18.71.60481 > 172.28.18.69.syslog: [udp sum ok] SYSLOG, length: 104
            Facility authpriv (10), Severity info (6)
            Msg: Nov  5 10:14:09 localhost sshd[6587]: Accepted password for root from 172.28.146.109 port 59567 ssh2
            0x0000:  3c38 363e 4e6f 7620 2035 2031 303a 3134
            0x0010:  3a30 3920 6c6f 6361 6c68 6f73 7420 7373
            0x0020:  6864 5b36 3538 375d 3a20 4163 6365 7074
            0x0030:  6564 2070 6173 7377 6f72 6420 666f 7220
            0x0040:  726f 6f74 2066 726f 6d20 3137 322e 3238
            0x0050:  2e31 3436 2e31 3039 2070 6f72 7420 3539
            0x0060:  3536 3720 7373 6832
    10:14:09.101472 IP (tos 0x0, ttl 64, id 40769, offset 0, flags [DF], proto UDP (17), length 104)
        172.28.18.71.60481 > 172.28.18.69.syslog: [udp sum ok] SYSLOG, length: 76
            Facility auth (4), Severity info (6)
            Msg: Nov  5 10:14:09 localhost systemd-logind: New session 4231 of user root.
            0x0000:  3c33 383e 4e6f 7620 2035 2031 303a 3134
            0x0010:  3a30 3920 6c6f 6361 6c68 6f73 7420 7379
            0x0020:  7374 656d 642d 6c6f 6769 6e64 3a20 4e65
            0x0030:  7720 7365 7373 696f 6e20 3432 3331 206f
            0x0040:  6620 7573 6572 2072 6f6f 742e
    10:14:09.101738 IP (tos 0x0, ttl 64, id 40770, offset 0, flags [DF], proto UDP (17), length 101)
        172.28.18.71.60481 > 172.28.18.69.syslog: [udp sum ok] SYSLOG, length: 73
            Facility daemon (3), Severity info (6)
            Msg: Nov  5 10:14:09 localhost systemd: Started Session 4231 of user root.
            0x0000:  3c33 303e 4e6f 7620 2035 2031 303a 3134
            0x0010:  3a30 3920 6c6f 6361 6c68 6f73 7420 7379
            0x0020:  7374 656d 643a 2053 7461 7274 6564 2053
            0x0030:  6573 7369 6f6e 2034 3233 3120 6f66 2075
            0x0040:  7365 7220 726f 6f74 2e
    10:14:09.102645 IP (tos 0x0, ttl 64, id 40771, offset 0, flags [DF], proto UDP (17), length 133)
        172.28.18.71.60481 > 172.28.18.69.syslog: [udp sum ok] SYSLOG, length: 105
            Facility authpriv (10), Severity info (6)
            Msg: Nov  5 10:14:09 localhost sshd[6587]: pam_unix(sshd:session): session opened for user root by (uid=0)
            0x0000:  3c38 363e 4e6f 7620 2035 2031 303a 3134
            0x0010:  3a30 3920 6c6f 6361 6c68 6f73 7420 7373
            0x0020:  6864 5b36 3538 375d 3a20 7061 6d5f 756e
            0x0030:  6978 2873 7368 643a 7365 7373 696f 6e29
            0x0040:  3a20 7365 7373 696f 6e20 6f70 656e 6564
            0x0050:  2066 6f72 2075 7365 7220 726f 6f74 2062
            0x0060:  7920 2875 6964 3d30 29

    但是查看 logstash,却没有数据输出到控制台上,此时查看 logstash 日志。注意下面这段日志来自 /home/logstash/log/logstash-plain.log,记录的是 logstash.inputs.udp 插件在 10:21 的报错,和上面 14:18 在 root shell 中手动启动的 syslog 输入并不是同一次运行;排错前先确认看的是哪个实例、哪个配置文件的日志

    [root@server-1 log]# tail -f /home/logstash/log/logstash-plain.log
    ck in start_input'"]}
    [2019-11-05T10:21:56,087][INFO ][logstash.inputs.udp      ] Starting UDP listener {:address=>"0.0.0.0:514"}
    [2019-11-05T10:21:56,088][WARN ][logstash.inputs.udp      ] UDP listener died {:exception=>#<SocketError: bind: name or service not known>, :backtrace=>["org/jruby/ext/socket/RubyUDPSocket.java:200:in `bind'", "/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-input-udp-3.3.1/lib/logstash/inputs/udp.rb:101:in `udp_listener'", "/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-input-udp-3.3.1/lib/logstash/inputs/udp.rb:57:in `run'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:514:in `inputworker'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:507:in `block in start_input'"]}
    [2019-11-05T10:22:01,088][INFO ][logstash.inputs.udp      ] Starting UDP listener {:address=>"0.0.0.0:514"}
    [2019-11-05T10:22:01,090][WARN ][logstash.inputs.udp      ] UDP listener died {:exception=>#<SocketError: bind: name or service not known>, :backtrace=>["org/jruby/ext/socket/RubyUDPSocket.java:200:in `bind'", "/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-input-udp-3.3.1/lib/logstash/inputs/udp.rb:101:in `udp_listener'", "/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-input-udp-3.3.1/lib/logstash/inputs/udp.rb:57:in `run'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:514:in `inputworker'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:507:in `block in start_input'"]}

    从日志看出报 exception=>#<SocketError: bind: name or service not known> 错误。网上的说法是 514 是特权端口(小于 1024),非 root 用户不能绑定,而 logstash 服务默认以 logstash 用户启动,所以要修改服务的运行用户。但有两点要注意:第一,非 root 绑定特权端口通常报的是 Permission denied,而 "name or service not known" 是地址解析失败的报错,改用户之前先检查 udp/syslog 输入里的 host 参数是不是可解析的地址;第二,即使确认是端口权限问题,也不建议让 logstash 以 root 运行——它解析的是来自网络、未经认证的数据。更安全的做法是让 logstash 监听非特权端口(如 5514),把交换机的日志目标端口改成 5514,或用 iptables 把 514 重定向过去:iptables -t nat -A PREROUTING -p udp --dport 514 -j REDIRECT --to-ports 5514;如果 systemd ≥ 229,也可以在 [Service] 段加 AmbientCapabilities=CAP_NET_BIND_SERVICE 并保留 logstash 用户(从上面 rsyslog 的 v8.24.0-34.el7 版本号看本机应是 EL7,其 systemd 219 不支持该选项,只能用前两种办法)。下面是原作者改为 root 运行的做法,仅作记录:

    停止logstash服务

    [root@server-1 conf.d]# systemctl stop logstash

    修改服务配置

    [root@server-1 conf.d]# vim /etc/systemd/system/logstash.service
    [Unit]
    Description=logstash

    [Service]
    Type=simple
    # Packaged default: Logstash runs as the unprivileged logstash user.
    # An unprivileged user cannot bind ports below 1024 (such as 514); keep
    # these two lines and grant the port another way (unprivileged port +
    # redirect, or CAP_NET_BIND_SERVICE) rather than switching to root.
    User=logstash
    Group=logstash
    # Load env vars from /etc/default/ and /etc/sysconfig/ if they exist.
    # Prefixing the path with '-' makes it try to load, but if the file doesn't
    # exist, it continues onward.
    EnvironmentFile=-/etc/default/logstash
    EnvironmentFile=-/etc/sysconfig/logstash
    # Service runs with the settings in /etc/logstash (logstash.yml,
    # pipelines.yml) -- unlike a bare `logstash -f` from the shell.
    ExecStart=/usr/share/logstash/bin/logstash "--path.settings" "/etc/logstash"
    Restart=always
    WorkingDirectory=/
    Nice=19
    LimitNOFILE=16384

    [Install]
    WantedBy=multi-user.target

    将 User、Group 改为 root(不推荐,理由见上;如果一定要这样做,至少用防火墙把 514 的入站来源限制为交换机的管理地址)

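    [Unit]
    Description=logstash

    [Service]
    Type=simple
    # Keep Logstash unprivileged: it parses unauthenticated data straight off
    # the network, so do NOT switch User/Group to root just to bind port 514.
    User=logstash
    Group=logstash
    # Grant only the one capability needed to bind a port below 1024.
    # Requires systemd >= 229; on older systemd (e.g. EL7's 219) this line is
    # ignored with a warning -- there, listen on an unprivileged port
    # (e.g. 5514) instead and either point the switches at it or redirect
    # 514 -> 5514 with an iptables PREROUTING REDIRECT rule.
    AmbientCapabilities=CAP_NET_BIND_SERVICE
    # Load env vars from /etc/default/ and /etc/sysconfig/ if they exist.
    # Prefixing the path with '-' makes it try to load, but if the file doesn't
    # exist, it continues onward.
    EnvironmentFile=-/etc/default/logstash
    EnvironmentFile=-/etc/sysconfig/logstash
    ExecStart=/usr/share/logstash/bin/logstash "--path.settings" "/etc/logstash"
    Restart=always
    WorkingDirectory=/
    Nice=19
    LimitNOFILE=16384

    [Install]
    WantedBy=multi-user.target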

    保存后先执行 systemctl daemon-reload 让 unit 文件的修改生效,再重启 logstash 服务

    [root@server-1 conf.d]# systemctl start logstash

    先停掉正在占用 514 端口的 logstash 进程(刚启动的 logstash 服务也会绑定 514,两者不能同时运行),再手动加载配置文件。注意这里仍然是在 root shell 中手动运行,所以能否绑定 514 与上面修改服务用户无关

    [root@server-1 conf.d]# logstash -f /etc/logstash/conf.d/cisco.conf
    WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults
    Could not find log4j2 configuration at path /usr/share/logstash/config/log4j2.properties. Using default config which logs errors to the console
    [INFO ] 2019-11-05 14:18:11.331 [main] scaffold - Initializing module {:module_name=>"fb_apache", :directory=>"/usr/share/logstash/modules/fb_apache/configuration"}
    [INFO ] 2019-11-05 14:18:11.339 [main] scaffold - Initializing module {:module_name=>"netflow", :directory=>"/usr/share/logstash/modules/netflow/configuration"}
    [WARN ] 2019-11-05 14:18:12.069 [LogStash::Runner] multilocal - Ignoring the 'pipelines.yml' file because modules or command line options are specified
    [INFO ] 2019-11-05 14:18:12.376 [LogStash::Runner] runner - Starting Logstash {"logstash.version"=>"6.2.4"}
    [INFO ] 2019-11-05 14:18:12.621 [Api Webserver] agent - Successfully started Logstash API endpoint {:port=>9600}
    [INFO ] 2019-11-05 14:18:13.955 [Ruby-0-Thread-1: /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/stud-0.0.23/lib/stud/task.rb:22] pipeline - Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>4, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50}
    [INFO ] 2019-11-05 14:18:14.536 [Ruby-0-Thread-1: /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/stud-0.0.23/lib/stud/task.rb:22] pipeline - Pipeline started successfully {:pipeline_id=>"main", :thread=>"#<Thread:0x24057f7e@/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:247 run>"}
    [INFO ] 2019-11-05 14:18:14.545 [Ruby-0-Thread-1: /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/stud-0.0.23/lib/stud/task.rb:22] agent - Pipelines running {:count=>1, :pipelines=>["main"]}
    [INFO ] 2019-11-05 14:18:14.578 [Ruby-0-Thread-15: /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-input-syslog-3.4.1/lib/logstash/inputs/syslog.rb:109] syslog - Starting syslog udp listener {:address=>"0.0.0.0:514"}
    [INFO ] 2019-11-05 14:18:14.595 [Ruby-0-Thread-16: /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-input-syslog-3.4.1/lib/logstash/inputs/syslog.rb:113] syslog - Starting syslog tcp listener {:address=>"0.0.0.0:514"}
    [INFO ] 2019-11-05 14:18:53.164 [Ruby-0-Thread-17: /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-input-syslog-3.4.1/lib/logstash/inputs/syslog.rb:174] syslog - new connection {:client=>"172.28.18.71:40654"}
    [INFO ] 2019-11-05 14:18:53.183 [Ruby-0-Thread-18: /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-input-syslog-3.4.1/lib/logstash/inputs/syslog.rb:174] syslog - new connection {:client=>"172.28.18.71:40656"}

    再次测试发送数据

    {
              "@version" => "1",
             "logsource" => "localhost",
              "priority" => 30,
              "facility" => 3,
                  "host" => "172.28.18.71",
            "@timestamp" => 2019-11-05T06:18:53.000Z,
             "timestamp" => "Nov  5 14:18:53",
               "program" => "systemd",
        "facility_label" => "system",
              "severity" => 6,
               "message" => "Stopping System Logging Service...
    ",
        "severity_label" => "Informational"
    }
    {
              "@version" => "1",
             "logsource" => "localhost",
              "priority" => 46,
              "facility" => 5,
                  "host" => "172.28.18.71",
            "@timestamp" => 2019-11-05T06:18:53.000Z,
             "timestamp" => "Nov  5 14:18:53",
               "program" => "rsyslogd",
        "facility_label" => "syslogd",
              "severity" => 6,
               "message" => "action 'action 0' resumed (module 'builtin:omfwd') [v8.24.0-34.el7 try http://www.rsyslog.com/e/2359 ]
    ",
        "severity_label" => "Informational"
    }

    logstash 显示日志数据了,修改配置文件将日志输出到 elasticsearch。注意配置文件里不要在 input{ 前面留下多余的 output{ 行,否则 logstash 无法解析该配置。另外这里的 9200 走的是明文 HTTP 且没有任何认证(下面用 curl 不带凭据就能列出索引),生产环境应开启认证和 TLS,或至少把 9200/9300 限制为只允许 logstash 和 kibana 主机访问

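    # Final pipeline: syslog in, Elasticsearch out.
    # The original listing had a stray "output{" line before "input{"; that
    # makes the config unparseable and has been removed here.
    input{
       syslog{
        port => 514     # opens UDP and TCP; binds 0.0.0.0 unless `host` is set
       }
    }

    # Ship events to Elasticsearch. No TLS or credentials are configured in
    # this output (the node also answers an unauthenticated curl over http
    # in the index listing below) -- lock 9200 down or enable auth/TLS.
    output{
        elasticsearch{
          hosts => ["172.28.18.69:9200"]            # Elasticsearch address
          index => "system-cisco-log-%{+YYYY.MM}"   # one index per month
        }
    }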

    重启并加载配置文件,然后在 elasticsearch 服务器上查看索引

    [root@server-1 conf.d]# curl http://172.28.18.69:9200/_cat/indices
    yellow open nginx-172.28.18.75-2019.11.05 WK6Zr5guQ7KSoCLPd8JjqQ 5 1 12086 0   4.5mb   4.5mb
    yellow open system-cisco-log-2019.11      IR__HXPvTfe3HNtQ1HOwFw 5 1    16 0 101.7kb 101.7kb
    green  open .kibana                       QkF9i3nXSAKlNLMLNROM1A 1 0     4 1  23.5kb  23.5kb

    已经生成了 system-cisco-log-2019.11 索引(5 个分片、1 个副本、16 条文档;状态为 yellow 说明副本没有分配,通常是因为只有一个节点)

    四、配置交换机

    交换机侧要把日志服务器指向 172.28.18.69(Cisco IOS 上一般是 logging host 172.28.18.69,可用 transport udp port 5514 指定非特权端口,并用 logging trap 控制发送级别),并确认交换机到该地址的 514/5514 可达且只有交换机管理地址被放行。这样,logstash 就可以接收到交换机日志了

  • 原文地址:https://www.cnblogs.com/sky-cheng/p/11796649.html