This post shares my notes on sending logs from an rsyslog client ( a Swift SAIO in this case ) to an rsyslog server ( elk5 : ElasticStack 5.0 ).
1. Enable the receiver ( rsyslog-server ) setup in the elk5 container. With the directives below rsyslog accepts syslog on port 514 from any host on every interface (the netstat output in step 5.h shows 0.0.0.0:514 and :::514), so restrict who can reach that port with a host firewall or bind the listener to a specific address (for imudp the legacy directive is $UDPServerAddress).
a. Update the elk5 ( receiver ) rsyslog.conf
# sudo vi /etc/rsyslog.conf
b. Restart rsyslog service
Change
from
# provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514
# provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514
To
# provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
# provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
from
# provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514
# provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514
To
# provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
# provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
b. Restart rsyslog service
# sudo systemctl restart rsyslog
2. Enable the sending end ( rsyslog-client ) setup on the Swift node.
a. Add the elk5 server IP to the rsyslog client ( Swift node )
b. Restart the rsyslog client service
# cd /etc/rsyslog.d/
You should see that 0-swift.conf already exists there.
# sudo vi 0-swift.conf and add this line: *.* @elk5_container_ip:514
PS: a single @ means UDP, @@ means TCP. UDP delivery is best-effort (messages can be silently dropped), and neither plain UDP nor plain TCP encrypts or authenticates the forwarded messages, so keep this traffic on a trusted network.
# $ cat 0-swift.conf
# NOTE: we used to enable UDP logging here, but we switched
# back to just unix domain socket.
$imjournalRatelimitInterval 60
$imjournalRatelimitBurst 600000
*.* @192.168.81.104:514
# Log all Swift proxy-server access log lines (local2) to
# /var/log/swift/proxy_access.log
local2.* /var/log/swift/proxy_access.log;RSYSLOG_FileFormat
# Log all Swift lines to /var/log/swift/all.log
# AND PREVENT FURTHER LOGGING OF THEM (eg. to /var/log/syslog)
local0.*;local2.* /var/log/swift/all.log;RSYSLOG_TraditionalFileFormat
& ~
You should see that 0-swift.conf already exists there.
# sudo vi 0-swift.conf and add this line: *.* @elk5_container_ip:514
PS: a single @ means UDP, @@ means TCP. UDP delivery is best-effort (messages can be silently dropped), and neither plain UDP nor plain TCP encrypts or authenticates the forwarded messages, so keep this traffic on a trusted network.
# $ cat 0-swift.conf
# NOTE: we used to enable UDP logging here, but we switched
# back to just unix domain socket.
$imjournalRatelimitInterval 60
$imjournalRatelimitBurst 600000
*.* @192.168.81.104:514
# Log all Swift proxy-server access log lines (local2) to
# /var/log/swift/proxy_access.log
local2.* /var/log/swift/proxy_access.log;RSYSLOG_FileFormat
# Log all Swift lines to /var/log/swift/all.log
# AND PREVENT FURTHER LOGGING OF THEM (eg. to /var/log/syslog)
local0.*;local2.* /var/log/swift/all.log;RSYSLOG_TraditionalFileFormat
& ~
b. Restart the rsyslog client service
# sudo systemctl restart rsyslog.service
Or
# sudo service rsyslog restart
3. Format the log data as JSON in the elk5 container.
Elasticsearch requires that all documents it receives be in JSON format.
a. Add the JSON template. Note that only the msg property below is written with format="json"; hostname, programname and procid are inserted unescaped, so a client-supplied value containing a double quote or backslash would produce a malformed JSON line — consider adding format="json" to those properties as well.
# sudo vi /etc/rsyslog.d/01-json-template.conf
Or
# cat /etc/rsyslog.d/01-json-template.conf
template(name="json-template" type="list") {
constant(value="{")
constant(value="\"@timestamp\":\"") property(name="timereported" dateFormat="rfc3339")
constant(value="\",\"@version\":\"1")
constant(value="\",\"message\":\"") property(name="msg" format="json")
constant(value="\",\"sysloghost\":\"") property(name="hostname")
constant(value="\",\"severity\":\"") property(name="syslogseverity-text")
constant(value="\",\"facility\":\"") property(name="syslogfacility-text")
constant(value="\",\"programname\":\"") property(name="programname")
constant(value="\",\"procid\":\"") property(name="procid")
constant(value="\"}\n")
}
4. Configure the receiver's ( rsyslog-server ) rsyslog output for Logstash in the elk5 container.
a. Configure template
# sudo vi /etc/rsyslog.d/60-output.conf
Or
# cat /etc/rsyslog.d/60-output.conf
# This line sends all lines to defined IP address at port 10514,
# using the "json-template" format template
*.* @localhost:10514;json-template
Or
# cat /etc/rsyslog.d/60-output.conf
# This line sends all lines to defined IP address at port 10514,
# using the "json-template" format template
*.* @localhost:10514;json-template
5. Configure Logstash to receive the JSON output in the elk5 container
a. Install the signing key for the Logstash repository (the key is fetched over HTTPS; compare its fingerprint with the one the vendor publishes before trusting it)
# wget -qO - https://packages.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
b. Add repository definition to your /etc/apt/sources.list
d. Add new logstash.conf
e. Move the previous 02/10/30*.conf files to /tmp or some backup folder, because they are not needed.
