随着机房内的服务器和网络设备增加,日志管理和查询就成了让系统管理员头疼的事。
1、日常维护过程中不可能登录到每一台服务器和设备上去查看日志;
2、网络设备上的存储空间有限,不可能存储日期太长的日志,而系统出现问题又有可能是很久以前发生的某些操作造成的;
3、在某些非法侵入的情况下,侵入者一般都会清除本地日志,清除侵入痕迹;
4、zabbix等监控系统无法代替日志管理,无法监控如系统登录、计划任务执行等项目。
基于上述原因,在当前的网络环境中搭建一台用于日志集中管理的Rsyslog日志服务器就显得十分有必要了。
Rsyslog服务器可以大多数的网络设备支持,在网络设备的系统设备选项中大多都有远程日志服务的配置选项。只需要填写上IP地址和端口(大多数设备已经默认是514了),然后确定就可以了;
Linux服务器只需要在本地的Rsyslog服务配置中加入简单的一行就可以将日志发送到日志服务器,布署和配置起来十分简单;
系统环境及软件版本:CentOS Linux release 7.5.1804 (Core)
Elasticserch-6.8.4
Kibana-6.8.4
Logstash-6.8.4
Filebeat-6.8.4
Rsyslog-8.24.0
将SELINUX设置为disabled
# setenforce 0
# sed -i 's#SELINUX=enforcing#SELINUX=disabled#g' /etc/selinux/config
firewall-cmd --add-service=syslog --permanent
firewall-cmd --reload
[root@ZABBIX-Server ~]# rpm -qa |grep rsyslog
rsyslog-8.24.0-16.el7.x86_64
编辑rsyslog配置文件
vim /etc/rsyslog.conf #按如下进行更改
[root@ZABBIX-Server mnt]# egrep -v "*#|^$" /etc/rsyslog.conf
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
*.info;mail.none;authpriv.none;cron.none;local6.none;local5.none;local4.none /var/log/messages
$template h3c,"/mnt/h3c/%FROMHOST-IP%.log"
local6.* ?h3c
$template huawei,"/mnt/huawei/%FROMHOST-IP%.log"
local5.* ?huawei
$template cisco,"/mnt/cisco/%FROMHOST-IP%.log"
local4.* ?cisco
$ModLoad imudp # immark是模块名,支持tcp协议
$ModLoad imudp # imupd是模块名,支持udp协议
$InputTCPServerRun 514
$UDPServerRun 514 #允许514端口接收使用UDP和TCP协议转发过来的日志
注意:
*.info;mail.none;authpriv.none;cron.none;local6.none;local5.none;local4.none /var/log/messages
默认没有添加local6.none;local5.none;local4.none 命令,网络日志在写入对应的文件的同时会写入/var/log/messages 中
重启rsyslog服务
systemctl restart rsyslog.service
日志存放目录
网络设备将日志指向syslog服务器,注意不同厂商的设备对应的local不同,对应关系如下:
/mnt/huawei --- local6
/mnt/h3c --- local5
/mnt/cisco --- local4
网络设备配置
Huawei:info-center loghost source Vlanif99
info-center loghost 192.168.99.50 facility local5
H3C:
info-center loghost source Vlan-interface99
info-center loghost 192.168.99.50 facility local6
CISCO:
(config)#logging on
(config)#logging 192.168.99.50
(config)#logging facility local4
(config)#logging source-interface e0
Ruijie:logging buffered warnings
logging source interface VLAN 99
logging facility local6
logging server 192.168.99.50
注意:192.168.99.50为rsyslog服务器的IP
收集rsyslog下的日志文件到logstash
[root@ZABBIX-Server mnt]# egrep -v "^#|^$" /etc/filebeat/filebeat.yml
filebeat.inputs:
- type: log
enabled: true
paths:
- /mnt/huawei/*
tags: ["huawei"]
include_lines: ['Failed','failed','error','ERROR','\bDOWN\b','\bdown\b','\bUP\b','\bup\b']
drop_fields:
fields: ["beat","input_type","source","offset","prospector"]
- type: log
paths:
- /mnt/h3c/*
tags: ["h3c"]
include_lines: ['Failed','failed','error','ERROR','\bDOWN\b','\bdown\b','\bUP\b','\bup\b']
drop_fields:
fields: ["beat","input_type","source","offset","prospector"]
setup.template.settings:
index.number_of_shards: 3
output.logstash:
hosts: ["192.168.99.185:5044"]
processors:
- add_host_metadata: ~
- add_cloud_metadata: ~
对filebeat传来的日志根据标签不同分别进行处理,将处理完成的日志数据传到es上存储,并在kibana上做进一步的可视化展示
[root@elk-node1 ~]# egrep -v "^#|^$" /etc/logstash/conf.d/networklog.conf
input {
beats {
port => 5044
}
}
filter {
if "huawei" in [tags] {
grok{
match => {"message" => "%{SYSLOGTIMESTAMP:time} %{DATA:hostname} %{GREEDYDATA:info}"}
}
}
else if "h3c" in [tags] {
grok{
match => {"message" => "%{SYSLOGTIMESTAMP:time} %{YEAR:year} %{DATA:hostname} %{GREEDYDATA:info}"}
}
}
mutate {
remove_field => ["message","time","year","offset","tags","path","host","@version","[log]","[prospector]","[beat]","[input][type]","[source]"]
}
}
output{
stdout {codec => rubydebug}
elasticsearch {
index => "networklogs-%{+YYYY.MM.dd}"
hosts => ["192.168.99.185:9200"]
sniffing => false
}
}
创建一个索引模式匹配存储的网络设备日志索引
kibana的数据表可以导出为CSV文件
