ELK (9): Collecting TCP logs with ELK/logstash
Logstash's tcp/udp input plugins collect logs over the network. They are typically used to back-fill logs that went missing on their way to elasticsearch: the lost entries can be written straight to the elasticsearch server through a single TCP port.
Alternatively the plugin monitors a given port. Because logstash is started as an unprivileged user, this port cannot be below 1024.
Configuration file (stdout output)
#sudo vim /etc/logstash/conf.d/tcp.conf
input {
  tcp {
    port => "8888"
    type => "tcplog"
  }
}
output {
  stdout {
    codec => "rubydebug"
  }
}
Test the configuration file
sudo /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/tcp.conf -t
Start listening
sudo /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/tcp.conf
[admin@pe-jira ~]$ sudo netstat -lntp|grep 8888
tcp6       0      0 :::8888                 :::*                    LISTEN      16028/java
[admin@pe-jira ~]$
Send from another machine with nc
[admin@pe-db ~]$ echo "hahahahah" | nc 10.6.76.27 8888
[admin@pe-db ~]$ echo "tcp测试" | nc 10.6.76.27 8888
[admin@pe-db ~]$
Test data received
/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/awesome_print-1.7.0/lib/awesome_print/formatters/base_formatter.rb:31: warning: constant ::Fixnum is deprecated
{
       "message" => "hahahahah",
          "host" => "pe-db",
      "@version" => "1",
    "@timestamp" => 2019-07-16T02:10:33.138Z,
          "type" => "tcplog",
          "port" => 48650
}
{
       "message" => "tcp测试",
          "host" => "pe-db",
      "@version" => "1",
    "@timestamp" => 2019-07-16T02:10:54.249Z,
          "type" => "tcplog",
          "port" => 48651
}
Sending via a pseudo-device
On Unix-like operating systems a device node does not necessarily correspond to a physical device. Devices without such a correspondence are pseudo-devices, and the operating system makes use of the many functions they provide. Commonly used pseudo-devices include: null, zero, full, loop, random, urandom.
TCP communication is just one of the many pseudo-devices under /dev. (Note that /dev/tcp/host/port is not a node that exists on the filesystem: bash itself recognises this path in a redirection and opens the socket, so the command below works in bash but not in shells without that feature.)
echo "伪设备3" > /dev/tcp/10.6.76.27/8888
Write to elasticsearch
input {
  tcp {
    port => "8888"
    type => "tcplog"
  }
}
output {
  if [type] == "tcplog" {
    elasticsearch {
      hosts => ["10.6.76.27:9200"]
      index => "tcp-log-%{+YYYY.MM.dd}"
    }
  }
}
Test
#[admin@pe-db ~]$ echo "现在时间是--`date +%F-%H-%M-%S`" | nc 10.6.76.27 8888
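The tcp input above listens on every interface (the netstat output shows :::8888) with no authentication, so any host that can reach port 8888 can write arbitrary events into the tcp-log-* index, which is exactly what the nc test from pe-db demonstrates. Below is an added example, not from the original post, of the same pipeline with the listener bound to one address and wrapped in TLS with mandatory client certificates; the certificate paths are placeholders, the ingest_path field name is my own choice, and the option names are those of the logstash 7.x tcp input plugin.

```conf
# Listener as on the page: every interface, no transport security, plain lines.
# input {
#   tcp { port => "8888" type => "tcplog" }
# }

input {
  tcp {
    host       => "10.6.76.27"          # bind one interface instead of :::8888
    port       => "8888"                # still above 1024: logstash runs unprivileged
    type       => "tcplog"
    codec      => json_lines            # one JSON object per line; bad lines are tagged _jsonparsefailure
    ssl_enable => true
    ssl_cert   => "/etc/logstash/certs/logstash.crt"   # placeholder paths
    ssl_key    => "/etc/logstash/certs/logstash.key"
    ssl_verify => true                  # require and verify a client certificate
  }
}

filter {
  if [type] == "tcplog" {
    # mark the ingest path so back-filled events can be told apart in kibana
    mutate { add_field => { "ingest_path" => "tcp-8888" } }
  }
}

output {
  if [type] == "tcplog" {
    elasticsearch {
      hosts => ["10.6.76.27:9200"]
      index => "tcp-log-%{+YYYY.MM.dd}"
    }
  }
}
```

With TLS enabled the plain `nc` and `/dev/tcp` senders no longer work; a client can send a line with `openssl s_client -connect 10.6.76.27:8888 -cert client.crt -key client.key` instead.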
Add to kibana