1、交换机配置
#华三的命令举例
info-center loghost 10.88.35.21 port 5003 #elk的IP根据环境调整
2、logstash配置
2.1 关闭服务和修改用户权限
# 关闭rsyslog服务,因为它默认占用514端口,而华为交换机似乎只能向514端口发送日志
[root@node1 ~]# systemctl stop rsyslog
[root@node1 ~]# systemctl status rsyslog
# 修改logstash服务的运行用户权限,使其能够绑定514等特权端口
[root@node1 ~]# vim /etc/systemd/system/logstash.service
2.2 配置存储文件和配置信息
#新建switch.conf配置文件,用端口区分不同品牌交换机
[root@node1 ~]# vim /etc/logstash/conf.d/switch.conf
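# Logstash pipeline for switch syslog: one listener per vendor/port, vendor-specific
# grok parsing, then output to stdout (for checking) and Elasticsearch.
input {
  # Each listener stamps events with a vendor "type" that the filter section branches on.
  # All listeners are unauthenticated UDP/TCP; limit exposure with a host firewall or a
  # `host => "<management-interface-ip>"` binding so only the switch network can reach them.
  tcp {
    port => 5002
    type => "Cisco"
  }
  # 514 is a privileged port: rsyslog must be stopped first (it holds the port by default)
  # and the logstash unit needs permission to bind it -- prefer
  # AmbientCapabilities=CAP_NET_BIND_SERVICE in logstash.service over running as root.
  udp {
    port => 514
    type => "HUAWEI"
  }
  udp {
    port => 5002
    type => "Cisco"
  }
  udp {
    port => 5003
    type => "H3C"
  }
}

filter {
  if [type] == "Cisco" {
    grok {
      # Both patterns live in one array so grok tries them in order. Two separate
      # `match =>` keys in the same block are duplicate hash keys: newer Logstash
      # releases reject the config and older ones keep only the last pattern.
      # The lone `.` in the first pattern absorbs one extra character before the
      # timestamp -- presumably the clock-status marker some Cisco devices prepend;
      # confirm against real messages.
      match => { "message" => [
        "<%{BASE10NUM:syslog_pri}>%{NUMBER:log_sequence}: .%{SYSLOGTIMESTAMP:timestamp}: %%{DATA:facility}-%{POSINT:severity}-%{CISCO_REASON:mnemonic}: %{GREEDYDATA:message}",
        "<%{BASE10NUM:syslog_pri}>%{NUMBER:log_sequence}: %{SYSLOGTIMESTAMP:timestamp}: %%{DATA:facility}-%{POSINT:severity}-%{CISCO_REASON:mnemonic}: %{GREEDYDATA:message}"
      ] }
      # Keep the numeric value separately so `severity` can later be mapped to a name.
      add_field => { "severity_code" => "%{severity}" }
      # Replace the raw line with the parsed message body.
      overwrite => [ "message" ]
    }
  } else if [type] == "H3C" {
    grok {
      match => { "message" => "<%{BASE10NUM:syslog_pri}>%{SYSLOGTIMESTAMP:timestamp} %{YEAR:year} %{DATA:hostname} %%%{DATA:vvmodule}/%{POSINT:severity}/%{DATA:digest}: %{GREEDYDATA:message}" }
      # The year is captured only to consume it from the line; it is not kept.
      remove_field => [ "year" ]
      add_field => { "severity_code" => "%{severity}" }
      overwrite => [ "message" ]
    }
  } else if [type] == "HUAWEI" {
    grok {
      # Second pattern covers messages whose module name is not prefixed with "%%".
      match => { "message" => [
        "<%{BASE10NUM:syslog_pri}>%{SYSLOGTIMESTAMP:timestamp} %{DATA:hostname} %%%{DATA:ddModuleName}/%{POSINT:severity}/%{DATA:Brief}:%{GREEDYDATA:message}",
        "<%{BASE10NUM:syslog_pri}>%{SYSLOGTIMESTAMP:timestamp} %{DATA:hostname} %{DATA:ddModuleName}/%{POSINT:severity}/%{DATA:Brief}:%{GREEDYDATA:message}"
      ] }
      # NOTE(review): the device timestamp is discarded here, so events carry only the
      # Logstash receive time -- confirm this is intended.
      remove_field => [ "timestamp" ]
      add_field => { "severity_code" => "%{severity}" }
      overwrite => [ "message" ]
    }
  }
  # Optional: translate the numeric syslog severity into its standard name.
  # Left disabled; `severity_code` above keeps the numeric value if this is enabled.
  #mutate {
  # gsub => [
  # "severity", "0", "Emergency",
  # "severity", "1", "Alert",
  # "severity", "2", "Critical",
  # "severity", "3", "Error",
  # "severity", "4", "Warning",
  # "severity", "5", "Notice",
  # "severity", "6", "Informational",
  # "severity", "7", "Debug"
  # ]
  # }
}

output {
  # Echo every event to stdout (journald when run as a service). Useful while
  # validating the grok patterns; noisy in production -- remove once confirmed.
  stdout {
    codec => rubydebug
  }
  # Plain-HTTP, unauthenticated connection as written; a cluster with security
  # enabled needs the `user`/`password` and `ssl` options here.
  elasticsearch {
    index => "syslog-%{+YYYY.MM.dd}"
    hosts => ["192.168.2.10:9200"]
  }
}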
#校验配置语法,并在前台运行查看日志解析情况
[root@node1 ~]# cd /usr/share/logstash/bin/
[root@node1 bin]# ./logstash --path.settings /etc/logstash/ -f /etc/logstash/conf.d/switch.conf --config.test_and_exit
[root@node1 bin]# ./logstash --path.settings /etc/logstash/ -f /etc/logstash/conf.d/switch.conf
#启动服务(先用Ctrl-C结束上面的前台测试进程,否则端口会被占用)
[root@node1 bin]# systemctl start logstash
[root@node1 bin]# curl '192.168.2.10:9200/_cat/indices?v'