Background
We want to collect logs centrally, analyze them in one place, and search and filter them on a single platform. The previous article covered building ELK; so how do we get the logs of each client onto the ELK platform?
"Overview of this system"
ELK: 192.168.100.10 (this host needs an FQDN so that the SSL certificate can be created; configure the FQDN www.elk.com)
The client whose logs are collected (also called the Logstash shipper): 192.168.100.13
ELK environment:
# ifconfig | grep 192.168.100
inet addr:192.168.100.10  Bcast:192.168.100.255  Mask:255.255.255.0
# cat /etc/hosts | grep 192.168.100.10
192.168.100.10 www.elk.com
# cat /etc/issue
CentOS release 6.4 (Final)
Kernel \r on an \m
Client (Logstash Shipper) Environment:
# ifconfig | grep "192.168."
inet addr:192.168.100.13  Bcast:192.168.100.255  Mask:255.255.255.0
# cat /etc/hosts | grep 192.168.100.10
192.168.100.10 www.elk.com
# cat /etc/issue
CentOS release 6.4 (Final)
Kernel \r on an \m
"How the client and server communicate"
Reference:
http://udn.yyuap.com/doc/logstash-best-practice-cn/get_start/full_config.html
"Communication architecture diagram"
The Logstash configuration file on the server side (that is, the file given after -f):
/usr/local/logstash/bin/logstash -f /usr/local/logstash/etc/logstash.conf
It must contain an input section and an output section.
The input can come from a local file or from another machine over the network (a port).
So in a client/server Logstash setup, the logs are transmitted over the network.
[Image: Logstash_forword2.png]
How it works: the client installs logstash-forwarder, which sends the logs from the specified files to Logstash (which is already listening on a port and accepting input from forwarder clients).
"Client-to-server transfer scheme"
Reference: http://udn.yyuap.com/doc/logstash-best-practice-cn/ecosystem/logstash_forwarder.html
"Server-side Configuration"
1 First, create a CA certificate for the server
cd /etc/pki/tls/
openssl req -subj '/CN=www.elk.com/' -x509 -days 3650 -batch -nodes -newkey rsa:2048 -keyout private/logstash-forwarder.key -out certs/logstash-forwarder.crt
Copy logstash-forwarder.crt to the client:
scp certs/logstash-forwarder.crt 192.168.100.13:/etc/pki/tls/certs/
2 Configure logstash.conf on the server side
# cat /usr/local/logstash/etc/logstash.conf
input {
  file {
    type => "syslog"
    path => ["/var/log/messages", "/var/log/secure"]
  }
  lumberjack {
    port => 5000
    type => "logs"
    ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
    ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
  }
}
output {
  stdout { codec => rubydebug }
  elasticsearch { hosts => "192.168.100.10:9200" }
}
(The part highlighted in yellow in the original post is what this architecture requires you to configure: the fields that define the connection.)
Lumberjack is the name logstash-forwarder had before it was rewritten in Go.
type => "anything": the type can be set to any value; it does not matter.
3 Start Logstash
/usr/local/logstash/bin/logstash -f /usr/local/logstash/etc/logstash.conf &
or use the screen command to keep it running in the background
"Installing and configuring the forwarder on the client"
Download the software
wget https://download.elastic.co/logstash-forwarder/binaries/logstash-forwarder-0.4.0-1.x86_64.rpm
Install it
yum localinstall logstash-forwarder-0.4.0-1.x86_64.rpm
Note two paths
The configuration file: /etc/logstash-forwarder.conf
The log directory: /var/log/logstash-forwarder/
Back up the original file
cp /etc/logstash-forwarder.conf /etc/logstash-forwarder.conf.orig
Change logstash-forwarder.conf to
{
  "network": {
    "servers": ["www.elk.com:5000"],
    "ssl ca": "/etc/pki/tls/certs/logstash-forwarder.crt",
    "timeout": <seconds>
  },
  "files": [
    {
      "paths": ["/var/log/messages", "/var/log/secure"],
      "fields": {"type": "syslog"}
    },
    {
      "paths": ["<path to other log files>"],
      "fields": {"type": "nginx"}
    }
  ]
}
Attention:
"servers": ["www.elk.com:5000"]
You must write the domain name here, not the server's IP address, because with the IP address the certificate check does not pass.
"ssl ca" must point to the correct path.
Verification
Run on the client:
# echo "I am Logstash client, via forward to server side" >> /var/log/secure
View the Kibana front end:
[Image: Logstash_forword3.png]
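The note above that "servers" must use the domain name and not the IP comes down to which names the certificate from step 1 contains. The script below is an added example, not part of the original post: it generates a scratch certificate with the same openssl command and asks openssl whether it covers the name and the IP. The function names and the scratch directory are assumptions of the example, and -checkhost / -checkip need OpenSSL 1.0.2 or later.

```sh
#!/bin/sh
# Added example (not from the original post): check that every "servers"
# entry a shipper will use is a name the server certificate covers.

# make_cert DIR: self-signed certificate generated as in step 1, but written
# to a scratch directory instead of /etc/pki/tls. Note that -nodes stores the
# private key unencrypted, so the real key file should be readable by root only.
make_cert() {
  openssl req -subj '/CN=www.elk.com/' -x509 -days 3650 -batch -nodes \
    -newkey rsa:2048 -keyout "$1/logstash-forwarder.key" \
    -out "$1/logstash-forwarder.crt" 2>/dev/null
}

# cert_covers CERT HOST: succeeds only if CERT is valid for HOST.
# Digits and dots only means an IPv4 literal, which must match an IP SAN;
# anything else is checked as a DNS name (SAN, or CN when there is no SAN).
cert_covers() {
  case $2 in
    *[!0-9.]*) cc_flag=-checkhost ;;
    *)         cc_flag=-checkip ;;
  esac
  openssl x509 -in "$1" -noout "$cc_flag" "$2" | grep -q 'does match'
}

# check_servers CERT ENTRY...: each ENTRY is host:port as in "servers".
# Prints a verdict per entry; the return status is the number of failures.
check_servers() {
  cs_cert=$1; cs_bad=0; shift
  for cs_entry in "$@"; do
    if cert_covers "$cs_cert" "${cs_entry%:*}"; then
      echo "ok    $cs_entry"
    else
      echo "FAIL  $cs_entry is not a name in the certificate"
      cs_bad=$((cs_bad + 1))
    fi
  done
  return "$cs_bad"
}

# Demo with this article's server name and IP (constructed scratch cert).
demo() {
  demo_dir=$(mktemp -d) || return 1
  make_cert "$demo_dir" || return 1
  check_servers "$demo_dir/logstash-forwarder.crt" \
    www.elk.com:5000 192.168.100.10:5000 || echo "fix the FAIL entries"
  rm -rf "$demo_dir"
}
demo
```

To check a real deployment, call check_servers with /etc/pki/tls/certs/logstash-forwarder.crt and the entries from /etc/logstash-forwarder.conf before restarting the forwarder.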
"What to study Next"
1 ELK indices
2 Multiple log files
3 Logstash configuration files
This article is from the "Tridewah operation and maintenance work Road" blog, please be sure to keep this source http://cuidehua.blog.51cto.com/5449828/1771979
ELK: how to set up a client and send its logs to Logstash on the server