ELK 通过 Logstash 收集 messages、secure 系统日志
1、logstash配置文件编写
[root@linux-elk1 ~]# vim /etc/logstash/conf.d/system-log.conf
# Logstash pipeline: tail two system log files and ship each one to its own
# daily Elasticsearch index, routed on the event's `type` field.
input {
  file {
    path => "/var/log/messages"
    # `type` is the only thing the output section keys on below.
    type => "systemlog"
    # NOTE(review): start_position only matters for a file Logstash has not seen
    # before (no sincedb entry); on later restarts it resumes where it left off — confirm.
    start_position => "beginning"
    # Interval, in seconds, between stats of the file for new data.
    stat_interval => "3"
  }
  file {
    # /var/log/secure holds authentication events; the Logstash service user
    # must be able to read it, which is what step 2 of the page arranges.
    path => "/var/log/secure"
    type => "securelog"
    start_position => "beginning"
    stat_interval => "3"
  }
}
output {
  # One elasticsearch output per type so each log lands in a separate daily index.
  if [type] == "systemlog" {
    elasticsearch {
      # NOTE(review): no user/password/ssl options are set, so this relies on the
      # ES endpoint accepting unauthenticated plain HTTP — confirm that is intended
      # for this network, or add those options if ES security is enabled.
      hosts => ["192.168.182.10:9200"]
      # %{+YYYY.MM.dd} expands to the event's date, giving one index per day.
      index => "system-log-%{+YYYY.MM.dd}"
    }
  }
  if [type] == "securelog" {
    elasticsearch {
      hosts => ["192.168.182.10:9200"]
      index => "secure-log-%{+YYYY.MM.dd}"
    }
  }
}
2、给日志文件赋予可读权限并重启logstash（注意：644 会使 /var/log/secure 对本机所有用户可读，而该文件包含认证记录；更稳妥的做法是只给 logstash 运行用户读权限，例如通过组权限或 ACL）
[root@linux-elk1 ~]# chmod 644 /var/log/secure
[root@linux-elk1 ~]# chmod 644 /var/log/messages
[root@linux-elk1 ~]# systemctl restart logstash
3、向被收集的文件中写入测试数据
这是为了能马上在 elasticsearch 的 web 界面和 kibana 的 web 界面里查看到测试数据
[root@linux-elk1 ~]# echo "test" >> /var/log/secure
[root@linux-elk1 ~]# echo "test" >> /var/log/messages
4、在kibana界面添加system-log索引模式
5、测试
- 在终端向 /var/log/secure 写入信息
[root@localhost ~]# echo "villian-test" >> /var/log/secure
- 在 kibana-web 端查看信息