客户端rsyslog 配置文件。
在最低端加入
$template SpiceTmpl,"%TIMESTAMP%.%TIMESTAMP:::date-subseconds% %syslogtag% %syslogseverity-text%:%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"
:programname, startswith, "spice-vdagent" /var/log/spice-vdagent.log;SpiceTmpl
*.* @192.168.0.66:514
<!--[if gte vml 1]><v:shapetype id="_x0000_t75" coordsize="21600,21600" o:spt="75" o:preferrelative="t" path="m@4@5l@4@11@9@11@9@5xe" filled="f" stroked="f"> <v:stroke joinstyle="miter"/> <v:formulas> <v:f eqn="if lineDrawn pixelLineWidth 0"/> <v:f eqn="sum @0 1 0"/> <v:f eqn="sum 0 0 @1"/> <v:f eqn="prod @2 1 2"/> <v:f eqn="prod @3 21600 pixelWidth"/> <v:f eqn="prod @3 21600 pixelHeight"/> <v:f eqn="sum @0 0 1"/> <v:f eqn="prod @6 1 2"/> <v:f eqn="prod @7 21600 pixelWidth"/> <v:f eqn="sum @8 21600 0"/> <v:f eqn="prod @7 21600 pixelHeight"/> <v:f eqn="sum @10 21600 0"/> </v:formulas> <v:path o:extrusionok="f" gradientshapeok="t" o:connecttype="rect"/> <o:lock v:ext="edit" aspectratio="t"/> </v:shapetype><v:shape id="图片_x0020_2" o:spid="_x0000_i1029" type="#_x0000_t75" style='width:415.5pt;height:62.25pt;visibility:visible;mso-wrap-style:square'> <v:imagedata src="file:///C:/Users/ADMINI~1/AppData/Local/Temp/msohtmlclip1/01/clip_image001.png" o:title=""/> </v:shape><![endif]--><!--[if !vml]--><!--[endif]-->
服务器端rsyslog 配置文件
<!--[if gte vml 1]><v:shape id="图片_x0020_3" o:spid="_x0000_i1028" type="#_x0000_t75" style='width:415.5pt; height:280.5pt;visibility:visible;mso-wrap-style:square'> <v:imagedata src="file:///C:/Users/ADMINI~1/AppData/Local/Temp/msohtmlclip1/01/clip_image003.png" o:title=""/> </v:shape><![endif]--><!--[if !vml]--><!--[endif]-->
去掉
$ModLoad imudp
$UDPServerRun 514
前的注释
在#### GLOBAL DIRECTIVES #### 下加入
$template IpTemplate,"/var/log/%FROMHOST-IP%.log"
*.* ?IpTemplate
& ~
在最低端加入
$template SpiceTmpl,"%TIMESTAMP%.%TIMESTAMP:::date-subseconds% %syslogtag% %syslogseverity-text%:%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"
#
:programname, startswith, "spice-vdagent"<span style="white-space:pre"> </span>/var/log/spice-vdagent.log;SpiceTmpl
<!--[if gte vml 1]><v:shape id="图片_x0020_4" o:spid="_x0000_i1027" type="#_x0000_t75" style='width:415.5pt; height:48.75pt;visibility:visible;mso-wrap-style:square'> <v:imagedata src="file:///C:/Users/ADMINI~1/AppData/Local/Temp/msohtmlclip1/01/clip_image005.png" o:title=""/> </v:shape><![endif]--><!--[if !vml]--><!--[endif]-->
<!--[if !supportLists]-->• <!--[endif]-->
logstash 创建agent脚本
input {
syslog{
# host =>"192.168.0.66"
port =>5514
}
file {
path => [ "/var/log/*.log", "/var/log/messages", "/var/log/syslog", "/var/log/aaa.log","/var/log/lastlog"]
type => "syslog"
}
}
output {
elasticsearch {
hosts =>["192.168.0.66:9200"]
}
stdout { codec => rubydebug }
}
filter {
if [type] == "syslog" {
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
add_field => [ "received_at", "%{@timestamp}" ]
add_field => [ "received_from", "%{host}" ]
}
syslog_pri { }
date {
match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
}
}
}
<!--[if gte vml 1]><v:shape id="图片_x0020_5" o:spid="_x0000_i1026" type="#_x0000_t75" style='width:414.75pt; height:255.75pt;visibility:visible;mso-wrap-style:square'> <v:imagedata src="file:///C:/Users/ADMINI~1/AppData/Local/Temp/msohtmlclip1/01/clip_image007.png" o:title=""/> </v:shape><![endif]--><!--[if !vml]--><!--[endif]-->
启动log
<!--[if gte vml 1]><v:shape id="图片_x0020_6" o:spid="_x0000_i1025" type="#_x0000_t75" style='width:414.75pt; height:33pt;visibility:visible;mso-wrap-style:square'> <v:imagedata src="file:///C:/Users/ADMINI~1/AppData/Local/Temp/msohtmlclip1/01/clip_image009.png" o:title=""/> </v:shape><![endif]--><!--[if !vml]--><!--[endif]-->