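[client]
# Every client forwards its complete syslog stream to the central rsyslog server.
vi /etc/rsyslog.conf
<code>
# rsyslog configuration file managed by ansible
#### MODULES ####
$ModLoad imuxsock
$ModLoad imjournal
$ModLoad imklog
#### GLOBAL DIRECTIVES ####
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat # Use default timestamp format
$WorkDirectory /var/lib/rsyslog # Where to place auxiliary files
$IncludeConfig /etc/rsyslog.d/*.conf # Include all config files in /etc/rsyslog.d/
$MaxMessageSize 128k
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
#### RULES ####
# ### begin forwarding rule ###
# Disk-assisted queue: while the server is unreachable, messages are spooled
# under $WorkDirectory (up to 1g) and resent once it answers again.
$ActionQueueFileName fwdRule1 # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList # run asynchronously
$ActionResumeRetryCount -1 # infinite retries if host is down
# @@ is plain TCP: log lines (including authpriv/secure content) cross the
# network unencrypted and the server is not authenticated. If the path to
# 10.1.100.12 is not a trusted segment, use rsyslog's TLS stream driver (gtls).
*.* @@10.1.100.12:514
# ### end of the forwarding rule ###
</code>
systemctl restart rsyslog
systemctl status rsyslog

[server]
==rsyslog==
mkdir -p /var/log/LOGS
# Only the 10.1.0.0/16 client range may reach the collector port.
firewall-cmd --add-rich-rule='rule family="ipv4" source address="10.1.0.0/16" port port="514" protocol="tcp" accept' --permanent
# --permanent only updates the saved configuration; reload so the rule is
# active in the running firewall as well.
firewall-cmd --reload
vi /etc/rsyslog.conf
<code>
# must precede the input-module loads below
$MaxMessageSize 128k
$ModLoad imuxsock.so
$ModLoad imklog.so
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# Rate limiting for the local socket is switched off: a chatty local
# process can then fill /var/log unchecked.
$SystemLogRateLimitInterval 0
$SystemLogRateLimitBurst 0
$ModLoad imtcp
$InputTCPServerRun 514
# Drop known-noisy messages before any file rule sees them.
:msg,contains,"GET /daemon.php?tableid" ~
:rawmsg,contains,"ASKMQ-WORKER 29" ~
# Standard System Services
# The per-host directory name is taken from the HOSTNAME field of the received
# message, i.e. a value chosen by the sending host. secpath-replace rewrites any
# "/" in it to "_", so a crafted hostname cannot add path components outside
# the /var/log/LOGS tree.
$template DYNmessages,"/var/log/LOGS/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME:::secpath-replace%/messages"
$template DYNsecure,"/var/log/LOGS/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME:::secpath-replace%/secure"
$template DYNmaillog,"/var/log/LOGS/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME:::secpath-replace%/maillog"
$template DYNcron,"/var/log/LOGS/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME:::secpath-replace%/cron"
$template DYNspooler,"/var/log/LOGS/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME:::secpath-replace%/spooler"
$template DYNboot,"/var/log/LOGS/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME:::secpath-replace%/boot.log"
$template DYNiptables,"/var/log/LOGS/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME:::secpath-replace%/iptables.log"
$template DYNaudit,"/var/log/LOGS/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME:::secpath-replace%/audit.log"
$template DYNapache-access,"/var/log/LOGS/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME:::secpath-replace%/apache-access.log"
$template DYNapache-error,"/var/log/LOGS/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME:::secpath-replace%/apache-error.log"
# Application streams are written to their own file and then discarded (&~)
# so they do not land in the generic files below as well.
if $programname == 'apache-access' then ?DYNapache-access
&~
if $programname == 'apache-error' then ?DYNapache-error
&~
if $programname == 'audispd' then ?DYNaudit
&~
if $msg contains 'iptables:' then ?DYNiptables
&~
if $syslogseverity <= '6' and ( $syslogfacility-text != 'mail' and $syslogfacility-text != 'authpriv' and $syslogfacility-text != 'cron') then ?DYNmessages
if $syslogfacility-text == 'authpriv' then ?DYNsecure
if $syslogfacility-text == 'mail' then -?DYNmaillog
if $syslogfacility-text == 'cron' then ?DYNcron
if ( $syslogfacility-text == 'uucp' or $syslogfacility-text == 'news' ) and $syslogseverity-text == 'crit' then ?DYNspooler
if $syslogfacility-text == 'local7' then ?DYNboot
</code>
systemctl restart rsyslog
systemctl status rsyslog
ll /var/log/LOGS

==logstash==
参考文档 https://www.elastic.co/cn/downloads/logstash
rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
vi /etc/yum.repos.d/logstash.repo
<code>
[logstash-7.x]
name=Elastic repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
; gpgcheck=1 keeps signature verification on for every package from this repo
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
</code>
yum install logstash
vi /etc/systemd/system/logstash.service
<code>
#User=logstash
#Group=logstash
# The pipeline is run as root only so it can read /var/log/LOGS, which rsyslog
# creates with root-only directories. Least-privilege alternative: keep
# User=logstash and have rsyslog create the tree readable by that group
# ($DirGroup / $FileGroup logstash with $DirCreateMode 0750 / $FileCreateMode 0640),
# or grant read access with an ACL (setfacl) on /var/log/LOGS.
User=root
Group=root
</code>
# a unit file edited by hand is not re-read until daemon-reload
systemctl daemon-reload
vi /etc/logstash/jvm.options
<code>
# Xms represents the initial size of total heap space
# Xmx represents the maximum size of total heap space
# Logstash recommends setting Xms and Xmx to the same value so the heap is
# not resized at run time; confirm the host really has 24g to spare.
-Xms8g
-Xmx24g
</code>
systemctl start logstash
systemctl status logstash
vi /etc/logstash/conf.d/apache.conf
<code>
input {
  file {
    type => "syslog"
    path => [ "/var/log/LOGS/**/cron", "/var/log/LOGS/**/messages", "/var/log/LOGS/**/secure" ]
    start_position => "beginning"
    exclude => ["*.gz"]
  }
  file {
    type => "apache-access"
    path => [ "/var/log/LOGS/**/apache-access.log" ]
    start_position => "beginning"
    exclude => ["*.gz"]
  }
  file {
    type => "apache-error"
    path => [ "/var/log/LOGS/**/apache-error.log" ]
    start_position => "beginning"
    exclude => ["*.gz"]
  }
}
filter {
  if [type] == "apache-access" {
    # Field layout of the rsyslog-forwarded access line. X-Forwarded-For,
    # referrer and agent are copied from client-supplied request headers and
    # remain untrusted data once indexed.
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP} %{SYSLOGHOST:webserver} %{SYSLOGPROG}: %{HOSTNAME:host} \"%{GREEDYDATA:X-Forwarded-For}\" %{IPORHOST:HA_IP} \[%{HTTPDATE:timestamp}\] \"(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})\" %{NUMBER:response:int} (?:%{NUMBER:bytes:int}|-) \"%{GREEDYDATA:referrer}\" \"%{GREEDYDATA:agent}\""}
    }
    # events without an X-Forwarded-For value are discarded
    if [X-Forwarded-For] == "-" {
      drop {}
    }
    mutate {
      remove_field => [ "message"]
      # the header may list several hops; keep them as an array
      split => { "X-Forwarded-For" => ", " }
    }
    geoip {
      source => "X-Forwarded-For"
    }
    date {
      match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
      remove_field => ["timestamp"]
    }
  }
  if [type] == "apache-error" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP} %{SYSLOGHOST:hostname} %{DATA}: \[%{HTTPDERROR_DATE:timestamp}\] \[%{LOGLEVEL:loglevel}\] (?:\[client %{IPORHOST:clientip}\] ){0,1}%{GREEDYDATA:error_message}" }
    }
    # HTTPDERROR_DATE captures "Dow Mon dd HH:mm:ss yyyy", not the access-log
    # layout, so the access-log pattern used before never matched and every
    # error event was tagged _dateparsefailure. Apache 2.4 appends fractional
    # seconds to the time — TODO confirm against a real line and add that
    # variant if present.
    date {
      match => [ "timestamp", "EEE MMM dd HH:mm:ss yyyy", "EEE MMM  d HH:mm:ss yyyy" ]
    }
    mutate {
      rename => ["hostname", "host"]
    }
  }
}
</code>
vi /etc/logstash/conf.d/output.conf
<code>
output {
  elasticsearch {
    # Elasticsearch on the same host; no credentials are configured, which only
    # works because 9200 is reached without authentication (see elasticsearch.yml).
    hosts => ["127.0.0.1:9200"]
    # one index per input type and day
    index => "logstash-%{type}-%{+YYYY.MM.dd}"
    template_overwrite => true
  }
}
</code>

===elasticsearch===
参考: https://www.elastic.co/cn/downloads/elasticsearch
rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
vi /etc/yum.repos.d/elasticsearch.repo
<code>
[elasticsearch]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
; disabled by default; enabled per command with --enablerepo below
enabled=0
autorefresh=1
type=rpm-md
</code>
yum install --enablerepo=elasticsearch elasticsearch
vi /etc/elasticsearch/elasticsearch.yml
<code>
cluster.name: gwj-elk
node.name: gwj-log
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
bootstrap.memory_lock: true
# Listens on every interface. This 7.10 node has no authentication or TLS on
# 9200 (xpack.security.enabled is not set), so anyone who can reach the port
# can read, write and delete every index. Logstash only needs 127.0.0.1;
# restrict 9200 with firewalld to the hosts that must reach it (Kibana,
# admin workstations) or enable security before exposing it.
network.host: 0.0.0.0
http.port: 9200
cluster.initial_master_nodes: ["gwj-log"]
</code>
vi /etc/elasticsearch/jvm.options
<code>
# Xms represents the initial size of total heap space
# Xmx represents the maximum size of total heap space
-Xms4g
-Xmx4g
</code>
# memlock limits needed for bootstrap.memory_lock: true
vi /etc/security/limits.conf
<code>
elasticsearch soft memlock unlimited
elasticsearch hard memlock unlimited
</code>
systemctl edit elasticsearch
<code>
[Service]
LimitMEMLOCK=infinity
</code>
systemctl restart elasticsearch
systemctl status elasticsearch
netstat -tln
curl http://localhost:9200
<code>
{
  "name" : "gwj-log",
  "cluster_name" : "gwj-elk",
  "cluster_uuid" : "8KPET2yDSCaQwfwncWSTQQ",
  "version" : {
    "number" : "7.10.0",
    "build_flavor" : "default",
    "build_type" : "rpm",
    "build_hash" : "51e9d6f22758d0374a0f3f5c6e8f3a7997850f96",
    "build_date" : "2020-11-09T21:30:33.964949Z",
    "build_snapshot" : false,
    "lucene_version" : "8.7.0",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}
</code>
查看是否生成索引
ls -lh /var/lib/elasticsearch/nodes/0/indices/
http://10.1.100.12:9200/_cat/indices?v

===kibana===
参考: https://www.elastic.co/guide/en/kibana/current/install.html
rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch
vi /etc/systemd/system/kibana.service
<code>
[Unit]
Description=Kibana
[Service]
Type=simple
# runs unprivileged; nothing here needs root
User=kibana
Group=kibana
# Load env vars from /etc/default/ and /etc/sysconfig/ if they exist.
# Prefixing the path with '-' makes it try to load, but if the file doesn't
# exist, it continues onward.
EnvironmentFile=-/etc/default/kibana
EnvironmentFile=-/etc/sysconfig/kibana
ExecStart=/usr/share/kibana/bin/kibana
Restart=on-failure
RestartSec=3
StartLimitBurst=3
StartLimitInterval=60
WorkingDirectory=/
[Install]
WantedBy=multi-user.target
</code>
yum install kibana
# kibana.yml is not covered on this page. With security left off on
# Elasticsearch, Kibana has no login either, so the same network exposure
# applies to its listening port.
systemctl daemon-reload
systemctl restart kibana
systemctl status kibana
kibana - management - stack management
kibana - Index Patterns - create index pattern http://10.1.100.12:9200/_cat/indices?v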