客戶端配置rsyslog(centos自帶rsyslog,不需要另外下載)
vim /etc/rsyslog.conf
#### MODULES ####
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
#$ModLoad immark # provides --MARK-- message capability
$ModLoad imfile #load the dimfile module
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
#### GLOBAL DIRECTIVES ####
# Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
#### RULES ####
# Log all kernel messages to the console.
# Logging much else clutters up the screen.(內核)
kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!(記錄的內核消息、各種服務的公共消息,報錯信息等)
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.(包含驗證和授權方面信息)
authpriv.* /var/log/secure
# Log all the mail messages in one place.(包含來着系統運行電子郵件服務器的日誌信息)
mail.* -/var/log/maillog
# Log cron stuff(每當cron進程開始一個工作時,就會將相關信息記錄在這個文件中)
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg :omusrmsg:*
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log(自定義的消息)
local7.* /var/log/boot.log
# 監視指定路徑
$InputFileName /usr/local/nginx/logs/access.log
# 設置唯一標籤(唯一,必須唯一)
$InputFileTag req_access
# 數據類型
$InputFileSeverity info
$InputFileStateFile /etc/rsyslog.d/stat-access
# 設置設備名爲local5
$InputFileFacility local5
$InputFilePollInterval 1
$InputFilePersistStateInterval 1
$InputRunFileMonitor
# 將此設備所有的數據全部發送到遠程服務器中 @:UDP協議,@@:TCP協議
local5.* @@192.168.194.6:514
$InputFileName /usr/local/nginx/logs/error.log
$InputFileTag req_error
$InputFileSeverity info
$InputFileStateFile /etc/rsyslog.d/stat-error
$InputFileFacility local6
$InputFilePollInterval 1
$InputFilePersistStateInterval 1
$InputRunFileMonitor
local6.* @@192.168.194.6:514
在配置服務端之前可以在服務端抓包,查看數據是否傳輸過來
tcpdump -i ens33 port 514
顯示兩邊有數據往來後,再配置logstash
服務端配置logstash
vim /usr/local/logstash/config/logstash.conf
input {
tcp {
type => "syslog"
port => 514
ssl_enable => false
mode => "server"
}
}
output {
stdout {
codec => rubydebug
}
}
啓動logstash:
/usr/local/logstash/bin/logstash -f /usr/local/logstash/config/logstash.conf --config.reload.automatic
不出意外的話,就是醬紫:
出了意外的話…………
常見問題:
1、端口被佔用:
解決方案一:查看端口使用情況,關閉正在運行的rsyslog
netstat -an |grep 514
在服務端使用 systemctl stop rsyslog 命令關閉rsyslog後,就不會出現514端口被佔用,address already in used 的情況。
再次啓動logstash 收集日誌就OK啦
解決方案二:https://blog.csdn.net/msdnwolaile/article/details/50743254