您好,登录后才能下订单哦!
密码登录
登录注册
点击 登录注册 即表示同意《亿速云用户服务条款》
计划将公司的防火墙+交换机+服务器(centos7)+ Vmware+Windows server纳入到监控范围,所以开启了ELK监控之旅。
本文采用ELK架构栈进行组建,万丈高楼平地起,虽然开始比较简陋,后期会不断完善这个日志分析系统。
全文框架如下:
Hillstone: syslog→logstash→elasticsearch→kibana
H3C: syslog→logstash→elasticsearch→kibana
ESXI: syslog→logstash→elasticsearch→kibana
Vcenter: syslog→logstash→elasticsearch→kibana
Windows server: winlogbeat→logstash→elasticsearch→kibana
linux server: filebeate→lasticsearch→kibana
ELK说明:
ELK1: 192.168.20.18:9200
ELK2: 192.168.20.19:9200
规划:
Logstash: 192.168.20.18
不同服务根据端口不同进行标记,创建不同的索引。
本文通过web界面配置,当然也能进行命令行配置,具体配置请参考链接。
找到Stoneos-日志管理-log配置-日志管理器,配置服务器日志:
主机名: 192.168.20.18
绑定方式: 虚拟路由器 trust-vr
协议: UDP
端口: 514
//我使用的root运行,非root账号使用端口在1024以上。
elk收集数据中心网络设备日志
hillstone常见配置命令
cat > /data/config/test-hillstone.config << EOF
input{
udp {port => 518 type => "Hillstone"}
}
output {
stdout { codec=> rubydebug }
}
EOF
logstash -f test-hillstone.config<190>Nov 29 17:24:52 1404726150004842(root) 44243624 Traffic@FLOW: SESSION: 10.6.2.43:49608->192.168.20.160:11800(TCP), application TCP-ANY, interface tunnel6, vr trust-vr, policy 1, user -@-, host -, send packets 1,send bytes 74,receive packets 1,receive bytes 110,start time 2019-11-29 17:24:50,close time 2019-11-29 17:24:52,session end,TCP RST\n\u0000 可以通过grok debug网站进行自动匹配(https://grokdebug.herokuapp.com/discover?#),再根据分析出来的日志,进行二次调整。
同样晚上有很多案例进行参考,可以先去参考别人想法,再补充自己的想法。
关于grok部分详细讲解,请参考https://coding.imooc.com/class/181.html,老师讲的很棒,当然吾爱破解论坛和B站,有免费版。 只选取了会话+NAT部分
cat > /data/config/hillstone.config<< EOF
input{
udp {
port => 518
type => "hillstone"
}
}
filter {
grok {
##流量日志
#SESSION会话结束日志
match => { "message" => "\<%{BASE10NUM:syslog_pri}\>%{SYSLOGTIMESTAMP:timestamp}\ %{BASE10NUM:serial}\(%{WORD:ROOT}\) %{DATA:logid}\ %{DATA:Sort}@%{DATA:Class}\: %{DATA:module}\: %{IPV4:srcip}\:%{BASE10NUM:srcport}->%{IPV4:dstip}:%{WORD:dstport}\(%{DATA:protocol}\), application %{USER:app}\, interface %{DATA:interface}\, vr %{USER:vr}\, policy %{DATA:policy}\, user %{USERNAME:user}\@%{DATA:AAAserver}\, host %{USER:HOST}\, send packets %{BASE10NUM:sendPackets}\,send bytes %{BASE10NUM:sendBytes}\,receive packets %{BASE10NUM:receivePackets}\,receive bytes %{BASE10NUM:receiveBytes}\,start time %{TIMESTAMP_ISO8601:startTime}\,close time %{TIMESTAMP_ISO8601:closeTime}\,session %{WORD:state}\,%{GREEDYDATA:reason}"}
#SESSION会话开始日志
match => { "message" => "\<%{BASE10NUM:syslog_pri}\>%{SYSLOGTIMESTAMP:timestamp}\ %{BASE10NUM:serial}\(%{WORD:ROOT}\) %{DATA:logid}\ %{DATA:Sort}@%{DATA:Class}\: %{DATA:module}\: %{IPV4:srcip}\:%{BASE10NUM:srcport}->%{IPV4:dstip}:%{WORD:dstport}\(%{DATA:protocol}\), interface %{DATA:interface}\, vr %{DATA:vr}\, policy %{DATA:policy}\, user %{USERNAME:user}\@%{DATA:AAAserver}\, host %{USER:HOST}\, session %{WORD:state}%{GREEDYDATA:reason}"}
