ELK logstash


2023-07-18 23:21 | Source: compiled from the web | Views: 265

Problem: someone reported that the 7.x versions cannot collect switch logs. This post records one session of collecting Huawei switch logs with logstash-7.5.

Prerequisite: the ELK environment is already installed; see the separate article for those steps.

I. Switch configuration

Add info-center loghost 192.168.14.210, where the IP address is that of the logstash server. By default a Huawei switch sends its logs to UDP port 514.

1. Check the switch version

[SW30]display version
Huawei Versatile Routing Platform Software
VRP (R) software, Version 5.70 (S2700 V100R006C05)
Copyright (C) 2003-2013 HUAWEI TECH CO., LTD
Quidway S2700-9TP-SI-AC Routing Switch uptime is 23 weeks, 5 days, 7 hours, 28 minutes

E8FED 0(Master) : uptime is 23 weeks, 5 days, 7 hours, 27 minutes
64M bytes DDR Memory
16M bytes FLASH
Pcb Version : VER E
Basic BOOTROM Version : 149 Compiled at Mar 15 2013, 11:02:25
Software Version : VRP (R) Software, Version 5.70 (V100R006C05)

2. Configuration content

[SW30]display current-configuration | in info
info-center loghost 192.168.14.210
snmp-agent sys-info version all

II. Installing logstash 7.5

1. Install the JDK

[root@localhost ~]# tar -zxvf jdk-11.0.5_linux-x64_bin.tar.gz -C /usr/local/
[root@localhost ~]# vim /etc/profile
export JAVA_HOME=/usr/local/jdk-11.0.5/
export PATH=$PATH:$JAVA_HOME/bin
export CLASSPATH=.:$JAVA_HOME/lib/tools.jar:$JAVA_HOME/lib/dt.jar:$CLASSPATH
[root@localhost ~]# source /etc/profile

2. Extract the logstash binary package

[root@localhost ~]# tar -zxvf logstash-7.5.0.tar.gz -C /usr/local/

3. Add the environment variable

[root@localhost ~]# vi /etc/profile
export PATH=$PATH:/usr/local/logstash-7.5.0/bin
[root@localhost ~]# source /etc/profile

III. Configuring logstash 7.5

1. Stop the rsyslog service, because it occupies port 514

[root@localhost ~]# systemctl stop rsyslog

2. Add the logstash configuration file. Different network device models are told apart by the port each switch is configured to send to (the file can be used as-is after copying; just change the IP address).

[root@localhost ~]# vi /usr/local/logstash-7.5.0/config/switch.conf
[root@localhost ~]# cat /usr/local/logstash-7.5.0/config/switch.conf
input {
  tcp { port => 5002 type => "Cisco" }
  udp { port => 514  type => "HUAWEI" }
  udp { port => 5002 type => "Cisco" }
  udp { port => 5003 type => "H3C" }
}
filter {
  if [type] == "Cisco" {
    grok {
      # both Cisco forms are listed under a single match key; grok tries them in order
      match => { "message" => [
        "%{NUMBER:log_sequence}: .%{SYSLOGTIMESTAMP:timestamp}: %%{DATA:facility}-%{POSINT:severity}-%{CISCO_REASON:mnemonic}: %{GREEDYDATA:message}",
        "%{NUMBER:log_sequence}: %{SYSLOGTIMESTAMP:timestamp}: %%{DATA:facility}-%{POSINT:severity}-%{CISCO_REASON:mnemonic}: %{GREEDYDATA:message}"
      ] }
      add_field => { "severity_code" => "%{severity}" }
      overwrite => ["message"]
    }
  } else if [type] == "H3C" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:timestamp} %{YEAR:year} %{DATA:hostname} %%%{DATA:vvmodule}/%{POSINT:severity}/%{DATA:digest}: %{GREEDYDATA:message}" }
      remove_field => [ "year" ]
      add_field => { "severity_code" => "%{severity}" }
      overwrite => ["message"]
    }
  } else if [type] == "HUAWEI" {
    grok {
      # first form carries the %% prefix, second form does not
      match => { "message" => [
        "%{SYSLOGTIMESTAMP:timestamp} %{DATA:hostname} %%%{DATA:ddModuleName}/%{POSINT:severity}/%{DATA:Brief}:%{GREEDYDATA:message}",
        "%{SYSLOGTIMESTAMP:timestamp} %{DATA:hostname} %{DATA:ddModuleName}/%{POSINT:severity}/%{DATA:Brief}:%{GREEDYDATA:message}"
      ] }
      remove_field => [ "timestamp" ]
      add_field => { "severity_code" => "%{severity}" }
      overwrite => ["message"]
    }
  }
  # optional: map the numeric severity to its syslog name
  #mutate {
  #  gsub => [
  #    "severity", "0", "Emergency",
  #    "severity", "1", "Alert",
  #    "severity", "2", "Critical",
  #    "severity", "3", "Error",
  #    "severity", "4", "Warning",
  #    "severity", "5", "Notice",
  #    "severity", "6", "Informational",
  #    "severity", "7", "Debug"
  #  ]
  #}
}
output {
  stdout { codec => rubydebug }
  elasticsearch {
    index    => "syslog-%{+YYYY.MM.dd}"
    hosts    => ["192.168.14.211:9200"]
    user     => "elastic"
    password => "password"
  }
}

For ease of checking, events are also printed to the terminal here; in a production environment the stdout block can be removed. Username and password authentication for Elasticsearch has also been added.
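Added example, not code from the original post: a Python re-implementation of the HUAWEI grok branch above, run against two constructed datagrams so the pattern can be exercised without starting Logstash. It assumes the standard grok base-pattern definitions (in particular that POSINT expands to \b(?:[1-9][0-9]*)\b, which never matches a severity of 0, while NONNEGINT expands to \b(?:[0-9]+)\b) and that the udp input leaves the <PRI> header in the message field; the hostnames, module names and message texts in the sample lines are made up.

```python
import re

# Hand-expanded equivalents of the grok base patterns used by the HUAWEI branch
# of switch.conf (assumption: standard grok pattern definitions).
MONTH = r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)"
SYSLOGTIMESTAMP = rf"{MONTH} +\d{{1,2}} \d{{2}}:\d{{2}}:\d{{2}}"
POSINT = r"\b(?:[1-9][0-9]*)\b"     # grok POSINT: no leading zero, so "0" never matches
NONNEGINT = r"\b(?:[0-9]+)\b"      # grok NONNEGINT: accepts "0".."7"


def huawei_regex(severity_pat):
    # Mirrors: %{SYSLOGTIMESTAMP:timestamp} %{DATA:hostname} %%%{DATA:ddModuleName}/
    #          %{POSINT:severity}/%{DATA:Brief}:%{GREEDYDATA:message}
    return re.compile(
        rf"(?P<timestamp>{SYSLOGTIMESTAMP}) (?P<hostname>.*?) %%(?P<ddModuleName>.*?)/"
        rf"(?P<severity>{severity_pat})/(?P<Brief>.*?):(?P<message>.*)"
    )


# Severity names as listed in the commented-out mutate/gsub block of switch.conf
SEVERITY_NAMES = {"0": "Emergency", "1": "Alert", "2": "Critical", "3": "Error",
                  "4": "Warning", "5": "Notice", "6": "Informational", "7": "Debug"}


def parse_huawei(raw, severity_pat=POSINT):
    """Emulate the HUAWEI grok branch on one raw UDP datagram.

    Returns the fields Logstash would produce, or None where grok would tag the
    event _grokparsefailure.  re.search mirrors grok, which is not anchored, so
    the <PRI> header that the udp input leaves in [message] is simply skipped.
    """
    m = huawei_regex(severity_pat).search(raw)
    if m is None:
        return None
    event = m.groupdict()
    event["severity_code"] = event["severity"]                              # add_field
    event["severity_name"] = SEVERITY_NAMES.get(event["severity"], "Unknown")  # mutate/gsub
    del event["timestamp"]                                                  # remove_field
    return event                 # "message" already holds the GREEDYDATA tail (overwrite)


# Constructed sample datagrams in the shape the pattern expects (not captured from a switch)
NOTICE_LINE = ('<189>Jul 18 23:21:05 SW30 %%01SHELL/5/CMDRECORD(s):Record command '
               'information. (Task=VT0, User=admin, Command="display version")')
EMERGENCY_LINE = "<184>Jul 18 23:21:06 SW30 %%01DEV/0/BOARD_FAULT(l):Board 0 is faulty."

if __name__ == "__main__":
    print(parse_huawei(NOTICE_LINE))
    print(parse_huawei(EMERGENCY_LINE))             # None: POSINT rejects severity 0
    print(parse_huawei(EMERGENCY_LINE, NONNEGINT))  # parses once NONNEGINT is used
```

The second sample shows the edge case: a severity-0 (Emergency) message is rejected by %{POSINT:severity} and would leave Logstash tagged _grokparsefailure with the raw line untouched, so it would never get a severity_code. Replacing POSINT with NONNEGINT in the three grok patterns of switch.conf closes that gap; those are the messages an operator least wants to lose.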

3. Start it; the events can be seen in the terminal

[root@localhost ~]# logstash -f /usr/local/logstash-7.5.0/config/switch.conf
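To confirm the pipeline is receiving and parsing before the switch logs anything on its own, here is an added test-message generator (not part of the original post) that builds a datagram in the shape the HUAWEI pattern expects and sends it to the logstash server's UDP 514 input from a host you control. It assumes the RFC 3164 PRI encoding (facility * 8 + severity), a local7 facility (23) for the switch (an assumption; confirm with display current-configuration), and a made-up hostname and message text; LOGSTASH_HOST is the loghost address from the switch configuration above.

```python
import socket

LOGSTASH_HOST = "192.168.14.210"   # the info-center loghost address configured on the switch
LOGSTASH_PORT = 514                # the udp { port => 514 type => "HUAWEI" } input


def build_datagram(hostname, module, severity, brief, text,
                   facility=23, timestamp="Jul 18 23:21:05"):
    """Return the raw bytes that Logstash's udp input will place in [message].

    Layout follows the HUAWEI grok pattern in switch.conf:
        <PRI>SYSLOGTIMESTAMP hostname %%01MODULE/severity/Brief:text
    (the "%%01" prefix is assumed; adjust it to what your switch emits).
    """
    if not 0 <= severity <= 7:
        raise ValueError("syslog severity must be 0..7")
    if not 0 <= facility <= 23:
        raise ValueError("syslog facility must be 0..23")
    pri = facility * 8 + severity                  # RFC 3164 priority value
    body = f"{timestamp} {hostname} %%01{module}/{severity}/{brief}:{text}"
    return f"<{pri}>{body}".encode("utf-8")


def send(datagram, host=LOGSTASH_HOST, port=LOGSTASH_PORT):
    """Send one datagram to the Logstash udp input; returns the byte count sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(datagram, (host, port))


if __name__ == "__main__":
    # Constructed test message; a Notice-level entry in the shape of a command record
    d = build_datagram("SW30", "SHELL", 5, "CMDRECORD(s)", "Record command information.")
    print(d.decode())
    print("sent", send(d), "bytes")
```

Run it while logstash -f switch.conf is in the foreground: the rubydebug output should show type "HUAWEI", severity_code "5" and the message tail after the colon. If the event appears with the _grokparsefailure tag instead, the pattern and the real switch format disagree, and the raw message field shows exactly where.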

IV. Viewing switch logs in Kibana

1. Open Management

2. Add an index pattern

3. Search for the index name defined in the configuration file

4. Click Create

5. Return to the home page and view the logs

V. Error record

1. Because Elasticsearch in ELK 7 added authentication, if the logstash configuration file does not include a username and password, the following connection error is reported:


