Use cases elk gather network equipment

Brief introduction

With the increase in server and network equipment in the room, log management, and query the system administrator has become a headache.

Common problems encountered by the system administrator as follows:

1. Routine maintenance is not possible to log in to each server and equipment up to view the log;
2. Limited storage space on the network equipment, the date can not be stored too long log, and system problems there may be some operations due to take place a long time ago;
3. In some trespass case, the intruder usually clear the local log, clear signs of intrusion;
4. zabbix and other monitoring systems can not replace log management, such as project monitoring system can not log on, the scheduled task execution.

For these reasons, Rsyslog build a log server for centralized management of logs in the current network environment, it is very necessary.

Advantage Rsyslog services are as follows:

1. Rsyslog server can support most network devices, device options in the system network device configuration options are mostly remote log service. Simply fill in the IP address and port (most devices have a default is 514), and then determine on it;
2. Linux servers only need to add in the local Rsyslog service configuration in a single line can send logs to the log server, configure and deploy it very simple;
   deployment architecture

Deployment Architecture

Rsyslog Configuration

系统环境及软件版本：
CentOS Linux release 7.5.1804 (Core)
Elasticserch-6.8.4
Kibana-6.8.4
Logstash-6.8.4
Filebeat-6.8.4
Rsyslog-8.24.0

The SELINUX set to disabled

# setenforce 0
# sed -i 's#SELINUX=enforcing#SELINUX=disabled#g' /etc/selinux/config

Firewall Configuration

firewall-cmd  --add-service=syslog --permanent
firewall-cmd  --reload

Check whether the software is installed rsyslog

# CentOS7 installed by default rsyslog

[root@ZABBIX-Server ~]# rpm -qa |grep rsyslog
rsyslog-8.24.0-16.el7.x86_64

Rsyslog configuration file editing

vim /etc/rsyslog.conf # changes were as follows

[root@ZABBIX-Server mnt]# egrep -v "*#|^$" /etc/rsyslog.conf
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
*.info;mail.none;authpriv.none;cron.none;local6.none;local5.none;local4.none                /var/log/messages
$template h3c,"/mnt/h3c/%FROMHOST-IP%.log"
local6.* ?h3c
$template huawei,"/mnt/huawei/%FROMHOST-IP%.log"
local5.* ?huawei
$template cisco,"/mnt/cisco/%FROMHOST-IP%.log"
local4.* ?cisco

$ModLoad imudp            # immark是模块名，支持tcp协议  
$ModLoad imudp             # imupd是模块名，支持udp协议    
$InputTCPServerRun 514
$UDPServerRun 514          #允许514端口接收使用UDP和TCP协议转发过来的日志

note:

*.info;mail.none;authpriv.none;cron.none;local6.none;local5.none;local4.none         /var/log/messages
默认没有添加local6.none;local5.none;local4.none 命令，网络日志在写入对应的文件的同时会写入/var/log/messages 中

Check the rsyslog service

Restart rsyslog service

systemctl restart rsyslog.service

Log store directory

Point to the network device log syslog server, attention to the different devices from different manufacturers corresponding local, correspondence is as follows:

/mnt/huawei   --- local6
/mnt/h3c      --- local5
/mnt/cisco     --- local4

Network Device Configuration

Huawei：
info-center loghost source Vlanif99
info-center loghost 192.168.99.50 facility local5

H3C:
info-center loghost source Vlan-interface99
info-center loghost 192.168.99.50 facility local6

CISCO:
(config)#logging on
(config)#logging 192.168.99.50 
(config)#logging facility local4
(config)#logging source-interface e0

Ruijie：
logging buffered warnings
logging source interface VLAN 99
logging facility local6
logging server 192.168.99.50

Note: 192.168.99.50 to rsyslog server IP

Edit the configuration file filebeat

Log files collected under rsyslog to logstash

[root@ZABBIX-Server mnt]# egrep -v "^#|^$" /etc/filebeat/filebeat.yml
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /mnt/huawei/*
  tags: ["huawei"]
  include_lines: ['Failed','failed','error','ERROR','\bDOWN\b','\bdown\b','\bUP\b','\bup\b']
  drop_fields:
    fields: ["beat","input_type","source","offset","prospector"]
- type: log
  paths:
    - /mnt/h3c/*
  tags: ["h3c"]
  include_lines: ['Failed','failed','error','ERROR','\bDOWN\b','\bdown\b','\bUP\b','\bup\b']
  drop_fields:
    fields: ["beat","input_type","source","offset","prospector"]
setup.template.settings:
  index.number_of_shards: 3
output.logstash:
  hosts: ["192.168.99.185:5044"]
processors:
  - add_host_metadata: ~
  - add_cloud_metadata: ~

Edit the configuration file logstash

Filebeat log of transmitted according to different tags each treatment, the log data storage process is completed on the transmitted ES, and further on the visual display kibana

[root@elk-node1 ~]# egrep -v "^#|^$" /etc/logstash/conf.d/networklog.conf
input {
  beats {
    port => 5044
  }

}
filter {
  if "huawei" in [tags] {
    grok{
      match => {"message" => "%{SYSLOGTIMESTAMP:time} %{DATA:hostname} %{GREEDYDATA:info}"}
        }
  }
   else if "h3c" in [tags] {
    grok{
      match => {"message" => "%{SYSLOGTIMESTAMP:time} %{YEAR:year} %{DATA:hostname} %{GREEDYDATA:info}"}
        }
  }
mutate {
      remove_field => ["message","time","year","offset","tags","path","host","@version","[log]","[prospector]","[beat]","[input][type]","[source]"]
    }
}
output{
stdout {codec => rubydebug}
elasticsearch {
    index => "networklogs-%{+YYYY.MM.dd}"
    hosts => ["192.168.99.185:9200"]
    sniffing => false
    }
}

Do visual configuration on kibana

Create an index matching pattern storage network equipment log index

Creating a data table

kibana data tables can be exported as a CSV file

Create a pie chart

---

Welcome attention to individual public number "Master Chen's no story."