ELK: logstash-7.5 collecting switch logs


Published 2023-07-17 (author: )

Problem: someone reported that the 7.x releases cannot collect switch logs, so here is a record of one run of logstash-7.5 collecting logs from a Huawei switch. Prerequisite: the ELK environment is already installed; see the other article for the installation steps.

I. Switch configuration

Add: info-center loghost 192.168.14.210. The IP address is that of the logstash server. Huawei switches send syslog data to UDP port 514 by default.

1. Check the switch version

[SW30]display version

Huawei Versatile Routing Platform Software
VRP (R) software, Version 5.70 (S2700 V100R006C05)
Copyright (C) 2003-2013 HUAWEI TECH CO., LTD
Quidway S2700-9TP-SI-AC Routing Switch uptime is 23 weeks, 5 days, 7 hours, 28 minutes
E8FED 0(Master) : uptime is 23 weeks, 5 days, 7 hours, 27 minutes
64M bytes DDR Memory
16M bytes FLASH
Pcb Version : VER E
Basic BOOTROM Version : 149 Compiled at Mar 15 2013, 11:02:25
Software Version : VRP (R) Software, Version 5.70 (V100R006C05)

2. Configuration contents

[SW30]display current-configuration | in info
 info-center loghost 192.168.14.210
 snmp-agent sys-info version all

II. Installing logstash 7.5

1. Install the JDK

[root@localhost ~]# tar -zxvf jdk-11.0.5_linux-x64_ -C /usr/local/
[root@localhost ~]# vim /etc/profile
export JAVA_HOME=/usr/local/jdk-11.0.5/
export PATH=$PATH:$JAVA_HOME/bin
export CLASSPATH=.:$JAVA_HOME/lib/:$JAVA_HOME/lib/:$CLASSPATH

[root@localhost ~]# source /etc/profile

2. Unpack the logstash binary package

[root@localhost ~]# tar -zxvf -C /usr/local/

3. Add the environment variable

[root@localhost ~]# vi /etc/profile
export PATH=$PATH:/usr/local/logstash-7.5.0/bin
[root@localhost ~]# source /etc/profile

III. Configuring logstash 7.5

1. Stop the rsyslog service, because it occupies port 514 (the port the Huawei switch sends to).

[root@localhost ~]# systemctl stop rsyslog

2. Add the logstash configuration file. Each network device model is told apart by the port logstash listens on for it (the file can be copied and used as-is; only the IP addresses need changing).

[root@localhost ~]# vi /usr/local/logstash-7.5.0/config/

[root@localhost ~]# cat /usr/local/logstash-7.5.0/config/

input {
  tcp { port => 5002 type => "Cisco" }
  udp { port => 514  type => "HUAWEI" }
  udp { port => 5002 type => "Cisco" }
  udp { port => 5003 type => "H3C" }
}

filter {
  if [type] == "Cisco" {
    grok {
      match => { "message" => "<%{BASE10NUM:syslog_pri}>%{NUMBER:log_sequence}: .%{SYSLOGTIMESTAMP:timestamp}: %%{DATA:facility}-%{POSINT:seve
      add_field => { "severity_code" => "%{severity}" }
      overwrite => ["message"]
    }
  } else if [type] == "H3C" {
    grok {
      remove_field => [ "year" ]
      add_field => { "severity_code" => "%{severity}" }
      overwrite => ["message"]
    }
  } else if [type] == "HUAWEI" {
    grok {
      match => { "message" => "<%{BASE10NUM:syslog_pri}>%{NUMBER:log_sequence}: %{SYSLOGTIMESTAMP:timestamp}: %%{DATA:facility}-%{POSINT:seve
      match => { "message" => "<%{BASE10NUM:syslog_pri}>%{SYSLOGTIMESTAMP:timestamp} %{YEAR:year} %{DATA:hostname} %%%{DATA:vvmodule}/%{PO
      match => { "message" => "<%{BASE10NUM:syslog_pri}>%{SYSLOGTIMESTAMP:timestamp} %{DATA:hostname} %%%{DATA:ddModuleName}/%{POSINT:
      match => { "message" => "<%{BASE10NUM:syslog_pri}>%{SYSLOGTIMESTAMP:timestamp} %{DATA:hostname} %{DATA:ddModuleName}/%{POSINT:seve
      remove_field => [ "timestamp" ]
      add_field => { "severity_code" => "%{severity}" }
      overwrite => ["message"]
    }
  }
  # mutate {
  #   gsub => [
  #     "severity", "0", "Emergency",
  #     "severity", "1", "Alert",
  #     "severity", "2", "Critical",
  #     "severity", "3", "Error",
  #     "severity", "4", "Warning",
  #     "severity", "5", "Notice",
  #     "severity", "6", "Informational",
  #     "severity", "7", "Debug"
  #   ]
  # }
}

output {
  stdout { codec => rubydebug }
  elasticsearch {
    index    => "syslog-%{+}"
    hosts    => ["192.168.14.211:9200"]
    user     => "elastic"
    password => "password"
  }
}

Note that the conditional keyword in Logstash's configuration grammar is "else if"; the original "elseif" is a syntax error and has been corrected above. The grok match lines shown here are cut off as they were on the page.

For easy viewing the output is also written straight to the terminal; in a working environment the stdout block can be removed. Username and password authentication for Elasticsearch has been added as well; since those credentials sit in clear text in this file, keep its permissions restricted to the account that runs logstash.

3. Start logstash; the data can be seen in the terminal.

[root@localhost ~]# logstash -f /usr/local/logstash-7.5.0/config/

IV. Viewing the switch logs in Kibana

1. Open Management.
2. Add an index pattern.
3. Search for the index name defined in the configuration file.
4. Click Create.
5. Return to the home page and view the logs.

V. Error notes

1. Because Elasticsearch in ELK 7 added authentication, if the logstash configuration file does not include the username and password, the following connection error is shown:
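The HUAWEI grok branch and the commented-out severity mapping above are easier to reason about when the same parsing is spelled out in plain code. The following Python script is an added example (not part of the original post and not Logstash's own code): it applies the equivalent of the page's second HUAWEI pattern (PRI, syslog timestamp, year, hostname, %%module/severity/...) to a few constructed sample lines, decodes the PRI header into facility and severity, names the severity with the same table the commented mutate/gsub block uses, and additionally flags lines whose PRI severity disagrees with the severity stated in the message body, which goes one step beyond the page's config. The sample lines, module names and host name are constructed for illustration.

```python
"""Parse Huawei VRP syslog lines the way the HUAWEI grok branch does and
decode the syslog PRI value. Added example with constructed sample data."""
import re
from typing import Optional

# Severity names taken from the commented-out mutate/gsub block in the config.
SEVERITY_NAMES = {
    0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
    4: "Warning", 5: "Notice", 6: "Informational", 7: "Debug",
}

# Equivalent of the second HUAWEI grok line:
# <PRI>SYSLOGTIMESTAMP YEAR hostname %%module/severity/...
# The year group is optional so the third grok line's shape (no year) also matches.
HUAWEI_RE = re.compile(
    r"^<(?P<syslog_pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})"
    r"(?: (?P<year>\d{4}))?"
    r" (?P<hostname>\S+) %%(?P<module>[^/]+)/(?P<severity>[0-7])/(?P<body>.*)$"
)

# Constructed sample lines (not captured from a real switch), shaped after the
# grok patterns in the config; module names and message texts are illustrative.
SAMPLE_LINES = [
    "<189>Jul 17 10:15:42 2023 SW30 %%01SHELL/5/LOGIN(l):User admin logged in from 192.0.2.10.",
    "<188>Jul 17 10:16:03 2023 SW30 %%01IFNET/4/LINKDOWN(l):GigabitEthernet0/0/1 link down.",
    "not a syslog line at all",
]


def decode_pri(pri: int) -> tuple:
    """RFC 3164 PRI encodes facility * 8 + severity; return (facility, severity)."""
    return pri // 8, pri % 8


def parse_huawei(line: str) -> Optional[dict]:
    """Return the fields the grok branch would produce, or None on no match."""
    m = HUAWEI_RE.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    facility, pri_severity = decode_pri(int(fields["syslog_pri"]))
    body_severity = int(fields["severity"])
    return {
        "timestamp": fields["timestamp"],
        "year": fields["year"],
        "hostname": fields["hostname"],
        "module": fields["module"],
        "message": fields["body"],
        "facility": facility,
        "pri_severity": pri_severity,
        "severity_code": body_severity,
        "severity_name": SEVERITY_NAMES[body_severity],
        # True when the PRI header agrees with the severity in the message body
        "severity_consistent": pri_severity == body_severity,
    }


def parse_all(lines) -> list:
    """Parse every line, silently dropping the ones that do not match."""
    return [r for r in (parse_huawei(line) for line in lines) if r is not None]


if __name__ == "__main__":
    for record in parse_all(SAMPLE_LINES):
        print(record)
```

Lines that do not match are dropped here; in Logstash they would instead carry a _grokparsefailure tag, which is worth watching for in Kibana after any firmware change on the switch, since a new message format shows up first as a rise in that tag.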

Publisher: admin. Please credit the source when reposting: http://www.yc00.com/news/1689545239a264980.html
