一、TCP收集日志使用场景
tcp模块的使用场景如下: 有一台服务器A只需要收集一个日志,那么我们就可以不需要在这服务器上安装logstash,我们通过在其他logstash上启用tcp模块,监听某个端口,然后我们在这个服务器A把日志通过nc发送到logstash上即可。
二、标准输出测试TCP模块
[root@linux-node2 ~]# cat /etc/logstash/conf.d/tcp.conf
input {
tcp{
port => "5600" #监听5600端口
mode => "server" #模式为server
type => "tcplog" #类型为tcplog
}
}
output {
stdout {
codec => rubydebug
}
}
#检测配置文件语法:
[root@linux-node2 conf.d]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/tcp.conf -t
OpenJDK 64-Bit Server VM warning: If the number of processors is expected to increase from one, then you should configure the number of parallel GC threads appropriately using -XX:ParallelGCThreads=N
WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults
Could not find log4j2 configuration at path /usr/share/logstash/config/log4j2.properties. Using default config which logs errors to the console
Configuration OK
#node1节点上安装nc命令,并发送日志到node2。Netcat简称nc,在网络工具中具有“瑞士×××”美誉,其功能实用,是一个简单,可靠的网络工具,可通过TCP或UDP协议传输读写数据,另外还具有很多其他功能。
[root@linux-node1 ~]# yum install -y nc
#通过nc来发送日志
[root@linux-node1 ~]# echo "hello world" | nc 192.168.56.12 5600
#linux-node2终端上查看日志输出信息:
[root@linux-node2 conf.d]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/tcp.conf
OpenJDK 64-Bit Server VM warning: If the number of processors is expected to increase from one, then you should configure the number of parallel GC threads appropriately using -XX:ParallelGCThreads=N
WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults
Could not find log4j2 configuration at path /usr/share/logstash/config/log4j2.properties. Using default config which logs errors to the console
{
"@timestamp" => 2018-01-02T00:59:49.356Z,
"port" => 57902,
"@version" => "1",
"host" => "linux-node1",
"@metdata" => {
"ip_address" => "192.168.56.11"
},
"message" => "hello world",
"type" => "tcplog"
}
#可以看到linux-node2上有监听5600端口
[root@linux-node2 ~]# netstat -tunlp |grep 5600
tcp6 0 0 :::5600 :::* LISTEN 2301/java
#还可以将某个文件发送到nc
[root@linux-node1 ~]# nc 192.168.56.12 5600 < /etc/passwd
[root@linux-node2 conf.d]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/tcp.conf
OpenJDK 64-Bit Server VM warning: If the number of processors is expected to increase from one, then you should configure the number of parallel GC threads appropriately using -XX:ParallelGCThreads=N
WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults
Could not find log4j2 configuration at path /usr/share/logstash/config/log4j2.properties. Using default config which logs errors to the console
"@timestamp" => 2018-01-02T01:00:54.530Z,
"port" => 58134,
"@version" => "1",
"host" => "linux-node1",
"@metdata" => {
"ip_address" => "192.168.56.11"
},
"message" => "root:x:0:0:root:/root:/bin/bash",
"type" => "tcplog"
}
{
"@timestamp" => 2018-01-02T01:00:54.531Z,
"port" => 58134,
"@version" => "1",
"host" => "linux-node1",
"@metdata" => {
"ip_address" => "192.168.56.11"
},
"message" => "bin:x:1:1:bin:/bin:/sbin/nologin",
"type" => "tcplog"
}
......
#也可以通过这种方式伪设备的方式发送日志:(在类unix操作系统中,设备节点并一定要对应物理设备。没有这种对应关系的设备是伪设备。操作系统运用了它们提供的多种功能,tcp只是dev下面众多伪设备当中的一种设备。)
[root@linux-node1 ~]# echo "222" > /dev/tcp/192.168.56.12/5600
[root@linux-node2 conf.d]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/tcp.conf
OpenJDK 64-Bit Server VM warning: If the number of processors is expected to increase from one, then you should configure the number of parallel GC threads appropriately using -XX:ParallelGCThreads=N
WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults
Could not find log4j2 configuration at path /usr/share/logstash/config/log4j2.properties. Using default config which logs errors to the console
{
"@timestamp" => 2018-01-02T01:26:55.922Z,
"port" => 35576,
"@version" => "1",
"host" => "linux-node1",
"@metdata" => {
"ip_address" => "192.168.56.11"
},
"message" => "222",
"type" => "tcplog"
}三、配置logstash通过TCP收集输出到elasticsearch
[root@linux-node2 conf.d]# vim tcp.conf
input {
tcp{
port => "5600"
mode => "server"
type => "tcplog"
}
}
output {
elasticsearch {
hosts => ["192.168.56.11:9200"]
index => "tcp-test5612-%{+YYYY.MM.dd}"
}
file {
path => "/tmp/tcp-test5612-%{+YYYY.MM.dd}"
}
}
[root@linux-node2 conf.d]# /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/tcp.conf -t
OpenJDK 64-Bit Server VM warning: If the number of processors is expected to increase from one, then you should configure the number of parallel GC threads appropriately using -XX:ParallelGCThreads=N
WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults
Could not find log4j2 configuration at path /usr/share/logstash/config/log4j2.properties. Using default config which logs errors to the console
Configuration OK
[root@linux-node2 conf.d]# systemctl restart logstash
[root@linux-node1 elasticsearch-head]# echo "hello worl" |nc 192.168.56.12 5600
[root@linux-node1 elasticsearch-head]# nc 192.168.56.12 5600 < /etc/passwd
HEAD插件查看:
Kibana添加索引查看:
版权声明:原创作品,谢绝转载。否则将追究法律责任
本文转自 IT_外卖小哥 51CTO博客,原文链接:http://blog.51cto.com/jinlong/2056521