#SNAT日志
match => { "message" => "\<%{BASE10NUM:syslog_pri}\>%{SYSLOGTIMESTAMP:timestamp}\ %{BASE10NUM:serial}\(%{WORD:ROOT}\) %{DATA:logid}\ %{DATA:Sort}@%{DATA:Class}\: %{DATA:module}\: %{IPV4:srcip}\:%{BASE10NUM:srcport}->%{IPV4:dstip}:%{WORD:dstport}\(%{DATA:protocol}\), %{WORD:state} to %{IPV4:snatip}\:%{BASE10NUM:snatport}\, vr\ %{DATA:vr}\, user\ %{USERNAME:user}\@%{DATA:AAAserver}\, host\ %{DATA:HOST}\, rule\ %{BASE10NUM:rule}"}
#DNAT日志
match => { "message" => "\<%{BASE10NUM:syslog_pri}\>%{SYSLOGTIMESTAMP:timestamp}\ %{BASE10NUM:serial}\(%{WORD:ROOT}\) %{DATA:logid}\ %{DATA:Sort}@%{DATA:Class}\: %{DATA:module}\: %{IPV4:srcip}\:%{BASE10NUM:srcport}->%{IPV4:dstip}:%{WORD:dstport}\(%{DATA:protocol}\), %{WORD:state} to %{IPV4:dnatip}\:%{BASE10NUM:dnatport}\, vr\ %{DATA:vr}\, user\ %{USERNAME:user}\@%{DATA:AAAserver}\, host\ %{DATA:HOST}\, rule\ %{BASE10NUM:rule}"}
}
mutate {
lowercase => [ "module" ]
remove_field => ["host", "message", "ROOT", "HOST", "serial", "syslog_pri", "timestamp", "mac", "AAAserver", "user"]
}
}
output {
elasticsearch {
hosts => "192.168.20.18:9200" #elasticsearch服务地址
index => "logstash-hillstone-%{module}-%{state}-%{+YYYY.MM.dd}"
}
}
EOF
hillstone中logstash配置参考
elk收集数据中心网络设备日志
山石hillstone Logstash配置流程
ELK从入门到实践
本文通过命令行进行配置,具体配置请参考链接。
将交换机的时间设置正确
clock datetime hh:mm:ss year/month/day
save force设置交换机syslog转发。
system-view
info-center enable // 开启info-center
info-center loghost 192.168.20.18 port 516 facility local8 // 设置日志主机/端口/日志级别
info-center source default loghost level informational //设置日志级别
save force
H3C设置时间
H3C网络日志转发
H3C配置日志主机
cat > /data/config/test-h4c.congfig << EOF
input{
udp {port => 516 type => "h4c"}
}
output {
stdout { codec=> rubydebug }
}
EOF<190>Nov 30 16:27:23 1404726150004842(root) 44243622 Traffic@FLOW: SESSION: 10.6.4.178:48150->192.168.20.161:11800(TCP), interface tunnel6, vr trust-vr, policy 1, user -@-, host -, session start\n\u0000 参考链接: https://blog.csdn.net/qq_34624315/article/details/83013531
cat > H3C.conf <<EOF
###h4c 日志过滤
grok {
match => { "message" => "\<%{BASE10NUM:syslog_pri}\>%{SYSLOGTIMESTAMP:timestamp}\ %{DATA:year} %{DATA:hostname} \%\%%{DATA:ddModuleName}\/%{POSINT:severity}\/%{DATA:brief}\: %{GREEDYDATA:reason}" }
add_field => {"severity_code" => "%{severity}"}
}
mutate {
gsub => [
"severity", "0", "Emergency",
"severity", "1", "Alert",
"severity", "2", "Critical",
"severity", "3", "Error",
"severity", "4", "Warning",
"severity", "5", "Notice",
"severity", "6", "Informational",
"severity", "7", "Debug"
]
