13. System log module plugins (Part 2)

13.1 The syslog log module
syslog{
   host => "0.0.0.0"
   port => 514
   type => "syslog"
}
– Configure rsyslog.conf to send data to the process
local0.info @@192.168.4.10:514
– Write a syslog message and check the status
logger -p local0.info -t test_logstash 'test message'
Exercise
Modify the configuration file
[root@logstash logstash]# vim /etc/logstash/logstash.conf

......
syslog {
   host => "0.0.0.0"
   port => 514
   type => "syslog"
}
}
filter{ }
output{
stdout{ codec => "rubydebug" }
}

After the change is complete, start logstash
[root@logstash logstash]# /opt/logstash/bin/logstash -f /etc/logstash/logstash.conf
Settings: Default pipeline workers: 2
Pipeline main started
Check whether it started successfully
[root@logstash ~]# netstat -utnlp | grep java
tcp6 0 0 :::8888 :::* LISTEN 2116/java
tcp6 0 0 :::514 :::* LISTEN 2116/java
udp6 0 0 :::514 :::* 2116/java
udp6 0 0 192.168.0.18:9999 :::* 2116/java
[root@logstash ~]# ssh 192.168.0.16
Write the kibana host's system log to it and check the result
① Define the log
[root@kibana ~]# vim /etc/rsyslog.conf
local0.info /var/log/info.log # appended to this file
[root@kibana ~]# systemctl restart rsyslog.service
[root@kibana ~]# cd /var/log
The info.log file does not exist yet
To make sure a log entry is written into info.log we use logger; see its man page for usage details
[root@kibana log]# logger -p local0.info -t "testlog" "a b c d"
[root@kibana log]# cat /var/log/info.log # the write has now succeeded
Aug 19 23:26:13 kibana testlog: a b c d
Continue modifying the configuration file so that local0.info is written to the remote host, as follows
[root@kibana ~]# vim /etc/rsyslog.conf
local0.info @@192.168.0.18:514
local0.info @192.168.0.18:514
Note: both @@ and a single @ write to the remote host; @ sends over UDP, @@ sends over TCP
[root@kibana log]# systemctl restart rsyslog.service
[root@kibana log]# logger -p local0.info -t "testlog" "hello world"
Check the local file
[root@kibana log]# cat /var/log/info.log
Aug 19 23:26:13 kibana testlog: a b c d
Aug 19 23:32:02 kibana testlog: hello world
Check the remote host
[root@logstash logstash]# /opt/logstash/bin/logstash -f /etc/logstash/logstash.conf
Settings: Default pipeline workers: 2
Pipeline main started
{
"message" => "hello world\n",
"@version" => "1",
"@timestamp" => "2021-08-19T15:32:02.000Z",
"type" => "syslog",
"host" => "192.168.0.16",
"priority" => 134,
"timestamp" => "Aug 19 23:32:02",
"logsource" => "kibana",
"program" => "testlog",
"severity" => 6,
"facility" => 16,
"facility_label" => "local0",
"severity_label" => "Informational"
}
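As an added example (not code from the original post), the following Python decoder reproduces the fields in the rubydebug output above from the raw line that rsyslog forwards over port 514: it splits PRI 134 into facility 16 (local0) and severity 6 (Informational), converts the local timestamp to the UTC @timestamp, and rejects lines that do not parse or carry an out-of-range PRI. The sample line, the year and the UTC+8 offset are assumptions, since a BSD-syslog line carries neither year nor zone.

```python
import re
from datetime import datetime, timedelta, timezone

# Labels in the order the Logstash syslog input assigns them to facility/severity codes
FACILITY_LABELS = [
    "kernel", "user-level", "mail", "system", "security/authorization",
    "syslogd", "line printer", "network news", "UUCP", "clock",
    "security/authorization", "FTP", "NTP", "log audit", "log alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITY_LABELS = ["Emergency", "Alert", "Critical", "Error", "Warning",
                   "Notice", "Informational", "Debug"]

# BSD-syslog line as rsyslog forwards it: <PRI>TIMESTAMP HOST PROGRAM[PID]: MESSAGE
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$"
)

def parse_syslog(line, peer_ip, year=2021, utc_offset_hours=8):
    # year and utc_offset_hours are assumptions: the BSD timestamp carries neither,
    # so the receiver has to supply them (the hosts on this page run in UTC+8).
    m = LINE_RE.match(line)
    if m is None:  # anything that does not parse is rejected, not guessed at
        raise ValueError("not a BSD-syslog line: %r" % line)
    pri = int(m.group("pri"))
    if pri > 191:  # facility 0-23 and severity 0-7, so PRI is at most 23*8+7
        raise ValueError("PRI out of range: %d" % pri)
    facility, severity = divmod(pri, 8)  # PRI = facility * 8 + severity
    local = datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")
    local = local.replace(tzinfo=timezone(timedelta(hours=utc_offset_hours)))
    return {
        "message": m.group("msg"),  # the trailing "\n" from TCP framing is dropped
        "@timestamp": local.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z"),
        "type": "syslog",
        "host": peer_ip,  # taken from the sending socket, not from the line itself
        "priority": pri,
        "timestamp": m.group("ts"),
        "logsource": m.group("host"),
        "program": m.group("prog"),
        "severity": severity,
        "facility": facility,
        "facility_label": FACILITY_LABELS[facility],
        "severity_label": SEVERITY_LABELS[severity],
    }

# Constructed sample: what rsyslog forwards for `logger -p local0.info -t "testlog" "hello world"`
SAMPLE = "<134>Aug 19 23:32:02 kibana testlog: hello world\n"
```

Note that "host" comes from the peer address of the socket, while "logsource" is whatever hostname the sender put in the line, so the two need not agree.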
posted @ 2021-08-19 15:39 落樰兂痕