Monitoring switch logs with ELK
1. Deploy Logstash listening on UDP port 514 and create a new configuration file, cisco.conf
The switch sends its logs to the log server through its syslog (rsyslog) server setting, so Logstash has to listen on the syslog port, i.e. port 514. The Logstash syslog input opens both a UDP and a TCP listener on that port, as the startup log below shows.
[root@server- conf.d]# cd /etc/logstash/conf.d/
[root@server- conf.d]# vim cisco.conf
input {
    syslog {
        port => 514
    }
}
output {
    stdout {
        codec => rubydebug
    }
}
2. Load the configuration file
[root@server-1 conf.d]# logstash -f /etc/logstash/conf.d/cisco.conf
WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults
Could not find log4j2 configuration at path /usr/share/logstash/config/log4j2.properties. Using default config which logs errors to the console
[INFO ] 2019-11-05 14:18:11.331 [main] scaffold - Initializing module {:module_name=>"fb_apache", :directory=>"/usr/share/logstash/modules/fb_apache/configuration"}
[INFO ] 2019-11-05 14:18:11.339 [main] scaffold - Initializing module {:module_name=>"netflow", :directory=>"/usr/share/logstash/modules/netflow/configuration"}
[WARN ] 2019-11-05 14:18:12.069 [LogStash::Runner] multilocal - Ignoring the 'pipelines.yml' file because modules or command line options are specified
[INFO ] 2019-11-05 14:18:12.376 [LogStash::Runner] runner - Starting Logstash {"logstash.version"=>"6.2.4"}
[INFO ] 2019-11-05 14:18:12.621 [Api Webserver] agent - Successfully started Logstash API endpoint {:port=>9600}
[INFO ] 2019-11-05 14:18:13.955 [Ruby-0-Thread-1: /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/stud-0.0.23/lib/stud/task.rb:22] pipeline - Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>4, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50}
[INFO ] 2019-11-05 14:18:14.536 [Ruby-0-Thread-1: /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/stud-0.0.23/lib/stud/task.rb:22] pipeline - Pipeline started successfully {:pipeline_id=>"main", :thread=>"#<Thread:0x24057f7e@/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:247 run>"}
[INFO ] 2019-11-05 14:18:14.545 [Ruby-0-Thread-1: /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/stud-0.0.23/lib/stud/task.rb:22] agent - Pipelines running {:count=>1, :pipelines=>["main"]}
[INFO ] 2019-11-05 14:18:14.578 [Ruby-0-Thread-15: /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-input-syslog-3.4.1/lib/logstash/inputs/syslog.rb:109] syslog - Starting syslog udp listener {:address=>"0.0.0.0:514"}
[INFO ] 2019-11-05 14:18:14.595 [Ruby-0-Thread-16: /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-input-syslog-3.4.1/lib/logstash/inputs/syslog.rb:113] syslog - Starting syslog tcp listener {:address=>"0.0.0.0:514"}
3. Test UDP
First check whether port 514 is actually being listened on
[root@server- conf.d]# netstat -tunlp|grep java
tcp6 ::: :::* LISTEN /java
tcp6 172.28.18.69: :::* LISTEN /java
tcp6 ::: :::* LISTEN /java
tcp6 172.28.18.69: :::* LISTEN /java
tcp6 127.0.0.1: :::* LISTEN /java
tcp6 172.28.18.69: :::* LISTEN /java
udp 0.0.0.0: 0.0.0.0:* /java
Then capture on port 514 with tcpdump to confirm that packets are arriving
[root@server- conf.d]# tcpdump -i em1 udp port -c -n -vvv
tcpdump: listening on em1, link-type EN10MB (Ethernet), capture size bytes
On a second server, 172.28.18.71, point rsyslog at the log server and it will forward its logs to port 514.
[root@localhost ~]# vim /etc/rsyslog.conf
Add the following line under the RULES section: "*.* @@172.28.18.69". In rsyslog a single @ forwards over UDP and @@ forwards over TCP (514 is the default port for both); the Logstash syslog input listens on both protocols, so either form reaches it, but a tcpdump filter on udp only shows traffic sent with a single @.
#### RULES ####
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
*.* @@172.28.18.69
Restart the rsyslog service
[root@localhost ~]# systemctl restart rsyslog
Then log in to 172.28.18.71 again; tcpdump on 172.28.18.69, listening on port 514, now shows the captured packets
[root@server- conf.d]# tcpdump -i em1 udp port -c -n -vvv
tcpdump: listening on em1, link-type EN10MB (Ethernet), capture size bytes
::09.093962 IP (tos 0x0, ttl , id , offset , flags [DF], proto UDP (), length )
    172.28.18.71. > 172.28.18.69.syslog: [udp sum ok] SYSLOG, length:
    Facility authpriv (), Severity info ()
    Msg: Nov :: localhost sshd[]: Accepted password for root from 172.28.146.109 port ssh2
::09.101472 IP (tos 0x0, ttl , id , offset , flags [DF], proto UDP (), length )
    172.28.18.71. > 172.28.18.69.syslog: [udp sum ok] SYSLOG, length:
    Facility auth (), Severity info ()
    Msg: Nov :: localhost systemd-logind: New session of user root.
::09.101738 IP (tos 0x0, ttl , id , offset , flags [DF], proto UDP (), length )
    172.28.18.71. > 172.28.18.69.syslog: [udp sum ok] SYSLOG, length:
    Facility daemon (), Severity info ()
    Msg: Nov :: localhost systemd: Started Session of user root.
::09.102645 IP (tos 0x0, ttl , id , offset , flags [DF], proto UDP (), length )
    172.28.18.71. > 172.28.18.69.syslog: [udp sum ok] SYSLOG, length:
    Facility authpriv (), Severity info ()
    Msg: Nov :: localhost sshd[]: pam_unix(sshd:session): session opened for user root by (uid=)
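The capture above shows what the collector really receives: each datagram is one RFC 3164 line whose leading <PRI> field encodes facility * 8 + severity (<86> is authpriv.info, <38> auth.info, <30> daemon.info), which is exactly what tcpdump decodes and what the Logstash syslog input turns into facility_label and severity_label. The following Python is an added example, not code from the original post: it parses such lines, builds one, and can push a test message to the collector over UDP (rsyslog "@") or TCP (rsyslog "@@") without editing rsyslog.conf on a second machine. The sample lines are constructed from the capture above with made-up PIDs, ports and session numbers; the collector address 172.28.18.69:514 is the one used on this page; the RFC short names used here differ from the label strings Logstash prints ("system" for daemon, "syslogd" for syslog).

```python
"""RFC 3164 syslog helpers: decode the <PRI> field the way tcpdump and the
Logstash syslog input do, and emit a test message to a collector over UDP or TCP."""
from __future__ import annotations

import re
import socket
from datetime import datetime

# Facility codes 0..23 and severity codes 0..7 from RFC 3164 section 4.1.1.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>TIMESTAMP HOSTNAME TAG[PID]: MSG   (TIMESTAMP is "Mmm dd hh:mm:ss", day space-padded)
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<program>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<message>.*)$"
)


def decode_pri(pri: int) -> tuple[str, str]:
    """PRI = facility * 8 + severity; <86> is authpriv.info, <30> is daemon.info."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def parse_rfc3164(line: str) -> dict:
    """Split one BSD syslog line into the fields the Logstash syslog input produces."""
    m = _RFC3164.match(line.rstrip("\n"))
    if not m:
        raise ValueError(f"not an RFC 3164 line: {line!r}")
    pri = int(m["pri"])
    facility, severity = decode_pri(pri)
    return {
        "priority": pri,
        "facility": pri // 8,
        "facility_label": facility,
        "severity": pri % 8,
        "severity_label": severity,
        "timestamp": m["timestamp"],
        "logsource": m["host"],
        "program": m["program"],
        "pid": int(m["pid"]) if m["pid"] else None,
        "message": m["message"],
    }


def build_rfc3164(facility: str, severity: str, host: str, program: str,
                  message: str, when: datetime | None = None) -> bytes:
    """Build a line the collector will accept; the inverse of parse_rfc3164."""
    pri = FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)
    when = when or datetime.now()
    # strftime's %d is zero-padded; RFC 3164 wants a space-padded day ("Nov  5").
    stamp = when.strftime("%b ") + f"{when.day:2d}" + when.strftime(" %H:%M:%S")
    return f"<{pri}>{stamp} {host} {program}: {message}".encode()


def send_syslog(payload: bytes, collector: str, port: int = 514, tcp: bool = False) -> None:
    """Send one message. UDP is one datagram per message (rsyslog '@'); TCP is
    newline-framed (rsyslog '@@'), which is what the Logstash tcp listener reads."""
    if tcp:
        with socket.create_connection((collector, port), timeout=5) as s:
            s.sendall(payload + b"\n")
    else:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(payload, (collector, port))


# Constructed sample lines modelled on the capture above (PIDs, ports and session ids made up).
SAMPLE_LINES = [
    "<86>Nov  5 14:18:09 localhost sshd[4321]: Accepted password for root from 172.28.146.109 port 50210 ssh2",
    "<38>Nov  5 14:18:09 localhost systemd-logind: New session 12 of user root.",
    "<30>Nov  5 14:18:09 localhost systemd: Started Session 12 of user root.",
]
SAMPLE_TIME = datetime(2019, 11, 5, 14, 18, 9)  # fixed timestamp for a reproducible build

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        ev = parse_rfc3164(line)
        print(f"{ev['facility_label']}.{ev['severity_label']:<7} {ev['program']:<14} {ev['message']}")
    # To exercise the collector, uncomment (assumes 172.28.18.69:514 as on this page):
    # send_syslog(build_rfc3164("local7", "info", "test-host", "elk-check", "hello"), "172.28.18.69")
```

Run it once with the send line uncommented while tcpdump and the rubydebug output are both open: the datagram should appear in the capture as Facility local7, Severity info, and Logstash should print an event with program "elk-check". If tcpdump sees it and Logstash does not, the problem is on the Logstash side (the bind failure discussed below), not on the network.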
But Logstash prints nothing to the console. Check the Logstash log:
[root@server- log]# tail -f /home/logstash/log/logstash-plain.log
ck in start_input'"]}
[--05T10::,][INFO ][logstash.inputs.udp ] Starting UDP listener {:address=>"0.0.0.0:514"}
[--05T10::,][WARN ][logstash.inputs.udp ] UDP listener died {:exception=>#<SocketError: bind: name or service not known>, :backtrace=>["org/jruby/ext/socket/RubyUDPSocket.java:200:in `bind'", "/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-input-udp-3.3.1/lib/logstash/inputs/udp.rb:101:in `udp_listener'", "/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-input-udp-3.3.1/lib/logstash/inputs/udp.rb:57:in `run'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:514:in `inputworker'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:507:in `block in start_input'"]}
[--05T10::,][INFO ][logstash.inputs.udp ] Starting UDP listener {:address=>"0.0.0.0:514"}
[--05T10::,][WARN ][logstash.inputs.udp ] UDP listener died {:exception=>#<SocketError: bind: name or service not known>, :backtrace=>["org/jruby/ext/socket/RubyUDPSocket.java:200:in `bind'", "/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-input-udp-3.3.1/lib/logstash/inputs/udp.rb:101:in `udp_listener'", "/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-input-udp-3.3.1/lib/logstash/inputs/udp.rb:57:in `run'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:514:in `inputworker'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:507:in `block in start_input'"]}
The log reports exception=>#<SocketError: bind: name or service not known>. A quick search shows the cause: 514 is a privileged port (below 1024), which only root may bind, while the Logstash service runs as the logstash user by default. The fix used below is to change the user the Logstash service runs as. Be aware that this hands the entire Logstash process (JVM, plugins and pipelines) root privileges; the least-privilege alternatives are to keep User=logstash and grant only the bind capability with AmbientCapabilities=CAP_NET_BIND_SERVICE in the unit file, or to listen on an unprivileged port such as 5514 and redirect 514 to it with firewalld/iptables.
Stop the logstash service
[root@server- conf.d]# systemctl stop logstash
Edit the service unit
[root@server- conf.d]# vim /etc/systemd/system/logstash.service
[Unit]
Description=logstash

[Service]
Type=simple
User=logstash
Group=logstash
# Load env vars from /etc/default/ and /etc/sysconfig/ if they exist.
# Prefixing the path with '-' makes it try to load, but if the file doesn't
# exist, it continues onward.
EnvironmentFile=-/etc/default/logstash
EnvironmentFile=-/etc/sysconfig/logstash
ExecStart=/usr/share/logstash/bin/logstash "--path.settings" "/etc/logstash"
Restart=always
WorkingDirectory=/
Nice=
LimitNOFILE=

[Install]
WantedBy=multi-user.target
Change User and Group to root
[Unit]
Description=logstash

[Service]
Type=simple
#User=logstash
#Group=logstash
User=root
Group=root
# Load env vars from /etc/default/ and /etc/sysconfig/ if they exist.
# Prefixing the path with '-' makes it try to load, but if the file doesn't
# exist, it continues onward.
EnvironmentFile=-/etc/default/logstash
EnvironmentFile=-/etc/sysconfig/logstash
ExecStart=/usr/share/logstash/bin/logstash "--path.settings" "/etc/logstash"
Restart=always
WorkingDirectory=/
Nice=
LimitNOFILE=

[Install]
WantedBy=multi-user.target
Save the file, run systemctl daemon-reload so that systemd reads the modified unit, then start the Logstash service again
[root@server- conf.d]# systemctl start logstash
Stop the process that holds port 514 and load the UDP listener configuration again in the foreground
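The fix above resolves the bind error by running all of Logstash as root. Before doing that it is worth confirming what the bind actually fails with, because the JRuby SocketError text in the log does not show the errno, and on this page the same port can fail for a second reason: the systemd service still holds 514 while a second copy is started in the foreground with logstash -f. The following Python is an added example, not code from the original post. It probes a port the way a fresh listener would and separates "privileged port" (EACCES) from "already in use" (EADDRINUSE); the filename bindprobe.py and the use of sudo -u logstash to run it as the service user are assumptions.

```python
"""Probe whether a syslog port can be bound by the current user, separating the
two failures this page runs into: a privileged port (EACCES) versus a port that
another Logstash instance already holds (EADDRINUSE)."""
import errno
import os
import socket
import sys

PRIVILEGED_PORT_MAX = 1023  # on Linux, ports <= 1023 need root or CAP_NET_BIND_SERVICE


def is_privileged_port(port: int) -> bool:
    return 0 < port <= PRIVILEGED_PORT_MAX


def probe_bind(port: int, proto: str = "udp", address: str = "0.0.0.0") -> str:
    """Try a plain bind like a new listener would.
    Returns "ok", "permission-denied", "in-use" or "error:<errno name>"."""
    kind = socket.SOCK_DGRAM if proto == "udp" else socket.SOCK_STREAM
    with socket.socket(socket.AF_INET, kind) as s:
        try:
            s.bind((address, port))
        except PermissionError:            # EACCES: privileged port, unprivileged user
            return "permission-denied"
        except OSError as e:
            if e.errno == errno.EADDRINUSE:  # another listener already holds the port
                return "in-use"
            return f"error:{errno.errorcode.get(e.errno, e.errno)}"
    return "ok"


def demo_in_use(proto: str = "udp") -> str:
    """Hold an ephemeral port, then probe it: what a second Logstash instance sees."""
    kind = socket.SOCK_DGRAM if proto == "udp" else socket.SOCK_STREAM
    with socket.socket(socket.AF_INET, kind) as holder:
        holder.bind(("0.0.0.0", 0))
        return probe_bind(holder.getsockname()[1], proto)


def advise(port: int, result: str) -> str:
    """Turn a probe result into the remediation a least-privilege deployment wants."""
    if result == "ok":
        return f"port {port} can be bound by this user"
    if result == "permission-denied" and is_privileged_port(port):
        return (f"port {port} is privileged: run the service as root (as this page does), "
                f"or keep User=logstash and add AmbientCapabilities=CAP_NET_BIND_SERVICE "
                f"to the unit, or listen on an unprivileged port such as {port + 5000} "
                f"and redirect {port} to it in the firewall")
    if result == "in-use":
        return (f"port {port} is already bound: another listener (for example the logstash "
                f"systemd service) is still running; stop it before starting a foreground copy")
    return f"port {port}: unexpected failure {result}"


if __name__ == "__main__":
    # Usage: sudo -u logstash python3 bindprobe.py 514   (assumed filename)
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 514
    for proto in ("udp", "tcp"):
        res = probe_bind(port, proto)
        print(f"uid={os.getuid()} {proto}/{port}: {res} -> {advise(port, res)}")
```

Run it as the service user before and after the unit change: as logstash on a stock system it reports permission-denied for both protocols, as root it reports ok, and while the systemd service is still up it reports in-use, which is the case the "stop the process that holds port 514" step above is handling.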
[root@server-1 conf.d]# logstash -f /etc/logstash/conf.d/cisco.conf
[INFO ] 2019-11-05 14:18:14.578 [Ruby-0-Thread-15: /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-input-syslog-3.4.1/lib/logstash/inputs/syslog.rb:109] syslog - Starting syslog udp listener {:address=>"0.0.0.0:514"}
[INFO ] 2019-11-05 14:18:14.595 [Ruby-0-Thread-16: /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-input-syslog-3.4.1/lib/logstash/inputs/syslog.rb:113] syslog - Starting syslog tcp listener {:address=>"0.0.0.0:514"}
[INFO ] 2019-11-05 14:18:53.164 [Ruby-0-Thread-17: /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-input-syslog-3.4.1/lib/logstash/inputs/syslog.rb:174] syslog - new connection {:client=>"172.28.18.71:40654"}
[INFO ] 2019-11-05 14:18:53.183 [Ruby-0-Thread-18: /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-input-syslog-3.4.1/lib/logstash/inputs/syslog.rb:174] syslog - new connection {:client=>"172.28.18.71:40656"}
Send data again to test
{
"@version" => "",
"logsource" => "localhost",
"priority" => ,
"facility" => ,
"host" => "172.28.18.71",
"@timestamp" => --05T06::.000Z,
"timestamp" => "Nov 5 14:18:53",
"program" => "systemd",
"facility_label" => "system",
"severity" => ,
"message" => "Stopping System Logging Service...\n",
"severity_label" => "Informational"
}
{
"@version" => "",
"logsource" => "localhost",
"priority" => ,
"facility" => ,
"host" => "172.28.18.71",
"@timestamp" => --05T06::.000Z,
"timestamp" => "Nov 5 14:18:53",
"program" => "rsyslogd",
"facility_label" => "syslogd",
"severity" => ,
"message" => "action 'action 0' resumed (module 'builtin:omfwd') [v8.24.0-34.el7 try http://www.rsyslog.com/e/2359 ]\n",
"severity_label" => "Informational"
}
Logstash now displays the log data. Modify the configuration file so that the logs are written to Elasticsearch
input {
    syslog {
        port => 514
    }
}
# output to Elasticsearch
output {
    elasticsearch {
        hosts => ["172.28.18.69:9200"]            # Elasticsearch service address
        index => "system-cisco-log-%{+YYYY.MM}"   # index to create, one per month
    }
}
Restart Logstash to load the configuration, then check the indices on the Elasticsearch server
[root@server- conf.d]# curl http://172.28.18.69:9200/_cat/indices
yellow open nginx-172.28.18.75-2019.11. WK6Zr5guQ7KSoCLPd8JjqQ .5mb .5mb
yellow open system-cisco-log-2019.11 IR__HXPvTfe3HNtQ1HOwFw .7kb .7kb
green open .kibana QkF9i3nXSAKlNLMLNROM1A .5kb .5kb
The index system-cisco-log-2019.11 has been created.
4. Configure the switch
Set the switch's syslog server to 172.28.18.69 (port 514), the same way rsyslog was pointed at it in the test above, and Logstash receives the switch logs.