Writing a Logstash configuration file to collect rsyslog

  • Debug-mode configuration: have Logstash print each event to the screen
  • [root@master_agent logfile]# vim syslog.cof
input {
#system
    syslog {
        type => "system_rsyslog"
        host => "172.16.1.201"
        port => "514"
        }
}

output {
        stdout {          ### print to the screen
                codec => "rubydebug"
        }
}
  • Modify the rsyslog configuration so it forwards remotely: [root@master_agent logfile]# vim /etc/rsyslog.conf
*.* @@172.16.1.201:514  ## add this line: every facility and severity, @@ = TCP (a single @ would be UDP), sent in clear text
    (The Logstash syslog input listens on both TCP and UDP 514 by default. 514 is a privileged port, which is why Logstash is run as root below; to run it unprivileged, bind it to a port above 1024 such as 5140 and point rsyslog at that port instead.)
  • Restart the rsyslog service
[root@master_agent ~]# systemctl restart rsyslog
  • Run Logstash
[root@master_agent logfile]# /opt/logstash/bin/logstash -f syslog.cof 
OpenJDK 64-Bit Server VM warning: If the number of processors is expected to increase from one, then you should configure the number of parallel GC threads appropriately using -XX:ParallelGCThreads=N
Settings: Default pipeline workers: 1
Pipeline main started
{
           "message" => "<46>Jun 27 11:02:29 master_agent rsyslogd: [origin software=\"rsyslogd\" swVersion=\"7.4.7\" x-pid=\"27505\" x-info=\"http://www.rsyslog.com\"] start\n",
          "@version" => "1",
        "@timestamp" => "2017-06-27T15:02:29.690Z",
              "type" => "system_rsyslog",
              "host" => "172.16.1.201",
              "tags" => [
        [0] "_grokparsefailure_sysloginput"
    ],
          "priority" => 0,
          "severity" => 0,
          "facility" => 0,
    "facility_label" => "kernel",
    "severity_label" => "Emergency"
}
{
           "message" => "<30>Jun 27 11:02:29 master_agent systemd: Starting System Logging Service...\n",
          "@version" => "1",
        "@timestamp" => "2017-06-27T15:02:29.709Z",
              "type" => "system_rsyslog",
              "host" => "172.16.1.201",
              "tags" => [
        [0] "_grokparsefailure_sysloginput"
    ],
          "priority" => 0,
          "severity" => 0,
          "facility" => 0,
    "facility_label" => "kernel",
    "severity_label" => "Emergency"
}
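The tag in the output above means the syslog input could not parse the header, and the page leaves it at that. The following Python script is an added example (not from the page and not Logstash's own code) that parses the two records shown above the way a syslog input should: it decodes PRI on its own first, so facility and severity come out as syslog/Informational and daemon/Informational rather than 0/0, and it matches the header with a host pattern modelled on grok's HOSTNAME (RFC 1123 labels: letters, digits and hyphens), which shows that master_agent fails on the underscore while a loose host pattern, or the constructed third record with the host master-agent, passes. The regexes and the third sample line are this example's own, not grok's patterns verbatim.

```python
import re

# Facility and severity names from the RFC 3164 numbering; the first entry of each
# list is what Logstash reported for every event above because PRI stayed at 0.
FACILITIES = [
    "kernel", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "clock", "authpriv", "ftp", "ntp", "audit", "alert", "clock2",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["Emergency", "Alert", "Critical", "Error", "Warning", "Notice",
              "Informational", "Debug"]

# Strict host field, modelled on grok's HOSTNAME/IPV4 patterns (RFC 1123 labels:
# letters, digits and hyphens only, so an underscore is rejected).
HOSTNAME_RE = r"[0-9A-Za-z][0-9A-Za-z-]{0,62}(?:\.[0-9A-Za-z][0-9A-Za-z-]{0,62})*"
IPV4_RE = r"(?:\d{1,3}\.){3}\d{1,3}"


def _build_header_re(host_pattern):
    # <PRI>Mmm dd HH:MM:SS host program[pid]: message  (BSD syslog as rsyslog sends it)
    return re.compile(
        r"^<(?P<pri>\d{1,3})>"
        r"(?P<timestamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
        r"(?P<host>" + host_pattern + r") "
        r"(?:(?P<program>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: )?"
        r"(?P<message>.*)$"
    )


STRICT_RE = _build_header_re(HOSTNAME_RE + "|" + IPV4_RE)
LOOSE_RE = _build_header_re(r"\S+")  # accepts any non-blank token as the host


def decode_pri(pri):
    """Split a syslog PRI value into (facility, severity): PRI = facility * 8 + severity."""
    return pri >> 3, pri & 7


def parse_syslog(line, strict_hostname=True):
    """Parse one BSD-syslog record into an event dict.

    PRI is decoded before the header is matched, so facility/severity are right
    even when the header fails; a failed header match is tagged the way the
    Logstash syslog input tags it, instead of being silently dropped.
    """
    raw = line.rstrip("\r\n")  # rsyslog's TCP framing ends each record with a newline
    event = {"message": raw, "tags": [], "priority": 0, "facility": 0, "severity": 0}
    pri_match = re.match(r"^<(\d{1,3})>", raw)
    if pri_match and int(pri_match.group(1)) <= 191:  # 23 * 8 + 7 is the largest valid PRI
        pri = int(pri_match.group(1))
        event["priority"] = pri
        event["facility"], event["severity"] = decode_pri(pri)
    else:
        event["tags"].append("_syslog_pri_missing")
    event["facility_label"] = FACILITIES[event["facility"]]
    event["severity_label"] = SEVERITIES[event["severity"]]

    header = (STRICT_RE if strict_hostname else LOOSE_RE).match(raw)
    if header is None:
        event["tags"].append("_grokparsefailure_sysloginput")
        return event
    event["timestamp"] = header.group("timestamp")
    event["logsource"] = header.group("host")
    if header.group("program"):
        event["program"] = header.group("program")
    if header.group("pid"):
        event["pid"] = int(header.group("pid"))
    event["message"] = header.group("message")
    return event


# The first two records are the ones shown in the rubydebug output above; the third
# is constructed for this example (hyphen instead of underscore in the hostname).
SAMPLE_LINES = [
    '<46>Jun 27 11:02:29 master_agent rsyslogd: [origin software="rsyslogd" '
    'swVersion="7.4.7" x-pid="27505" x-info="http://www.rsyslog.com"] start\n',
    '<30>Jun 27 11:02:29 master_agent systemd: Starting System Logging Service...\n',
    '<38>Jun 27 11:05:01 master-agent sshd[2110]: Accepted publickey for root '
    'from 172.16.1.10 port 51234 ssh2\n',
]


def summarize(lines, strict_hostname=True):
    """Return (facility_label, severity_label, logsource or None, tags) per record."""
    out = []
    for line in lines:
        ev = parse_syslog(line, strict_hostname)
        out.append((ev["facility_label"], ev["severity_label"], ev.get("logsource"), ev["tags"]))
    return out


if __name__ == "__main__":
    for strict in (True, False):
        print(f"strict_hostname={strict}")
        for fac, sev, host, tags in summarize(SAMPLE_LINES, strict):
            print(f"  {fac}/{sev} host={host} tags={tags}")
```

Running it prints each record twice, once per host mode. In practice, rename the host so it is RFC 1123 compliant rather than loosening the parser: the same hostname will fail in any other consumer that validates it, and an event that keeps facility 0 / severity 0 is indexed as a kernel Emergency, which is exactly the field a SOC filters on.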
Both events arrive, but each carries the _grokparsefailure_sysloginput tag: the syslog input could not parse the header, so priority, facility and severity stayed at 0 and the kernel/Emergency labels are wrong (PRI <46> is facility 5 syslog / severity 6 Informational, and <30> is daemon/Informational). The most likely cause is the underscore in the hostname master_agent, which the grok HOSTNAME pattern, like RFC 1123, does not accept. Events indexed with these fields will land in the wrong facility and severity in Kibana, so fix the hostname (or add a fallback grok filter) before relying on them.
  • Modify the configuration file to write to Elasticsearch instead of the screen: [root@master_agent ~]# vim /home/elk/logfile/syslog.cof
input {
#system
    syslog {
        type => "system_rsyslog"
        host => "172.16.1.201"
        port => "514"
        }
}

output {
        if [type] == "system_rsyslog" {
                elasticsearch {
                        hosts => ["172.16.1.201:9200"]
                        index => "system-syslog-%{+YYYY.MM.dd}"
                }

        }
}

Events now go to the daily index system-syslog-YYYY.MM.dd over plain HTTP to 172.16.1.201:9200 with no authentication or TLS, so restrict that port to the Logstash host. The result, as shown in the screenshot: (image)

Add the index pattern in Kibana

Configure an index pattern: Kibana needs at least one index pattern to identify which Elasticsearch indices to run searches and analytics against (they are also used to configure fields). Tick "Index contains time-based events" (the "Use event times to create index names" option is deprecated), enter the index name or pattern (* is a wildcard, e.g. logstash-*):

system-syslog*

then select the time-field name (@timestamp, which every event above carries) and create the pattern.