remove_field => ["message", "syslog_pri"]
}
}
output {
stdout { codec=> rubydebug }
# elasticsearch {
# hosts => "192.168.20.18:9200" #elasticsearch服务地址
# index => "logstash-h4c-%{+YYYY.MM.dd}"
# }
}
EOF
交换路由等网络设备logstash配置
logstash配置文件
主要是收集ESXI机器日志,方便进行安全日志分析;
主要通过syslog进行日志收集,再通过ELK栈提供的logstash进行分析
ESXI-syslog--logstash--elasticsearch
本文通过客户端配置,当然也能进行web配置,方法基本一致,具体配置请参考链接。
开启syslog服务:
打开esxi客户端-选择主机-主机配置-高级设置-syslog-设置远程syslog服务器为: udp://192.168.20.18:514
允许防火墙放行。
打开esxi客户端-选择主机-主机配置-安全配置文件-防火墙-编辑-勾选syslog服务器,点击确定。
Vmware Esxi syslog配置
在Esxi上配置syslog
Monitoring VMWare ESXi with the ELK Stack
cat > /data/config/test-vmware.config << EOF
input{
udp {port => 514 type => "Hillstone"}
}
output {
stdout { codec=> rubydebug }
}
EOF
logstash -f test-vmware.config<167>2019-12-03T07:36:11.689Z localhost.localdomain Vpxa: verbose vpxa[644C8B70] [Originator@6876 sub=VpxaHalCnxHostagent opID=WFU-2d14bc3d] [WaitForUpdatesDone] Completed callback\ncat > vmware.conf <<EOF
input{
udp {
port => 514
type => "vmware"
}
}
filter {
if "vmware" in [type] {
grok {
break_on_match => true
match => [
"message", "<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{SYSLOGPROG:syslog_program}: (?<message-body>(?<message_system_info>(?:\[%{DATA:message_thread_id} %{DATA:syslog_level} \'%{DATA:message_service}\'\ ?%{DATA:message_opID}])) \[%{DATA:message_service_info}]\ (?<syslog_message>(%{GREEDYDATA})))",
"message", "<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{SYSLOGPROG:syslog_program}: (?<message-body>(?<message_system_info>(?:\[%{DATA:message_thread_id} %{DATA:syslog_level} \'%{DATA:message_service}\'\ ?%{DATA:message_opID}])) (?<syslog_message>(%{GREEDYDATA})))",
"message", "<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{SYSLOGPROG:syslog_program}: %{GREEDYDATA:syslog_message}"
]
}
date {
match => [ "syslog_timestamp", "YYYY-MM-ddHH:mm:ss", "ISO8601" ]
}
mutate {
replace => [ "@source_host", "%{syslog_hostname}" ]
}
mutate {
replace => [ "@message", "%{syslog_message}" ]
}
mutate {
remove_field => ["@source_host","program","@timestamp","syslog_hostname","@message"]
}
if "Device naa" in [message] {
grok {
break_on_match => false
match => [
"message", "Device naa.%{WORD:device_naa} performance has %{WORD:device_status}%{GREEDYDATA} of %{INT:datastore_latency_from}%{GREEDYDATA} to %{INT:datastore_latency_to}",
"message", "Device naa.%{WORD:device_naa} performance has %{WORD:device_status}%{GREEDYDATA} from %{INT:datastore_latency_from}%{GREEDYDATA} to %{INT:datastore_latency_to}"
]
}
}
if "connectivity issues" in [message] {
grok {
match => [
"message", "Hostd: %{GREEDYDATA} : %{DATA:device_access} to volume %{DATA:device_id} %{DATA:datastore} (following|due to)"
