zoukankan      html  css  js  c++  java
  • logstash收集TCP与UDP日志

    通过 logstash 的 tcp/udp 插件收集日志,通常用于在向 elasticsearch 日志补录丢
    失的部分日志,可以将丢失的日志写到一个文件,然后通过 TCP 日志收集方式直
    接发送给 logstash 然后再写入到 elasticsearch 服务器。

    https://www.elastic.co/guide/en/logstash/5.6/input-plugins.html
    

    准备条件:
    环境:jdk,安装好 logstash
    安装nc

    [root@es-web2 ~]# apt install nc
    

    安装jdk

    [root@es-web2 ~]# apt install openjdk-8-jdk -y
    

    dpkg安装

    [root@es-web2 src]# dpkg -i logstash-7.12.1-amd64.deb
    

    配置个文件,先进行收集测试

    [root@es-web2 ]# vim /etc/logstash/conf.d/tcp-log-es.conf
    
    input{
      tcp{
        port => 8899
        type => "tcplog"
        mode => "server"
      }
    }
    
    output{
      stdout{
        codec => rubydebug
      }                                                                     
    }
    

    验证

    [root@es-web2 ]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/tcp-log-es.conf
    

    其他服务器安装 “瑞士军刀” nc

    [root@es-web2 ]# apt install nc
    

    测试

    [root@es-web2 ]# echo "nc test" | nc 172.31.2.107 8899
    

    检查端口

    [root@es-web2 ]# ss -tnl | grep 8899
    
    LISTEN  0        128                          *:8899                   *:*
    

    测试接收文件

    [root@es-web2 ]# nc 172.31.2.107 8899 < /etc/passwd
    

    将输出改为 elasticsearch

    root@long:~# vim /etc/logstash/conf.d/tcp-log-es.conf
    
    input{
      tcp{
        port => 8899
        type => "tcplog"
        mode => "server"
      }
    }
    
    output{
      elasticsearch{
        hosts => ["172.31.2.101:9200"]
        index => "long-tcplog-%{+YYYY.MM.dd}"
      }
    }
    

    重启

    root@long:~# systemctl restart logstash
    

    再用nc 传数据

    root@long:~# echo "nc test1" | nc 172.31.2.108 8899
    root@long:~# echo "伪设备1" > /dev/tcp/172.31.2.108/8899
    

    查看es

    添加到kibana

    logstash收集UDP日志

    准备一台CentOS代替交换机
    安装rsyslog和haproxy

    [root@localhost ~]# yum install rsyslog
    [root@localhost ~]# yum install haproxy -y
    

    rsyslog配置

    [ root@localhost ~]# vim /etc/rsyslog.conf
    
    $ModLoad imudp
    $UDPServerRun 514
    
    # 最后一行添加
    local2.* @@remote-host:514
    

    haproxy配置

    [ root@localhost ~]# vim /etc/haproxy/haproxy.cfg
    
    listen web-port
      bind 0.0.0.0:80
      server 172.31.2.108 172.31.2.108:80 check inter 3s fall 3 rise 5
    

    重启

    [ root@localhost ~]# systemctl restart haproxy
    

    测试网页,可以访问即可

    配置rsyslog写入日志

    [ root@localhost ~]# vim /etc/rsyslog.conf
    
    #local2.* @@remote-host:514
    local2.* /var/log/haproxy.log
    

    重启

    [ root@localhost ~]# systemctl restart rsyslog
    

    改haproxy配置

    [ root@localhost ~]# vim /etc/haproxy/haproxy.cfg
    
    listen web-port
      bind 0.0.0.0:80
      log  global
      mode http
      server 172.31.2.108 172.31.2.108:80 check inter 3s fall 3 rise 5
    

    重启

    [ root@localhost ~]# systemctl restart haproxy
    

    查看日志写入

    [ root@localhost ~]# tail -f /var/log/haproxy.log
    

    配置测试logstash输出到终端显示

    
    input{
      syslog{
        host => "172.31.0.18"
        port => "6514"
        type => "ststem-rsyslog"
      }
    }
    
    output {
      stdout {}                                                             
    }
    

    停止

    root@long:~# systemctl stop logstash
    

    启动

    root@long:~# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/rsys-log-es.conf
    

    然后在centos-18服务器改rsyslog配置

    [ root@localhost ~]# systemctl restart rsyslog
    
    local2.* @@172.31.0.18:6514
    

    重启

    [ root@localhost ~]# systemctl restart rsyslog
    

    启动

    root@long:~# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/rsys-log-es.conf
    

    然后刷新页面看看机台有没有获取到信息,获取到信息说明是成功的

    在haproxy配置添加

    [ root@localhost ~]# vim /etc/haproxy/haproxy.cfg
    
    listen web1-port
      bind 172.31.2.108:5601
      log  global
      mode tcp
      server 172.31.2.101 172.31.2.101:5601 check inter 3s fall 3 rise 5
      server 172.31.2.102 172.31.2.102:5601 check inter 3s fall 3 rise 5
    

    重启

    [ root@localhost ~]# systemctl restart haproxy
    

    检查端口

    [ root@localhost ~]# ss -tnl
    9200
    

    在上面的基础上修改配置(Ubuntu的rsyslog日志配置有问题,所有这里使用的CentOS系统)

    [root@es-web2 ~]# vim /etc/logstash/conf.d/tcp-log-es.conf
    
    input{
      tcp{
        port => 8899
        type => "tcplog"
        mode => "server"
      }
      syslog {
        type => "ststem-rsyslog"
        port => "6514"
      }
    }
    
    #output{
    #  stdout{
    #    codec => rubydebug
    #  }
    #}
    
    output{
      if [type] == "tcplog" {
      elasticsearch {
        hosts => ["172.31.2.101:9200"]
        index => "long-tcplog-%{+YYYY.MM.dd}"
      }}
    
      if [type] == "ststem-rsyslog" {
      elasticsearch {
        hosts => ["172.31.2.101:9200"]
        index => "long-rsyslog-%{+YYYY.MM.dd}"
      }}
    }
    

    启动

    root@long:~# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/rsys-log-es.conf
    

    访问几下网页,出现下面的即可

    然后添加到 kibana

    如果时间没有同步,执行下面命令即可

    [root@localhost ~]# ntpdate time1.aliyun.com
    [root@localhost ~]# hwclock -w
    

    重启

    [ root@localhost ~]# systemctl restart rsyslog
    

    时区不对,执行如下命令即可(CentOS7)

    [root@localhost ~]# cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
    

  • 相关阅读:
    laravel MethodNotAllowedHttpException错误一个原因
    laravel查看执行sql的
    二维,多维数组排序array_multisort()函数的使用
    REMOTE_ADDR,HTTP_CLIENT_IP,HTTP_X_FORWARDED_FOR获取客户端IP
    学习正则笔记
    关于apidoc文档生成不了的一个原因
    laravel 表单验证 Exists 规则的基本使用方法
    laravel 500错误的一个解决办法
    关于laravel 用paginate()取值取不到的问题
    C语言寒假大作战02
  • 原文地址:https://www.cnblogs.com/xuanlv-0413/p/15374796.html
Copyright © 2011-2022 走看看