First, create a Logstash configuration file (named syslog.conf) dedicated to parsing syslog messages:

# Listen on port 514
input {
  syslog {
    port => 514
  }
}
# Print every event to the console
output {
  stdout {
    codec => rubydebug
  }
}

Step two: stop the local rsyslog (syslog) service so that it does not conflict with Logstash on port 514:

# Stop the log service on the receiving server
systemctl stop rsyslog

Step three: start Logstash with the configuration file created in step one:

# Run from the Logstash installation directory
./bin/logstash -f syslog.conf

Step four: test on the same machine whether syslog messages are received:

# Use the logger program that ships with Linux
# -T sends over TCP, -P is the port number, -n is the server address
logger -T -P 514 -n 127.0.0.1 'Hello,World!'

If the console prints the following, the syslog service is running (the _grokparsefailure_sysloginput tag only means this particular test line could not be split into fields; the message itself was received):

{
       "severity" => 0,
     "@timestamp" => 2017-08-04T06:29:34.512Z,
       "@version" => "1",
           "host" => "127.0.0.1",
        "message" => "<5>Aug 4 02:29:34 root: Hello,World!\u0000",
       "priority" => 0,
       "facility" => 0,
 "severity_label" => "Emergency",
           "tags" => [
        [0] "_grokparsefailure_sysloginput"
    ],
 "facility_label" => "kernel"
}

At this point the log-receiving server is configured. The machines that send logs still need to be configured: open /etc/rsyslog.conf and add the following:

# Forward everything to the log server, assumed to be 192.168.1.204
# (@@ forwards over TCP; a single @ would use UDP)
*.* @@192.168.1.204:514

Then restart the rsyslog service on each machine that should forward its logs:

systemctl restart rsyslog
# Check that rsyslog is running; any output means it is working
netstat -aulntp | grep rsyslog

If no logs show up for a long time, logger can be used again to generate one:

logger -T -P 514 -n 192.168.1.204 'Hello,World!'

Finally, the Logstash log server receives a continuous stream of log entries:

{
       "severity" => 6,
     "@timestamp" => 2017-08-04T06:30:01.000Z,
       "@version" => "1",
           "host" => "192.168.101.203",
        "program" => "systemd",
        "message" => "Started Session 28 of user root.\n",
       "priority" => 30,
      "logsource" => "localhost",
       "facility" => 3,
 "severity_label" => "Informational",
      "timestamp" => "Aug 4 02:30:01",
 "facility_label" => "system"
}
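The two console outputs above differ in one important way: the rsyslog-forwarded line parsed cleanly (priority 30 split into facility 3 "system" and severity 6 "Informational"), while the logger test line was tagged _grokparsefailure_sysloginput and left with zero priority, facility and severity. The most likely cause is visible in the message field: the logger line has no hostname between the timestamp and the program name, while the rsyslog line carries "localhost", and the input's pattern expects "timestamp host program: message". The following is an added example, not code from the original post or from the Logstash project: a small Python parser that applies the RFC 3164 priority split (PRI = facility * 8 + severity) and the default facility/severity label tables of the Logstash syslog input to a few sample lines. The first two samples are reconstructed from the outputs above; the sshd line, its peer address 10.0.0.7 and the NUL/newline stripping are assumptions of this example. Lines that do not fit the expected shape keep their raw text and get the failure tag instead of being dropped, so a collector never silently loses an oddly formatted message.

```python
import re

# Default label tables of the Logstash syslog input, indexed by facility and
# severity number (facility 3 is labelled "system", as in the post's output).
FACILITY_LABELS = [
    "kernel", "user-level", "mail", "system", "security/authorization",
    "syslogd", "line printer", "network news", "UUCP", "clock",
    "security/authorization", "FTP", "NTP", "log audit", "log alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITY_LABELS = [
    "Emergency", "Alert", "Critical", "Error", "Warning", "Notice",
    "Informational", "Debug",
]
PARSE_FAILURE_TAG = "_grokparsefailure_sysloginput"

# RFC 3164 shape the Logstash input expects: <PRI>TIMESTAMP HOST PROGRAM[PID]: MESSAGE
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<logsource>[^\s:]+) "
    r"(?P<program>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<message>.*)$",
    re.DOTALL,
)


def parse_syslog(raw, peer):
    """Return a dict shaped like the Logstash event for one received line.

    ``peer`` is the sender's address (the ``host`` field). Lines that do not
    fit the expected shape are kept with their raw text, the failure tag and
    the zero priority/facility/severity seen in the post's first output.
    """
    # Assumption: strip the trailing NUL that logger -T appends and rsyslog's newline.
    line = raw.rstrip("\r\n\x00")
    m = SYSLOG_RE.match(line)
    pri = int(m.group("pri")) if m else -1
    if m is None or pri > 191:  # 191 = facility 23, severity 7, the largest valid PRI
        return {
            "host": peer, "message": raw, "priority": 0, "facility": 0,
            "severity": 0, "facility_label": FACILITY_LABELS[0],
            "severity_label": SEVERITY_LABELS[0], "tags": [PARSE_FAILURE_TAG],
        }
    facility, severity = pri >> 3, pri & 7  # PRI = facility * 8 + severity
    event = {
        "host": peer,
        "priority": pri,
        "facility": facility,
        "severity": severity,
        "facility_label": FACILITY_LABELS[facility],
        "severity_label": SEVERITY_LABELS[severity],
        "timestamp": m.group("timestamp"),
        "logsource": m.group("logsource"),
        "program": m.group("program"),
        "message": m.group("message"),
        "tags": [],
    }
    if m.group("pid"):
        event["pid"] = int(m.group("pid"))
    return event


# Constructed samples: the first two reproduce the post's console outputs, the
# third is a made-up sshd line (facility 10, severity 6) with an invented peer.
SAMPLE_LINES = [
    ("127.0.0.1", "<5>Aug 4 02:29:34 root: Hello,World!\x00"),
    ("192.168.101.203",
     "<30>Aug 4 02:30:01 localhost systemd: Started Session 28 of user root.\n"),
    ("10.0.0.7",
     "<86>Aug  4 02:31:10 web01 sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2"),
]


def parse_samples():
    """Parse every constructed sample line and return the resulting events."""
    return [parse_syslog(raw, peer) for peer, raw in SAMPLE_LINES]


if __name__ == "__main__":
    for event in parse_samples():
        print(event)
```

Running the block prints three events: the logger line comes back tagged with zero priority and the labels "Emergency"/"kernel", exactly as in the first console output, while the systemd and sshd lines are split into logsource, program, message and labelled facility and severity. When extending this for a real collector, the tagged records are the ones worth alerting on separately, since a sender whose lines stop parsing is either misconfigured or speaking a different syslog dialect.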