
十三、系統日誌模組外掛(二)

13.1 syslog日誌模組
# Logstash syslog input: a single listener that rsyslog clients send to.
syslog{
# "0.0.0.0" binds every local interface (the netstat output below shows
# :::514), so any host that can reach this machine may submit events;
# narrow the exposure with a host firewall or by binding one address.
host => "0.0.0.0"
# The plugin opens port 514 for both TCP and UDP (both appear in netstat).
# Nothing in this block enables TLS, so events presumably arrive in the
# clear — confirm against the plugin version in use.
port => 514
# Value carried in each event's "type" field (see the rubydebug dump).
type => "syslog"
}
– 在rsyslog.conf中設定,把日誌資料送往logstash程序
local0.info @@192.168.4.10:514
– 寫入一條syslog訊息,檢視接收狀態
logger -p local0.info -t test_logstash 'test message'
練習
更改配置檔案
[root@logstash logstash]# vim /etc/logstash/logstash.conf

。。。。。。
# syslog input plugin; the enclosing input { } section is elided above.
syslog {
# Listens on all interfaces (netstat shows :::514), so every host that can
# reach this machine can deliver events; restrict it at the network level
# or bind a specific address if that is not intended.
host => "0.0.0.0"
# Port 514 is opened for both TCP and UDP. No TLS is configured in this
# block, so traffic is presumably unencrypted — verify for the version used.
port => 514
# Stored in each event's "type" field (visible in the rubydebug output).
type => "syslog"
}
}
# Empty filter section: events pass to the output stage unchanged.
filter{ }
# Print every event to the Logstash console in the rubydebug layout
# (the structured dump shown at the end of this page).
output{
stdout{ codec => "rubydebug" }
}

更改完成後啟動logstash
[root@logstash logstash]# /opt/logstash/bin/logstash -f /etc/logstash/logstash.conf
Settings: Default pipeline workers: 2
Pipeline main started
檢視是否啟動成功
[root@logstash ~]# netstat -utnlp | grep java
tcp6 0 0 :::8888 :::* LISTEN 2116/java
tcp6 0 0 :::514 :::* LISTEN 2116/java
udp6 0 0 :::514 :::* 2116/java
udp6 0 0 192.168.0.18:9999 :::* 2116/java
[root@logstash ~]# ssh 192.168.0.16
把kibana的系統日誌寫過去檢視
①定義日誌
[root@kibana ~]# vim /etc/rsyslog.conf
local0.info /var/log/info.log #追加寫入
[root@kibana ~]# systemctl restart rsyslog.service
[root@kibana ~]# cd /var/log
發現info.log檔案不存在
為了驗證日誌確實會寫入info.log檔案,我們用logger產生一條測試訊息,具體用法可以參考man logger
[root@kibana log]# logger -p local0.info -t "testlog" "a b c d"
[root@kibana log]# cat /var/log/info.log #現在發現寫入成功
Aug 19 23:26:13 kibana testlog: a b c d
繼續修改配置檔案,把local0.info寫入遠端主機如下
[root@kibana ~]# vim /etc/rsyslog.conf
local0.info @@192.168.0.18:514
local0.info @192.168.0.18:514
注:一個@和兩個@都可以把日誌寫到遠端主機:@ 表示以UDP傳送,@@ 表示以TCP傳送
[root@kibana log]# systemctl restart rsyslog.service
[root@kibana log]# logger -p local0.info -t "testlog" "hello world"
檢視本地檔案
[root@kibana log]# cat /var/log/info.log
Aug 19 23:26:13 kibana testlog: a b c d
Aug 19 23:32:02 kibana testlog: hello world
檢視遠端主機
[root@logstash logstash]# /opt/logstash/bin/logstash -f /etc/logstash/logstash.conf
Settings: Default pipeline workers: 2
Pipeline main started
{
"message" => "hello world\n",
"@version" => "1",
"@timestamp" => "2021-08-19T15:32:02.000Z",
"type" => "syslog",
"host" => "192.168.0.16",
"priority" => 134,
"timestamp" => "Aug 19 23:32:02",
"logsource" => "kibana",
"program" => "testlog",
"severity" => 6,
"facility" => 16,
"facility_label" => "local0",
"severity_label" => "Informational"
}