]
}
}
if "WARNING" in [message] {
grok {
match => [
"message", "WARNING: %{GREEDYDATA:vmware_warning_msg}"
]
}
}
}
}
output {
elasticsearch {
hosts => "192.168.20.18:9200" #elasticsearch服务地址
index => "logstash-vmware-%{+YYYY.MM.dd}"
}
# stdout { codec=> rubydebug }
}
EOF
mutate基本用法
基本logstash配置文件参考
vmware and syslog
logstash VCSA6.0
filter plugins
主要是收集vcsa机器日志,方便进行安全日志分析;
主要通过syslog进行日志收集,再通过ELK栈提供的logstash进行分析
VCSA-Syslog--Logstash--Elasticsearch
打开VCSA的管理后台URL: http://192.168.20.90:5480,输入账号和密码(开机root和密码)--点击syslog配置中心,输入syslog配置信息。
Vmware Esxi syslog配置
VCSA 6.5 forward to multiple syslog
VCSA syslog
input{
udp {
port => 1514
type => "vcenter"
}
}
output {
stdout { codec=> rubydebug }
}
<14>1 2019-12-05T02:44:17.640474+00:00 photon-machine vpxd 4035 - - Event [4184629] [1-1] [2019-12-05T02:44:00.017928Z] [vim.event.UserLoginSessionEvent] [info] [root] [Datacenter] [4184629] [User root@192.168.20.17 logged in as pyvmomi Python/3.6.8 (Linux; 3.10.0-957.el7.x86_64; x86_64)]\ncat > vcenter.conf <<EOF
input{
udp {
port => 1514
type => "vcenter"
}
}
filter {
if "vcenter" in [type] {
}
grok {
break_on_match => true
match => [
"message", "<%{NONNEGINT:syslog_pri}>%{NONNEGINT:syslog_ver} +(?:%{TIMESTAMP_ISO8601:syslog_timestamp}|-) +(?:%{HOSTNAME:syslog_hostname}|-) +(-|%{SYSLOG5424PRINTASCII:syslog_program}) +(-|%{SYSLOG5424PRINTASCII:syslog_proc}) +(-|%{SYSLOG5424PRINTASCII:syslog_msgid}) +(?:%{SYSLOG5424SD:syslog_sd}|-|) +%{GREEDYDATA:syslog_msg}"
]
}
date {
match => [ "syslog_timestamp", "YYYY-MM-ddHH:mm:ss,SSS", "YYYY-MM-dd HH:mm:ss,SSS", "ISO8601" ]
#timezone => "UTC" #For vCenter Appliance
#timezone => "Asia/Shanghai"
}
mutate {
remove_field => ["syslog_ver", "syslog_pri"]
}
}
output {
elasticsearch {
hosts => "192.168.20.18:9200" #elasticsearch服务地址
index => "logstash-vcenter-%{+YYYY.MM.dd}"
}
# stdout { codec=> rubydebug }
}
EOF
mutate基本用法
基本logstash配置文件参考
vmware and syslog
logstash VCSA6.0
主要是收集AD域日志,方便进行安全日志分析;
主要通过ELK栈提供的winlogbeat进行收集
winlogbeat--logstash--elasticsearch
下载连接地址:https://www.elastic.co/cn/downloads/beats/winlogbeat
将解压后的文件放到“C:\Program Files”,重命名为winlogbeat
命令安装
编辑winlogbeat.yml文件
winlogbeat.event_logs:
- name: Application
- name: Security
- name: System
output.logstash:
enbaled: true
hosts: ["192.168.20.18:5044"]
logging.to_files: true
logging.files:
path: D:\ProgramData\winlogbeat\Logs
logging.level: infoPS C:\Program Files\Winlogbeat> .\winlogbeat.exe test config -c .\winlogbeat.yml -e启动winlogbeat
powershell命令行启动:
PS C:\Program Files\Winlogbeat> Start-Service winlogbeatpowershell命令行关闭
PS C:\Program Files\Winlogbeat> Stop-Service winlogbeat导入winlogindex模板,因为我们使用的logstash,所以需要手动导入。
