Thursday, August 28, 2014

Logstash + Elasticsearch + Kibana

An open-source stack with Splunk-like functionality

Using Logstash together with Elasticsearch and Kibana

Roles:

(0) rsyslog [Remote Linux server]
(1) syslog collector [Logstash]
(2) search server [Elasticsearch]
(3) web UI [Kibana]

Official documentation:
http://www.logstash.net/docs/1.4.2/tutorials/10-minute-walkthrough/
http://logstash.net/docs/1.4.2/tutorials/getting-started-with-logstash


Install the required software with rpm and yum respectively

(Logstash)

Download the rpm from the official site and install it
 ( http://www.elasticsearch.org/overview/elkdownloads/ )
[root@Test-Logstash syslog]# rpm -qa | grep logstash
logstash-contrib-1.4.2-1_efd53ef.noarch
logstash-1.4.2-1_2c0f5a1.noarch

(Java)

Install it with yum
[root@Test-Logstash syslog]# rpm -qa | grep java
tzdata-java-2014e-1.el6.noarch
java-1.7.0-openjdk-1.7.0.65-2.5.1.2.el6_5.x86_64

(Elasticsearch)

Download the rpm from the official site and install it
 ( http://www.elasticsearch.org/overview/elkdownloads/ )
[root@Test-Logstash src]# rpm -qa | grep elasticsearch
elasticsearch-1.3.2-1.noarch

(Kibana)

Download the archive from the Kibana official site
 ( http://www.elasticsearch.org/overview/elkdownloads/ )
Extract kibana-3.1.0.tar.gz and place it under /var/www/html; the directory can be given any name you like.

(Remote Syslog Client)

Edit rsyslog.conf and restart the service. The simplest configuration is to add one of the following lines at the bottom (xxx.xxx.xxx is the collector's address; a single @ forwards over UDP, @@ forwards over TCP):

*.* @xxx.xxx.xxx
or
*.* @@xxx.xxx.xxx




Configure the logstash conf

[root@Test-Logstash conf.d]# pwd
/etc/logstash/conf.d
[root@Test-Logstash conf.d]# cat syslog.conf 
input {
  tcp {
    type => "syslog"
    port => 514
  }
  udp {
    type => "syslog"
    port => 514
  }
}

filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    syslog_pri { }
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}


output {
  elasticsearch {
    embedded => true
  }
}

[root@Test-Logstash conf.d]#
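To check what the grok, syslog_pri and date filters above produce before pointing real hosts at the collector, the following Python script (an added example, not part of the original post and not Logstash code) re-implements the same grok pattern as a plain regular expression and runs it over a few constructed sample lines. The field names match the grok pattern in syslog.conf; the facility/severity keyword tables and the `year` argument (syslog timestamps carry no year, so Logstash's date filter assumes the current one) are this example's own assumptions.

```python
import json
import re
from datetime import datetime

# Regular-expression equivalent of the grok pattern in syslog.conf (constructed
# here; not Logstash's own pattern library):
#   %{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname}
#   %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}
# Like grok, the match is unanchored, so a leading "<PRI>" sent by rsyslog does
# not break the timestamp match; it is captured separately for the pri decoding.
SYSLOG_RE = re.compile(
    r"(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<syslog_timestamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<syslog_hostname>[\w.:-]+) "
    r"(?P<syslog_program>.*?)(?:\[(?P<syslog_pid>\d+)\])?: "
    r"(?P<syslog_message>.*)$"
)

# RFC 3164 facility/severity keywords (this example's own naming; the names
# for facilities 12-15 vary between implementations).
FACILITIES = ["kernel", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emergency", "alert", "critical", "error", "warning", "notice",
              "informational", "debug"]


def parse_syslog_line(line: str, year: int) -> dict:
    """Mimic the grok -> syslog_pri -> date chain for one raw line.

    year: syslog timestamps carry no year; Logstash's date filter assumes the
    current one, so the caller supplies it explicitly here.
    """
    m = SYSLOG_RE.search(line)
    if not m:
        # grok does not drop unmatched events; it tags them so they can be
        # found (and the pattern fixed) in Kibana.
        return {"message": line, "tags": ["_grokparsefailure"]}

    doc = {"message": line}
    for name, value in m.groupdict().items():
        if value is not None and name != "pri":
            doc[name] = value

    # syslog_pri: facility = pri / 8, severity = pri % 8. A relay that sees no
    # <PRI> is told by RFC 3164 to assume <13> (user.notice).
    pri = int(m.group("pri")) if m.group("pri") else 13
    facility, severity = divmod(pri, 8)
    doc["syslog_facility_code"] = facility
    doc["syslog_severity_code"] = severity
    doc["syslog_facility"] = FACILITIES[facility] if facility < len(FACILITIES) else "unknown"
    doc["syslog_severity"] = SEVERITIES[severity]

    # date filter: "MMM  d HH:mm:ss" and "MMM dd HH:mm:ss" collapse into one
    # strptime format, because a space in the format matches any run of spaces.
    ts = datetime.strptime(m.group("syslog_timestamp"), "%b %d %H:%M:%S")
    doc["@timestamp"] = ts.replace(year=year).isoformat()
    return doc


# Constructed sample traffic, as an rsyslog client using "*.* @collector" would send it.
SAMPLE_LINES = [
    "<38>Aug  5 10:15:30 web01 sshd[4242]: Accepted publickey for deploy from 10.0.0.5 port 52344 ssh2",
    "Aug 28 09:00:01 db01 CRON: (root) CMD (run-parts /etc/cron.hourly)",
    "this line does not look like syslog at all",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(json.dumps(parse_syslog_line(line, year=2014), indent=2))
```

Running it shows one document per line: the first two carry the grok fields plus decoded facility/severity and an ISO timestamp, while the third only gets the `_grokparsefailure` tag, which is the event you would search for in Kibana to find log sources the pattern does not understand.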


Change the logstash service to start as root. The config above binds port 514 for both TCP and UDP; ports below 1024 are privileged, so the service must run as root (or be granted CAP_NET_BIND_SERVICE) to bind them. Note that setting name=root in the script below also changes the pidfile to /var/run/root.pid.

[root@Test-Logstash init.d]# pwd
/etc/init.d
[root@Test-Logstash init.d]# cat logstash
#!/bin/sh
# Init script for logstash
# Maintained by Elasticsearch
# Generated by pleaserun.
# Implemented based on LSB Core 3.1:
#   * Sections: 20.2, 20.3
#
### BEGIN INIT INFO
# Provides:          logstash
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description:
# Description:        Starts Logstash as a daemon.
### END INIT INFO

PATH=/sbin:/usr/sbin:/bin:/usr/bin
export PATH

if [ `id -u` -ne 0 ]; then
   echo "You need root privileges to run this script"
   exit 1
fi

name=root
pidfile="/var/run/$name.pid"

LS_USER=root
LS_GROUP=root


Set the elasticsearch URL in the Kibana config

[root@Test-Logstash syslog]# pwd
/var/www/html/syslog
[root@Test-Logstash syslog]# cat config.js
/** @scratch /configuration/config.js/1
 *
 * == Configuration
 * config.js is where you will find the core Kibana configuration. This file contains parameter that
 * must be set before kibana is run for the first time.
 */
define(['settings'],
function (Settings) {


  /** @scratch /configuration/config.js/2
   *
   * === Parameters
   */
  return new Settings({

    /** @scratch /configuration/config.js/5
     *
     * ==== elasticsearch
     *
     * The URL to your elasticsearch server. You almost certainly don't
     * want +http://localhost:9200+ here. Even if Kibana and Elasticsearch are on
     * the same host. By default this will attempt to reach ES at the same host you have
     * kibana installed on. You probably want to set it to the FQDN of your
     * elasticsearch host
     *
     * Note: this can also be an object if you want to pass options to the http client. For example:
     *
     *  +elasticsearch: {server: "http://localhost:9200", withCredentials: true}+
     *
     */
    elasticsearch: "http://192.168.111.145:9200",


Demo

elasticsearch test

Kibana

Monday, August 18, 2014

Rsyslog + Elasticsearch + Kibana

An open-source stack with Splunk-like functionality

Advanced rsyslog usage together with Elasticsearch and Kibana

Roles:
(0) rsyslog [Remote Linux server]
(1) rsyslog collector [Rsyslog]
(2) search server [Elasticsearch]
(3) web UI [Kibana]


(1) Upgrade rsyslog to 8.x and install the required packages

[root@Rsyslog yum.repos.d]# pwd
/etc/yum.repos.d
[root@Rsyslog yum.repos.d]# cat rsyslog.repo
[rsyslog_v8]
name=Adiscon CentOS-$releasever - local packages for $basearch
baseurl=http://rpms.adiscon.com/v8-stable/epel-$releasever/$basearch
enabled=1
gpgcheck=0
gpgkey=http://rpms.adiscon.com/RPM-GPG-KEY-Adiscon
protect=1
[root@Rsyslog yum.repos.d]#

Note that this repo file sets gpgcheck=0, so yum installs the Adiscon packages without verifying their signatures even though gpgkey points at the Adiscon key; set gpgcheck=1 to have the packages verified against that key.

yum update rsyslog
yum install rsyslog-debuginfo rsyslog-libdbi rsyslog-mysql rsyslog-relp rsyslog-snmp rsyslog-elasticsearch rsyslog-mmanon rsyslog-mmfields rsyslog-mmjsonparse rsyslog-mmnormalize rsyslog-mmutf8fix rsyslog-ommail

[root@Rsyslog rsyslog.d]# rpm -qa | grep rsyslog
rsyslog-8.2.2-1.el6.x86_64
rsyslog-mmfields-8.2.2-1.el6.x86_64
rsyslog-relp-8.2.2-1.el6.x86_64
rsyslog-snmp-8.2.2-1.el6.x86_64
rsyslog-ommail-8.2.2-1.el6.x86_64
rsyslog-mmjsonparse-8.2.2-1.el6.x86_64
rsyslog-mysql-8.2.2-1.el6.x86_64
rsyslog-debuginfo-8.2.2-1.el6.x86_64
rsyslog-mmutf8fix-8.2.2-1.el6.x86_64
rsyslog-mmnormalize-8.2.2-1.el6.x86_64
rsyslog-mmanon-8.2.2-1.el6.x86_64
rsyslog-elasticsearch-8.2.2-1.el6.x86_64
rsyslog-libdbi-8.2.2-1.el6.x86_64
[root@Rsyslog rsyslog.d]#

(2) Install Java and Elasticsearch

http://www.elasticsearch.org/overview/elkdownloads/

wget https://download.elasticsearch.org/elasticsearch/elasticsearch/elasticsearch-1.3.2.noarch.rpm

Install it with rpm

(3) Install Kibana (search web api)
wget https://download.elasticsearch.org/kibana/kibana/kibana-3.1.0.tar.gz
Place it in the web root

Other important settings

vi /etc/rsyslog.conf

Add the rsyslog listen ports

# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514


Add the Elasticsearch integration settings in syslog.conf

[root@Rsyslog rsyslog.d]# pwd
/etc/rsyslog.d
[root@Rsyslog rsyslog.d]# cat syslog.conf
module(load="omelasticsearch") # for outputting to Elasticsearch

# this is for index names to be like: logstash-YYYY.MM.DD
template(name="logstash-index" type="list") {
 constant(value="logstash-")
 property(name="timereported" dateFormat="rfc3339" position.from="1" position.to="4")
 constant(value=".")
 property(name="timereported" dateFormat="rfc3339" position.from="6" position.to="7")
 constant(value=".")
 property(name="timereported" dateFormat="rfc3339" position.from="9" position.to="10")
}

# this is for formatting our syslog in JSON with @timestamp
 template(name="plain-syslog" type="list") {
 constant(value="{")
 constant(value="\"@timestamp\":\"")     property(name="timereported" dateFormat="rfc3339")
 constant(value="\",\"@host\":\"")       property(name="hostname")
 constant(value="\",\"@severity\":\"")   property(name="syslogseverity-text")
 constant(value="\",\"@facility\":\"")   property(name="syslogfacility-text")
 constant(value="\",\"@syslogtag\":\"")  property(name="syslogtag" format="json")
 constant(value="\",\"@message\":\"")    property(name="msg" format="json")
 constant(value="\"}")
 }
# this is where we actually send the logs to Elasticsearch (localhost:9200 by default)
action(type="omelasticsearch" template="plain-syslog" searchIndex="logstash-index" dynSearchIndex="on")
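The two templates above are easy to get subtly wrong, so here is an added Python example (not from the original post and not rsyslog code) that renders the same logstash-index and plain-syslog templates from constructed field values and parses the result back the way Elasticsearch would. The `json_escape` helper approximates rsyslog's format="json" property option; note that the template applies it only to syslogtag and msg, so a hostname containing a double quote (the sending host chooses that value) yields a document Elasticsearch cannot index, which the example checks.

```python
import json
from typing import Optional


def index_name(timereported: str) -> str:
    """Render the logstash-index template: logstash-YYYY.MM.DD.

    rsyslog's position.from / position.to are 1-based and inclusive, so
    characters 1-4, 6-7 and 9-10 of an RFC 3339 timestamp are the year,
    month and day (Python slices are 0-based, hence the offsets below).
    """
    return "logstash-{}.{}.{}".format(timereported[0:4], timereported[5:7], timereported[8:10])


def json_escape(value: str) -> str:
    """Approximation of rsyslog's format="json" option: escape quotes,
    backslashes and control characters so the value is safe inside a JSON string."""
    return json.dumps(value, ensure_ascii=False)[1:-1]


def render_plain_syslog(timereported: str, hostname: str, severity: str,
                        facility: str, syslogtag: str, msg: str) -> str:
    """Render the plain-syslog template exactly as written in syslog.conf:
    only syslogtag and msg carry format="json", so only they are escaped."""
    return (
        '{"@timestamp":"' + timereported
        + '","@host":"' + hostname
        + '","@severity":"' + severity
        + '","@facility":"' + facility
        + '","@syslogtag":"' + json_escape(syslogtag)
        + '","@message":"' + json_escape(msg)
        + '"}'
    )


def parse_rendered(doc: str) -> Optional[dict]:
    """Parse a rendered document as Elasticsearch would; None means the
    bulk indexer would reject it as malformed JSON."""
    try:
        return json.loads(doc)
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed field values standing in for a received syslog message.
    ts = "2014-08-18T10:15:30+08:00"
    print(index_name(ts))
    good = render_plain_syslog(ts, "web01", "info", "auth", "sshd[4242]:",
                               'Failed password for "admin" from 10.0.0.5')
    print(good, "->", "indexable" if parse_rendered(good) else "rejected")
    # The hostname field is not escaped by the template, so a quote in it
    # breaks the document; a sender can set its own hostname, so this matters.
    bad = render_plain_syslog(ts, 'web"01', "info", "auth", "sshd[4242]:", "test")
    print(bad, "->", "indexable" if parse_rendered(bad) else "rejected")
```

If you extend the template with more sender-controlled properties, give each of them format="json" as well; events that fail to index are silently lost from Kibana, which is exactly the kind of gap an attacker's log lines would exploit.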


Reference: http://blog.sematext.com/2013/07/01/recipe-rsyslog-elasticsearch-kibana/

Demo

Thursday, August 14, 2014

Advanced rsyslog usage: redirecting a plain text file to a log server (InputFileName)

Environment: CentOS 6.5, rsyslog-5.8.10-8.el6.x86_64

[root@CentOS6 rsyslog.d]# pwd
/etc/rsyslog.d
[root@CentOS6 rsyslog.d]# cat messagesystem.conf

$ModLoad imfile
$WorkDirectory /var/spool/rsyslog


#Add a tag for tomcat events
$template LogglyFormatTomcat,"<%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msgid% [ MessageSystme tag=\"tomcat\"] %msg%\n"

# MessageSystem Log

$InputFileName /syslog/tomcat/MessageSystem.log
$InputFileTag messagesystem-log
$InputFileStateFile messagesystem-log
$InputFileSeverity info
$InputFilePollInterval 1
$InputFilePersistStateInterval 1
$InputRunFileMonitor
if $programname == 'messagesystem-log' then @192.168.1.1:514;LogglyFormatTomcat
if $programname == 'messagesystem-log' then ~

Other reference settings can be found at https://www.loggly.com/docs/sending-apache-logs/
or in the property replacer parameters at http://www.rsyslog.com/doc/property_replacer.html