logstash

    Contents:

    1. Installing logstash
    2. logstash quick start
    3. Collecting system logs with logstash: file input
    4. Collecting Java logs with logstash: multiline codec
    5. Collecting nginx access logs with logstash: json
    6. Collecting system logs via syslog
    7. Collecting TCP logs with logstash
    8. Collecting slowlogs with logstash: grok
    9. Decoupling logstash with a message queue

    1. Installing logstash

    Download and install the GPG key
    rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch

    Add the yum repository
    vim /etc/yum.repos.d/logstash.repo

    [logstash-2.1]
    name=Logstash repository for 2.1.x packages
    baseurl=http://packages.elastic.co/logstash/2.1/centos
    gpgcheck=1
    gpgkey=http://packages.elastic.co/GPG-KEY-elasticsearch
    enabled=1


    Install logstash
    yum install -y logstash

    List the installed files: rpm -ql logstash

    2. logstash quick start

      /opt/logstash/bin/logstash -e 'input {stdin{}} output {stdout{}}'

       /opt/logstash/bin/logstash -e 'input {stdin{}} output {stdout{ codec => rubydebug }}'

       /opt/logstash/bin/logstash -e 'input {stdin{}} output {elasticsearch{ hosts => ["192.168.213.200:9200"] }}'

       Check the result in Elasticsearch:

      Several outputs can be configured at once: /opt/logstash/bin/logstash -e 'input {stdin{}} output {elasticsearch{ hosts => ["192.168.213.200:9200"] } stdout{ codec => rubydebug }}'

    3. Collecting system logs with logstash: file input

    3.1. Console input as the input

      vim /etc/logstash/conf.d/01-logstash.conf, add the following:

    input { stdin{} } 
    output {
        elasticsearch{ hosts => ["192.168.213.200:9200"] } 
        stdout{ codec => rubydebug }
    }

      Run /opt/logstash/bin/logstash -f /etc/logstash/conf.d/01-logstash.conf in the console, then type some text into the console.

    3.2. A file as the input

      vim /etc/logstash/conf.d/01-logstash.conf, add the following:

    input {
        file {
            path => "/var/log/a.log"
            type => "a_type"
            start_position => "beginning"
        }
    } 
        
    output {
        elasticsearch{ hosts => ["192.168.213.200:9200"] } 
        stdout{ codec => rubydebug }
    }

      vim /var/log/a.log, add some test lines, then start logstash with /opt/logstash/bin/logstash -f /etc/logstash/conf.d/01-logstash.conf.

      start_position => "beginning" means the file is read from its start; "end" means reading starts at the end of the file. After a restart the file is not read again:

       But after the line "444" was added to /var/log/a.log, a.log was read from the beginning again.

      type => "a_type" is a custom type label (the name is your choice). The elasticsearch index below can be kept consistent with a_type.

    input {
        file {
            path => "/var/log/a.log"
            type => "a_type"
            start_position => "beginning"
        }
    } 
        
    output {
        elasticsearch{
            hosts => ["192.168.213.200:9200"] 
            index => "a_type-%{+YYYY.MM.dd}"
        } 
        stdout{ codec => rubydebug }
    }

    4. Collecting Java logs with logstash: multiline codec

      vim /etc/logstash/conf.d/02-logstash.conf, add the following:

    input {
        file {
            path => "/var/log/a.log"
            type => "a_type"
            start_position => "beginning"
        }
        file {
            path => "/var/log/java.log"
            type => "java_type"
            start_position => "beginning"
            codec => multiline {
                #pattern => "^["  # regex rule that decides how multi-line text is merged
                pattern => "^2021"
                negate => true
                what => "previous"  # merge into the previous line
            }
        }
    } 
        
    output {
        if [type] == "a_type" {
            elasticsearch{
                hosts => ["192.168.213.200:9200"] 
                index => "a_type-%{+YYYY.MM.dd}"
            } 
        }
        if [type] == "java_type" {
            elasticsearch{
                hosts => ["192.168.213.200:9200"] 
                index => "java_type-%{+YYYY.MM.dd}"
            } 
        }
        
        stdout{ codec => rubydebug }
    }

      Effect of the multi-line merge:
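As an added example (not code from the original post), the following Python reproduces the decision rule of the multiline codec configured above, so you can see which lines of a constructed Java log get glued into one event; the log sample and the function names are my own assumptions, and `what => "next"` is covered as well for comparison.

```python
import re

# Constructed sample of a Java log with a stack trace (not from the page);
# each log record starts with a "2021..." timestamp, continuation lines do not.
JAVA_LOG = """\
2021-02-10 10:00:01 INFO  Application started
2021-02-10 10:00:02 ERROR Request failed
java.lang.NullPointerException: user is null
\tat com.example.Service.handle(Service.java:42)
\tat com.example.Controller.run(Controller.java:17)
2021-02-10 10:00:03 INFO  Recovered
"""

def merge_multiline(lines, pattern, negate=False, what="previous"):
    """Reproduce the decision rule of the multiline codec in the config above.

    A line "matches" when the regex hits; negate=True inverts that.
    what="previous": a matching line is glued onto the event before it.
    what="next":     a matching line is glued onto the event after it.
    Returns the merged events, each a single string with embedded newlines.
    """
    regex = re.compile(pattern)
    events, pending = [], []
    for line in lines:
        matched = bool(regex.search(line)) != negate
        if what == "previous":
            if matched and pending:
                pending.append(line)          # continuation of the current event
            else:
                if pending:
                    events.append("\n".join(pending))
                pending = [line]              # this line starts a new event
        else:  # what == "next"
            pending.append(line)
            if not matched:                   # a non-matching line closes the event
                events.append("\n".join(pending))
                pending = []
    if pending:                               # flush the last open event
        events.append("\n".join(pending))
    return events

def java_events():
    # Same settings as the page's codec: pattern "^2021", negate => true, what => "previous"
    return merge_multiline(JAVA_LOG.splitlines(), r"^2021", negate=True, what="previous")
```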

    5. Collecting nginx access logs with logstash: json

       Change the nginx access log format to JSON

      Or configure access_log inside the server block

      The access log access.log

       vim /etc/logstash/conf.d/02-logstash.conf, add the following:

    input {
        file {
            path => "/var/log/a.log"
            type => "a_type"
            start_position => "beginning"
        }
        file {
            path => "/var/log/java.log"
            type => "java_type"
            start_position => "beginning"
            codec => multiline {
                #pattern => "^["  # regex rule that decides how multi-line text is merged
                pattern => "^2021"
                negate => true
                what => "previous"  # merge into the previous line
            }
        }
        
        file {
            path => "/var/log/nginx/access_json.log"
            codec => json
            type => "nginx_access_log_type"
            start_position => "beginning"
        }
    } 
        
    output {
        if [type] == "a_type" {
            elasticsearch{
                hosts => ["192.168.213.200:9200"] 
                index => "a_type-%{+YYYY.MM.dd}"
            } 
        }
        if [type] == "java_type" {
            elasticsearch{
                hosts => ["192.168.213.200:9200"] 
                index => "java_type-%{+YYYY.MM.dd}"
            } 
        }
        
        if [type] == "nginx_access_log_type" {
            elasticsearch{
                hosts => ["192.168.213.200:9200"] 
                index => "nginx_access_log_type-%{+YYYY.MM.dd}"
            } 
        }
        
        stdout{ codec => rubydebug }
    }

      /opt/logstash/bin/logstash -f /etc/logstash/conf.d/02-logstash.conf

    6. Collecting system logs via syslog

      vim /etc/logstash/conf.d/system_syslog_type.conf, add the following:

    input {
        syslog {
            type => "system_syslog_type"
            host => "192.168.213.200"
            port => "514"
        }
        
    } 
        
    output {
        if [type] == "system_syslog_type" {
            elasticsearch{
                hosts => ["192.168.213.200:9200"] 
                index => "system_syslog_type-%{+YYYY.MM.dd}"
            } 
        }
        
        stdout{ codec => rubydebug }
    }

      Start logstash: /opt/logstash/bin/logstash -f /etc/logstash/conf.d/system_syslog_type.conf

      Check whether port 514 is being listened on:

      Configure rsyslog: vim /etc/rsyslog.conf

      The corresponding operation records are collected as well:

       To test, type directly in the console: logger "test syslog..."

    7. Collecting TCP logs with logstash

      vim /etc/logstash/conf.d/tcp_type.conf, add the following:

    input {
        tcp {
            type => "tcp_type"
            host => "192.168.213.200"
            port => "6666"
        }
        
    } 
        
    output {
        if [type] == "tcp_type" {
            elasticsearch{
                hosts => ["192.168.213.200:9200"] 
                index => "tcp_type-%{+YYYY.MM.dd}"
            } 
        }
        
        stdout{ codec => rubydebug }
    }

      Start logstash: /opt/logstash/bin/logstash -f /etc/logstash/conf.d/tcp_type.conf

      Check whether port 6666 is being listened on

      Install nc: yum install -y nc

      Send data through nc

      Check Elasticsearch

    8. Collecting slowlogs with logstash: grok

       vim /etc/logstash/conf.d/grok_type.conf, add the following:

    input {
        stdin {
            type => "grok_type"  # required, otherwise the [type] == "grok_type" condition in output never matches
        }
    } 
    filter {
        grok {
            match => {
                "message" => "%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration}"
            }
        }
    }
    output {
        if [type] == "grok_type" {
            elasticsearch{
                hosts => ["192.168.213.200:9200"] 
                index => "grok_type-%{+YYYY.MM.dd}"
            } 
        }
        
        stdout{ codec => rubydebug }
    }

      Start logstash: /opt/logstash/bin/logstash -f /etc/logstash/conf.d/grok_type.conf

      Type in the console: 55.3.244.1 GET /index.html 15824 0.043

      Explanation of "%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration}": IP is a regular-expression matching rule that comes built into logstash.
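Added example, not part of the original post: a small Python re-implementation of how grok expands %{NAME:field} references (NAME selects a library regex, the name after the colon is the field the matched text is stored in), run against the line typed in the walkthrough above. The pattern regexes are simplified rewrites of logstash's built-ins and the function names are my assumptions.

```python
import re

# Constructed subset of logstash's built-in grok pattern library. The regexes are
# simplified rewrites (assumption: close to, but not identical to, the real ones).
PATTERNS = {
    "IPV4": r"(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.){3}(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)",
    "IP": r"%{IPV4}",
    "WORD": r"\b\w+\b",
    "URIPATH": r"(?:/[A-Za-z0-9$.+!*'(){},~:;=@#%_\-]*)+",
    "URIPARAM": r"\?[A-Za-z0-9$.+!*'|(){},~@#%&/=:;_?\-\[\]<>]*",
    "URIPATHPARAM": r"%{URIPATH}(?:%{URIPARAM})?",
    "BASE10NUM": r"(?<![0-9.+-])[+-]?(?:\d+(?:\.\d+)?|\.\d+)",
    "NUMBER": r"%{BASE10NUM}",
}

# %{NAME} or %{NAME:field}: the reference syntax used in the page's match string
_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")

def grok_compile(pattern, library=PATTERNS):
    """Expand every %{NAME:field} reference into a Python regex.

    A reference with a field name becomes a named capture group (?P<field>...),
    one without becomes a non-capturing group; nested references resolve recursively.
    """
    def expand(m):
        name, field = m.group(1), m.group(2)
        if name not in library:
            raise ValueError(f"unknown grok pattern {name}")
        inner = _REF.sub(expand, library[name])
        return f"(?P<{field}>{inner})" if field else f"(?:{inner})"
    return re.compile(_REF.sub(expand, pattern))

def grok_match(pattern, message):
    """Return the captured fields, or the _grokparsefailure tag that logstash
    attaches to an event when the pattern does not match."""
    m = grok_compile(pattern).search(message)
    if m is None:
        return {"tags": ["_grokparsefailure"]}
    return m.groupdict()

SLOWLOG_PATTERN = ("%{IP:client} %{WORD:method} %{URIPATHPARAM:request} "
                   "%{NUMBER:bytes} %{NUMBER:duration}")

def parse_page_example():
    # The line typed into the console in the walkthrough above
    return grok_match(SLOWLOG_PATTERN, "55.3.244.1 GET /index.html 15824 0.043")
```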

    9. Decoupling logstash with a message queue

     


Original article: https://www.cnblogs.com/xy-ouyang/p/14408812.html