PS > .\winlogbeat.exe setup --index-management -E output.logstash.enabled=false -E 'output.elasticsearch.hosts=["192.168.20.18"]'导入kibana-dashboard,因为我们使用的logstash,所以需要手动导入。
PS > .\winlogbeat.exe setup -e -E output.logstash.enabled=false -E output.elasticsearch.hosts=['192.168.20.18:9200'] -E setup.kibana.host=192.168.20.18:5601 windows 上winlogbeat安装
官方手册分析
cat > /data/config/test-windows.config << EOF
input {
beats {
port => 5044
}
}
output {
stdout { codec=> rubydebug }
}
EOF
logstash -f test-windows.config创建正式配置文件,查看内容(因为已有模板,所以不错其他修改处理)
cat > /data/config/windows.config << EOF
input {
beats {
port => 5044
}
}
output {
elasticsearch {
hosts => ["http:192.168.20.18:9200"]
index => "%{[@metadata][beat]}-%{[@metadata][version]}"
}
}
EOF
logstash -f windows.config
beats input plugin
因为已经winlogbeat是elk栈的标准模块,已经被定义,所以我们不再自行定义。
直接打开搜索winlogbaet*的index。
因为已经winlogbeat是elk栈的标准模块,已经被定义,所以我们不再自行定义。
直接打开搜索winlogbaet*的dashboard
主要是收集linux上的开关机日志,安全日志;
主要通过ELK栈提供的filebeat进行收集
filebeat-filebeat-module--elasticsearch
官网下载,连接地址:https://www.elastic.co/cn/downloads/beats/filebeat
命令行安装
curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.5.0-linux-x86_64.tar.gz
tar xzvf filebeat-7.5.0-linux-x86_64.tar.gz查看filebeat目录布局
编辑filebeat.yml文件
filebeat.inputs:
- type: log
enabled: true
paths:
- /var/log/*.log
#- c:\programdata\elasticsearch\logs\*
output.elasticsearch:
hosts: ["192.168.20.18:9200"]
setup.kibana:
host: "192.168.20.18:5601"
运行filebeat文件
filebeat -c filebeat.yml -ewindows 上winlogbeat安装
官方手册分析
关闭ilm声明周期管理
setup.ilm.enabled: false更改索引名称
setup.template.overwrite: true
output.elasticsearch.index: "systemlog-7.3.0-%{+yyyy.MM.dd}"
setup.template.name: "systemlog"
setup.template.pattern: "systemlog-*"修改预先构建的kibana仪表盘
setup.dashboards.index: "systemlog-*"./filebeat modules enable system
./filebeat modules list./filebeat setup --template -e -c filebeat.ymlfilebeat.modules:
- module: system
syslog:
enabled: true
#默认位置/var/log/messages* /var/log/syslog*
auth:
enabled: true
#默认位置/var/log/auth.log* /var/log/secure*
output.elasticsearch:
hosts: ["192.168.20.18:9200"]
setup.kibana:
host: "192.168.20.18:5601"./filebeat setup -e -c filebeat.ymlbeats input plugin
filebeat模块与配置
system module
input{
udp {
port => 516
type => "h4c"
}
}
input{
udp {
port => 518
type => "hillstone"
}
}
input{
udp {
port => 514
type => "vmware"
}
}
input{
udp {
port => 1514
type => "vcenter"
}
}
input {
beats {
port => 5044
type => "windows"
}
}
filter {
if [type] == "hillstone" {
grok {
