Ingesting network device (H3C) logs into ELK

Architecture
switch --> rsyslog --> filebeat --> logstash --> elasticsearch --> kibana

Disable SELinux and the firewall (lab shortcut)

The steps below switch both off on the collector. If the collector is reachable from more than the management network, keep firewalld and open only the listener ports this setup uses (514/udp and 514/tcp for syslog from the switches, 5044/tcp for Filebeat to Logstash) instead of disabling it.

setenforce 0    # temporary, until the next reboot
sed -i 's#SELINUX=enforcing#SELINUX=disabled#g' /etc/selinux/config    # permanent, takes effect after reboot
systemctl stop firewalld.service
systemctl disable firewalld.service

Check whether rsyslog is installed (CentOS 7 normally ships it by default)

rpm -qa |grep rsyslog

Edit rsyslog.conf as follows. imudp and imtcp open port 514, local6 is excluded from /var/log/messages (local6.none), and the h3c template writes everything received with facility local6 to a file named after the sending device's IP address. Keep in mind that syslog over UDP is unauthenticated: the file a message lands in is chosen purely by its source IP, so any host that can reach port 514 can append to these files.

[root@testhost mnt]# grep -v "^#\|^$" /etc/rsyslog.conf
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
*.info;mail.none;authpriv.none;cron.none;local6.none                /var/log/messages
$template h3c,"/mnt/h3c/%FROMHOST-IP%.log"
local6.* ?h3c
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 :omusrmsg:*
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log

Restart the rsyslog service

systemctl restart rsyslog.service

Check that the service ports are listening

[root@testhost mnt]# netstat -antupl |grep syslog
tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN      4772/rsyslogd       
tcp6       0      0 :::514                  :::*                    LISTEN      4772/rsyslogd       
udp        0      0 0.0.0.0:514             0.0.0.0:*                           4772/rsyslogd       
udp6       0      0 :::514                  :::*                                4772/rsyslogd       

Create the log directory

The directory below was created with mode 777. That is broader than needed: rsyslog creates the per-device files as root with mode 600 (see the listing further down), and Filebeat from the RPM also runs as root, so 755 is enough and stops any local user from writing into or deleting device logs.

[root@testhost mnt]# ll
total 0
drwxrwxrwx. 2 root root 29 Oct 28 20:50 h3c
[root@testhost mnt]# pwd
/mnt

H3C switch configuration

dis curr | inc info-center abbreviates display current-configuration | include info-center. The local log file on the switch is disabled, log messages are sourced from Vlan-interface3, and the log host 192.168.10.100 is sent facility local6, which is the facility the rsyslog rule local6.* ?h3c selects on.

<H3C>dis curr | inc info-center
 undo info-center logfile enable
 info-center loghost source Vlan-interface3
 info-center loghost 192.168.10.100 facility local6

After a command is entered on the switch to trigger a log message, the corresponding log file, containing the switch's log entries, appears under /mnt/h3c/:

[root@testhost h3c]# ll
total 4
-rw-------. 1 root root 925 Oct 28 21:02 192.168.10.111.log
[root@testhost h3c]# pwd
/mnt/h3c
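To check the rsyslog side without a switch, the following script (an added example, not part of the original article) builds an RFC 3164 datagram with the facility and severity encoded in the PRI field and can send it to the collector address the switch uses, 192.168.10.100:514/udp. Run it from another host with --send and a new /mnt/h3c/<that host's IP>.log should appear, because local6.* routes to the h3c template and the template names files by %FROMHOST-IP%. The message body is constructed in Comware style here and is not a real device line.

```python
#!/usr/bin/env python3
"""Send a test syslog message with facility local6 to the rsyslog collector.

Added example: verifies the rsyslog rule `local6.* ?h3c` and the
%FROMHOST-IP% file naming without a switch. The collector address is the
one the article configures on the H3C switch; the body is constructed.
"""
import socket
import sys
from datetime import datetime

# Syslog facility and severity codes (RFC 3164 / RFC 5424).
FACILITIES = {"local0": 16, "local1": 17, "local2": 18, "local3": 19,
              "local4": 20, "local5": 21, "local6": 22, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]


def pri(facility: str, severity: str) -> int:
    """PRI = facility * 8 + severity; rsyslog selectors match on both halves."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def decode_pri(value: int) -> tuple:
    """Inverse of pri(), handy when checking a datagram captured with tcpdump."""
    fac, sev = divmod(value, 8)
    fac_name = next((n for n, c in FACILITIES.items() if c == fac), str(fac))
    sev_name = next((n for n, c in SEVERITIES.items() if c == sev), str(sev))
    return fac_name, sev_name


def rfc3164_timestamp(when: datetime) -> str:
    """MMM DD hh:mm:ss with a space-padded day, independent of locale."""
    return f"{MONTHS[when.month - 1]} {when.day:2d} {when:%H:%M:%S}"


def build_datagram(facility: str, severity: str, hostname: str,
                   msg: str, when: datetime) -> bytes:
    """RFC 3164 style line: <PRI>MMM DD hh:mm:ss HOSTNAME MSG."""
    return f"<{pri(facility, severity)}>{rfc3164_timestamp(when)} {hostname} {msg}".encode()


def example_datagram() -> bytes:
    """Fixed-time sample; the Comware-style body is constructed, not captured."""
    body = ("%%10SHELL/5/SHELL_LOGIN: -Line=vty0-IPAddr=192.168.10.1-User=admin; "
            "admin logged in from 192.168.10.1")
    return build_datagram("local6", "notice", "H3C", body,
                          datetime(2021, 10, 28, 21, 2, 5))


def send(datagram: bytes, collector=("192.168.10.100", 514)) -> int:
    """Fire the datagram at the collector over UDP; returns bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(datagram, collector)


if __name__ == "__main__":
    dgram = build_datagram("local6", "notice", "H3C",
                           "%%10SHELL/5/SHELL_LOGIN: test message from the collector check",
                           datetime.now())
    print(dgram.decode())
    if len(sys.argv) > 1 and sys.argv[1] == "--send":
        send(dgram)
        # A new line should now be in /mnt/h3c/<this host's IP>.log on the collector.
```

Sending with facility local7 instead (the usual default for network gear) is a quick way to confirm the negative case: the message then matches neither local6.* nor the /var/log/messages selector that excludes only local6, so it ends up in /var/log/messages rather than /mnt/h3c/.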

Download and install Filebeat (the ELK stack itself was installed earlier)

wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.8.1-x86_64.rpm
rpm -ivh filebeat-7.8.1-x86_64.rpm

Edit the Filebeat configuration to ship the rsyslog files to Logstash. Note that include_lines is an allow-list: a line that matches none of the patterns is discarded before it ever reaches Logstash, so check that the events you want to keep (logins, failed logins, interface state changes) are actually covered by the patterns. add_cloud_metadata can be dropped on a bare-metal host.

[root@testhost ~]# grep -v "^#\|^$\|^  #" /etc/filebeat/filebeat.yml 
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /mnt/h3c/*
  tags: ["h3c"]
  include_lines: ['LOGIN','Failed','failed','error','ERROR','\bDOWN\b','\bdown\b','\bUP\b','\bup\b']
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false
setup.template.settings:
  index.number_of_shards: 3
output.logstash:
  hosts: ["localhost:5044"]
processors:
  - add_host_metadata: ~
  - add_cloud_metadata: ~

Add the Logstash pipeline file networklog.conf (create it if it does not exist). The huawei branch is carried over from the reference setup and is not used by the h3c tag. The h3c grok pattern expects a year right after the syslog timestamp; confirm it against a real line from /mnt/h3c with the Grok Debugger under Dev Tools in Kibana before relying on it. Two things to be aware of in the mutate block: removing tags also discards the _grokparsefailure tag that grok sets when a line does not match, so parse failures become invisible, and removing host and [log] drops log.file.path, which is the /mnt/h3c/<device-ip>.log name that identifies the sending device, leaving only the hostname that grok extracts.

[root@testhost ~]# grep -v "^#\|^$" /etc/logstash/conf.d/networklog.conf 
input {
  beats {
    port => 5044
  }
}
filter {
  if "huawei" in [tags] {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:time} %{DATA:hostname} %{GREEDYDATA:info}" }
    }
  }
  else if "h3c" in [tags] {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:time} %{YEAR:year} %{DATA:hostname} %{GREEDYDATA:info}" }
    }
  }
  mutate {
    remove_field => ["message","time","year","offset","tags","path","host","@version","[log]","[prospector]","[beat]","[input][type]","[source]"]
  }
}
output {
  stdout { codec => rubydebug }
  elasticsearch {
    index => "networklogs-%{+YYYY.MM.dd}"
    hosts => ["127.0.0.1:9200"]
    sniffing => false
  }
}
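The Filebeat include_lines allow-list above and the h3c grok branch decide together which switch events reach Elasticsearch and what fields they carry. The following script (an added example, not part of the original article) dry-runs both over constructed Comware-style lines. The regexes are hand-translations of the grok patterns SYSLOGTIMESTAMP, YEAR, DATA and GREEDYDATA and of the include_lines entries, and the sample lines are written in the shape the article's grok expects, not captured from a device.

```python
#!/usr/bin/env python3
"""Dry-run of Filebeat include_lines and the Logstash h3c grok pattern.

Added example: shows which lines survive include_lines and what grok
extracts. Regexes are hand-translations of the grok patterns; the sample
lines are constructed.
"""
import re

# include_lines from filebeat.yml, verbatim; a line is kept if ANY pattern matches.
INCLUDE_LINES = [r'LOGIN', r'Failed', r'failed', r'error', r'ERROR',
                 r'\bDOWN\b', r'\bdown\b', r'\bUP\b', r'\bup\b']
INCLUDE_RE = [re.compile(p) for p in INCLUDE_LINES]

# Hand-translated grok:
#   %{SYSLOGTIMESTAMP:time} %{YEAR:year} %{DATA:hostname} %{GREEDYDATA:info}
# SYSLOGTIMESTAMP is MONTH, MONTHDAY, TIME; TIME allows a [:.,]fraction after
# the seconds, which is how a ":milliseconds" suffix gets absorbed.
H3C_GROK = re.compile(
    r'(?P<time>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}(?:[:.,]\d+)?) '
    r'(?P<year>\d{4}) '
    r'(?P<hostname>.*?) '
    r'(?P<info>.*)'
)


def filebeat_keeps(line: str) -> bool:
    """Emulate include_lines: the line is dropped unless some pattern matches."""
    return any(r.search(line) for r in INCLUDE_RE)


def grok_h3c(line: str):
    """Emulate the h3c grok branch; None stands for _grokparsefailure."""
    m = H3C_GROK.search(line)   # grok matches are unanchored, like re.search
    return m.groupdict() if m else None


def run_pipeline(lines):
    """Return (parsed_events, dropped_by_filebeat, grok_failures)."""
    parsed, dropped, failed = [], [], []
    for line in lines:
        if not filebeat_keeps(line):
            dropped.append(line)
            continue
        fields = grok_h3c(line)
        if fields is None:
            failed.append(line)
        else:
            parsed.append(fields)
    return parsed, dropped, failed


# Constructed sample lines (Comware-style, year after the timestamp as the grok expects).
SAMPLE_LINES = [
    "Oct 28 21:02:05:123 2021 H3C %%10SHELL/5/SHELL_LOGIN: -Line=vty0-IPAddr=192.168.10.1-User=admin; admin logged in from 192.168.10.1",
    "Oct 28 21:03:10:456 2021 H3C %%10IFNET/3/PHY_UPDOWN: Physical state on the interface GigabitEthernet1/0/5 changed to down.",
    "Oct 28 21:03:12:001 2021 H3C %%10IFNET/5/LINK_UPDOWN: Line protocol state on the interface GigabitEthernet1/0/5 changed to up.",
    "Oct 28 21:04:00:000 2021 H3C %%10SHELL/6/SHELL_CMD: -Line=vty0-IPAddr=192.168.10.1-User=admin; Command is display current-configuration",
    "Oct 28 21:05:00:000 2021 H3C %%10SHELL/5/SHELL_LOGINFAIL: -Line=vty0-IPAddr=192.168.10.2-User=root; root failed to log in from 192.168.10.2",
    # No year after the timestamp: passes include_lines but fails the grok.
    "Oct 28 21:06:00 192.168.10.111 %%10IFNET/3/PHY_UPDOWN: Physical state on the interface GigabitEthernet1/0/6 changed to down.",
]

if __name__ == "__main__":
    parsed, dropped, failed = run_pipeline(SAMPLE_LINES)
    for f in parsed:
        print(f"hostname={f['hostname']} year={f['year']} info={f['info'][:48]}...")
    print(f"\n{len(dropped)} line(s) dropped by include_lines:")
    for line in dropped:
        print("  ", line[:80])
    print(f"{len(failed)} line(s) would be tagged _grokparsefailure:")
    for line in failed:
        print("  ", line[:80])
```

Two results are worth noticing. The SHELL_CMD line, i.e. command accounting for what an administrator typed on the switch, matches none of the include_lines patterns and never leaves Filebeat, which is exactly the kind of event a security team usually wants kept. And the line without a year passes Filebeat but fails grok; in the article's pipeline that failure is then hidden, because mutate removes the tags field that carries _grokparsefailure.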

Adjust the Logstash pipelines file

vim /etc/logstash/pipelines.yml
- pipeline.id: main
  path.config: "/etc/logstash/conf.d/*.conf"      # loads networklog.conf
- pipeline.id: elastiflow
  path.config: "/etc/logstash/elastiflow/conf.d/*.conf"      # loads the elastiflow pipeline (used for sFlow)

Restart Logstash and Filebeat (systemctl restart logstash.service and systemctl restart filebeat.service), then check that port 5044, the beats input defined in networklog.conf, is listening

[root@testhost ~]# netstat -antupl |grep 5044
tcp6       0      0 :::5044                 :::*                    LISTEN      5957/java      

Kibana configuration
Open http://127.0.0.1:5601 in a browser
Open the management page: Home --> Management --> Stack Management, and create an index pattern matching the networklogs-* indices written by the Logstash output

