Monitoring switch logs with ELK
1. First, deploy Logstash listening on port 514 and create a new config file, cisco.conf
The switch sends its logs to the log server through its syslog (rsyslog) client configuration, so Logstash has to listen on the syslog port, i.e. port 514. The syslog{} input plugin below opens both a UDP and a TCP listener on that port, as the startup log in step 2 shows.
[root@server- conf.d]# cd /etc/logstash/conf.d/
[root@server- conf.d]# vim cisco.conf
input {
  syslog {
    port => 514
  }
}
output {
  stdout {
    codec => rubydebug
  }
}
2. Load the config file
[root@server-1 conf.d]# logstash -f /etc/logstash/conf.d/cisco.conf
WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults
Could not find log4j2 configuration at path /usr/share/logstash/config/log4j2.properties. Using default config which logs errors to the console
[INFO ] 2019-11-05 14:18:11.331 [main] scaffold - Initializing module {:module_name=>"fb_apache", :directory=>"/usr/share/logstash/modules/fb_apache/configuration"}
[INFO ] 2019-11-05 14:18:11.339 [main] scaffold - Initializing module {:module_name=>"netflow", :directory=>"/usr/share/logstash/modules/netflow/configuration"}
[WARN ] 2019-11-05 14:18:12.069 [LogStash::Runner] multilocal - Ignoring the 'pipelines.yml' file because modules or command line options are specified
[INFO ] 2019-11-05 14:18:12.376 [LogStash::Runner] runner - Starting Logstash {"logstash.version"=>"6.2.4"}
[INFO ] 2019-11-05 14:18:12.621 [Api Webserver] agent - Successfully started Logstash API endpoint {:port=>9600}
[INFO ] 2019-11-05 14:18:13.955 [Ruby-0-Thread-1: /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/stud-0.0.23/lib/stud/task.rb:22] pipeline - Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>4, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50}
[INFO ] 2019-11-05 14:18:14.536 [Ruby-0-Thread-1: /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/stud-0.0.23/lib/stud/task.rb:22] pipeline - Pipeline started successfully {:pipeline_id=>"main", :thread=>"#<Thread:0x24057f7e@/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:247 run>"}
[INFO ] 2019-11-05 14:18:14.545 [Ruby-0-Thread-1: /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/stud-0.0.23/lib/stud/task.rb:22] agent - Pipelines running {:count=>1, :pipelines=>["main"]}
[INFO ] 2019-11-05 14:18:14.578 [Ruby-0-Thread-15: /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-input-syslog-3.4.1/lib/logstash/inputs/syslog.rb:109] syslog - Starting syslog udp listener {:address=>"0.0.0.0:514"}
[INFO ] 2019-11-05 14:18:14.595 [Ruby-0-Thread-16: /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-input-syslog-3.4.1/lib/logstash/inputs/syslog.rb:113] syslog - Starting syslog tcp listener {:address=>"0.0.0.0:514"}
3. Test over UDP
First check whether port 514 is being listened on
[root@server- conf.d]# netstat -tunlp|grep java
tcp6 ::: :::* LISTEN /java
tcp6 172.28.18.69: :::* LISTEN /java
tcp6 ::: :::* LISTEN /java
tcp6 172.28.18.69: :::* LISTEN /java
tcp6 127.0.0.1: :::* LISTEN /java
tcp6 172.28.18.69: :::* LISTEN /java
udp 0.0.0.0: 0.0.0.0:* /java
Then capture on port 514 with tcpdump to confirm that packets are actually arriving
[root@server- conf.d]# tcpdump -i em1 udp port -c -n -vvv
tcpdump: listening on em1, link-type EN10MB (Ethernet), capture size bytes
On another server, 172.28.18.71, set the rsyslog forwarding target and it will send its logs to port 514
[root@localhost ~]# vim /etc/rsyslog.conf
Under "RULES" add the line "*.* @@172.28.18.69". Note the rsyslog syntax: a single @ forwards over UDP, a double @@ forwards over TCP, so this line actually sends over TCP (which is why Logstash later logs "new connection" from 172.28.18.71); use "*.* @172.28.18.69" to exercise the UDP listener. Either way the forwarding is in cleartext, and *.* sends every message from every facility, including the authpriv entries for the SSH logins seen below; rsyslog can encrypt the transport with its gtls driver if the path to the collector is not trusted.
#### RULES ####
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
*.* @@172.28.18.69
Restart the rsyslog service
[root@localhost ~]# systemctl restart rsyslog
Then log in to 172.28.18.71 again over SSH; the tcpdump capture on port 514 on 172.28.18.69 now shows the packets (the login itself produces the sshd / systemd-logind events below)
[root@server- conf.d]# tcpdump -i em1 udp port -c -n -vvv
tcpdump: listening on em1, link-type EN10MB (Ethernet), capture size bytes
::09.093962 IP (tos 0x0, ttl , id , offset , flags [DF], proto UDP (), length )
172.28.18.71. > 172.28.18.69.syslog: [udp sum ok] SYSLOG, length:
Facility authpriv (), Severity info ()
Msg: Nov :: localhost sshd[]: Accepted password for root from 172.28.146.109 port ssh2
0x0000: 3c38 363e 4e6f 303a
0x0010: 3a30 6c6f 6c68 6f73
0x0020: 5b36 375d 3a20
0x0030: 6f72 666f
0x0040: 726f 6f74 726f 6d20 322e
0x0050: 2e31 2e31 6f72
0x0060:
::09.101472 IP (tos 0x0, ttl , id , offset , flags [DF], proto UDP (), length )
172.28.18.71. > 172.28.18.69.syslog: [udp sum ok] SYSLOG, length:
Facility auth (), Severity info ()
Msg: Nov :: localhost systemd-logind: New session of user root.
0x0000: 3c33 383e 4e6f 303a
0x0010: 3a30 6c6f 6c68 6f73
0x0020: 656d 642d 6c6f 6e64 3a20 4e65
0x0030: 696f 6e20 206f
0x0040: 6f6f 742e
::09.101738 IP (tos 0x0, ttl , id , offset , flags [DF], proto UDP (), length )
172.28.18.71. > 172.28.18.69.syslog: [udp sum ok] SYSLOG, length:
Facility daemon (), Severity info ()
Msg: Nov :: localhost systemd: Started Session of user root.
0x0000: 3c33 303e 4e6f 303a
0x0010: 3a30 6c6f 6c68 6f73
0x0020: 656d 643a
0x0030: 6f6e 6f66
0x0040: 726f 6f74 2e
::09.102645 IP (tos 0x0, ttl , id , offset , flags [DF], proto UDP (), length )
172.28.18.71. > 172.28.18.69.syslog: [udp sum ok] SYSLOG, length:
Facility authpriv (), Severity info ()
Msg: Nov :: localhost sshd[]: pam_unix(sshd:session): session opened for user root by (uid=)
0x0000: 3c38 363e 4e6f 303a
0x0010: 3a30 6c6f 6c68 6f73
0x0020: 5b36 375d 3a20 6d5f 756e
0x0030: 643a 696f 6e29
0x0040: 3a20 696f 6e20 6f70 656e
0x0050: 6f72 726f 6f74
0x0060: 3d30
But Logstash prints nothing to the console. Check the Logstash log:
[root@server- log]# tail -f /home/logstash/log/logstash-plain.log
ck in start_input'"]}
[--05T10::,][INFO ][logstash.inputs.udp ] Starting UDP listener {:address=>"0.0.0.0:514"}
[--05T10::,][WARN ][logstash.inputs.udp ] UDP listener died {:exception=>#<SocketError: bind: name or service not known>, :backtrace=>["org/jruby/ext/socket/RubyUDPSocket.java:200:in `bind'", "/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-input-udp-3.3.1/lib/logstash/inputs/udp.rb:101:in `udp_listener'", "/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-input-udp-3.3.1/lib/logstash/inputs/udp.rb:57:in `run'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:514:in `inputworker'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:507:in `block in start_input'"]}
[--05T10::,][INFO ][logstash.inputs.udp ] Starting UDP listener {:address=>"0.0.0.0:514"}
[--05T10::,][WARN ][logstash.inputs.udp ] UDP listener died {:exception=>#<SocketError: bind: name or service not known>, :backtrace=>["org/jruby/ext/socket/RubyUDPSocket.java:200:in `bind'", "/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-input-udp-3.3.1/lib/logstash/inputs/udp.rb:101:in `udp_listener'", "/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-input-udp-3.3.1/lib/logstash/inputs/udp.rb:57:in `run'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:514:in `inputworker'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:507:in `block in start_input'"]}
The log reports the error exception=>#<SocketError: bind: name or service not known>. A quick search shows the cause: port 514 is a privileged port (below 1024), which only root, or a process holding the CAP_NET_BIND_SERVICE capability, may bind, while the logstash service runs as the logstash user by default. That is also why the foreground run in step 2 worked: it was started from a root shell. The fix used here is to change the user the logstash service runs as. Caveat: running a network-facing collector as root means any bug in Logstash or one of its plugins yields root on the log server; the less privileged alternatives are to grant the JVM binary cap_net_bind_service with setcap, or to keep Logstash on an unprivileged port such as 5140 and redirect 514 to it with a firewall REDIRECT rule.
Stop the logstash service
[root@server- conf.d]# systemctl stop logstash
Edit the service unit
[root@server- conf.d]# vim /etc/systemd/system/logstash.service
[Unit]
Description=logstash

[Service]
Type=simple
User=logstash
Group=logstash
# Load env vars from /etc/default/ and /etc/sysconfig/ if they exist.
# Prefixing the path with '-' makes it try to load, but if the file doesn't
# exist, it continues onward.
EnvironmentFile=-/etc/default/logstash
EnvironmentFile=-/etc/sysconfig/logstash
ExecStart=/usr/share/logstash/bin/logstash "--path.settings" "/etc/logstash"
Restart=always
WorkingDirectory=/
Nice=
LimitNOFILE=

[Install]
WantedBy=multi-user.target
Change User and Group to root (the original lines are left commented out):
[Unit]
Description=logstash

[Service]
Type=simple
#User=logstash
#Group=logstash
User=root
Group=root
# Load env vars from /etc/default/ and /etc/sysconfig/ if they exist.
# Prefixing the path with '-' makes it try to load, but if the file doesn't
# exist, it continues onward.
EnvironmentFile=-/etc/default/logstash
EnvironmentFile=-/etc/sysconfig/logstash
ExecStart=/usr/share/logstash/bin/logstash "--path.settings" "/etc/logstash"
Restart=always
WorkingDirectory=/
Nice=
LimitNOFILE=

[Install]
WantedBy=multi-user.target
Save, run systemctl daemon-reload so that systemd picks up the edited unit, then start the logstash service
[root@server- conf.d]# systemctl start logstash
Stop whichever Logstash process currently holds port 514, then reload the listener config in the foreground again. The startup messages are the same as in step 2; the new lines are the TCP connections from the rsyslog client:
[root@server-1 conf.d]# logstash -f /etc/logstash/conf.d/cisco.conf
[INFO ] 2019-11-05 14:18:53.164 [Ruby-0-Thread-17: /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-input-syslog-3.4.1/lib/logstash/inputs/syslog.rb:174] syslog - new connection {:client=>"172.28.18.71:40654"}
[INFO ] 2019-11-05 14:18:53.183 [Ruby-0-Thread-18: /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-input-syslog-3.4.1/lib/logstash/inputs/syslog.rb:174] syslog - new connection {:client=>"172.28.18.71:40656"}
Send data again; the events now appear on the console:
{
"@version" => "",
"logsource" => "localhost",
"priority" => ,
"facility" => ,
"host" => "172.28.18.71",
"@timestamp" => --05T06::.000Z,
"timestamp" => "Nov 5 14:18:53",
"program" => "systemd",
"facility_label" => "system",
"severity" => ,
"message" => "Stopping System Logging Service...\n",
"severity_label" => "Informational"
}
{
"@version" => "",
"logsource" => "localhost",
"priority" => ,
"facility" => ,
"host" => "172.28.18.71",
"@timestamp" => --05T06::.000Z,
"timestamp" => "Nov 5 14:18:53",
"program" => "rsyslogd",
"facility_label" => "syslogd",
"severity" => ,
"message" => "action 'action 0' resumed (module 'builtin:omfwd') [v8.24.0-34.el7 try http://www.rsyslog.com/e/2359 ]\n",
"severity_label" => "Informational"
}
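The tcpdump output in step 3 and the rubydebug events above both hinge on the <PRI> field at the start of each syslog line: the bytes 3c38 363e are "<86>", and 86 = 10 x 8 + 6, i.e. facility authpriv, severity info, which is exactly what Logstash decodes into the priority / facility / severity / *_label fields. The following is an added example, not code from the original post or from Logstash, that encodes and decodes RFC 3164 lines the same way (the facility/severity label tables are the ones the Logstash syslog input uses) and can fire a test message at the collector over UDP or TCP so the pipeline can be checked without a switch. The sample lines, pids and port numbers in it are constructed; the collector address 172.28.18.69 is the one from the post.

```python
"""RFC 3164 (BSD syslog) encoder/decoder plus UDP/TCP test senders.

Added example, not part of the original post or of Logstash. It produces the
same kind of messages rsyslog/the switch sends and shows how the <PRI> header
turns into facility/severity fields.
"""
import re
import socket

# Labels as emitted by Logstash's syslog input (facility_label / severity_label).
FACILITY_LABELS = [
    "kernel", "user-level", "mail", "system", "security/authorization",
    "syslogd", "line printer", "network news", "UUCP", "clock",
    "security/authorization", "FTP", "NTP", "log audit", "log alert",
    "clock", "local0", "local1", "local2", "local3", "local4", "local5",
    "local6", "local7",
]
SEVERITY_LABELS = [
    "Emergency", "Alert", "Critical", "Error", "Warning", "Notice",
    "Informational", "Debug",
]

# <PRI>TIMESTAMP HOST TAG: MSG  (TIMESTAMP = "Mmm d hh:mm:ss", TAG = prog[pid])
_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<program>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<message>.*)$",
    re.DOTALL,
)


def build_syslog(facility, severity, timestamp, host, program, message, pid=None):
    """Encode one BSD syslog line. PRI = facility * 8 + severity."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    tag = f"{program}[{pid}]" if pid is not None else program
    return f"<{facility * 8 + severity}>{timestamp} {host} {tag}: {message}".encode()


def parse_syslog(data):
    """Decode one line into the fields the Logstash syslog input produces."""
    # rsyslog over TCP terminates each record with "\n"; strip it first.
    m = _SYSLOG_RE.match(data.decode("utf-8", errors="replace").rstrip("\n"))
    if m is None:
        raise ValueError("not an RFC 3164 syslog line: %r" % data[:40])
    pri = int(m.group("pri"))
    if pri > 191:  # highest legal value is 23 * 8 + 7
        raise ValueError("PRI out of range: %d" % pri)
    facility, severity = divmod(pri, 8)
    return {
        "priority": pri,
        "facility": facility,
        "facility_label": FACILITY_LABELS[facility],
        "severity": severity,
        "severity_label": SEVERITY_LABELS[severity],
        "timestamp": m.group("timestamp"),
        "logsource": m.group("host"),
        "program": m.group("program"),
        "pid": m.group("pid"),  # None when the TAG carries no [pid]
        "message": m.group("message"),
    }


def send_udp(data, collector, port=514):
    """One datagram per message: what "*.* @host" in rsyslog.conf does."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(data, (collector, port))


def send_tcp(data, collector, port=514):
    """Newline-framed record on a TCP stream: what "*.* @@host" does."""
    with socket.create_connection((collector, port), timeout=5) as s:
        s.sendall(data + b"\n")


# Constructed sample lines modelled on the tcpdump output in step 3
# (authpriv=10, auth=4, daemon=3; all severity info=6). Pids/ports are made up.
SAMPLES = [
    b"<86>Nov  5 14:18:09 localhost sshd[4567]: Accepted password for root "
    b"from 172.28.146.109 port 50234 ssh2",
    b"<38>Nov  5 14:18:09 localhost systemd-logind: New session 12 of user root.",
    b"<30>Nov  5 14:18:09 localhost systemd: Started Session 12 of user root.",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(parse_syslog(line))
    # To exercise the Logstash listener, point one of these at the collector:
    # send_udp(SAMPLES[0], "172.28.18.69")
    # send_tcp(SAMPLES[0], "172.28.18.69")
```

A useful check while tuning the pipeline is to send the same constructed line with send_udp and with send_tcp and confirm the rubydebug output shows identical facility/severity fields; only the transport differs, and Logstash logs a "new connection" line for the TCP case.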
Logstash now shows the log data. Modify the config file so the output goes to Elasticsearch:
input {
  syslog {
    port => 514
  }
}
# output to Elasticsearch
output {
  elasticsearch {
    hosts => ["172.28.18.69:9200"]            # Elasticsearch service address
    index => "system-cisco-log-%{+YYYY.MM}"   # index to create, one per month
  }
}
Restart Logstash to load the new config, then list the indices on the Elasticsearch server
[root@server- conf.d]# curl http://172.28.18.69:9200/_cat/indices
yellow open nginx-172.28.18.75-2019.11. WK6Zr5guQ7KSoCLPd8JjqQ .5mb .5mb
yellow open system-cisco-log-2019.11 IR__HXPvTfe3HNtQ1HOwFw .7kb .7kb
green open .kibana QkF9i3nXSAKlNLMLNROM1A .5kb .5kb
The system-cisco-log-2019.11 index has been created.
4. Configure the switch

With that, Logstash receives the switch logs.