Suzf Blog

前言

本文的主要目的是将 Apache 的访问日志转换成 JSON 格式，然后存储到 ES, 供 ELK Stack Platform 进行数据分析与统计。 尽管现在许多发行版本都已经默认安装上了 rsyslog, 但是还是推荐从 rsyslog repositories 获取最新的稳定版本。这样你将从中获益。你将需要下面的软件包：

• rsyslog-mmnormalize. This gives you mmnormalize, a module that will do the parsing of common Apache logs to JSON
• rsyslog-elasticsearch, for the Elasticsearch output

让我现在就开始配置吧。需要执行以下操作：

1. 加载所需模块
2. 将 Apache log 传送到中心日志服务器
3. 配置主队列缓冲您的消息。 这也是定义工作线程数和批量大小的地方（也可以是 Elasticsearch 块的大小）
4. 将 Apache log 转换成 JSON
5. 定义一个模板，您可以在其中指定 JSON 信息的格式。 您可以使用此模板通过Elasticsearch输出将日志发送到 Elasticsearch / Logstash

前言 我想使用 RHEL/CentOS 系统自带的日志工具Rsyslog, 根据程序日志类别动态存储到一个以程序名命名的文件。

Originally posted on Centralized logging for fun and profit

Setting up a centralized log server using syslog isn't as hard as many may believe. Whether it's logs from Apache, nginx, email services, or even from your own Python applications having a central log server gives you many benefits:

Benefits to a centralized logs

• Reduces disk space usage and disk I/O on core servers that should be busy doing something else. This is especially true if you want to log all queries to your database. Doing this on the same disk as your actual database creates a write for every read and an extra write for every write.
• Removes logs from the server in the event of an intrusion or system failure. By having the logs elsewhere you at least have a chance of finding something useful about what happened.
• All of your logs are in one place, duh! This makes things like grepping through say Apache error logs across multiple webservers easier than bouncing around between boxes. Any log processing and log rotation can also be centralized which may delay your sysadmin from finally snapping and killing everyone.

前言 本文主要简述的如何使用 Rsyslog 实现日志的中心化，并利用 ELK Stack 实现图形搜索与数据统计。

Originally posted on the server as code: Rsyslog to Elasticsearch

长时间以来，系统管理部门已经知道，集中日志很重要，无论是故障排除还是出于安全考虑。 在我看来，我不仅要集中日志，还要让它们可以搜索。 （在集中式日志文件上的 grep 不是很强大，但这不是我正在寻找的解决方案。）

Elasticsearch

... is a distributed, RESTful search and analytics engine capable of solving a growing number of use cases. As the heart of the Elastic Stack, it centrally stores your data so you can discover the expected and uncover the unexpected.

它提供的几个基础的功能有：存储/索引/搜索 数据。它是典型 ELK Stack（Elasticsearch, Logstash, and Kibana ）的一部分。 作为系统管理员，我认为还需要注意的是，当用作集群时，Elasticsearch是分布式系统。 不应该轻率地添加另一个分布式系统。 作为一个例子，我现在有了生产分布式系统的MySQL Galera，RabbitMQ，Nomad和Elasticsearch。

Article: Structured Logging with Rsyslog and Elasticsearch Author: Radu Gheorghe

As more and more organizations are starting to use our Performance Monitoring and Search Analytics services, we have more and more logs from various components that make up these applications.  So what do we do?  Do we just keep logging everything to files, rotating them, and grepping them when we need to troubleshoot something?  There must be something better we can do!  And indeed, there is – so much so, that we’ll soon be launching Logsene – a Log Analytics service to complement SPM.  When your applications generate a lot of logs, you’d probably want to make some sense of them by searching and/or statistics. Here’s when structured logging comes in handy, and I would like to share some thoughts and configuration examples of how you could use a popular syslog daemon like rsyslog to handle both structured and unstructured logs. Then I’m going to look at how you can take those logs, format them in JSON, and index them with Elasticsearch – for some fast and easy searching and statistics.  If you are going to Berlin Buzzwords this year and you are into logging, Logstash, ElasticSearch, or Kibana, I’ll be talking about them in my JSON logging with ElasticSearch presentation.

一、简介

LogAnalyzer 是一款syslog日志和其他网络事件数据的Web前端。它提供了对日志的简单浏览、搜索、基本分析和一些图表报告的功能。数据可以从数据库或一般的 syslog文本文件中获取，所以LogAnalyzer不需要改变现有的记录架构。基于当前的日志数据，它可以处理syslog日志消息，Windows事件日志记录，支持故障排除，使用户能够快速查找日志数据中看出问题的解决方案。

LogAnalyzer 获取客户端日志会有两种保存模式，一种是直接读取客户端/var/log/目录下的日志并保存到服务端该目录下，一种是读取后保存到日志服务器数据库中，推荐使用后者。

LogAnalyzer 采用php开发，所以日志服务器需要php的运行环境，本文采用LAMP。

有时您可能会想，是否您创建的配置真的被使用。至少它的一部分没有生效，这真的可以在很多情况下发生。目前，配置格式发生了很大改变。这迫使想要使用新格式的用户使用旧的和新的配置风格的混合模式。这是可以发生很多混乱的地方，这导致不能正确设置配置变量。实际上，您只需要在配置中创建一些一致的。大多数输出​​模块已经更新。如果要使用新格式，则不能同时使用一些旧的配置指令和一些新的配置指令。旧的将被忽略。相反，将使用默认值。一个很常见的情况是队列，这是我将用于展示的例子

# grep "Debug Rsyslog" -A 2 /etc/rsyslog.conf
# Debug Rsyslog
$DebugFile /var/log/rsyslog-debug.log
$DebugLevel 2

之后重启 Rsyslog

# head /var/log/rsyslog-debug.log 

7201.157636478:7fda87eb9780: debug level 2 set via config file
7201.157787141:7fda87eb9780: This is rsyslog version 7.4.7
7201.157882255:7fda87eb9780: cnf:global:cfsysline: $ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
7201.157990846:7fda87eb9780: Requested to load module 'imuxsock'
7201.158081765:7fda87eb9780: loading module '/usr/lib64/rsyslog/imuxsock.so'
7201.229115267:7fda87eb9780: imuxsock version 7.4.7 initializing
7201.229297485:7fda87eb9780: rsyslog/glbl: using '127.0.0.1' as localhost IP
7201.229537950:7fda87eb9780: module imuxsock of type 0 being loaded (keepType=0).
7201.229673687:7fda87eb9780: module config name is 'imuxsock'

Reference

[0] http://www.rsyslog.com/how-to-use-debug-on-demand/

[1] http://www.rsyslog.com/how-to-create-debug-information-with-strace/

[2] http://www.rsyslog.com/how-to-check-if-config-variables-are-used/