Monitoring Switch Logs with ELK
1. First, deploy Logstash listening on UDP port 514 and create a new configuration file, cisco.conf
The switch sends its logs to the log server through the syslog server address configured on it, so Logstash has to listen on the syslog port, i.e. port 514.
[root@server- conf.d]# cd /etc/logstash/conf.d/
[root@server- conf.d]# vim cisco.conf
input{
    syslog{
        port => 514
    }
}
output{
    stdout{
        codec => rubydebug
    }
}
2. Load the configuration file
[root@server-1 conf.d]# logstash -f /etc/logstash/conf.d/cisco.conf
WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults
Could not find log4j2 configuration at path /usr/share/logstash/config/log4j2.properties. Using default config which logs errors to the console
[INFO ] 2019-11-05 14:18:11.331 [main] scaffold - Initializing module {:module_name=>"fb_apache", :directory=>"/usr/share/logstash/modules/fb_apache/configuration"}
[INFO ] 2019-11-05 14:18:11.339 [main] scaffold - Initializing module {:module_name=>"netflow", :directory=>"/usr/share/logstash/modules/netflow/configuration"}
[WARN ] 2019-11-05 14:18:12.069 [LogStash::Runner] multilocal - Ignoring the 'pipelines.yml' file because modules or command line options are specified
[INFO ] 2019-11-05 14:18:12.376 [LogStash::Runner] runner - Starting Logstash {"logstash.version"=>"6.2.4"}
[INFO ] 2019-11-05 14:18:12.621 [Api Webserver] agent - Successfully started Logstash API endpoint {:port=>9600}
[INFO ] 2019-11-05 14:18:13.955 [Ruby-0-Thread-1: /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/stud-0.0.23/lib/stud/task.rb:22] pipeline - Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>4, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50}
[INFO ] 2019-11-05 14:18:14.536 [Ruby-0-Thread-1: /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/stud-0.0.23/lib/stud/task.rb:22] pipeline - Pipeline started successfully {:pipeline_id=>"main", :thread=>"#<Thread:0x24057f7e@/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:247 run>"}
[INFO ] 2019-11-05 14:18:14.545 [Ruby-0-Thread-1: /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/stud-0.0.23/lib/stud/task.rb:22] agent - Pipelines running {:count=>1, :pipelines=>["main"]}
[INFO ] 2019-11-05 14:18:14.578 [Ruby-0-Thread-15: /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-input-syslog-3.4.1/lib/logstash/inputs/syslog.rb:109] syslog - Starting syslog udp listener {:address=>"0.0.0.0:514"}
[INFO ] 2019-11-05 14:18:14.595 [Ruby-0-Thread-16: /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-input-syslog-3.4.1/lib/logstash/inputs/syslog.rb:113] syslog - Starting syslog tcp listener {:address=>"0.0.0.0:514"}
3. Test UDP
First, check whether port 514 is being listened on
[root@server- conf.d]# netstat -tunlp|grep java
tcp6 ::: :::* LISTEN /java
tcp6 172.28.18.69: :::* LISTEN /java
tcp6 ::: :::* LISTEN /java
tcp6 172.28.18.69: :::* LISTEN /java
tcp6 127.0.0.1: :::* LISTEN /java
tcp6 172.28.18.69: :::* LISTEN /java
udp 0.0.0.0: 0.0.0.0:* /java
Then use tcpdump to capture packets on port 514 and confirm that packets are arriving
[root@server- conf.d]# tcpdump -i em1 udp port -c -n -vvv
tcpdump: listening on em1, link-type EN10MB (Ethernet), capture size bytes
On another server, 172.28.18.71, configure the rsyslog forwarding address and it will send its logs to port 514
[root@localhost ~]# vim /etc/rsyslog.conf
Under "RULES", add the line *.* @@172.28.18.69 (in rsyslog's legacy syntax a single @ forwards over UDP and @@ forwards over TCP; the Logstash syslog input started above listens on both)
#### RULES ####
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
*.* @@172.28.18.69
Restart the rsyslog service
[root@localhost ~]# systemctl restart rsyslog
Then log in to 172.28.18.71 again; tcpdump on 172.28.18.69 now shows the packets captured on port 514
[root@server- conf.d]# tcpdump -i em1 udp port -c -n -vvv
tcpdump: listening on em1, link-type EN10MB (Ethernet), capture size bytes
::09.093962 IP (tos 0x0, ttl , id , offset , flags [DF], proto UDP (), length )
172.28.18.71. > 172.28.18.69.syslog: [udp sum ok] SYSLOG, length:
Facility authpriv (), Severity info ()
Msg: Nov :: localhost sshd[]: Accepted password for root from 172.28.146.109 port ssh2
::09.101472 IP (tos 0x0, ttl , id , offset , flags [DF], proto UDP (), length )
172.28.18.71. > 172.28.18.69.syslog: [udp sum ok] SYSLOG, length:
Facility auth (), Severity info ()
Msg: Nov :: localhost systemd-logind: New session of user root.
::09.101738 IP (tos 0x0, ttl , id , offset , flags [DF], proto UDP (), length )
172.28.18.71. > 172.28.18.69.syslog: [udp sum ok] SYSLOG, length:
Facility daemon (), Severity info ()
Msg: Nov :: localhost systemd: Started Session of user root.
::09.102645 IP (tos 0x0, ttl , id , offset , flags [DF], proto UDP (), length )
172.28.18.71. > 172.28.18.69.syslog: [udp sum ok] SYSLOG, length:
Facility authpriv (), Severity info ()
Msg: Nov :: localhost sshd[]: pam_unix(sshd:session): session opened for user root by (uid=)
But Logstash prints nothing to the console. Check the Logstash log:
[root@server- log]# tail -f /home/logstash/log/logstash-plain.log
[--05T10::,][INFO ][logstash.inputs.udp ] Starting UDP listener {:address=>"0.0.0.0:514"}
[--05T10::,][WARN ][logstash.inputs.udp ] UDP listener died {:exception=>#<SocketError: bind: name or service not known>, :backtrace=>["org/jruby/ext/socket/RubyUDPSocket.java:200:in `bind'", "/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-input-udp-3.3.1/lib/logstash/inputs/udp.rb:101:in `udp_listener'", "/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-input-udp-3.3.1/lib/logstash/inputs/udp.rb:57:in `run'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:514:in `inputworker'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:507:in `block in start_input'"]}
[--05T10::,][INFO ][logstash.inputs.udp ] Starting UDP listener {:address=>"0.0.0.0:514"}
[--05T10::,][WARN ][logstash.inputs.udp ] UDP listener died {:exception=>#<SocketError: bind: name or service not known>, :backtrace=>["org/jruby/ext/socket/RubyUDPSocket.java:200:in `bind'", "/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-input-udp-3.3.1/lib/logstash/inputs/udp.rb:101:in `udp_listener'", "/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-input-udp-3.3.1/lib/logstash/inputs/udp.rb:57:in `run'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:514:in `inputworker'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:507:in `block in start_input'"]}
The log reports the error exception=>#<SocketError: bind: name or service not known>. A search on Baidu shows that port 514 can only be bound by the root user, whereas the Logstash service runs as the logstash user by default, so the user the service runs as has to be changed.
Stop the Logstash service
[root@server- conf.d]# systemctl stop logstash
Edit the service configuration
[root@server- conf.d]# vim /etc/systemd/system/logstash.service
[Unit]
Description=logstash
[Service]
Type=simple
User=logstash
Group=logstash
# Load env vars from /etc/default/ and /etc/sysconfig/ if they exist.
# Prefixing the path with '-' makes it try to load, but if the file doesn't
# exist, it continues onward.
EnvironmentFile=-/etc/default/logstash
EnvironmentFile=-/etc/sysconfig/logstash
ExecStart=/usr/share/logstash/bin/logstash "--path.settings" "/etc/logstash"
Restart=always
WorkingDirectory=/
Nice=
LimitNOFILE=
[Install]
WantedBy=multi-user.target
Change User and Group to root. Note that this runs the whole Logstash JVM as root just to bind one privileged port; the least-privilege alternative is to have Logstash listen on an unprivileged port (for example 5514) and point rsyslog or the switches at that port, or to grant the service only the CAP_NET_BIND_SERVICE capability.
[Unit]
Description=logstash
[Service]
Type=simple
#User=logstash
#Group=logstash
User=root
Group=root
# Load env vars from /etc/default/ and /etc/sysconfig/ if they exist.
# Prefixing the path with '-' makes it try to load, but if the file doesn't
# exist, it continues onward.
EnvironmentFile=-/etc/default/logstash
EnvironmentFile=-/etc/sysconfig/logstash
ExecStart=/usr/share/logstash/bin/logstash "--path.settings" "/etc/logstash"
Restart=always
WorkingDirectory=/
Nice=
LimitNOFILE=
[Install]
WantedBy=multi-user.target
Save and restart the Logstash service
[root@server- conf.d]# systemctl start logstash
Kill the process listening on port 514 and reload the UDP listener configuration file
[root@server-1 conf.d]# logstash -f /etc/logstash/conf.d/cisco.conf
[INFO ] 2019-11-05 14:18:53.164 [Ruby-0-Thread-17: /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-input-syslog-3.4.1/lib/logstash/inputs/syslog.rb:174] syslog - new connection {:client=>"172.28.18.71:40654"}
[INFO ] 2019-11-05 14:18:53.183 [Ruby-0-Thread-18: /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-input-syslog-3.4.1/lib/logstash/inputs/syslog.rb:174] syslog - new connection {:client=>"172.28.18.71:40656"}
Send test data again
{
    "@version" => "",
    "logsource" => "localhost",
    "priority" => ,
    "facility" => ,
    "host" => "172.28.18.71",
    "@timestamp" => --05T06::.000Z,
    "timestamp" => "Nov 5 14:18:53",
    "program" => "systemd",
    "facility_label" => "system",
    "severity" => ,
    "message" => "Stopping System Logging Service...\n",
    "severity_label" => "Informational"
}
{
    "@version" => "",
    "logsource" => "localhost",
    "priority" => ,
    "facility" => ,
    "host" => "172.28.18.71",
    "@timestamp" => --05T06::.000Z,
    "timestamp" => "Nov 5 14:18:53",
    "program" => "rsyslogd",
    "facility_label" => "syslogd",
    "severity" => ,
    "message" => "action 'action 0' resumed (module 'builtin:omfwd') [v8.24.0-34.el7 try http://www.rsyslog.com/e/2359 ]\n",
    "severity_label" => "Informational"
}
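To make clear what the syslog input does with the <PRI> prefix seen in the tcpdump capture (<86>, <38>, <30>) to produce the priority, facility and severity fields above, here is an added Python example (not part of the original post and not Logstash's own code) that decodes RFC 3164 lines using the same default label tables as the Logstash syslog input; the sample payloads are constructed, and the parse_syslog name is my own.

```python
import re

# Label tables in the order the Logstash syslog input uses by default, so
# facility 3 -> "system" and 5 -> "syslogd" as in the rubydebug records above.
FACILITY_LABELS = [
    "kernel", "user-level", "mail", "system", "security/authorization",
    "syslogd", "line printer", "network news", "UUCP", "clock",
    "security/authorization", "FTP", "NTP", "log audit", "log alert",
    "clock", "local0", "local1", "local2", "local3", "local4", "local5",
    "local6", "local7",
]
SEVERITY_LABELS = ["Emergency", "Alert", "Critical", "Error", "Warning",
                   "Notice", "Informational", "Debug"]

# RFC 3164 (BSD syslog) line: <PRI>Mmm dd hh:mm:ss HOST PROGRAM[PID]: MESSAGE
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<logsource>\S+) (?P<program>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: ?(?P<message>.*)$"
)

def parse_syslog(line, host):
    """Decode one datagram payload the way the syslog input does. PRI is
    facility * 8 + severity, so <86> is authpriv(10).info(6); invalid -> None."""
    m = SYSLOG_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # 23 * 8 + 7 is the largest legal PRI value
        return None
    facility, severity = divmod(pri, 8)
    return {
        "host": host,  # sender address, which Logstash takes from the socket
        "priority": pri,
        "facility": facility,
        "facility_label": FACILITY_LABELS[facility],
        "severity": severity,
        "severity_label": SEVERITY_LABELS[severity],
        "timestamp": m.group("timestamp"),
        "logsource": m.group("logsource"),
        "program": m.group("program"),
        "pid": int(m.group("pid")) if m.group("pid") else None,
        "message": m.group("message"),
    }
# Constructed sample payloads (not from the capture): the <86>, <38> and <30>
# prefixes match the authpriv.info, auth.info and daemon.info packets above.
SAMPLE_LINES = [
    "<86>Nov  5 14:18:09 localhost sshd[67]: Accepted password for root from 172.28.146.109 port 50022 ssh2",
    "<38>Nov  5 14:18:09 localhost systemd-logind: New session 12 of user root.",
    "<30>Nov  5 14:18:09 localhost systemd: Started Session 12 of user root.\n",
]
```

Running parse_syslog over SAMPLE_LINES gives the same facility_label/severity_label pairs Logstash printed, which is a quick way to sanity-check what a device is sending before the data reaches Elasticsearch.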
Logstash now shows the log data. Modify the configuration file to output the logs to Elasticsearch:
input{
    syslog{
        port => 514
    }
}
# output to elasticsearch
output{
    elasticsearch{
        hosts => ["172.28.18.69:9200"]   # elasticsearch service address
        index => "system-cisco-log-%{+YYYY.MM}"   # index to create
    }
}
Restart to reload the configuration file, then check the indices on the Elasticsearch server
[root@server- conf.d]# curl http://172.28.18.69:9200/_cat/indices
yellow open nginx-172.28.18.75-2019.11. WK6Zr5guQ7KSoCLPd8JjqQ .5mb .5mb
yellow open system-cisco-log-2019.11 IR__HXPvTfe3HNtQ1HOwFw .7kb .7kb
green open .kibana QkF9i3nXSAKlNLMLNROM1A .5kb .5kb
The system-cisco-log-2019.11 index has been created
4. Configure the switch
With that, Logstash can receive the switch logs