match => { "message" => "\<%{BASE10NUM:syslog_pri}\>%{SYSLOGTIMESTAMP:timestamp}\ %{BASE10NUM:serial}\(%{WORD:ROOT}\) %{DATA:logid}\ %{DATA:Sort}@%{DATA:Class}\: %{DATA:module}\: %{IPV4:srcip}\:%{BASE10NUM:srcport}->%{IPV4:dstip}:%{WORD:dstport}\(%{DATA:protocol}\), application %{USER:app}\, interface %{DATA:interface}\, vr %{USER:vr}\, policy %{DATA:policy}\, user %{USERNAME:user}\@%{DATA:AAAserver}\, host %{USER:HOST}\, send packets %{BASE10NUM:sendPackets}\,send bytes %{BASE10NUM:sendBytes}\,receive packets %{BASE10NUM:receivePackets}\,receive bytes %{BASE10NUM:receiveBytes}\,start time %{TIMESTAMP_ISO8601:startTime}\,close time %{TIMESTAMP_ISO8601:closeTime}\,session %{WORD:state}\,%{GREEDYDATA:reason}"}
match => { "message" => "\<%{BASE10NUM:syslog_pri}\>%{SYSLOGTIMESTAMP:timestamp}\ %{BASE10NUM:serial}\(%{WORD:ROOT}\) %{DATA:logid}\ %{DATA:Sort}@%{DATA:Class}\: %{DATA:module}\: %{IPV4:srcip}\:%{BASE10NUM:srcport}->%{IPV4:dstip}:%{WORD:dstport}\(%{DATA:protocol}\), interface %{DATA:interface}\, vr %{DATA:vr}\, policy %{DATA:policy}\, user %{USERNAME:user}\@%{DATA:AAAserver}\, host %{USER:HOST}\, session %{WORD:state}%{GREEDYDATA:reason}"}
match => { "message" => "\<%{BASE10NUM:syslog_pri}\>%{SYSLOGTIMESTAMP:timestamp}\ %{BASE10NUM:serial}\(%{WORD:ROOT}\) %{DATA:logid}\ %{DATA:Sort}@%{DATA:Class}\: %{DATA:module}\: %{IPV4:srcip}\:%{BASE10NUM:srcport}->%{IPV4:dstip}:%{WORD:dstport}\(%{DATA:protocol}\), %{WORD:state} to %{IPV4:snatip}\:%{BASE10NUM:snatport}\, vr\ %{DATA:vr}\, user\ %{USERNAME:user}\@%{DATA:AAAserver}\, host\ %{DATA:HOST}\, rule\ %{BASE10NUM:rule}"} match => { "message" => "\<%{BASE10NUM:syslog_pri}\>%{SYSLOGTIMESTAMP:timestamp}\ %{BASE10NUM:serial}\(%{WORD:ROOT}\) %{DATA:logid}\ %{DATA:Sort}@%{DATA:Class}\: %{DATA:module}\: %{IPV4:srcip}\:%{BASE10NUM:srcport}->%{IPV4:dstip}:%{WORD:dstport}\(%{DATA:protocol}\), %{WORD:state} to %{IPV4:dnatip}\:%{BASE10NUM:dnatport}\, vr\ %{DATA:vr}\, user\ %{USERNAME:user}\@%{DATA:AAAserver}\, host\ %{DATA:HOST}\, rule\ %{BASE10NUM:rule}"}
}
mutate {
lowercase => [ "module" ]
remove_field => ["host", "message", "ROOT", "HOST", "serial", "syslog_pri", "timestamp", "mac", "AAAserver", "user"]
}
}
if [type] == "h4c" {
grok {
match => { "message" => "\<%{BASE10NUM:syslog_pri}\>%{SYSLOGTIMESTAMP:timestamp}\ %{DATA:year} %{DATA:hostname} \%\%%{DATA:ddModuleName}\/%{POSINT:severity}\/%{DATA:brief}\: %{GREEDYDATA:reason}" }
add_field => {"severity_code" => "%{severity}"}
}
mutate {
gsub => [
"severity", "0", "Emergency",
"severity", "1", "Alert",
"severity", "2", "Critical",
"severity", "3", "Error",
"severity", "4", "Warning",
"severity", "5", "Notice",
"severity", "6", "Informational",
"severity", "7", "Debug"
]
remove_field => ["message", "syslog_pri"]
}
}
if [type] == "vmware" {
grok {
break_on_match => true
match => [
