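Pitfalls encountered when setting up systemd to manage the Logstash service on CentOS 7

Information: I have been working with ELK for quite a while, so I am taking the time to write up the pitfalls I have run into.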

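1. Test environment

CentOS 7 operating system, rsyslog, Logstash 6.2.4 (installed from the binary distribution)

2. Problem

When the service is configured to start as the logstash user, the following error occurs: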

Jul 27 17:39:02 zabbix-server logstash: [2019-07-27T17:39:02,995][INFO ][logstash.inputs.syslog   ] Starting syslog udp listener {:address=>"0.0.0.0:514"}
Jul 27 17:39:03 zabbix-server logstash: [2019-07-27T17:39:02,997][WARN ][logstash.inputs.syslog   ] syslog listener died {:protocol=>:udp, :address=>"0.0.0.0:514", 
:exception=>#<Errno::EACCES: Permission denied - bind(2) for "0.0.0.0" port 514>, :backtrace=>["org/jruby/ext/socket/RubyUDPSocket.java:197:in `bind'", 
"/usr/local/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-input-syslog-3.4.1/lib/logstash/inputs/syslog.rb:149:in `udp_listener'", 
"/usr/local/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-input-syslog-3.4.1/lib/logstash/inputs/syslog.rb:130:in `server'", 
"/usr/local/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-input-syslog-3.4.1/lib/logstash/inputs/syslog.rb:110:in `block in run'"]}

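Cause: the process has no permission to bind the port. Linux treats ports below 1024 as privileged, so by default an application listening on one of them must be started as root and cannot be started by an ordinary user.

3. Solutions

(1) Start the Logstash service as root. This works, but the JVM and every Logstash plugin then run with full root privileges.

logstash.service: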

[Unit]
Description=logstash

[Service]
Type=simple
User=root
Group=root
Environment=JAVA_HOME=/usr/local/jdk
Environment=LS_HOME=/usr/local/logstash
Environment=LS_SETTINGS_DIR=/usr/local/logstash/config/
Environment=LS_PIDFILE=/usr/local/logstash/logstash.pid
Environment=LS_USER=root
Environment=LS_GROUP=root
Environment=LS_GC_LOG_FILE=/usr/local/logstash/logs/gc.log
Environment=LS_OPEN_FILES=16384
Environment=LS_NICE=19
Environment=SERVICE_NAME=logstash
Environment=SERVICE_DESCRIPTION=logstash
ExecStart=/usr/local/logstash/bin/logstash "--path.settings" "/usr/local/logstash/config/"
Restart=always
WorkingDirectory=/usr/local/logstash
Nice=19
LimitNOFILE=16384

[Install]
WantedBy=multi-user.target

Logstash configuration:

input {
    syslog {
        port => "514"
    }
}
filter {
}
output {
    stdout { codec => rubydebug }
}

Test result: (screenshot, image.png)

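(2) Start the Logstash service as the unprivileged logstash user, configure the firewalld firewall to forward traffic on port 514 to port 1300, and set the Logstash syslog input to receive log messages on port 1300.

logstash.service is as follows: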

[Unit]
Description=logstash

[Service]
Type=simple
User=logstash
Group=logstash
Environment=JAVA_HOME=/usr/local/jdk
Environment=LS_HOME=/usr/local/logstash
Environment=LS_SETTINGS_DIR=/usr/local/logstash/config/
Environment=LS_PIDFILE=/usr/local/logstash/logstash.pid
Environment=LS_USER=logstash
Environment=LS_GROUP=logstash
Environment=LS_GC_LOG_FILE=/usr/local/logstash/logs/gc.log
Environment=LS_OPEN_FILES=16384
Environment=LS_NICE=19
Environment=SERVICE_NAME=logstash
Environment=SERVICE_DESCRIPTION=logstash
ExecStart=/usr/local/logstash/bin/logstash "--path.settings" "/usr/local/logstash/config/"
Restart=always
WorkingDirectory=/usr/local/logstash
Nice=19
LimitNOFILE=16384

[Install]
WantedBy=multi-user.target

Logstash test configuration (conf):

input {
    syslog {
        port => "1300"
    }
}
filter {
}
output {
    stdout { codec => rubydebug }
}

Configure firewalld port forwarding so that traffic on port 514 is forwarded to port 1300:

firewall-cmd --permanent --zone=public --add-port=514/tcp
firewall-cmd --permanent --zone=public --add-forward-port=port=514:proto=tcp:toport=1300
firewall-cmd --reload
firewall-cmd --list-ports
firewall-cmd --list-forward-ports

Test result: (screenshot, image.png)
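
The forward rule above covers only TCP, while the syslog input also opens a UDP listener (the one that failed in the log in section 2). As an added example that is not part of the original post, the script below checks that the unit runs as a non-root user and that both 514/tcp and 514/udp are forwarded to 1300. It assumes `firewall-cmd --list-forward-ports` prints one rule per line as `port=514:proto=tcp:toport=1300:toaddr=`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (hypothetical function names). Assumed rule format printed by
# `firewall-cmd --list-forward-ports`: port=514:proto=tcp:toport=1300:toaddr=
# Usage: firewall-cmd --zone=public --list-forward-ports | audit /path/to/logstash.service

# Print the User= value from the [Service] section of a unit file.
unit_user() {
    awk -F= '
        /^\[/ { in_service = ($0 == "[Service]") }
        in_service && $1 == "User" { user = $2 }
        END { print user }
    ' "$1"
}

# Read forward rules on stdin; print each protocol (tcp, udp) that has no
# rule forwarding port $1 to port $2.
missing_forwards() {
    awk -v src="$1" -v dst="$2" '
        {
            port = proto = toport = ""
            n = split($0, kv, ":")
            for (i = 1; i <= n; i++) {
                split(kv[i], p, "=")
                if (p[1] == "port") port = p[2]
                if (p[1] == "proto") proto = p[2]
                if (p[1] == "toport") toport = p[2]
            }
            if (port == src && toport == dst) seen[proto] = 1
        }
        END {
            if (!("tcp" in seen)) print "tcp"
            if (!("udp" in seen)) print "udp"
        }
    '
}

# Return 0 only if the unit has a non-root User= and both protocols are forwarded.
audit() {
    user=$(unit_user "$1")
    missing=$(missing_forwards 514 1300)
    status=0
    if [ -z "$user" ] || [ "$user" = "root" ]; then
        echo "FAIL: service runs as root (User=${user:-unset})"; status=1
    fi
    for proto in $missing; do
        echo "FAIL: 514/$proto is not forwarded to 1300"; status=1
    done
    [ "$status" -eq 0 ] && echo "OK: User=$user, tcp and udp forwarded"
    return "$status"
}
```

A unit file with no `User=` line is reported as root, because systemd runs system services as root when the setting is absent.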
