[client]
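vi /etc/rsyslog.conf
<code>
# rsyslog configuration file managed by ansible
#### GLOBAL LIMITS ####
# Must be set before any input module is loaded; placed after the $ModLoad
# lines (as originally) the larger limit is not applied to those modules and
# long messages get truncated at the default size.
$MaxMessageSize 128k
#### MODULES ####
$ModLoad imuxsock
$ModLoad imjournal
$ModLoad imklog
#### GLOBAL DIRECTIVES ####
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat # Use default timestamp format
$WorkDirectory /var/lib/rsyslog # Where to place auxiliary files
$IncludeConfig /etc/rsyslog.d/*.conf # Include all config files in /etc/rsyslog.d/
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
#### RULES ####
# ### begin forwarding rule ###
# Disk-assisted queue: while the collector is unreachable messages are spooled
# under $WorkDirectory, so a collector outage does not lose log evidence.
$ActionQueueFileName fwdRule1 # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList # run asynchronously
$ActionResumeRetryCount -1 # infinite retries if host is down
# Forward everything (authpriv included) to the collector. "@@" is plain TCP
# ("@" would be UDP): no encryption and no authentication of either peer, so
# anyone on the path can read or alter the stream. If the network segment is
# not trusted, switch to TLS ($DefaultNetstreamDriver gtls,
# $ActionSendStreamDriverMode 1, $ActionSendStreamDriverAuthMode x509/name)
# or to RELP over TLS.
*.* @@10.1.100.12:514
# ### end of the forwarding rule ###
</code>
# Validate the file before restarting so a typo does not stop local logging.
rsyslogd -N1
systemctl restart rsyslog
systemctl status rsyslog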
[server]
==rsyslog==
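# Root of the central log store; rsyslog creates YEAR/MONTH/DAY/HOST below it.
# The tree holds authpriv ("secure") data, so it must not be world-readable.
# Group "adm" (present by default on RHEL/CentOS) is the read-only consumer
# group for non-root readers such as Logstash.
mkdir -p -m 0750 /var/log/LOGS
chgrp adm /var/log/LOGS
# Accept syslog/TCP only from the client network. The rich-rule elements must
# be whitespace separated: firewalld tokenises the rule on whitespace, so the
# run-together form (...="ipv4"source address=...) does not parse.
# --permanent only writes the config; --reload makes it active.
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.1.0.0/16" port port="514" protocol="tcp" accept'
firewall-cmd --reload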
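vi /etc/rsyslog.conf
<code>
# Must precede every $ModLoad so the input modules pick up the larger limit.
$MaxMessageSize 128k
$ModLoad imuxsock.so
$ModLoad imklog.so
# TraditionalFileFormat = second precision, no timezone. The Logstash grok
# patterns (%{SYSLOGTIMESTAMP}) expect exactly this layout; RSYSLOG_FileFormat
# (RFC 3339, sub-second) is better for forensics but needs the groks updated.
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# No rate limiting on the local socket so bursts from local services are kept.
$SystemLogRateLimitInterval 0
$SystemLogRateLimitBurst 0
# Ownership/mode of everything the dynafile templates below create. rsyslog's
# defaults are 0644 files in 0700 root:root directories, which forces every
# consumer (e.g. Logstash) to run as root. Hand read access to group "adm"
# instead; /var/log/LOGS itself must also be group adm for the traversal.
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirOwner root
$DirGroup adm
$DirCreateMode 0750
$CreateDirs on
# Plain-TCP receiver on all interfaces. Nothing is encrypted or authenticated:
# any host that can connect may inject arbitrary log lines under any hostname.
# The firewall rule plus $AllowedSender restrict connections to the client
# network (defence in depth); use gtls/TLS if that network is not trusted.
$ModLoad imtcp
$AllowedSender TCP, 10.1.0.0/16
$InputTCPServerRun 514
# Noise filters. "stop" discards the message before any file rule runs, so
# matching lines are never written anywhere. Make sure that is intended: the
# first filter removes apache access-log lines for daemon.php entirely.
:msg,contains,"GET /daemon.php?tableid" stop
:rawmsg,contains,"ASKMQ-WORKER 29" stop
# Standard System Services
# One directory per day and per host. HOSTNAME comes from the syslog header,
# i.e. it is chosen by the sender. secpath-replace rewrites "/" to "_" so a
# crafted hostname cannot steer the file out of its directory; %FROMHOST-IP%
# is the non-spoofable alternative if the client-supplied name is not needed.
$template DYNmessages,"/var/log/LOGS/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME:::secpath-replace%/messages"
$template DYNsecure,"/var/log/LOGS/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME:::secpath-replace%/secure"
$template DYNmaillog,"/var/log/LOGS/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME:::secpath-replace%/maillog"
$template DYNcron,"/var/log/LOGS/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME:::secpath-replace%/cron"
$template DYNspooler,"/var/log/LOGS/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME:::secpath-replace%/spooler"
$template DYNboot,"/var/log/LOGS/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME:::secpath-replace%/boot.log"
$template DYNiptables,"/var/log/LOGS/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME:::secpath-replace%/iptables.log"
$template DYNaudit,"/var/log/LOGS/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME:::secpath-replace%/audit.log"
$template DYNapache-access,"/var/log/LOGS/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME:::secpath-replace%/apache-access.log"
$template DYNapache-error,"/var/log/LOGS/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME:::secpath-replace%/apache-error.log"
# Application streams first; "& stop" keeps them out of the generic files.
if $programname == 'apache-access' then ?DYNapache-access
& stop
if $programname == 'apache-error' then ?DYNapache-error
& stop
if $programname == 'audispd' then ?DYNaudit
& stop
if $msg contains 'iptables:' then ?DYNiptables
& stop
# Facility-based split, mirroring the stock CentOS layout.
if $syslogseverity <= '6' and ($syslogfacility-text != 'mail' and $syslogfacility-text != 'authpriv' and $syslogfacility-text != 'cron') then ?DYNmessages
if $syslogfacility-text == 'authpriv' then ?DYNsecure
if $syslogfacility-text == 'mail' then -?DYNmaillog
if $syslogfacility-text == 'cron' then ?DYNcron
if ($syslogfacility-text == 'uucp' or $syslogfacility-text == 'news') and $syslogseverity-text == 'crit' then ?DYNspooler
if $syslogfacility-text == 'local7' then ?DYNboot
</code>
# Validate before restarting; a broken config takes the whole receiver down.
rsyslogd -N1
systemctl restart rsyslog
systemctl status rsyslog
ll /var/log/LOGS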
==logstash==
参考文档
https://www.elastic.co/cn/downloads/logstash
rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
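vi /etc/yum.repos.d/logstash.repo
<code>
[logstash-7.x]
name=Elastic repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
# Reject unsigned or tampered packages; the key was imported with rpm --import above.
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
# Disabled by default, like the elasticsearch repo (same baseurl), so a routine
# "yum update" cannot pull a new Elastic release unintentionally; opt in per
# command with --enablerepo.
enabled=0
autorefresh=1
type=rpm-md
</code>
yum install --enablerepo=logstash-7.x logstash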
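# Do not run Logstash as root just to read /var/log/LOGS. Keep the packaged
# User=logstash / Group=logstash and grant read access through a supplementary
# group. Prerequisite: the whole tree under /var/log/LOGS (top directory
# included) must be group adm and group-readable, i.e. the rsyslog server must
# write with $DirGroup adm, $DirCreateMode 0750, $FileGroup adm,
# $FileCreateMode 0640 -- with rsyslog's default 0700 directories the logstash
# user cannot enter them and nothing is ingested.
# A drop-in is used because the package may regenerate
# /etc/systemd/system/logstash.service on upgrade; "systemctl edit" also runs
# daemon-reload for you.
systemctl edit logstash
<code>
[Service]
SupplementaryGroups=adm
</code>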
vi /etc/logstash/jvm.options
<code>
# Xms represents the initial size of total heap space
# Xmx represents the maximum size of total heap space
# NOTE(review): Elastic recommends Xms == Xmx for Logstash so the heap is not
# resized at runtime; 8g/24g lets it grow up to 24g. Size to the host's RAM.
-Xms8g
-Xmx24g
</code>
# NOTE(review): this starts Logstash before any pipeline exists in
# /etc/logstash/conf.d; with no pipeline config Logstash exits (and systemd
# restarts it in a loop). Write the conf.d files first, validate them with
#   /usr/share/logstash/bin/logstash --path.settings /etc/logstash -t
# and start afterwards.
systemctl start logstash
systemctl status logstash
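vi /etc/logstash/conf.d/apache.conf
<code>
# Tails the per-host files written by the rsyslog server. "**" matches the
# YEAR/MONTH/DAY/HOSTNAME directories; the sincedb keeps the read offset, so
# start_position only applies to files seen for the first time.
input {
  file {
    type => "syslog"
    path => [
      "/var/log/LOGS/**/cron",
      "/var/log/LOGS/**/messages",
      "/var/log/LOGS/**/secure"
    ]
    start_position => "beginning"
    exclude => ["*.gz"]
  }
  file {
    type => "apache-access"
    path => ["/var/log/LOGS/**/apache-access.log"]
    start_position => "beginning"
    exclude => ["*.gz"]
  }
  file {
    type => "apache-error"
    path => ["/var/log/LOGS/**/apache-error.log"]
    start_position => "beginning"
    exclude => ["*.gz"]
  }
}

filter {
  if [type] == "apache-access" {
    # syslog header + vhost + quoted X-Forwarded-For + connecting address +
    # Apache combined log.
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP} %{SYSLOGHOST:webserver} %{SYSLOGPROG}: %{HOSTNAME:host} \"%{GREEDYDATA:X-Forwarded-For}\"%{IPORHOST:HA_IP} \[%{HTTPDATE:timestamp}\] \"(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})\"%{NUMBER:response:int} (?:%{NUMBER:bytes:int}|-) \"%{GREEDYDATA:referrer}\"\"%{GREEDYDATA:agent}\"" }
    }
    # Requests that did not arrive through the proxy carry "-" and are dropped.
    if [X-Forwarded-For] == "-" {
      drop {}
    }
    mutate {
      remove_field => [ "message" ]
      split => { "X-Forwarded-For" => "," }
    }
    # SECURITY: X-Forwarded-For is a request header the client chooses. Unless
    # the proxy overwrites it, the first element (the one geoip uses when the
    # field is an array) is attacker-controlled; treat the geo fields as
    # untrusted and never base access decisions on them. HA_IP is presumably
    # the address the web server actually saw.
    geoip {
      source => "X-Forwarded-For"
    }
    date {
      match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
      remove_field => ["timestamp"]
    }
  }
  if [type] == "apache-error" {
    # Apache 2.2-style error line: "[Wed Oct 11 14:32:52 2000] [error] [client ...] msg".
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP} %{SYSLOGHOST:hostname} %{DATA}: \[%{HTTPDERROR_DATE:timestamp}\] \[%{LOGLEVEL:loglevel}\] (?:\[client %{IPORHOST:clientip}\] ){0,1}%{GREEDYDATA:error_message}" }
    }
    # BUG FIX: HTTPDERROR_DATE is "Wed Oct 11 14:32:52 2000", not the
    # access-log layout used before, so the old pattern never matched and every
    # error event kept its ingest time instead of the logged one. The second
    # form covers the fractional seconds Apache 2.4 writes.
    date {
      match => [ "timestamp", "EEE MMM dd HH:mm:ss yyyy", "EEE MMM dd HH:mm:ss.SSSSSS yyyy" ]
      remove_field => ["timestamp"]
    }
    mutate {
      rename => ["hostname", "host"]
    }
  }
}
</code>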
vi /etc/logstash/conf.d/output.conf
<code>
# Local Elasticsearch over plain HTTP with no credentials. This only holds
# while xpack.security stays disabled on the node; once it is enabled, add
# user/password (or api_key) here or ingestion stops with 401s.
output {
elasticsearch {hosts => ["127.0.0.1:9200"]
# One index per event type and day.
index => "logstash-%{type}-%{+YYYY.MM.dd}"
# Re-pushes the bundled index template on every start, replacing any manual
# template edits made in Elasticsearch.
template_overwrite => true
}
}
</code>
===elasticsearch===
参考:https://www.elastic.co/cn/downloads/elasticsearch
rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
vi /etc/yum.repos.d/elasticsearch.repo
<code>
[elasticsearch]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
# Reject unsigned or tampered packages; the key was imported with rpm --import above.
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
# Disabled by default so "yum update" never upgrades Elasticsearch by accident;
# every install/upgrade is an explicit --enablerepo decision.
enabled=0
autorefresh=1
type=rpm-md
</code>
yum install --enablerepo=elasticsearch elasticsearch
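vi /etc/elasticsearch/elasticsearch.yml
<code>
cluster.name: gwj-elk
node.name: gwj-log
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
# Lock the heap in RAM; needs LimitMEMLOCK=infinity on the unit (set below).
bootstrap.memory_lock: true
# SECURITY: xpack.security is off by default in 7.x, so whoever can reach 9200
# can read, alter or delete every index -- i.e. all collected logs, including
# the authpriv "secure" files. Logstash and Kibana run on this host and talk
# to 127.0.0.1, so bind to loopback only. Run the index checks locally:
#   curl http://127.0.0.1:9200/_cat/indices?v
# If remote access is required, bind to 0.0.0.0 only together with
# xpack.security.enabled: true, set passwords, and give Logstash and Kibana
# credentials.
network.host: 127.0.0.1
http.port: 9200
cluster.initial_master_nodes: ["gwj-log"]
</code>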
vi /etc/elasticsearch/jvm.options
<code>
# Xms represents the initial size of total heap space
# Xmx represents the maximum size of total heap space
# Xms == Xmx as Elastic recommends: the whole heap is allocated (and, with
# bootstrap.memory_lock, locked) at start. Keep it at or below half the
# host's RAM so the page cache has room.
-Xms4g
-Xmx4g
</code>
# PAM limits apply to interactive/su starts of elasticsearch, not to systemd.
vi /etc/security/limits.conf
<code>
elasticsearch soft memlock unlimited
elasticsearch hard memlock unlimited
</code>
# systemd ignores limits.conf, so the unit needs its own memlock limit. The
# drop-in lands in /etc/systemd/system/elasticsearch.service.d/ and survives
# package upgrades; "systemctl edit" reloads the daemon for you.
systemctl edit elasticsearch
<code>
[Service]
LimitMEMLOCK=infinity
</code>
systemctl restart elasticsearch
systemctl status elasticsearch
# Check which addresses 9200 (HTTP) and 9300 (transport) are bound to.
netstat -tln
curl http://localhost:9200
<code>
{
"name" : "gwj-log",
"cluster_name" : "gwj-elk",
"cluster_uuid" : "8KPET2yDSCaQwfwncWSTQQ",
"version" : {
"number" : "7.10.0",
"build_flavor" : "default",
"build_type" : "rpm",
"build_hash" : "51e9d6f22758d0374a0f3f5c6e8f3a7997850f96",
"build_date" : "2020-11-09T21:30:33.964949Z",
"build_snapshot" : false,
"lucene_version" : "8.7.0",
"minimum_wire_compatibility_version" : "6.8.0",
"minimum_index_compatibility_version" : "6.0.0-beta1"
},
"tagline" : "You Know, for Search"
}
</code>
查看是否生成索引
ls -lh /var/lib/elasticsearch/nodes/0/indices/
curl http://127.0.0.1:9200/_cat/indices?v   # run on the ELK host; without xpack.security, 9200 must not be reachable from elsewhere
===kibana===
参考:https://www.elastic.co/guide/en/kibana/current/install.html
rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
# NOTE(review): the kibana package installs its own unit at this path and
# overwrites a hand-written one, so this step is redundant; put local
# overrides in "systemctl edit kibana" instead.
vi /etc/systemd/system/kibana.service
<code>
[Unit]
Description=Kibana
[Service]
Type=simple
# Runs unprivileged as the package user; keep it that way.
User=kibana
Group=kibana
# Load env vars from /etc/default/ and /etc/sysconfig/ if they exist.
# Prefixing the path with '-' makes it try to load, but if the file doesn't
# exist, it continues onward.
EnvironmentFile=-/etc/default/kibana
EnvironmentFile=-/etc/sysconfig/kibana
ExecStart=/usr/share/kibana/bin/kibana
# Restart on crash, but stop after 3 failures within 60s instead of looping.
Restart=on-failure
RestartSec=3
StartLimitBurst=3
StartLimitInterval=60
WorkingDirectory=/
[Install]
WantedBy=multi-user.target
</code>
yum install kibana
# NOTE(review): /etc/kibana/kibana.yml is not shown. Without xpack.security
# Kibana has no login at all; its default server.host "localhost" keeps it
# off the network, so if it is exposed (server.host changed or a reverse
# proxy in front) add authentication and TLS first.
systemctl restart kibana
systemctl status kibana
kibana - management - stack management
kibana - Index Patterns - create index pattern
curl http://127.0.0.1:9200/_cat/indices?v   # on the ELK host; confirms the logstash-* indices Kibana's index pattern should match