Logstash深入收集TCP/UDP日志
Logstash深入收集TCP/UDP日志
收集TCP/UDP日志
通过logstash的tcp/udp插件收集日志，通常用于向elasticsearch补录丢失的部分日志：可以把丢失的日志通过一个TCP端口直接写入elasticsearch服务器。
[root@elkstack03 conf.d]# vim /etc/logstash/conf.d/tcp.conf
input {
  tcp {
    # Raw TCP listener: every line received on this port becomes an event.
    # No `host` is set, so the plugin's default bind address applies (all
    # interfaces in logstash-input-tcp; confirm for your version), and there
    # is no authentication: any peer that can reach port 1234 can inject
    # arbitrary events. Restrict with host => "<listener-ip>" and/or TLS
    # before using this outside a lab.
    port => "1234"
    type => "tcp_log"
    mode => "server"
  }
}

output {
  # Debug sink: dump each event to the console in rubydebug form.
  stdout {
    codec => "rubydebug"
  }
}
[root@elkstack03 conf.d]# /usr/share/logstash/bin/logstash --path.data=/var/lib/logstash/tcp -f /etc/logstash/conf.d/tcp.conf &
使用nc传输日志
## nc发送一条日志
[root@elkstack02 ~]# echo '10.0.0.1 - - [07/Sep/2022:11:29:00 +0800] "GET /favicon.ico HTTP/1.1" 404 555 "http://10.0.0.83/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" "-"' |nc 10.0.0.83 1234
## nc发送一个文件
[root@elkstack02 ~]# nc 10.0.0.83 1234 < /etc/passwd
## telnet传输日志
[root@elkstack02 ~]# telnet 10.0.0.83 1234
Trying 10.0.0.83...
Connected to 10.0.0.83.
Escape character is '^]'.
10.0.0.1 - - [07/Sep/2022:11:29:19 +0800] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" "-"
通过伪设备传输日志
[root@elkstack02 ~]# echo '测试伪设备' > /dev/tcp/10.0.0.83/1234
## 将tcp日志输出到ES中
vim /etc/logstash/conf.d/tcp.conf
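input {
  tcp {
    # Raw TCP listener: every line received on this port becomes an event.
    # No `host` is set, so the plugin's default bind address applies (all
    # interfaces in logstash-input-tcp; confirm for your version), and there
    # is no authentication: any peer that can reach port 1234 can inject
    # arbitrary events into the index below. Restrict with
    # host => "<listener-ip>" and/or TLS before using this outside a lab.
    port => "1234"
    type => "tcp_log"
    mode => "server"
  }
}

output {
  elasticsearch {
    # Plain-HTTP, credential-less connection. If the cluster has security
    # enabled, add user/password (or an API key) and the ssl settings here.
    hosts => ["10.0.0.81:9200"]
    # One index per event type per day. The date must use the sprintf form
    # %{+yyyy.MM.dd}; the earlier "%yyyy.MM.dd}" was missing the "{+" and
    # would have produced a literal "%yyyy.MM.dd}" suffix in the index name.
    index => "%{type}-%{+yyyy.MM.dd}"
  }
}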