f. Restart logstash
g. Restart rsyslog
h. Double check the ports
# echo "deb http://packages.elastic.co/logstash/2.3/debian stable main" | sudo tee -a /etc/apt/sources.list
c. Do apt update
# apt-get update
PS: I'm not sure whether 5.a, 5.b and 5.c are actually needed; I suspect they may not be.
d. Add new logstash.conf
# vi /etc/logstash/conf.d/logstash.conf
Or
# cat /etc/logstash/conf.d/logstash.conf
# This input block will listen on port 10514 for logs to come in.
# host should be an IP on the Logstash server.
# codec => "json" indicates that we expect the lines we're receiving to be in JSON format
# type => "rsyslog" is an optional identifier to help identify messaging streams in the pipeline.
input {
udp {
host => "localhost"
port => 10514
codec => "json"
type => "rsyslog"
}
}
# This is an empty filter block. You can later add other filters here to further process
# your log lines
filter { }
# This output block will send all events of type "rsyslog" to elasticsearch at the configured
# host and port into daily indices of the pattern, "rsyslog-YYYY.MM.DD"
output {
if [type] == "rsyslog" {
elasticsearch {
hosts => [ "localhost:9200" ]
}
}
}
# cat /etc/logstash/conf.d/logstash.conf
# This input block will listen on port 10514 for logs to come in.
# host should be an IP on the Logstash server.
# codec => "json" indicates that we expect the lines we're receiving to be in JSON format
# type => "rsyslog" is an optional identifier to help identify messaging streams in the pipeline.
input {
udp {
host => "localhost"
port => 10514
codec => "json"
type => "rsyslog"
}
}
# This is an empty filter block. You can later add other filters here to further process
# your log lines
filter { }
# This output block will send all events of type "rsyslog" to elasticsearch at the configured
# host and port into daily indices of the pattern, "rsyslog-YYYY.MM.DD"
output {
if [type] == "rsyslog" {
elasticsearch {
hosts => [ "localhost:9200" ]
}
}
}
e. Move the previous 02/10/30*.conf files to /tmp or some backup folder, because they are not needed.
#root@elk5-u1604:/tmp/logstash_conf_backup# ll
total 6
drwxr-xr-x 2 root root 5 Nov 4 23:36 ./
drwxrwxrwx 6 root root 6 Nov 5 00:17 ../
-rw-r--r-- 1 root root 41 Nov 4 21:35 02-beats-input.conf
-rw-r--r-- 1 root root 456 Nov 4 21:35 10-syslog-filter.conf
-rw-r--r-- 1 root root 210 Nov 4 21:35 30-elasticsearch-output.conf
total 6
drwxr-xr-x 2 root root 5 Nov 4 23:36 ./
drwxrwxrwx 6 root root 6 Nov 5 00:17 ../
-rw-r--r-- 1 root root 41 Nov 4 21:35 02-beats-input.conf
-rw-r--r-- 1 root root 456 Nov 4 21:35 10-syslog-filter.conf
-rw-r--r-- 1 root root 210 Nov 4 21:35 30-elasticsearch-output.conf
f. Restart logstash
# sudo systemctl restart logstash
or
# sudo service logstash restart
g. Restart rsyslog
# sudo systemctl restart rsyslog
or
# sudo service rsyslog restart
h. Double-check the ports. Logstash's 10514 listener and Elasticsearch's 9200/9300 are bound to loopback only, as intended; note that 514 (rsyslog) and 80 (nginx) are bound to all interfaces.
root@elk5-u1604:/tmp/logstash_conf_backup# netstat -na | grep 10514
udp6 0 0 127.0.0.1:10514 :::*
root@elk5-u1604:/tmp/logstash_conf_backup# netstat -ntlp | grep LISTEN
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp 0 0 127.0.0.1:5601 0.0.0.0:* LISTEN 5601/node
tcp 0 0 0.0.0.0:514 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 5429/nginx -g daemo
tcp6 0 0 127.0.0.1:9600 :::* LISTEN 8628/java
tcp6 0 0 :::514 :::* LISTEN -
tcp6 0 0 127.0.0.1:9200 :::* LISTEN 8459/java
tcp6 0 0 ::1:9200 :::* LISTEN 8459/java
tcp6 0 0 127.0.0.1:9300 :::* LISTEN 8459/java
tcp6 0 0 ::1:9300 :::* LISTEN 8459/java
root@elk5-u1604:/tmp/logstash_conf_backup# netstat -ntlp | grep LISTEN
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp 0 0 127.0.0.1:5601 0.0.0.0:* LISTEN 5601/node
tcp 0 0 0.0.0.0:514 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 5429/nginx -g daemo
tcp6 0 0 127.0.0.1:9600 :::* LISTEN 8628/java
tcp6 0 0 :::514 :::* LISTEN -
tcp6 0 0 127.0.0.1:9200 :::* LISTEN 8459/java
tcp6 0 0 ::1:9200 :::* LISTEN 8459/java
tcp6 0 0 127.0.0.1:9300 :::* LISTEN 8459/java
tcp6 0 0 ::1:9300 :::* LISTEN 8459/java