CentOS 7: forwarding logs from the client with rsyslog and collecting them on the server with Logstash

Client-side rsyslog configuration (CentOS ships with rsyslog, so nothing extra needs to be downloaded)

vim /etc/rsyslog.conf
#### MODULES ####

$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog   # provides kernel logging support (previously done by rklogd)
#$ModLoad immark  # provides --MARK-- message capability
$ModLoad imfile #load the dimfile module
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514


#### GLOBAL DIRECTIVES ####

# Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf

$OmitLocalLogging on

#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen. (kernel messages)
kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages! (kernel messages, general messages from the various services, error messages, etc.)
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access. (authentication and authorization information)
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place. (log messages from the mail server running on this system)
mail.*                                                  -/var/log/maillog


# Log cron stuff (whenever the cron daemon starts a job, the details are recorded in this file)
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 :omusrmsg:*

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log (custom messages)
local7.*                                                /var/log/boot.log


# Watch the file at this path
$InputFileName    /usr/local/nginx/logs/access.log
# Set the tag (it must be unique)
$InputFileTag    req_access
# Severity to assign to the lines read
$InputFileSeverity   info
$InputFileStateFile    /etc/rsyslog.d/stat-access
# Set the facility to local5
$InputFileFacility    local5
$InputFilePollInterval    1
$InputFilePersistStateInterval 1
$InputRunFileMonitor
# Send everything from this facility to the remote server; @ means UDP, @@ means TCP
local5.*  @@192.168.194.6:514



$InputFileName    /usr/local/nginx/logs/error.log
$InputFileTag    req_error
$InputFileSeverity   info
$InputFileStateFile    /etc/rsyslog.d/stat-error
$InputFileFacility    local6
$InputFilePollInterval    1
$InputFilePersistStateInterval 1
$InputRunFileMonitor
local6.*  @@192.168.194.6:514

Before configuring the server side, you can capture packets on the server to check whether the data is actually arriving:

tcpdump -i ens33 port 514

Once traffic is visible in both directions, go on to configure Logstash.

Server-side Logstash configuration

vim /usr/local/logstash/config/logstash.conf
input {
  tcp {
    type => "syslog"
    port => 514
    ssl_enable => false
    mode => "server"
  }
}

output {
  stdout {
    codec => rubydebug
  }
}
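Logstash's tcp input hands each received line over as a raw message field and does not decode the syslog header, so it helps to know exactly what rsyslog's default forwarding template puts on the wire. The following Python parser is an added example, not code from the original post: it decodes such a line into facility, severity, host, tag and the nginx combined-format access fields, and checks that the tag-to-facility mapping matches the client configuration above (the sample lines are constructed, not captured from a real system).

```python
import re

# Facility codes from RFC 3164 sec. 4.1.1; local5/local6 are the ones the rsyslog
# client config above assigns to the nginx access and error logs.
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
              16: "local0", 17: "local1", 18: "local2", 19: "local3", 20: "local4",
              21: "local5", 22: "local6", 23: "local7"}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Layout of rsyslog's default forwarding template: <PRI>Mmm dd HH:MM:SS host tag msg
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^ :]+):? ?(?P<msg>.*)$")
# nginx "combined" access log format
NGINX_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"')

# Tag -> facility mapping the client config establishes; a mismatch means the two
# imfile blocks on the client were edited inconsistently.
EXPECTED_FACILITY = {"req_access": "local5", "req_error": "local6"}


def parse_forwarded_line(line):
    """Decode one line as rsyslog's @@ forwarding emits it; None if it is not syslog."""
    m = SYSLOG_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    pri = int(m["pri"])
    rec = {"facility": FACILITIES.get(pri >> 3, str(pri >> 3)),
           "severity": SEVERITIES[pri & 7], "timestamp": m["ts"],
           "host": m["host"], "tag": m["tag"], "msg": m["msg"]}
    rec["facility_ok"] = EXPECTED_FACILITY.get(rec["tag"]) == rec["facility"]
    if rec["tag"] == "req_access":
        a = NGINX_RE.match(rec["msg"])
        if a:
            rec["access"] = a.groupdict()
            rec["access"]["status"] = int(a["status"])
    return rec


# Constructed sample lines in the shape the client above would send
# (PRI 174 = local5.info, 182 = local6.info); not captured from a real system.
SAMPLES = [
    '<174>Mar  3 10:15:42 web01 req_access 203.0.113.5 - - [03/Mar/2019:10:15:42 +0800] '
    '"GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '<182>Mar  3 10:15:43 web01 req_error 2019/03/03 10:15:43 [error] 1234#0: *5 open() '
    '"/usr/local/nginx/html/favicon.ico" failed (2: No such file or directory), client: 203.0.113.5',
]
```

Running parse_forwarded_line over each entry of SAMPLES yields dictionaries with facility local5/local6, severity info, and for the access line a nested access dict with an integer status of 200.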

Start Logstash:

/usr/local/logstash/bin/logstash -f /usr/local/logstash/config/logstash.conf --config.reload.automatic

If nothing goes wrong, it looks like this:

And if something does go wrong……

Common problems:

1. Port already in use:

Solution 1: check what is using the port, and stop the rsyslog instance that is already running

netstat -an |grep 514

After stopping rsyslog on the server with systemctl stop rsyslog, port 514 is no longer occupied and the "address already in use" error no longer appears.

Start Logstash again and log collection works.

Solution 2: https://blog.csdn.net/msdnwolaile/article/details/50743254
