The plan is to bring the company's firewall, switches, servers (CentOS 7), VMware and Windows Server into monitoring scope, which is how this ELK monitoring journey started.
This article builds on the ELK stack. Every tall building starts from the ground: the beginning is fairly crude, and the log analysis system will be refined over time.
Overall framework:
Hillstone: syslog → logstash → elasticsearch → kibana
H3C: syslog → logstash → elasticsearch → kibana
ESXi: syslog → logstash → elasticsearch → kibana
vCenter: syslog → logstash → elasticsearch → kibana
Windows Server: winlogbeat → logstash → elasticsearch → kibana
Linux server: filebeat → elasticsearch → kibana
ELK nodes:
ELK1: 192.168.20.18:9200
ELK2: 192.168.20.19:9200
Plan:
Logstash: 192.168.20.18
Each service is tagged by the UDP/TCP port it arrives on, and a separate index is created for each.
The Hillstone firewall is configured through the web UI here; it can also be done from the command line, see the linked references for details.
Go to StoneOS → Log Management → Log Configuration → Log Manager, and configure the server log:
Hostname: 192.168.20.18
Binding: virtual router trust-vr
Protocol: UDP
Port: 514
// I run Logstash as root; a non-root account must use a port above 1024.

ELK collecting datacenter network device logs
Common Hillstone configuration commands
cat > /data/config/test-hillstone.config << EOF
input{
udp {port => 518 type => "Hillstone"}
}
output {
stdout { codec=> rubydebug }
}
EOF
logstash -f test-hillstone.config
<190>Nov 29 17:24:52 1404726150004842(root) 44243624 Traffic@FLOW: SESSION: 10.6.2.43:49608->192.168.20.160:11800(TCP), application TCP-ANY, interface tunnel6, vr trust-vr, policy 1, user -@-, host -, send packets 1,send bytes 74,receive packets 1,receive bytes 110,start time 2019-11-29 17:24:50,close time 2019-11-29 17:24:52,session end,TCP RST\n\u0000
The Grok Debugger (https://grokdebug.herokuapp.com/discover?#) can suggest a pattern automatically; then adjust it against the parsed log.
There are also many examples online to refer to; look at how others approached it first, then add your own ideas.
For a detailed walkthrough of grok see https://coding.imooc.com/class/181.html; the instructor is excellent, and free versions exist on the 52pojie forum and Bilibili.
Only the session and NAT parts were selected.
cat > /data/config/hillstone.config<< EOF
input{
udp {
port => 518
type => "hillstone"
}
}
filter {
grok {
## Traffic logs
# SESSION end log
match => { "message" => "\<%{BASE10NUM:syslog_pri}\>%{SYSLOGTIMESTAMP:timestamp}\ %{BASE10NUM:serial}\(%{WORD:ROOT}\) %{DATA:logid}\ %{DATA:Sort}@%{DATA:Class}\: %{DATA:module}\: %{IPV4:srcip}\:%{BASE10NUM:srcport}->%{IPV4:dstip}:%{WORD:dstport}\(%{DATA:protocol}\), application %{USER:app}\, interface %{DATA:interface}\, vr %{USER:vr}\, policy %{DATA:policy}\, user %{USERNAME:user}\@%{DATA:AAAserver}\, host %{USER:HOST}\, send packets %{BASE10NUM:sendPackets}\,send bytes %{BASE10NUM:sendBytes}\,receive packets %{BASE10NUM:receivePackets}\,receive bytes %{BASE10NUM:receiveBytes}\,start time %{TIMESTAMP_ISO8601:startTime}\,close time %{TIMESTAMP_ISO8601:closeTime}\,session %{WORD:state}\,%{GREEDYDATA:reason}"}
# SESSION start log
match => { "message" => "\<%{BASE10NUM:syslog_pri}\>%{SYSLOGTIMESTAMP:timestamp}\ %{BASE10NUM:serial}\(%{WORD:ROOT}\) %{DATA:logid}\ %{DATA:Sort}@%{DATA:Class}\: %{DATA:module}\: %{IPV4:srcip}\:%{BASE10NUM:srcport}->%{IPV4:dstip}:%{WORD:dstport}\(%{DATA:protocol}\), interface %{DATA:interface}\, vr %{DATA:vr}\, policy %{DATA:policy}\, user %{USERNAME:user}\@%{DATA:AAAserver}\, host %{USER:HOST}\, session %{WORD:state}%{GREEDYDATA:reason}"}
# SNAT log
match => { "message" => "\<%{BASE10NUM:syslog_pri}\>%{SYSLOGTIMESTAMP:timestamp}\ %{BASE10NUM:serial}\(%{WORD:ROOT}\) %{DATA:logid}\ %{DATA:Sort}@%{DATA:Class}\: %{DATA:module}\: %{IPV4:srcip}\:%{BASE10NUM:srcport}->%{IPV4:dstip}:%{WORD:dstport}\(%{DATA:protocol}\), %{WORD:state} to %{IPV4:snatip}\:%{BASE10NUM:snatport}\, vr\ %{DATA:vr}\, user\ %{USERNAME:user}\@%{DATA:AAAserver}\, host\ %{DATA:HOST}\, rule\ %{BASE10NUM:rule}"}
# DNAT log
match => { "message" => "\<%{BASE10NUM:syslog_pri}\>%{SYSLOGTIMESTAMP:timestamp}\ %{BASE10NUM:serial}\(%{WORD:ROOT}\) %{DATA:logid}\ %{DATA:Sort}@%{DATA:Class}\: %{DATA:module}\: %{IPV4:srcip}\:%{BASE10NUM:srcport}->%{IPV4:dstip}:%{WORD:dstport}\(%{DATA:protocol}\), %{WORD:state} to %{IPV4:dnatip}\:%{BASE10NUM:dnatport}\, vr\ %{DATA:vr}\, user\ %{USERNAME:user}\@%{DATA:AAAserver}\, host\ %{DATA:HOST}\, rule\ %{BASE10NUM:rule}"}
}
mutate {
lowercase => [ "module" ]
remove_field => ["host", "message", "ROOT", "HOST", "serial", "syslog_pri", "timestamp", "mac", "AAAserver", "user"]
}
}
output {
elasticsearch {
hosts => "192.168.20.18:9200" # elasticsearch service address
index => "logstash-hillstone-%{module}-%{state}-%{+YYYY.MM.dd}"
}
}
EOF
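As an added example (not code from the original post), this Python snippet re-implements the two SESSION grok patterns above as anchored regexes and runs them over the article's sample lines; field names mirror the grok captures, the trailing "\n\x00" that Hillstone appends is stripped first, and an event matching neither pattern is routed to a fixed fallback index instead of carrying an unresolved %{module} or %{state} in its index name.

```python
import re
from datetime import date

# Shared prefix of both SESSION patterns: syslog header up to the 5-tuple.
_HEADER = (
    r"<(?P<syslog_pri>\d+)>(?P<timestamp>\w{3} +\d+ \d{2}:\d{2}:\d{2}) "
    r"(?P<serial>\d+)\((?P<root>\w+)\) (?P<logid>\S+) "
    r"(?P<sort>[^@]+)@(?P<klass>[^:]+): (?P<module>[^:]+): "
    r"(?P<srcip>\d{1,3}(?:\.\d{1,3}){3}):(?P<srcport>\d+)->"
    r"(?P<dstip>\d{1,3}(?:\.\d{1,3}){3}):(?P<dstport>\w+)\((?P<protocol>[^)]+)\), "
)
SESSION_PATTERNS = [
    # "session end": application, byte/packet counters and timing, then a reason
    re.compile(_HEADER +
        r"application (?P<app>\S+), interface (?P<interface>[^,]+), vr (?P<vr>\S+), "
        r"policy (?P<policy>[^,]+), user (?P<user>[^@]+)@(?P<aaaserver>[^,]+), "
        r"host (?P<host>\S+), send packets (?P<send_packets>\d+),send bytes (?P<send_bytes>\d+),"
        r"receive packets (?P<receive_packets>\d+),receive bytes (?P<receive_bytes>\d+),"
        r"start time (?P<start_time>[\d-]+ [\d:]+),close time (?P<close_time>[\d-]+ [\d:]+),"
        r"session (?P<state>\w+),(?P<reason>.*)$"),
    # "session start": no application or counters, reason is normally empty
    re.compile(_HEADER +
        r"interface (?P<interface>[^,]+), vr (?P<vr>\S+), policy (?P<policy>[^,]+), "
        r"user (?P<user>[^@]+)@(?P<aaaserver>[^,]+), host (?P<host>\S+), "
        r"session (?P<state>\w+)(?P<reason>.*)$"),
]

# Constructed from the two sample lines in this article. Hillstone ends each datagram
# with "\n\x00"; grok tolerates that because it is not anchored at the end, but the
# anchored Python patterns need the bytes stripped first.
SESSION_END = ("<190>Nov 29 17:24:52 1404726150004842(root) 44243624 Traffic@FLOW: SESSION: "
    "10.6.2.43:49608->192.168.20.160:11800(TCP), application TCP-ANY, interface tunnel6, "
    "vr trust-vr, policy 1, user -@-, host -, send packets 1,send bytes 74,receive packets 1,"
    "receive bytes 110,start time 2019-11-29 17:24:50,close time 2019-11-29 17:24:52,"
    "session end,TCP RST\n\x00")
SESSION_START = ("<190>Nov 30 16:27:23 1404726150004842(root) 44243622 Traffic@FLOW: SESSION: "
    "10.6.4.178:48150->192.168.20.161:11800(TCP), interface tunnel6, vr trust-vr, policy 1, "
    "user -@-, host -, session start\n\x00")
SAMPLE_DAY = date(2019, 11, 29)  # stands in for @timestamp when building the index name


def parse_hillstone(raw):
    """Try the patterns in order (grok's default break_on_match); None if none match."""
    line = raw.rstrip("\n\x00")
    for pattern in SESSION_PATTERNS:
        m = pattern.match(line)
        if m:
            fields = m.groupdict()
            fields["module"] = fields["module"].lower()  # mirrors mutate { lowercase }
            return fields
    return None


def index_name(fields, day):
    """Same scheme as the output block, except that an unparsed event goes to a fixed
    index instead of carrying a literal "%{module}-%{state}" in the index name."""
    if fields is None:
        return f"logstash-hillstone-unparsed-{day:%Y.%m.%d}"
    return f"logstash-hillstone-{fields['module']}-{fields['state']}-{day:%Y.%m.%d}"
```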
Logstash configuration reference for Hillstone
ELK collecting datacenter network device logs
Hillstone Logstash configuration process
ELK from introduction to practice
The H3C switch is configured from the command line here; see the linked references for details.
Set the switch clock correctly:
clock datetime hh:mm:ss year/month/day
save force
Configure syslog forwarding on the switch:
system-view
info-center enable // enable info-center
info-center loghost 192.168.20.18 port 516 facility local8 // set the log host, port and facility
info-center source default loghost level informational // set the log level
save force
H3C time setting
H3C network log forwarding
H3C log host configuration
cat > /data/config/test-h4c.config << EOF
input{
udp {port => 516 type => "h4c"}
}
output {
stdout { codec=> rubydebug }
}
EOF
<190>Nov 30 16:27:23 1404726150004842(root) 44243622 Traffic@FLOW: SESSION: 10.6.4.178:48150->192.168.20.161:11800(TCP), interface tunnel6, vr trust-vr, policy 1, user -@-, host -, session start\n\u0000
Reference link: https://blog.csdn.net/qq_34624315/article/details/83013531
cat > H3C.conf <<EOF
# input and filter opening were missing from the file; same port/type as the test config above
input {
udp {
port => 516
type => "h4c"
}
}
filter {
### h4c log filtering
grok {
match => { "message" => "\<%{BASE10NUM:syslog_pri}\>%{SYSLOGTIMESTAMP:timestamp}\ %{DATA:year} %{DATA:hostname} \%\%%{DATA:ddModuleName}\/%{POSINT:severity}\/%{DATA:brief}\: %{GREEDYDATA:reason}" }
add_field => {"severity_code" => "%{severity}"}
}
mutate {
gsub => [
"severity", "0", "Emergency",
"severity", "1", "Alert",
"severity", "2", "Critical",
"severity", "3", "Error",
"severity", "4", "Warning",
"severity", "5", "Notice",
"severity", "6", "Informational",
"severity", "7", "Debug"
]
remove_field => ["message", "syslog_pri"]
}
}
output {
stdout { codec=> rubydebug }
# elasticsearch {
# hosts => "192.168.20.18:9200" # elasticsearch service address
# index => "logstash-h4c-%{+YYYY.MM.dd}"
# }
}
EOF
Logstash configuration for switches, routers and other network devices
Logstash configuration file
The goal is to collect ESXi host logs so that security log analysis becomes possible.
Collection is done via syslog, and the analysis with Logstash from the ELK stack.
ESXi → syslog → logstash → elasticsearch
This section uses the ESXi client; the web UI works the same way, see the linked references for details.
Enable the syslog service:
Open the ESXi client → select the host → Host Configuration → Advanced Settings → syslog → set the remote syslog server to: udp://192.168.20.18:514
Allow it through the firewall:
Open the ESXi client → select the host → Host Configuration → Security Profile → Firewall → Edit → tick the syslog server and click OK.
VMware ESXi syslog configuration
Configuring syslog on ESXi
Monitoring VMWare ESXi with the ELK Stack
cat > /data/config/test-vmware.config << EOF
input{
udp {port => 514 type => "vmware"}
}
output {
stdout { codec=> rubydebug }
}
EOF
logstash -f test-vmware.config
<167>2019-12-03T07:36:11.689Z localhost.localdomain Vpxa: verbose vpxa[644C8B70] [Originator@6876 sub=VpxaHalCnxHostagent opID=WFU-2d14bc3d] [WaitForUpdatesDone] Completed callback\n
cat > vmware.conf <<EOF
input{
udp {
port => 514
type => "vmware"
}
}
filter {
if "vmware" in [type] {
grok {
break_on_match => true
match => [
"message", "<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{SYSLOGPROG:syslog_program}: (?<message-body>(?<message_system_info>(?:\[%{DATA:message_thread_id} %{DATA:syslog_level} \'%{DATA:message_service}\'\ ?%{DATA:message_opID}])) \[%{DATA:message_service_info}]\ (?<syslog_message>(%{GREEDYDATA})))",
"message", "<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{SYSLOGPROG:syslog_program}: (?<message-body>(?<message_system_info>(?:\[%{DATA:message_thread_id} %{DATA:syslog_level} \'%{DATA:message_service}\'\ ?%{DATA:message_opID}])) (?<syslog_message>(%{GREEDYDATA})))",
"message", "<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{SYSLOGPROG:syslog_program}: %{GREEDYDATA:syslog_message}"
]
}
date {
match => [ "syslog_timestamp", "YYYY-MM-ddHH:mm:ss", "ISO8601" ]
}
mutate {
replace => [ "@source_host", "%{syslog_hostname}" ]
}
mutate {
replace => [ "@message", "%{syslog_message}" ]
}
mutate {
remove_field => ["@source_host","program","syslog_hostname","@message"] # keep @timestamp: the date filter just set it and the index name depends on it
}
if "Device naa" in [message] {
grok {
break_on_match => false
match => [
"message", "Device naa.%{WORD:device_naa} performance has %{WORD:device_status}%{GREEDYDATA} of %{INT:datastore_latency_from}%{GREEDYDATA} to %{INT:datastore_latency_to}",
"message", "Device naa.%{WORD:device_naa} performance has %{WORD:device_status}%{GREEDYDATA} from %{INT:datastore_latency_from}%{GREEDYDATA} to %{INT:datastore_latency_to}"
]
}
}
if "connectivity issues" in [message] {
grok {
match => [
"message", "Hostd: %{GREEDYDATA} : %{DATA:device_access} to volume %{DATA:device_id} %{DATA:datastore} (following|due to)"
]
}
}
if "WARNING" in [message] {
grok {
match => [
"message", "WARNING: %{GREEDYDATA:vmware_warning_msg}"
]
}
}
}
}
output {
elasticsearch {
hosts => "192.168.20.18:9200" # elasticsearch service address
index => "logstash-vmware-%{+YYYY.MM.dd}"
}
# stdout { codec=> rubydebug }
}
EOF
Basic usage of mutate
Basic Logstash configuration file reference
vmware and syslog
logstash VCSA6.0
filter plugins
The goal is to collect VCSA logs so that security log analysis becomes possible.
Collection is done via syslog, and the analysis with Logstash from the ELK stack.
VCSA → syslog → logstash → elasticsearch
Open the VCSA management console at http://192.168.20.90:5480, log in with the account and password (the root account and password set at first boot), click the syslog configuration centre and enter the syslog settings.
VMware ESXi syslog configuration
VCSA 6.5 forward to multiple syslog
VCSA syslog
input{
udp {
port => 1514
type => "vcenter"
}
}
output {
stdout { codec=> rubydebug }
}
<14>1 2019-12-05T02:44:17.640474+00:00 photon-machine vpxd 4035 - - Event [4184629] [1-1] [2019-12-05T02:44:00.017928Z] [vim.event.UserLoginSessionEvent] [info] [root] [Datacenter] [4184629] [User root@192.168.20.17 logged in as pyvmomi Python/3.6.8 (Linux; 3.10.0-957.el7.x86_64; x86_64)]\n
cat > vcenter.conf <<EOF
input{
udp {
port => 1514
type => "vcenter"
}
}
filter {
if "vcenter" in [type] {
grok {
break_on_match => true
match => [
"message", "<%{NONNEGINT:syslog_pri}>%{NONNEGINT:syslog_ver} +(?:%{TIMESTAMP_ISO8601:syslog_timestamp}|-) +(?:%{HOSTNAME:syslog_hostname}|-) +(-|%{SYSLOG5424PRINTASCII:syslog_program}) +(-|%{SYSLOG5424PRINTASCII:syslog_proc}) +(-|%{SYSLOG5424PRINTASCII:syslog_msgid}) +(?:%{SYSLOG5424SD:syslog_sd}|-|) +%{GREEDYDATA:syslog_msg}"
]
}
date {
match => [ "syslog_timestamp", "YYYY-MM-ddHH:mm:ss,SSS", "YYYY-MM-dd HH:mm:ss,SSS", "ISO8601" ]
#timezone => "UTC" # for the vCenter appliance
#timezone => "Asia/Shanghai"
}
mutate {
remove_field => ["syslog_ver", "syslog_pri"]
}
}
}
output {
elasticsearch {
hosts => "192.168.20.18:9200" # elasticsearch service address
index => "logstash-vcenter-%{+YYYY.MM.dd}"
}
# stdout { codec=> rubydebug }
}
EOF
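As an added example that is not part of the original post, and one that also covers the severity table in the H3C gsub block earlier, this Python snippet parses VCSA lines with a regex equivalent to the vcenter grok pattern, decodes the PRI that the mutate block discards into a facility number and severity name, and flags vCenter logins whose client address lies outside an assumed management subnet (the 192.168.20.0/24 subnet and the second sample line are constructed assumptions).

```python
import re
from ipaddress import ip_address, ip_network

# RFC 5424 severity names: the same table the H3C gsub block maps digits to.
SEVERITY = ["Emergency", "Alert", "Critical", "Error",
            "Warning", "Notice", "Informational", "Debug"]

# Python counterpart of the vcenter grok pattern: RFC 5424 header, then free text.
RFC5424 = re.compile(
    r"<(?P<pri>\d{1,3})>(?P<ver>\d+) (?P<timestamp>\S+) (?P<hostname>\S+) (?P<program>\S+) "
    r"(?P<proc>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+) (?P<msg>.*)$")
# vpxd event layout in the sample: Event [id] [1-1] [time] [type] [level] [user] [dc] [chain] [text]
VPXD_EVENT = re.compile(
    r"Event \[(?P<event_id>\d+)\] \[[^\]]*\] \[(?P<event_time>[^\]]+)\] \[(?P<event_type>[^\]]+)\] "
    r"\[(?P<level>[^\]]+)\] \[(?P<user>[^\]]*)\] \[(?P<datacenter>[^\]]*)\] \[(?P<chain_id>\d+)\] "
    r"\[(?P<text>.*)\]$")
# Login text "User <account>@<client ip> logged in as <agent>"; the lazy account group
# copes with UPN-style accounts that themselves contain an "@".
LOGIN_TEXT = re.compile(
    r"User (?P<account>\S+?)@(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}) logged in as (?P<agent>.*)$")

# Constructed input: the article's sample line, plus a second login (assumed for this
# example) from an address outside the management subnet.
SAMPLE_LINES = [
    "<14>1 2019-12-05T02:44:17.640474+00:00 photon-machine vpxd 4035 - - Event [4184629] [1-1] "
    "[2019-12-05T02:44:00.017928Z] [vim.event.UserLoginSessionEvent] [info] [root] [Datacenter] "
    "[4184629] [User root@192.168.20.17 logged in as pyvmomi Python/3.6.8 (Linux; 3.10.0-957.el7.x86_64; x86_64)]\n",
    "<14>1 2019-12-05T03:01:09.000000+00:00 photon-machine vpxd 4035 - - Event [4184700] [1-1] "
    "[2019-12-05T03:01:08.000000Z] [vim.event.UserLoginSessionEvent] [info] [administrator@vsphere.local] "
    "[Datacenter] [4184700] [User administrator@vsphere.local@10.6.2.43 logged in as VMware vim-java 1.0]\n",
]


def parse_vcenter(raw):
    """Header fields plus decoded facility/severity, and the vpxd event fields if present."""
    m = RFC5424.match(raw.rstrip("\n"))
    if not m:
        return None
    f = m.groupdict()
    pri = int(f.pop("pri"))
    f["facility"] = pri // 8            # <14>: 14 // 8 = 1 (user-level)
    f["severity"] = SEVERITY[pri % 8]   # 14 % 8 = 6 -> Informational
    ev = VPXD_EVENT.match(f["msg"])
    if ev:
        f.update(ev.groupdict())
    return f


def logins_outside(lines, admin_net):
    """(account, client ip) for each UserLoginSessionEvent whose client is not in admin_net."""
    net = ip_network(admin_net)
    hits = []
    for raw in lines:
        f = parse_vcenter(raw)
        if not f or f.get("event_type") != "vim.event.UserLoginSessionEvent":
            continue
        lm = LOGIN_TEXT.match(f["text"])
        if lm and ip_address(lm["src_ip"]) not in net:
            hits.append((lm["account"], lm["src_ip"]))
    return hits
```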
Basic usage of mutate
Basic Logstash configuration file reference
vmware and syslog
logstash VCSA6.0
The goal is to collect AD domain logs so that security log analysis becomes possible.
Collection is done with winlogbeat from the ELK stack.
winlogbeat → logstash → elasticsearch
Download link: https://www.elastic.co/cn/downloads/beats/winlogbeat
Unpack the archive into "C:\Program Files" and rename the folder to winlogbeat.
Install the service from the command line.
Edit the winlogbeat.yml file:
winlogbeat.event_logs:
  - name: Application
  - name: Security
  - name: System
output.logstash:
  enabled: true
  hosts: ["192.168.20.18:5044"]
logging.to_files: true
logging.files:
  path: D:\ProgramData\winlogbeat\Logs
logging.level: info
PS C:\Program Files\Winlogbeat> .\winlogbeat.exe test config -c .\winlogbeat.yml -e
Start winlogbeat
Start it from the PowerShell command line:
PS C:\Program Files\Winlogbeat> Start-Service winlogbeat
Stop it from the PowerShell command line:
PS C:\Program Files\Winlogbeat> Stop-Service winlogbeat
Import the winlogbeat index template; because we ship through Logstash this has to be done manually:
PS > .\winlogbeat.exe setup --index-management -E output.logstash.enabled=false -E 'output.elasticsearch.hosts=["192.168.20.18"]'
Import the Kibana dashboards; because we ship through Logstash this also has to be done manually:
PS > .\winlogbeat.exe setup -e -E output.logstash.enabled=false -E output.elasticsearch.hosts=['192.168.20.18:9200'] -E setup.kibana.host=192.168.20.18:5601
Installing winlogbeat on Windows
Official manual analysis
cat > /data/config/test-windows.config << EOF
input {
beats {
port => 5044
}
}
output {
stdout { codec=> rubydebug }
}
EOF
logstash -f test-windows.config
Create the production configuration file and review its contents (the index template already exists, so no further processing is needed):
cat > /data/config/windows.config << EOF
input {
beats {
port => 5044
}
}
output {
elasticsearch {
hosts => ["http://192.168.20.18:9200"]
index => "%{[@metadata][beat]}-%{[@metadata][version]}"
}
}
EOF
logstash -f windows.config
beats input plugin
Because winlogbeat is a standard module of the ELK stack, its index is already defined and we do not define our own.
Simply open Kibana and search for the winlogbeat* index.
Likewise, because the winlogbeat module is already defined, we do not build our own dashboards.
Simply open Kibana and search for the winlogbeat* dashboard.
The goal is to collect boot/shutdown and security logs from the Linux hosts.
Collection is done with filebeat from the ELK stack.
filebeat → filebeat module → elasticsearch
Download from the official site: https://www.elastic.co/cn/downloads/beats/filebeat
Install from the command line:
curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.5.0-linux-x86_64.tar.gz
tar xzvf filebeat-7.5.0-linux-x86_64.tar.gz
Check the filebeat directory layout.
Edit the filebeat.yml file:
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/*.log
    #- c:\programdata\elasticsearch\logs\*
output.elasticsearch:
  hosts: ["192.168.20.18:9200"]
setup.kibana:
  host: "192.168.20.18:5601"
Run filebeat:
filebeat -c filebeat.yml -e
Installing winlogbeat on Windows
Official manual analysis
Disable ILM (index lifecycle management):
setup.ilm.enabled: false
Change the index name:
setup.template.overwrite: true
output.elasticsearch.index: "systemlog-7.3.0-%{+yyyy.MM.dd}"
setup.template.name: "systemlog"
setup.template.pattern: "systemlog-*"
Point the prebuilt Kibana dashboards at the new index:
setup.dashboards.index: "systemlog-*"
./filebeat modules enable system
./filebeat modules list
./filebeat setup --template -e -c filebeat.yml
filebeat.modules:
- module: system
  syslog:
    enabled: true
    # default locations: /var/log/messages* /var/log/syslog*
  auth:
    enabled: true
    # default locations: /var/log/auth.log* /var/log/secure*
output.elasticsearch:
  hosts: ["192.168.20.18:9200"]
setup.kibana:
  host: "192.168.20.18:5601"
./filebeat setup -e -c filebeat.yml
beats input plugin
filebeat modules and configuration
system module
input{
udp {
port => 516
type => "h4c"
}
}
input{
udp {
port => 518
type => "hillstone"
}
}
input{
udp {
port => 514
type => "vmware"
}
}
input{
udp {
port => 1514
type => "vcenter"
}
}
input {
beats {
port => 5044
type => "windows"
}
}
filter {
if [type] == "hillstone" {
grok {
match => { "message" => "\<%{BASE10NUM:syslog_pri}\>%{SYSLOGTIMESTAMP:timestamp}\ %{BASE10NUM:serial}\(%{WORD:ROOT}\) %{DATA:logid}\ %{DATA:Sort}@%{DATA:Class}\: %{DATA:module}\: %{IPV4:srcip}\:%{BASE10NUM:srcport}->%{IPV4:dstip}:%{WORD:dstport}\(%{DATA:protocol}\), application %{USER:app}\, interface %{DATA:interface}\, vr %{USER:vr}\, policy %{DATA:policy}\, user %{USERNAME:user}\@%{DATA:AAAserver}\, host %{USER:HOST}\, send packets %{BASE10NUM:sendPackets}\,send bytes %{BASE10NUM:sendBytes}\,receive packets %{BASE10NUM:receivePackets}\,receive bytes %{BASE10NUM:receiveBytes}\,start time %{TIMESTAMP_ISO8601:startTime}\,close time %{TIMESTAMP_ISO8601:closeTime}\,session %{WORD:state}\,%{GREEDYDATA:reason}"}
match => { "message" => "\<%{BASE10NUM:syslog_pri}\>%{SYSLOGTIMESTAMP:timestamp}\ %{BASE10NUM:serial}\(%{WORD:ROOT}\) %{DATA:logid}\ %{DATA:Sort}@%{DATA:Class}\: %{DATA:module}\: %{IPV4:srcip}\:%{BASE10NUM:srcport}->%{IPV4:dstip}:%{WORD:dstport}\(%{DATA:protocol}\), interface %{DATA:interface}\, vr %{DATA:vr}\, policy %{DATA:policy}\, user %{USERNAME:user}\@%{DATA:AAAserver}\, host %{USER:HOST}\, session %{WORD:state}%{GREEDYDATA:reason}"}
match => { "message" => "\<%{BASE10NUM:syslog_pri}\>%{SYSLOGTIMESTAMP:timestamp}\ %{BASE10NUM:serial}\(%{WORD:ROOT}\) %{DATA:logid}\ %{DATA:Sort}@%{DATA:Class}\: %{DATA:module}\: %{IPV4:srcip}\:%{BASE10NUM:srcport}->%{IPV4:dstip}:%{WORD:dstport}\(%{DATA:protocol}\), %{WORD:state} to %{IPV4:snatip}\:%{BASE10NUM:snatport}\, vr\ %{DATA:vr}\, user\ %{USERNAME:user}\@%{DATA:AAAserver}\, host\ %{DATA:HOST}\, rule\ %{BASE10NUM:rule}"}
match => { "message" => "\<%{BASE10NUM:syslog_pri}\>%{SYSLOGTIMESTAMP:timestamp}\ %{BASE10NUM:serial}\(%{WORD:ROOT}\) %{DATA:logid}\ %{DATA:Sort}@%{DATA:Class}\: %{DATA:module}\: %{IPV4:srcip}\:%{BASE10NUM:srcport}->%{IPV4:dstip}:%{WORD:dstport}\(%{DATA:protocol}\), %{WORD:state} to %{IPV4:dnatip}\:%{BASE10NUM:dnatport}\, vr\ %{DATA:vr}\, user\ %{USERNAME:user}\@%{DATA:AAAserver}\, host\ %{DATA:HOST}\, rule\ %{BASE10NUM:rule}"}
}
mutate {
lowercase => [ "module" ]
remove_field => ["host", "message", "ROOT", "HOST", "serial", "syslog_pri", "timestamp", "mac", "AAAserver", "user"]
}
}
if [type] == "h4c" {
grok {
match => { "message" => "\<%{BASE10NUM:syslog_pri}\>%{SYSLOGTIMESTAMP:timestamp}\ %{DATA:year} %{DATA:hostname} \%\%%{DATA:ddModuleName}\/%{POSINT:severity}\/%{DATA:brief}\: %{GREEDYDATA:reason}" }
add_field => {"severity_code" => "%{severity}"}
}
mutate {
gsub => [
"severity", "0", "Emergency",
"severity", "1", "Alert",
"severity", "2", "Critical",
"severity", "3", "Error",
"severity", "4", "Warning",
"severity", "5", "Notice",
"severity", "6", "Informational",
"severity", "7", "Debug"
]
remove_field => ["message", "syslog_pri"]
}
}
if [type] == "vmware" {
grok {
break_on_match => true
match => [
"message", "<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{SYSLOGPROG:syslog_program}: (?<message-body>(?<message_system_info>(?:\[%{DATA:message_thread_id} %{DATA:syslog_level} \'%{DATA:message_service}\'\ ?%{DATA:message_opID}])) \[%{DATA:message_service_info}]\ (?<syslog_message>(%{GREEDYDATA})))",
"message", "<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{SYSLOGPROG:syslog_program}: (?<message-body>(?<message_system_info>(?:\[%{DATA:message_thread_id} %{DATA:syslog_level} \'%{DATA:message_service}\'\ ?%{DATA:message_opID}])) (?<syslog_message>(%{GREEDYDATA})))",
"message", "<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{SYSLOGPROG:syslog_program}: %{GREEDYDATA:syslog_message}"
]
}
date {
match => [ "syslog_timestamp", "YYYY-MM-ddHH:mm:ss", "ISO8601" ]
}
mutate {
replace => [ "@source_host", "%{syslog_hostname}" ]
}
mutate {
replace => [ "@message", "%{syslog_message}" ]
}
mutate {
remove_field => ["@source_host","program","syslog_hostname","@message"]
}
}
if [type] == "vcenter" {
grok {
break_on_match => true
match => [
"message", "<%{NONNEGINT:syslog_pri}>%{NONNEGINT:syslog_ver} +(?:%{TIMESTAMP_ISO8601:syslog_timestamp}|-) +(?:%{HOSTNAME:syslog_hostname}|-) +(-|%{SYSLOG5424PRINTASCII:syslog_program}) +(-|%{SYSLOG5424PRINTASCII:syslog_proc}) +(-|%{SYSLOG5424PRINTASCII:syslog_msgid}) +(?:%{SYSLOG5424SD:syslog_sd}|-|) +%{GREEDYDATA:syslog_msg}"
]
}
date {
match => [ "syslog_timestamp", "YYYY-MM-ddHH:mm:ss,SSS", "YYYY-MM-dd HH:mm:ss,SSS", "ISO8601" ]
}
mutate {
remove_field => ["syslog_ver", "syslog_pri"]
}
}
}
output {
if [type] == "hillstone" {
elasticsearch {
hosts => "192.168.20.18:9200"
index => "hillstone-%{module}-%{+YYYY.MM.dd}"
}
}
if [type] == "h4c" {
elasticsearch {
hosts => "192.168.20.18:9200"
index => "h4c-%{+YYYY.MM.dd}"
}
}
if [type] == "vmware" {
elasticsearch {
hosts => "192.168.20.18:9200"
index => "vmware-%{+YYYY.MM.dd}"
}
}
if [type] == "vcenter" {
elasticsearch {
hosts => "192.168.20.18:9200"
index => "vcenter-%{+YYYY.MM.dd}"
}
}
if [type] == "windows" {
elasticsearch {
hosts => "192.168.20.18:9200"
index => "%{[@metadata][beat]}-%{[@metadata][version]}"
}
}
}
Rename mix.config to logstash.conf, place it in the /etc/logstash directory, and start the Logstash service:
systemctl enable logstash
systemctl start logstash
Tip: when you come across an English page, move the cursor to the start of the URL, prepend icopy.site/ and press Enter.
"icopy.site/" + "https://www.elastic.co"
For example, source URL: https://www.elastic.co/guide/en/logstash/current/plugins-filters-grok.html
Translated URL: https://s0www0elastic0co.icopy.site/guide/en/logstash/current/plugins-filters-grok.html
Why it is recommended:
1. More accurate than Google full-page translation, and key code is left untranslated.
2. Worth a try if your English is weak or reading English documentation is tiring.
Recommended learning video:
ELK from introduction to practice