ELK logstash-7.5收集交换机日志

ELK logstash-7.5收集交换机日志

一、交换机配置
添加：info-center loghost 192.168.14.210，IP地址是logstash服务器，华为交换机默认是UDP514端⼝发送数据
1、查看交换机版本
[SW30]display  version

1. Huawei Versatile Routing Platform Software
   
2. VRP (R) software, Version 5.70 (S2700 V100R006C05)
   
3. Copyright (C) 2003-2013 HUAWEI TECH CO., LTD
   
4. Quidway S2700-9TP-SI-AC Routing Switch uptime is 23 weeks, 5 days, 7 hours, 28 minutes
   
5. E8FED 0(Master) : uptime is 23 weeks, 5 days, 7 hours, 27 minutes
   
6. 64M bytes DDR Memory
   
7. 16M bytes FLASH
   
8. Pcb      Version :  VER E
   
9. Basic  BOOTROM  Version :  149 Compiled at Mar 15 2013, 11:02:25
   
10. Software Version : VRP (R) Software, Version 5.70 (V100R006C05)

复制代码

2、配置内容
[SW30]display  current-configuration  | in info
info-center loghost 192.168.14.210
snmp-agent sys-info version all

二、logstash7.5安装
1、安装JDK

1. tar -zxvf jdk-11.0.5_linux-x64_bin.tar.gz -C /usr/local/

复制代码

将java目录信息添加到系统环境变量中

1. vim /etc/profile

复制代码

以下目录请按实际安装目录红色部分进行调整

1. export JAVA_HOME=<font color="#ff0000">/usr/local/jdk-11.0.5/</font>
   
2. export PATH=$PATH:$JAVA_HOME/bin
   
3. export CLASSPATH=.:$JAVA_HOME/lib/tools.jar:$JAVA_HOME/lib/dt.jar:$CLASSPATH
   
4. [root@localhost ~]# source  /etc/profile
   

复制代码

2、解压logstash⼆进制包

1. tar -zxvf logstash-7.5.0.tar.gz  -C /usr/local/

复制代码

3、添加环境变量

1. vi /etc/profile

复制代码

将以下以下目录请按实际安装目录红色部分进行调整

1. export PATH=$PATH:<font color="#ff0000">/usr/local/logstash-7.5.0/bin</font>

复制代码

使环境变量，生效

1. source /etc/profile

复制代码

三、logstash7.5配置
1、关闭rsyslog服务，因为这个会占⽤514端⼝

1. systemctl stop rs

复制代码

2、添加logstash配置⽂件，根据监听交换机端⼝区分不通⽹络设备型号(直接复制可⽤，修改下IP地址)

1. vi  /usr/local/logstash-7.5.0/config/switch.conf

复制代码

1. cat /usr/local/logstash-7.5.0/config/switch.conf

复制代码

1. input{
   
2.     tcp { port => 5002
   
3.     type => "Cisco"}
   
4.     udp { port => 514
   
5.     type => "HUAWEI"}
   
6.     udp { port => 5002
   
7.     type => "Cisco"}
   
8.     udp { port => 5003
   
9.     type => "H3C"}
   
10. }
    
11. filter {
    
12.     if [type] == "Cisco" {
    
13.     grok {
    
14.     match => { "message" => "<%{BASE10NUM:syslog_pri}>%{NUMBER:log_sequence}: .%{SYSLOGTIMESTAMP:timestamp}: %%{DATA:facility}-%{POSINT:seve
    
15.     match => { "message" => "<%{BASE10NUM:syslog_pri}>%{NUMBER:log_sequence}: %{SYSLOGTIMESTAMP:timestamp}: %%{DATA:facility}-%{POSINT:seve
    
16.     add_field => {"severity_code" => "%{severity}"}
    
17.     overwrite => ["message"]
    
18.     }
    
19. }
    
20.     elseif [type] == "H3C" {
    
21.     grok {
    
22.     match => { "message" => "<%{BASE10NUM:syslog_pri}>%{SYSLOGTIMESTAMP:timestamp} %{YEAR:year} %{DATA:hostname} %%%{DATA:vvmodule}/%{P
    
23. match => { "message" => "<%{BASE10NUM:syslog_pri}>%{SYSLOGTIMESTAMP:timestamp} %{DATA:hostname} %{DATA:ddModuleName}/%{POSINT:seve
    
24.        remove_field => [ "timestamp" ]
    
25.     add_field => {"severity_code" => "%{severity}"}
    
26.     overwrite => ["message"]
    
27.     }
    
28. }
    
29. #mutate {
    
30. #        gsub => [
    
31. #        "severity", "0", "Emergency",
    
32. #        "severity", "1", "Alert",
    
33. #        "severity", "2", "Critical",
    
34. #        "severity", "3", "Error",
    
35. #        "severity", "4", "Warning",
    
36. #        "severity", "5", "Notice",
    
37. #        "severity", "6", "Informational,
    
38. #        "severity", "7", "Debug"
    
39. #        ]
    
40. #    }
    
41. }
    
42. output{
    
43.     stdout {
    
44.        codec => rubydebug
    
45. }
    
46.     elasticsearch {
    
47.         index =>
    
48.         "syslog-%{+YYYY.MM.dd}"
    
49.         hosts => ["<font color="#ff0000">192.168.14.211:9200</font>"]
    
50.         user => "elastic"
    
51.         password => "password"
    
52. }
    
53. }

复制代码

这⾥为了⽅便查看，直接输出到终端显⽰了，⼯作环境可以删除stdout的配置。并且添加了⽤户名和密码认证



3、启动，在终端可以查看到数据

1. logstash -f /usr/local/logstash-7.5.0/config/switch.conf

复制代码