Collecting Ubuntu system logs with Filebeat

Requirement: collect the Ubuntu system logs with Filebeat and send them to Logstash; Logstash forwards the data to Elasticsearch, and finally the log data is displayed in Kibana.

Filebeat System module

Filebeat modules simplify the collection, parsing and visualization of common log formats. A typical module (for example the Nginx module) consists of one or more filesets, each covering one log file (for Nginx the default filesets are access.log and error.log). Here we use Filebeat's System module to collect the Ubuntu system logs.

The following steps describe how to configure the System module (assuming Filebeat is already installed).

Enable the System module

Filebeat modules are not enabled by default; a module is enabled as follows. Locate the filebeat program and run the modules enable command:

$ sudo ./filebeat modules enable system

The command above enables the system module. Use the following command to list the modules that are currently enabled:

$ sudo ./filebeat modules list

Send the data to Logstash

Configure Filebeat to send log lines to Logstash. To do this, disable the Elasticsearch output in the configuration file filebeat.yml and enable the Logstash output:

#output.elasticsearch:
  #hosts: ["xxx.xxx.xxx.xxx:9200"]
output.logstash:
  hosts: ["xxx.xxx.xxx.xxx:5044"]

Restart the filebeat service

$ sudo systemctl restart filebeat.service

Logstash data-processing configuration

Getting Logstash to accept the data sent by the Filebeat System module takes some effort; at a minimum we need a configuration as involved as the following:

input {
  # Listen for Filebeat on the port configured in filebeat.yml (output.logstash.hosts)
  beats {
    port => 5044
    host => "0.0.0.0"
  }
}
filter {
  if [fileset][module] == "system" {
    # auth.log: sshd, sudo, groupadd and useradd events, then a catch-all pattern
    if [fileset][name] == "auth" {
      grok {
        match => { "message" => ["%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]} sshd(?:\[%{POSINT:[system][auth][pid]}\])?: %{DATA:[system][auth][ssh][event]} %{DATA:[system][auth][ssh][method]} for (invalid user )?%{DATA:[system][auth][user]} from %{IPORHOST:[system][auth][ssh][ip]} port %{NUMBER:[system][auth][ssh][port]} ssh2(: %{GREEDYDATA:[system][auth][ssh][signature]})?",
                  "%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]} sshd(?:\[%{POSINT:[system][auth][pid]}\])?: %{DATA:[system][auth][ssh][event]} user %{DATA:[system][auth][user]} from %{IPORHOST:[system][auth][ssh][ip]}",
                  "%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]} sshd(?:\[%{POSINT:[system][auth][pid]}\])?: Did not receive identification string from %{IPORHOST:[system][auth][ssh][dropped_ip]}",
                  "%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]} sudo(?:\[%{POSINT:[system][auth][pid]}\])?: \s*%{DATA:[system][auth][user]} :( %{DATA:[system][auth][sudo][error]} ;)? TTY=%{DATA:[system][auth][sudo][tty]} ; PWD=%{DATA:[system][auth][sudo][pwd]} ; USER=%{DATA:[system][auth][sudo][user]} ; COMMAND=%{GREEDYDATA:[system][auth][sudo][command]}",
                  "%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]} groupadd(?:\[%{POSINT:[system][auth][pid]}\])?: new group: name=%{DATA:[system][auth][groupadd][name]}, GID=%{NUMBER:[system][auth][groupadd][gid]}",
                  "%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]} useradd(?:\[%{POSINT:[system][auth][pid]}\])?: new user: name=%{DATA:[system][auth][user][add][name]}, UID=%{NUMBER:[system][auth][user][add][uid]}, GID=%{NUMBER:[system][auth][user][add][gid]}, home=%{DATA:[system][auth][user][add][home]}, shell=%{DATA:[system][auth][user][add][shell]}$",
                  "%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]} %{DATA:[system][auth][program]}(?:\[%{POSINT:[system][auth][pid]}\])?: %{GREEDYMULTILINE:[system][auth][message]}"] }
        pattern_definitions => {
          "GREEDYMULTILINE" => "(.|\n)*"
        }
        remove_field => "message"
      }
      date {
        match => [ "[system][auth][timestamp]", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
      }
      geoip {
        source => "[system][auth][ssh][ip]"
        target => "[system][auth][ssh][geoip]"
      }
    } else if [fileset][name] == "syslog" {
      # syslog: program, optional pid and the (possibly multi-line) message
      grok {
        match => { "message" => ["%{SYSLOGTIMESTAMP:[system][syslog][timestamp]} %{SYSLOGHOST:[system][syslog][hostname]} %{DATA:[system][syslog][program]}(?:\[%{POSINT:[system][syslog][pid]}\])?: %{GREEDYMULTILINE:[system][syslog][message]}"] }
        pattern_definitions => { "GREEDYMULTILINE" => "(.|\n)*" }
        remove_field => "message"
      }
      date {
        match => [ "[system][syslog][timestamp]", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
      }
    }
  }
}
output {
  elasticsearch {
    hosts => ["xxx.xxx.xxx.xxx:9200"]
    manage_template => false
    # One index per Beat, version and day, e.g. filebeat-7.x.y-2019.07.01
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
  }
}

Dealing with a problem

Looking at this configuration I expected it to just work! Unfortunately it does not, at least not on my Ubuntu 18.04. The core issue is that both auth.log and syslog record their timestamps in the local time zone:

The configuration above treats these timestamps as UTC. Once the cause is known the fix is easy: add the local time zone to the date plugin. For example, the author is in UTC+8 (China Standard Time), so the following setting is added to both date blocks:

timezone => "Asia/Chongqing"
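
As an added example (not code from the original post), the following Python script does for a handful of constructed auth.log lines what the grok and date filters above do in Logstash: it applies the sshd and sudo patterns in order, parses the year-less, zone-less syslog timestamp, and attaches the local zone (Asia/Chongqing, UTC+8) before converting to UTC, which is exactly the step the timezone option adds. The failed-login counter at the end shows the kind of detection the parsed fields make possible. The field names, the sample lines and the IP addresses are my own assumptions.

```python
"""Parse Ubuntu auth.log lines the way the Logstash grok and date filters above do.

Added example (not code from the original post): the regexes mirror the sshd and
sudo grok patterns, and the timestamp handling shows the local-time problem the
date filter's "timezone" option fixes. Sample log lines are constructed.
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import Optional

# Asia/Chongqing (the zone from the post) is UTC+8 all year; fall back to a fixed
# offset when the host has no IANA tz database installed.
try:
    from zoneinfo import ZoneInfo
    LOCAL_TZ = ZoneInfo("Asia/Chongqing")
except Exception:
    LOCAL_TZ = timezone(timedelta(hours=8))

# %{SYSLOGTIMESTAMP} %{SYSLOGHOST} prefix shared by every pattern.
PREFIX = r"^(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<hostname>\S+) "

# Same order as the grok "match" array: most specific first, catch-all last.
PATTERNS = [
    ("ssh_login", re.compile(PREFIX + r"sshd(?:\[(?P<pid>\d+)\])?: (?P<event>\S+) (?P<method>\S+) for "
                             r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+) ssh2"
                             r"(?:: (?P<signature>.*))?$")),
    ("ssh_user", re.compile(PREFIX + r"sshd(?:\[(?P<pid>\d+)\])?: (?P<event>.+?) user (?P<user>\S+) from (?P<ip>\S+)")),
    ("ssh_dropped", re.compile(PREFIX + r"sshd(?:\[(?P<pid>\d+)\])?: Did not receive identification string from (?P<dropped_ip>\S+)$")),
    ("sudo", re.compile(PREFIX + r"sudo(?:\[(?P<pid>\d+)\])?:\s*(?P<user>\S+) :(?: (?P<error>[^;]+) ;)? TTY=(?P<tty>\S+) ; "
                        r"PWD=(?P<pwd>\S+) ; USER=(?P<target_user>\S+) ; COMMAND=(?P<command>.*)$")),
    ("generic", re.compile(PREFIX + r"(?P<program>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<message>.*)$")),
]


def syslog_time_to_utc(stamp: str, year: int) -> str:
    """Turn 'MMM  d HH:mm:ss' / 'MMM dd HH:mm:ss' into a UTC ISO 8601 string.

    The syslog stamp carries neither year nor zone. Logstash's date filter fills
    in the current year and, without "timezone", assumes UTC; auth.log is written
    in local time, so events land eight hours off. Here LOCAL_TZ is attached first.
    """
    local = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S").replace(tzinfo=LOCAL_TZ)
    return local.astimezone(timezone.utc).isoformat()


def parse_auth_line(line: str, year: int) -> Optional[dict]:
    """Return the first matching pattern's fields plus 'kind', or None (grok's _grokparsefailure)."""
    for kind, regex in PATTERNS:
        m = regex.match(line)
        if not m:
            continue
        event = {k: v for k, v in m.groupdict().items() if v is not None}
        event["kind"] = kind
        event["timestamp"] = syslog_time_to_utc(event["timestamp"], year)
        if kind == "ssh_login":
            # sshd prefixes unknown accounts with "invalid user"; keep that as a flag.
            event["invalid_user"] = event.pop("invalid", None) is not None
        return event
    return None


def failed_logins_by_source(lines, year: int) -> Counter:
    """Count sshd 'Failed' login events per source IP, a basic brute-force indicator."""
    counts = Counter()
    for line in lines:
        ev = parse_auth_line(line, year)
        if ev and ev["kind"] == "ssh_login" and ev["event"] == "Failed":
            counts[ev["ip"]] += 1
    return counts


# Constructed sample auth.log lines (documentation IP ranges, made-up fingerprint).
SAMPLE_AUTH_LOG = [
    "Jul  1 08:23:45 ubuntu sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 41234 ssh2",
    "Jul  1 08:23:49 ubuntu sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 41236 ssh2",
    "Jul  1 08:24:01 ubuntu sshd[1240]: Accepted publickey for alice from 198.51.100.7 port 51022 ssh2: RSA SHA256:EXAMPLEFINGERPRINT",
    "Jul  1 08:24:30 ubuntu sshd[1250]: Did not receive identification string from 203.0.113.9",
    "Jul  1 08:25:10 ubuntu sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update",
    "Jul  1 08:26:00 ubuntu systemd-logind[800]: New session 3 of user alice.",
]

if __name__ == "__main__":
    for raw in SAMPLE_AUTH_LOG:
        print(parse_auth_line(raw, 2019))
    print(failed_logins_by_source(SAMPLE_AUTH_LOG, 2019))
```

Running the script turns "Jul  1 08:23:45" into "2019-07-01T00:23:45+00:00"; without the zone step the same line would be stored as 08:23:45 UTC, eight hours late, which is the symptom described above. The year is passed in explicitly so the output is reproducible; Logstash uses the current year instead.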

Let a separate pipeline handle this data stream

Next, create a new directory /etc/logstash/myconf.d and, inside it, the Logstash configuration file krtest.conf. Then add a new pipeline entry to /etc/logstash/pipelines.yml:

- pipeline.id: main
  path.config: "/etc/logstash/conf.d/*.conf"
- pipeline.id: krtest
  path.config: "/etc/logstash/myconf.d/krtest.conf"

The pipeline with pipeline.id main is the default configuration; we add a pipeline with the id krtest and point it at its own configuration file. Write the configuration above into /etc/logstash/myconf.d/krtest.conf, then restart the logstash service:

$ sudo systemctl restart logstash.service

Viewing the logs in Kibana

Finally, add an index pattern beginning with filebeat in Kibana, and the Ubuntu system logs can be browsed in the graphical interface:

References:
Filebeat Modules
System module
Working with Filebeat Modules

Source: www.cnblogs.com/sparkdev/p/11125811.html