Logstash深入通过syslog收集日志
Logstash深入通过syslog收集日志
rsyslog介绍及安装配置
安装配置rsyslog
[root@elkstack03 conf.d]# yum install -y rsyslog
## 修改rsyslog配置文件
[root@elkstack03 conf.d]# vim /etc/rsyslog.conf
# Excerpt of /etc/rsyslog.conf: enables the UDP and TCP syslog listeners on
# port 514 and forwards everything logged to facility local7 to 10.0.0.83:2244.
#
# Provides UDP syslog reception
# haproxy.cfg on this page logs to 127.0.0.1 (`log 127.0.0.1 local7 info`), which
# HAProxy sends as UDP syslog, so this is the listener that receives its messages.
# No listen address is set, so rsyslog accepts datagrams on every interface, and
# UDP syslog carries no sender authentication. The only sender shown is local:
# put `$UDPServerAddress 127.0.0.1` before $UDPServerRun, or firewall 514/udp.
$ModLoad imudp
$UDPServerRun 514
# Provides TCP syslog reception
# NOTE(review): nothing shown on this page sends to 514/tcp; leave this listener
# disabled unless another sender needs it, since it is one more open port.
$ModLoad imtcp
$InputTCPServerRun 514
# `@@` forwards over TCP (a single `@` would be UDP). As shown, no TLS stream
# driver is configured in this excerpt, so the log stream is plaintext.
# 10.0.0.83:2244 matches the port of the Logstash syslog input on this page;
# presumably it is this same host (the stats URL also uses 10.0.0.83) -- confirm.
# If so, forwarding to 127.0.0.1 keeps the traffic off the network.
local7.* @@10.0.0.83:2244
## 启动rsyslog
[root@elkstack03 ~]# systemctl start rsyslog
安装配置haproxy
[root@elkstack03 ~]# yum install -y haproxy
## 修改配置文件
[root@elkstack03 conf.d]# cat /etc/haproxy/haproxy.cfg
# /etc/haproxy/haproxy.cfg: HTTP load balancer on port 80 with Host-based routing
# to two backends, a stats page on port 9999, and logging to the local syslog
# daemon on facility local7.
global
maxconn 100000
# HAProxy chroots into /var/lib/haproxy and switches to uid/gid 99 after startup.
# Presumably uid 99 is `nobody` on this distribution -- confirm with
# `getent passwd 99`; a dedicated haproxy account avoids sharing that uid.
chroot /var/lib/haproxy
uid 99
gid 99
daemon
nbproc 1
pidfile /var/run/haproxy.pid
# Syslog over UDP to 127.0.0.1, facility local7, severity info and above.
# local7 is the facility that the rsyslog rule `local7.* @@10.0.0.83:2244`
# on this page forwards to Logstash.
log 127.0.0.1 local7 info
defaults
option http-keep-alive
option forwardfor
maxconn 100000
mode http
# 300000 ms = 5 minutes for each timeout. No `timeout http-request` is set, so
# slow or idle clients can each hold a connection slot for minutes; that is a
# resource-exhaustion risk on an internet-facing listener. Consider a short
# `timeout http-request` and much smaller client/server timeouts.
timeout connect 300000ms
timeout client 300000ms
timeout server 300000ms
listen stats
mode http
# 0.0.0.0 exposes the stats page on every interface. Bind it to a management
# address (or restrict the source range with an ACL / firewall) instead.
bind 0.0.0.0:9999
stats enable
log global
stats uri /ha-status
# HTTP Basic auth with the secret stored in clear text in this file and sent
# over unencrypted HTTP on each request. `123456` is trivially guessable:
# replace it with a strong, unique password, restrict read access to this
# file, and put the page behind TLS or a management network.
stats auth haadmin:123456
#frontend web_port
frontend web_port
bind 0.0.0.0:80
mode http
# httplog switches to the detailed HTTP log format (client address, timers,
# status, request line); these are the records rsyslog forwards to Logstash.
option httplog
log global
# Adds an X-Forwarded-For header carrying the client address. An X-Forwarded-For
# header already supplied by the client is not removed, so backends should trust
# only the value added here, or strip the incoming header first
# (`http-request del-header X-Forwarded-For`).
option forwardfor
###################ACL Setting##########################
# NOTE(review): hdr_dom matches dot-delimited portions of the Host header, so a
# Host such as "www.zls.com.example.net" would also satisfy `www`; use
# hdr(host) if an exact match is intended.
acl www hdr_dom(host) -i www.zls.com
acl blog hdr_dom(host) -i blog.zls.com
###################USE ACL##############################
# No default_backend is defined: a request matching neither ACL is not routed
# to any backend.
use_backend www_host if www
use_backend blog_host if blog
########################################################
backend www_host
mode http
option httplog
balance static-rr
# check inter 2000 rise 3 fall 2: probe every 2000 ms, mark up after 3
# consecutive successes and down after 2 consecutive failures. No
# `option httpchk` is set, so the probe is a plain TCP connect.
server www_10.0.0.83 10.0.0.83:8090 check inter 2000 rise 3 fall 2 weight 1
server www_10.0.0.52 10.0.0.52:8090 check inter 2000 rise 3 fall 2 weight 1
backend blog_host
mode http
option httplog
balance static-rr
# Same health-check parameters as www_host, against port 8091.
server blog_10.0.0.83 10.0.0.83:8091 check inter 2000 rise 3 fall 2 weight 1
server blog_10.0.0.52 10.0.0.52:8091 check inter 2000 rise 3 fall 2 weight 1
打开浏览器访问haproxy健康检查状态页面:http://10.0.0.83:9999/ha-status
登录凭据由配置文件中的 stats auth haadmin:123456 指定:
用户名:haadmin
密码:123456
(123456 属于弱口令,且状态页通过明文HTTP传输凭据;实际部署时应更换为强口令,并限制9999端口的访问来源。)
使用Logstash通过rsyslog收集haproxy日志
[root@elkstack03 conf.d]# vim /etc/logstash/conf.d/haproxy.conf
# Pipeline: receive the syslog stream that rsyslog forwards to port 2244, print
# every event to stdout, and index it in Elasticsearch.
input{
# The syslog input listens on both TCP and UDP on `port`. No `host` is set, so
# it binds to the plugin default 0.0.0.0 and accepts events from any sender that
# can reach the port, with no authentication -- anyone on the network can inject
# forged log events. Set `host` to the address rsyslog forwards to, or firewall
# 2244 so that only the rsyslog sender is allowed.
# Port 2244 is above 1024, so binding it does not require root.
# NOTE(review): the page starts this pipeline from a root shell; presumably the
# package's unprivileged logstash account is sufficient -- confirm.
syslog {
type => "rsyslog_haproxy"
port => "2244"
}
}
output{
# Debugging aid: pretty-prints every event (client addresses and request lines
# included) to Logstash's stdout. Remove it once the pipeline is verified.
stdout{
codec => rubydebug
}
# No user/password or TLS options are set, so events are sent to 10.0.0.81:9200
# over plain HTTP without credentials. Presumably that cluster runs with
# security disabled -- confirm, and keep port 9200 unreachable from untrusted
# networks.
# %{type} is the value set by the input above, so the daily index is named
# rsyslog_haproxy-YYYY.MM.dd.
elasticsearch{
hosts => ["10.0.0.81:9200"]
index => "%{type}-%{+yyyy.MM.dd}"
}
}
[root@elkstack03 conf.d]# /usr/share/logstash/bin/logstash --path.data=/var/lib/logstash/haproxy -f /etc/logstash/conf.d/haproxy.conf &