Monitoring switch logs with ELK
1. First, deploy Logstash to listen on UDP port 514 and create a new config file, cisco.conf
The switch sends its logs to the log server through its rsyslog-server setting, so Logstash has to listen on the rsyslog port, i.e. port 514
[root@server- conf.d]# cd /etc/logstash/conf.d/
[root@server- conf.d]# vim cisco.conf
input{
  syslog{
    port => 514
  }
}
output{
  stdout{
    codec => rubydebug
  }
}
2. Load the configuration file
[root@server-1 conf.d]# logstash -f /etc/logstash/conf.d/cisco.conf
WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults
Could not find log4j2 configuration at path /usr/share/logstash/config/log4j2.properties. Using default config which logs errors to the console
[INFO ] 2019-11-05 14:18:11.331 [main] scaffold - Initializing module {:module_name=>"fb_apache", :directory=>"/usr/share/logstash/modules/fb_apache/configuration"}
[INFO ] 2019-11-05 14:18:11.339 [main] scaffold - Initializing module {:module_name=>"netflow", :directory=>"/usr/share/logstash/modules/netflow/configuration"}
[WARN ] 2019-11-05 14:18:12.069 [LogStash::Runner] multilocal - Ignoring the 'pipelines.yml' file because modules or command line options are specified
[INFO ] 2019-11-05 14:18:12.376 [LogStash::Runner] runner - Starting Logstash {"logstash.version"=>"6.2.4"}
[INFO ] 2019-11-05 14:18:12.621 [Api Webserver] agent - Successfully started Logstash API endpoint {:port=>9600}
[INFO ] 2019-11-05 14:18:13.955 [Ruby-0-Thread-1: /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/stud-0.0.23/lib/stud/task.rb:22] pipeline - Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>4, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50}
[INFO ] 2019-11-05 14:18:14.536 [Ruby-0-Thread-1: /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/stud-0.0.23/lib/stud/task.rb:22] pipeline - Pipeline started successfully {:pipeline_id=>"main", :thread=>"#<Thread:0x24057f7e@/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:247 run>"}
[INFO ] 2019-11-05 14:18:14.545 [Ruby-0-Thread-1: /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/stud-0.0.23/lib/stud/task.rb:22] agent - Pipelines running {:count=>1, :pipelines=>["main"]}
[INFO ] 2019-11-05 14:18:14.578 [Ruby-0-Thread-15: /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-input-syslog-3.4.1/lib/logstash/inputs/syslog.rb:109] syslog - Starting syslog udp listener {:address=>"0.0.0.0:514"}
[INFO ] 2019-11-05 14:18:14.595 [Ruby-0-Thread-16: /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-input-syslog-3.4.1/lib/logstash/inputs/syslog.rb:113] syslog - Starting syslog tcp listener {:address=>"0.0.0.0:514"}
3. Test UDP
First check whether port 514 is being listened on
[root@server- conf.d]# netstat -tunlp|grep java
tcp6 ::: :::* LISTEN /java
tcp6 172.28.18.69: :::* LISTEN /java
tcp6 ::: :::* LISTEN /java
tcp6 172.28.18.69: :::* LISTEN /java
tcp6 127.0.0.1: :::* LISTEN /java
tcp6 172.28.18.69: :::* LISTEN /java
udp 0.0.0.0: 0.0.0.0:* /java
Then capture on port 514 with tcpdump to confirm that packets are actually arriving
[root@server- conf.d]# tcpdump -i em1 udp port -c -n -vvv
tcpdump: listening on em1, link-type EN10MB (Ethernet), capture size bytes
On another server, 172.28.18.71, set the rsyslog server address and it will send its logs to port 514
[root@localhost ~]# vim /etc/rsyslog.conf
Under "RULES" add the following line: *.* @@172.28.18.69
#### RULES ####
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
*.* @@172.28.18.69
Restart the rsyslog service
[root@localhost ~]# systemctl restart rsyslog
Then log in to 172.28.18.71 again; tcpdump on 172.28.18.69 now shows the captured packets on port 514
[root@server- conf.d]# tcpdump -i em1 udp port -c -n -vvv
tcpdump: listening on em1, link-type EN10MB (Ethernet), capture size bytes
::09.093962 IP (tos 0x0, ttl , id , offset , flags [DF], proto UDP (), length )
172.28.18.71. > 172.28.18.69.syslog: [udp sum ok] SYSLOG, length:
Facility authpriv (), Severity info ()
Msg: Nov :: localhost sshd[]: Accepted password for root from 172.28.146.109 port ssh2
::09.101472 IP (tos 0x0, ttl , id , offset , flags [DF], proto UDP (), length )
172.28.18.71. > 172.28.18.69.syslog: [udp sum ok] SYSLOG, length:
Facility auth (), Severity info ()
Msg: Nov :: localhost systemd-logind: New session of user root.
::09.101738 IP (tos 0x0, ttl , id , offset , flags [DF], proto UDP (), length )
172.28.18.71. > 172.28.18.69.syslog: [udp sum ok] SYSLOG, length:
Facility daemon (), Severity info ()
Msg: Nov :: localhost systemd: Started Session of user root.
::09.102645 IP (tos 0x0, ttl , id , offset , flags [DF], proto UDP (), length )
172.28.18.71. > 172.28.18.69.syslog: [udp sum ok] SYSLOG, length:
Facility authpriv (), Severity info ()
Msg: Nov :: localhost sshd[]: pam_unix(sshd:session): session opened for user root by (uid=)
But Logstash prints nothing to the console, so check the Logstash log
[root@server- log]# tail -f /home/logstash/log/logstash-plain.log
ck in start_input'"]}
[--05T10::,][INFO ][logstash.inputs.udp ] Starting UDP listener {:address=>"0.0.0.0:514"}
[--05T10::,][WARN ][logstash.inputs.udp ] UDP listener died {:exception=>#<SocketError: bind: name or service not known>, :backtrace=>["org/jruby/ext/socket/RubyUDPSocket.java:200:in `bind'", "/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-input-udp-3.3.1/lib/logstash/inputs/udp.rb:101:in `udp_listener'", "/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-input-udp-3.3.1/lib/logstash/inputs/udp.rb:57:in `run'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:514:in `inputworker'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:507:in `block in start_input'"]}
[--05T10::,][INFO ][logstash.inputs.udp ] Starting UDP listener {:address=>"0.0.0.0:514"}
[--05T10::,][WARN ][logstash.inputs.udp ] UDP listener died {:exception=>#<SocketError: bind: name or service not known>, :backtrace=>["org/jruby/ext/socket/RubyUDPSocket.java:200:in `bind'", "/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-input-udp-3.3.1/lib/logstash/inputs/udp.rb:101:in `udp_listener'", "/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-input-udp-3.3.1/lib/logstash/inputs/udp.rb:57:in `run'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:514:in `inputworker'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:507:in `block in start_input'"]}
The log reports exception=>#<SocketError: bind: name or service not known>. A search on Baidu showed that port 514 can only be bound by root, while the Logstash service runs as the logstash user by default, so the user the Logstash service runs as has to be changed
Stop the Logstash service
[root@server- conf.d]# systemctl stop logstash
Edit the service configuration
[root@server- conf.d]# vim /etc/systemd/system/logstash.service
[Unit]
Description=logstash

[Service]
Type=simple
User=logstash
Group=logstash
# Load env vars from /etc/default/ and /etc/sysconfig/ if they exist.
# Prefixing the path with '-' makes it try to load, but if the file doesn't
# exist, it continues onward.
EnvironmentFile=-/etc/default/logstash
EnvironmentFile=-/etc/sysconfig/logstash
ExecStart=/usr/share/logstash/bin/logstash "--path.settings" "/etc/logstash"
Restart=always
WorkingDirectory=/
Nice=
LimitNOFILE=

[Install]
WantedBy=multi-user.target
Change User and Group to root
[Unit]
Description=logstash

[Service]
Type=simple
#User=logstash
#Group=logstash
User=root
Group=root
# Load env vars from /etc/default/ and /etc/sysconfig/ if they exist.
# Prefixing the path with '-' makes it try to load, but if the file doesn't
# exist, it continues onward.
EnvironmentFile=-/etc/default/logstash
EnvironmentFile=-/etc/sysconfig/logstash
ExecStart=/usr/share/logstash/bin/logstash "--path.settings" "/etc/logstash"
Restart=always
WorkingDirectory=/
Nice=
LimitNOFILE=

[Install]
WantedBy=multi-user.target
Save and restart the Logstash service
[root@server- conf.d]# systemctl start logstash
Stop the process listening on port 514 and reload the UDP listener config file
[root@server-1 conf.d]# logstash -f /etc/logstash/conf.d/cisco.conf
WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults
Could not find log4j2 configuration at path /usr/share/logstash/config/log4j2.properties. Using default config which logs errors to the console
[INFO ] 2019-11-05 14:18:11.331 [main] scaffold - Initializing module {:module_name=>"fb_apache", :directory=>"/usr/share/logstash/modules/fb_apache/configuration"}
[INFO ] 2019-11-05 14:18:11.339 [main] scaffold - Initializing module {:module_name=>"netflow", :directory=>"/usr/share/logstash/modules/netflow/configuration"}
[WARN ] 2019-11-05 14:18:12.069 [LogStash::Runner] multilocal - Ignoring the 'pipelines.yml' file because modules or command line options are specified
[INFO ] 2019-11-05 14:18:12.376 [LogStash::Runner] runner - Starting Logstash {"logstash.version"=>"6.2.4"}
[INFO ] 2019-11-05 14:18:12.621 [Api Webserver] agent - Successfully started Logstash API endpoint {:port=>9600}
[INFO ] 2019-11-05 14:18:13.955 [Ruby-0-Thread-1: /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/stud-0.0.23/lib/stud/task.rb:22] pipeline - Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>4, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50}
[INFO ] 2019-11-05 14:18:14.536 [Ruby-0-Thread-1: /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/stud-0.0.23/lib/stud/task.rb:22] pipeline - Pipeline started successfully {:pipeline_id=>"main", :thread=>"#<Thread:0x24057f7e@/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:247 run>"}
[INFO ] 2019-11-05 14:18:14.545 [Ruby-0-Thread-1: /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/stud-0.0.23/lib/stud/task.rb:22] agent - Pipelines running {:count=>1, :pipelines=>["main"]}
[INFO ] 2019-11-05 14:18:14.578 [Ruby-0-Thread-15: /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-input-syslog-3.4.1/lib/logstash/inputs/syslog.rb:109] syslog - Starting syslog udp listener {:address=>"0.0.0.0:514"}
[INFO ] 2019-11-05 14:18:14.595 [Ruby-0-Thread-16: /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-input-syslog-3.4.1/lib/logstash/inputs/syslog.rb:113] syslog - Starting syslog tcp listener {:address=>"0.0.0.0:514"}
[INFO ] 2019-11-05 14:18:53.164 [Ruby-0-Thread-17: /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-input-syslog-3.4.1/lib/logstash/inputs/syslog.rb:174] syslog - new connection {:client=>"172.28.18.71:40654"}
[INFO ] 2019-11-05 14:18:53.183 [Ruby-0-Thread-18: /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-input-syslog-3.4.1/lib/logstash/inputs/syslog.rb:174] syslog - new connection {:client=>"172.28.18.71:40656"}
Send data again to test
{
"@version" => "",
"logsource" => "localhost",
"priority" => ,
"facility" => ,
"host" => "172.28.18.71",
"@timestamp" => --05T06::.000Z,
"timestamp" => "Nov 5 14:18:53",
"program" => "systemd",
"facility_label" => "system",
"severity" => ,
"message" => "Stopping System Logging Service...\n",
"severity_label" => "Informational"
}
{
"@version" => "",
"logsource" => "localhost",
"priority" => ,
"facility" => ,
"host" => "172.28.18.71",
"@timestamp" => --05T06::.000Z,
"timestamp" => "Nov 5 14:18:53",
"program" => "rsyslogd",
"facility_label" => "syslogd",
"severity" => ,
"message" => "action 'action 0' resumed (module 'builtin:omfwd') [v8.24.0-34.el7 try http://www.rsyslog.com/e/2359 ]\n",
"severity_label" => "Informational"
}
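Added example (not code from the original post): a small Python parser that splits a BSD-syslog datagram the way the Logstash syslog input does, producing the priority, facility and severity fields shown in the rubydebug output above, plus a check over the parsed events. The datagrams are constructed from the tcpdump capture earlier on the page; the PID, session id and client port are assumed values the post elides.

```python
import re
# Default facility/severity labels used by the Logstash syslog input.
FACILITY_LABELS = [
    "kernel", "user-level", "mail", "system", "security/authorization",
    "syslogd", "line printer", "network news", "UUCP", "clock",
    "security/authorization", "FTP", "NTP", "log audit", "log alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITY_LABELS = ["Emergency", "Alert", "Critical", "Error",
                   "Warning", "Notice", "Informational", "Debug"]

# BSD syslog line as rsyslog sends it: <PRI>MMM dd HH:MM:SS host program[pid]: msg
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<logsource>\S+)"
    r"(?: (?P<program>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?:)? ?"
    r"(?P<message>.*)$", re.DOTALL)

def parse_syslog(datagram: bytes, host: str) -> dict:
    """Build the Logstash-style event for one syslog datagram sent by `host`."""
    m = SYSLOG_RE.match(datagram.decode("utf-8", errors="replace"))
    if m is None:
        raise ValueError("not a BSD syslog line: %r" % datagram)
    pri = int(m["pri"])
    if pri > 191:  # facility 0-23 and severity 0-7 is all PRI can encode
        raise ValueError("PRI out of range: %d" % pri)
    # PRI = facility * 8 + severity; Logstash splits it with >> 3 and & 7 too.
    event = {"host": host, "priority": pri, "facility": pri >> 3,
             "severity": pri & 7, "facility_label": FACILITY_LABELS[pri >> 3],
             "severity_label": SEVERITY_LABELS[pri & 7], "timestamp": m["timestamp"],
             "logsource": m["logsource"], "program": m["program"], "message": m["message"]}
    if m["pid"]:
        event["pid"] = int(m["pid"])
    return event

def root_password_logins(events):
    """Parsed events worth alerting on: sshd accepted a password for root."""
    return [e for e in events if e["program"] == "sshd"
            and e["message"].startswith("Accepted password for root ")]

# Constructed datagrams modelled on the tcpdump capture above; the PID,
# session id and client port are made up because the post elides them.
SAMPLE = [
    b"<86>Nov  5 14:18:09 localhost sshd[4321]: Accepted password for root from 172.28.146.109 port 50122 ssh2",
    b"<38>Nov  5 14:18:09 localhost systemd-logind: New session 7 of user root.",
    b"<30>Nov  5 14:18:53 localhost systemd: Stopping System Logging Service...\n",
]
EVENTS = [parse_syslog(d, "172.28.18.71") for d in SAMPLE]
```

The PRI values 86, 38 and 30 are the `<86>`, `<38>` and `<30>` prefixes visible in the capture, which is why sshd lands in facility "security/authorization" and systemd in "system", exactly as Logstash labelled them.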
Logstash now displays the log data; modify the config file so that the logs are output to Elasticsearch
input{
  syslog{
    port => 514
  }
}
# output to Elasticsearch
output{
  elasticsearch{
    hosts => ["172.28.18.69:9200"]   # Elasticsearch service address
    index => "system-cisco-log-%{+YYYY.MM}"   # index to create
  }
}
Restart to load the config file, then check the indices on the Elasticsearch server
[root@server- conf.d]# curl http://172.28.18.69:9200/_cat/indices
yellow open nginx-172.28.18.75-2019.11. WK6Zr5guQ7KSoCLPd8JjqQ .5mb .5mb
yellow open system-cisco-log-2019.11 IR__HXPvTfe3HNtQ1HOwFw .7kb .7kb
green open .kibana QkF9i3nXSAKlNLMLNROM1A .5kb .5kb
The system-cisco-log-2019.11 index has been created
4. Configure the switch
With that, Logstash can receive the switch logs