How can I get log messages from a juniper switch to get processed by the ELK stack using filebeat?

I apologize in advance, as I am fairly new to using Stack Overflow. Please let me know if I need to change anything about my question.

I am currently trying to set up a log aggregator for my work. My plan is to use the Elastic Stack and Filebeat to gather the logs and display them. I used this tutorial to set up the initial server:

https://www.digitalocean.com/community/tutorials/how-to-install-elasticsearch-logstash-and-kibana-elastic-stack-on-ubuntu-18-04

I was able to read the syslogs from the system using the Filebeat system module, just like in the tutorial. I then disabled it so that I could try to log the syslogs from a Juniper switch without the interference of having to read through all the server syslogs.

Right now I am just trying to get the logs to come in from a Juniper switch to my virtual machine. I have the switch set up to send syslogs to the virtual machine's IP on port 9513. I can see the logs coming in when I use tcpdump to monitor the port.

user@logserver:~$ sudo tcpdump -i ens160 port 9513
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens160, link-type EN10MB (Ethernet), capture size 262144 bytes
16:42:20.558768 IP ***.***.***.***.syslog > logserver.9513: SYSLOG local7.info, length: 124
16:45:00.571980 IP ***.***.***.***.syslog > logserver.9513: SYSLOG cron.info, length: 79
16:45:00.576370 IP ***.***.***.***.syslog > logserver.9513: SYSLOG cron.info, length: 91
16:47:45.944277 IP ***.***.***.***.syslog > logserver.9513: SYSLOG local7.info, length: 124
16:48:20.568840 IP ***.***.***.***.syslog > logserver.9513: SYSLOG local7.info, length: 64
16:50:00.653082 IP ***.***.***.***.syslog > logserver.9513: SYSLOG cron.info, length: 91
16:50:55.769884 IP ***.***.***.***.syslog > logserver.9513: SYSLOG local7.info, length: 106
16:50:55.777058 IP ***.***.***.***.syslog > logserver.9513: SYSLOG local7.notice, length: 112
16:50:57.704914 IP ***.***.***.***.syslog > logserver.9513: SYSLOG local7.info, length: 101
16:50:57.817315 IP ***.***.***.***.syslog > logserver.9513: SYSLOG local7.notice, length: 112
16:55:00.701165 IP ***.***.***.***.syslog > logserver.9513: SYSLOG cron.info, length: 91
17:00:00.766060 IP ***.***.***.***.syslog > logserver.9513: SYSLOG cron.info, length: 91
17:00:00.777780 IP ***.***.***.***.syslog > logserver.9513: SYSLOG cron.info, length: 79

I know there are a few different ways I can use Filebeat to read this input data. One is using the default Juniper module, which I have enabled. I could also set up a syslog type input in the filebeat.yml config file. I have tried both of these methods using both port 9513 and port 514.

# filebeat.yml
filebeat.inputs:

- type: syslog
  protocol.udp:
    host: "localhost:514"    # "localhost" binds 127.0.0.1 only; datagrams arriving on ens160 from the switch never reach this listener
- type: syslog
  protocol.udp:
    host: "localhost:9513"   # same problem: loopback only

# module settings (normally kept in modules.d/juniper.yml)
- module: juniper
  junos:
    enabled: true

    # Set which input to use between udp (default), tcp or file.
    # var.* keys must sit at the same indentation as "enabled"
    var.input: udp
    var.syslog_host: localhost   # loopback only; use 0.0.0.0 or the ens160 address to accept the switch's traffic
    var.syslog_port: 514         # already claimed by the syslog input above; two UDP listeners on one address:port conflict
- module: juniper
  junos:
    enabled: true

    # Set which input to use between udp (default), tcp or file.
    var.input: udp
    var.syslog_host: localhost   # loopback only
    var.syslog_port: 9513        # default port of the junos fileset; also already claimed by the second syslog input above

I am guessing that there is something in the Filebeat configuration that I am not understanding, since Filebeat isn't sending any of the syslog info to Logstash. I also used tcpdump on port 5044 and the lo interface; that is the port the tutorial uses to set up the output of Filebeat and the input of Logstash. When I run it and receive a new log from the switch on either port 514 or 9513, nothing gets sent through 5044, as shown here:

user@logserver:~$ sudo tcpdump -i lo port 5044
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel

Any help understanding Filebeat would be much appreciated. Thank you in advance.
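The tcpdump lines above already tell you two things: the switch's datagrams are arriving on ens160 (so the problem is on the receiving side), and each one carries a PRI value that tcpdump decodes for you as facility.severity (local7.info, cron.info). A listener configured with `localhost` binds only 127.0.0.1, so traffic addressed to the VM's NIC is never delivered to it, and two listeners on the same address and port (the syslog input plus the module's own UDP input) cannot both bind. The script below is an added example, not code from the original post or from Filebeat: it decodes PRI values the way tcpdump does, builds a Junos-style BSD syslog line (the hostname, process and UI_COMMIT text are constructed samples) and sends it over UDP so you can probe a Filebeat listener on any bind address from the server itself, without waiting for the switch. The target host and port are command-line assumptions; `loopback_roundtrip` binds a throwaway receiver to show what a correctly bound listener returns.

```python
"""Probe a UDP syslog listener with a constructed Junos-style message.

Added example, not part of the original question or of Filebeat.
Hostnames, ports and the sample message text are assumptions.
"""
import socket
import sys
import time

# RFC 3164 facility and severity tables: PRI = facility * 8 + severity
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def decode_pri(pri: int):
    """Return (facility, severity) names for a PRI value, as tcpdump prints them."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def encode_pri(facility: str, severity: str) -> int:
    """Inverse of decode_pri; raises ValueError on unknown names."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)


def bsd_timestamp(t=None) -> str:
    """BSD syslog timestamp: 'Mmm dd hh:mm:ss' with a space-padded day."""
    t = t or time.localtime()
    return f"{time.strftime('%b', t)} {t.tm_mday:2d} {time.strftime('%H:%M:%S', t)}"


def build_message(facility, severity, hostname, process, text, ts=None) -> bytes:
    """Build the BSD-style line Junos sends by default: <PRI>timestamp host process: text."""
    ts = ts or bsd_timestamp()
    return f"<{encode_pri(facility, severity)}>{ts} {hostname} {process}: {text}".encode()


def parse_message(datagram: bytes):
    """Split a received datagram into (facility, severity, body); rejects lines without a PRI."""
    if not datagram.startswith(b"<") or b">" not in datagram[:5]:
        raise ValueError("missing PRI header")
    end = datagram.index(b">")
    facility, severity = decode_pri(int(datagram[1:end]))
    return facility, severity, datagram[end + 1:].decode(errors="replace")


def send_udp(datagram: bytes, host: str, port: int) -> int:
    """Fire one datagram at host:port and return the byte count the kernel accepted."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(datagram, (host, port))


def loopback_roundtrip(datagram: bytes, bind_host: str = "127.0.0.1") -> bytes:
    """Bind a throwaway receiver on bind_host, send to it, return what arrived.

    A UDP receiver only sees datagrams addressed to the interface it is bound
    to, which is why a Filebeat listener on localhost misses traffic that the
    switch sends to the address on ens160.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind((bind_host, 0))          # port 0: let the kernel pick a free port
        rx.settimeout(2)
        port = rx.getsockname()[1]
        send_udp(datagram, bind_host, port)
        data, _ = rx.recvfrom(65535)
        return data


if __name__ == "__main__":
    # Assumed target: the Filebeat listener on this server, default junos port 9513.
    target_host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 9513
    # Constructed sample: a Junos commit event at local7.info (PRI 190), like the tcpdump lines above.
    msg = build_message("local7", "info", "sw-core1", "mgd[2087]",
                        "UI_COMMIT: User 'admin' requested 'commit' operation (comment: none)")
    print("decoded:", parse_message(msg))
    print(f"sent {send_udp(msg, target_host, target_port)} bytes to {target_host}:{target_port}")
```

Run it once against 127.0.0.1 and once against the VM's ens160 address while watching `sudo tcpdump -i lo port 5044`: if only the loopback send produces Logstash traffic, the listener is bound to localhost. Once you rebind to 0.0.0.0, remember that UDP syslog is unauthenticated and trivially spoofable, so restrict the port with the host firewall to the switch's source address, and prefer the module's `tcp` input (or a TLS-capable collector) where the switch supports it.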

I am not sure what I did exactly, but it appears to be working now. I deleted the Juniper configuration of "set system syslog host . . ." and redid it without the port assignment. This meant all my syslog messages were now going to port 514, so I checked that port on the server. It was receiving all the logs, so I then reset the Logstash and Filebeat config files to the default settings and disabled all modules in Filebeat. I disabled and stopped both Filebeat and Logstash, re-enabled, and restarted them. After that I re-enabled the system and juniper modules in Filebeat. This somehow worked, and I can now see the syslogs coming in to Elasticsearch from the Juniper switch.

Notice: the technical posts on this site follow the CC BY-SA 4.0 license; if you repost, please credit this site's URL or the original address. For any questions contact: yoyou2525@163.com.