"message", "<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{SYSLOGPROG:syslog_program}: (?<message-body>(?<message_system_info>(?:\[%{DATA:message_thread_id} %{DATA:syslog_level} \'%{DATA:message_service}\'\ ?%{DATA:message_opID}])) \[%{DATA:message_service_info}]\ (?<syslog_message>(%{GREEDYDATA})))",
"message", "<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{SYSLOGPROG:syslog_program}: (?<message-body>(?<message_system_info>(?:\[%{DATA:message_thread_id} %{DATA:syslog_level} \'%{DATA:message_service}\'\ ?%{DATA:message_opID}])) (?<syslog_message>(%{GREEDYDATA})))",
"message", "<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{SYSLOGPROG:syslog_program}: %{GREEDYDATA:syslog_message}"
]
}
date {
match => [ "syslog_timestamp", "YYYY-MM-ddHH:mm:ss", "ISO8601" ]
}
mutate {
replace => [ "@source_host", "%{syslog_hostname}" ]
}
mutate {
replace => [ "@message", "%{syslog_message}" ]
}
mutate {
remove_field => ["@source_host","program","syslog_hostname","@message"]
}
}
if [type] == "vcenter" {
grok {
break_on_match => true
match => [
"message", "<%{NONNEGINT:syslog_pri}>%{NONNEGINT:syslog_ver} +(?:%{TIMESTAMP_ISO8601:syslog_timestamp}|-) +(?:%{HOSTNAME:syslog_hostname}|-) +(-|%{SYSLOG5424PRINTASCII:syslog_program}) +(-|%{SYSLOG5424PRINTASCII:syslog_proc}) +(-|%{SYSLOG5424PRINTASCII:syslog_msgid}) +(?:%{SYSLOG5424SD:syslog_sd}|-|) +%{GREEDYDATA:syslog_msg}"
]
}
date {
match => [ "syslog_timestamp", "YYYY-MM-ddHH:mm:ss,SSS", "YYYY-MM-dd HH:mm:ss,SSS", "ISO8601" ]
}
mutate {
remove_field => ["syslog_ver", "syslog_pri"]
}
}
}
output {
if [type] == "hillstone" {
elasticsearch {
hosts => "192.168.20.18:9200"
index => "hillstone-%{module}-%{+YYYY.MM.dd}"
}
}
if [type] == "h4c" {
elasticsearch {
hosts => "192.168.20.18:9200"
index => "h4c-%{+YYYY.MM.dd}"
}
}
if [type] == "vmware" {
elasticsearch {
hosts => "192.168.20.18:9200"
index => "vmware-%{+YYYY.MM.dd}"
}
}
if [type] == "vcenter" {
elasticsearch {
hosts => "192.168.20.18:9200"
index => "vcenter-%{+YYYY.MM.dd}"
}
}
if [type] == "windows" {
elasticsearch {
hosts => "192.168.20.18:9200"
index => "%{[@metadata][beat]}-%{[@metadata][version]}"
}
}
}
启动logstash服务,并把mix.config 更改为logstash.conf ,放到/etc/logstash 目录下。
systemctl enable logstash
systemc start logstash找到一篇英文站点,将鼠标移动到url开始,添加icopy.site/回车。
"icopy.site/"+"https://www.elastic.co"
例如 : 源网址:https://www.elastic.co/guide/en/logstash/current/plugins-filters-grok.html
转译后网址:https://s0www0elastic0co.icopy.site/guide/en/logstash/current/plugins-filters-grok.html
推荐理由:
1.比谷歌全文翻译更准确,而且关键代码不翻译。
2.如果你英文不好,或者看英文文档太累,可以试下哦。
推荐学习视频:
ELK入门到实践
免责声明:本站发布的内容(图片、视频和文字)以原创、转载和分享为主,文章观点不代表本网站立场,如果涉及侵权请联系站长邮箱:is@yisu.com进行举报,并提供相关证据,一经查实,将立刻删除涉嫌侵权内容。