Windows System Log Collection
Approach
This setup uses nxlog, fluentd and elasticsearch. nxlog is a cross-platform log collection and processing tool written in C; internally it supports Perl-style regular expressions and syntax for structuring data and for conditional logic. nxlog collects the Windows system logs and forwards them to fluentd, and fluentd passes the records on to elasticsearch. This is also the combination recommended in the official fluentd documentation.
Prerequisites
1. A Windows server (Windows 10 was used here).
2. A Linux server (CentOS 7 was used here).
3. Download and install on the Linux server.
Setup steps
Installing nxlog on Windows
1. Download the Windows build.
2. Click Next through the installer.
Note: by default nxlog is installed in the C:\Program Files (x86)\nxlog directory.
Installing fluentd on Linux
1. To install from the rpm repository, run:
$ curl -L asuredata/sh/install-redhat-td-agent2.sh | sh
2. Commonly used commands:
$ /etc/init.d/td-agent start
$ /etc/init.d/td-agent stop
$ /etc/init.d/td-agent restart
$ /etc/init.d/td-agent status
Testing
Editing the configuration files
1. Edit the td-agent configuration file /etc/f:
$ vim /etc/f
Add the following configuration and save:
<source>
  # Listen for the JSON lines nxlog's om_tcp sends (one object per line)
  @type tcp
  format json
  port 5140
  tag windowslog
</source>
<match windowslog>
  # Default host/port is localhost:9200 and the default index is "fluentd"
  @type elasticsearch
</match>
2. Edit the nxlog configuration file C:\Program Files (x86)\nxlog\conf
The edited file looks like this:
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
<Extension _syslog>
    Module xm_syslog
</Extension>
<Extension json>
    Module xm_json
</Extension>
# Log input side
<Input in>
    Module im_msvistalog
    # For Windows 2003 and earlier use the following instead:
    # Module im_mseventlog
    # Serialize each event as one JSON object per line
    Exec to_json();
</Input>
# Log output side
<Output out>
    Module om_tcp
    # Address of the server running td-agent
    Host 192.168.159.133
    # Must match the port td-agent listens on
    Port 5140
</Output>
<Output outfile>
    Module om_file
    # Also keep a local copy of the collected events for inspection;
    # backslashes must be doubled inside a double-quoted nxlog string
    File "D:\\logs\\log"
    # Create D:\logs if it does not exist yet
    CreateDir TRUE
</Output>
# Bind the input to each output
<Route r1>
    Path in => out
</Route>
<Route r2>
    Path in => outfile
</Route>
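Before wiring the real td-agent in, it helps to confirm what the Windows side actually puts on the wire. The Python script below is an added example (it is not part of this page, nor code from nxlog or fluentd): it stands in for td-agent's in_tcp on port 5140, reassembles the newline-delimited JSON frames that om_tcp sends after to_json(), and reports each record as OK or BAD. The required field names are an assumption taken from the sample output later on this page; run it on the collector host and point the nxlog Host directive at that machine.

```python
"""Stand-in for td-agent's in_tcp on port 5140 (added example, not from the page,
nxlog or fluentd). Reassembles the newline-delimited JSON that nxlog's om_tcp
sends after `Exec to_json();` and sanity-checks each record."""
import json
import socketserver
from typing import List, Tuple

# Assumed required fields, taken from the sample records shown on this page.
REQUIRED_FIELDS = ("EventTime", "Hostname", "Channel", "EventID", "SourceModuleType")


def split_frames(buf: bytes) -> Tuple[List[bytes], bytes]:
    """Split a stream buffer into complete newline-terminated frames.

    TCP has no message boundaries: one recv() may hold half a record or
    several, so the unterminated tail is returned for the next read.
    """
    parts = buf.split(b"\n")
    remainder = parts.pop()  # bytes after the last newline, possibly empty
    return [p for p in parts if p.strip()], remainder


def validate_record(raw: bytes) -> Tuple[bool, str]:
    """Decode one frame and check it looks like an im_msvistalog event.

    Returns (ok, detail); problems are reported rather than raised so one
    malformed frame cannot stall the receiver.
    """
    try:
        rec = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        return False, f"not JSON: {exc}"
    if not isinstance(rec, dict):
        return False, "top-level JSON value is not an object"
    missing = [k for k in REQUIRED_FIELDS if k not in rec]
    if missing:
        return False, "missing fields: " + ", ".join(missing)
    if not isinstance(rec["EventID"], int):
        return False, "EventID is not an integer"
    return True, f"{rec['Channel']} EventID={rec['EventID']} host={rec['Hostname']}"


class NxlogHandler(socketserver.StreamRequestHandler):
    """Handles one nxlog connection; om_tcp keeps a single long-lived session."""

    def handle(self) -> None:
        pending = b""
        while True:
            chunk = self.request.recv(65536)
            if not chunk:  # nxlog closed the connection
                break
            frames, pending = split_frames(pending + chunk)
            for frame in frames:
                ok, detail = validate_record(frame)
                print(("OK  " if ok else "BAD ") + detail, flush=True)


class Receiver(socketserver.ThreadingTCPServer):
    allow_reuse_address = True  # allow a quick restart on the same port


def serve(host: str = "0.0.0.0", port: int = 5140) -> None:
    """Listen on the same port td-agent is configured to use on this page."""
    with Receiver((host, port), NxlogHandler) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    serve()
```

Start it, restart nxlog, and every event prints as one line. A BAD line reading "not JSON" means the Input block is not emitting JSON, which in this configuration usually points at a missing Exec to_json(); line; "missing fields" means the events are JSON but not the im_msvistalog records this page expects.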
Starting the services
1. Start td-agent:
$ /etc/init.d/td-agent start
2. Start nxlog: in PowerShell, change to the C:\Program Files (x86)\nxlog directory and run:
C:\Program Files (x86)\nxlog> .\\ -f -c ./f
Part of the output:
2017-07-13 14:43:30 INFO connecting to 192.168.159.133:5140
2017-07-13 14:43:30 INFO nxlog-ce-2.9.1716 started
Results
On the Linux console, list the indices in elasticsearch:
[root@localhost ~]# curl 'localhost:9200/_cat/indices?v'
health status index   uuid                   pri rep docs.count docs.deleted store.size pri.store.size
yellow open   fluentd c05Ykvp_RPebnOppfsa1_w   5   1          2            0     67.7kb         67.7kb
yellow open   .kibana Zldk9n-BSweLtaeVNMsNtg   1   1          8            0       54kb           54kb
Query the data in the fluentd index; part of the output:
[root@localhost ~]# curl -XGET 'localhost:9200/fluentd/_search?pretty'
{
  "took" : 363,
  "timed_out" : false,
  "_shards" : {
    "total" : 5,
    "successful" : 5,
    "failed" : 0
  },
  "hits" : {
    "total" : 68,
    "max_score" : 1.0,
    "hits" : [
      {
        "_index" : "fluentd",
        "_type" : "fluentd",
        "_id" : "AV06sthgdjHN6maqugXM",
        "_score" : 1.0,
        "_source" : {
          "EventTime" : "2017-07-13 14:45:59",
          "Hostname" : "LAPTOP-AQ1VQEMH",
          "Keywords" : 576460752303423488,
          "EventType" : "INFO",
          "SeverityValue" : 2,
          "Severity" : "INFO",
          "EventID" : 20,
          "SourceName" : "Microsoft-Windows-Audio",
          "ProviderGuid" : "{AE4BD3BE-F36F-45B6-8D21-BDD6FB832853}",
          "Version" : 0,
          "Task" : 116,
          "OpcodeValue" : 0,
          "RecordNumber" : 113490,
          "ProcessID" : 6804,
          "ThreadID" : 13988,
          "Channel" : "Microsoft-Windows-Audio/PlaybackManager",
          "Domain" : "LAPTOP-AQ1VQEMH",
          "AccountName" : "WHL",
          "UserID" : "S-1-5-21-2442955922-1256182451-2774828708-1001",
          "AccountType" : "User",
          "Message" : "格式: 1\r\n采样率 : 22050Hz\r\n已卸载: false",
          "Opcode" : "信息",
          "Format" : "1",
          "SamplingRate" : "22050",
          "bAudioSrvStreamResourceType" : "false",
          "EventReceivedTime" : "2017-07-13 14:46:00",
          "SourceModuleName" : "in",
          "SourceModuleType" : "im_msvistalog"
        }
      },
      {
        "_index" : "fluentd",
        "_type" : "fluentd",
        "_id" : "AV06uizFdjHN6maqugXh",
        "_score" : 1.0,
        "_source" : {
          "EventTime" : "2017-07-13 14:53:26",
          "Hostname" : "LAPTOP-AQ1VQEMH",
          "Keywords" : 576460752303423488,
          "EventType" : "INFO",
          "SeverityValue" : 2,
          "Severity" : "INFO",
          "EventID" : 505,
          "SourceName" : "Microsoft-Windows-Application-Experience",
          "ProviderGuid" : "{EEF54E71-0661-422D-9A98-82FD4940B820}",
          "Version" : 0,
          "Task" : 0,
          "OpcodeValue" : 0,
          "RecordNumber" : 31916,
          "ProcessID" : 14276,
          "ThreadID" : 13872,
          "Channel" : "Microsoft-Windows-Application-Experience/Program-Telemetry",
          "Domain" : "LAPTOP-AQ1VQEMH",
          "AccountName" : "WHL",
          "UserID" : "S-1-5-21-2442955922-1256182451-2774828708-1001",
          "AccountType" : "User",
          "Message" : "兼容性修复程序已应用于 C:\\Users\\WHL\\AppData\\Local\\Google\\Chrome\\Application\\。\r\n修补程序信息: Google Chrome,{18
          "Opcode" : "信息",
          "EventReceivedTime" : "2017-07-13 14:53:28",
          "SourceModuleName" : "in",
          "SourceModuleType" : "im_msvistalog"
        }
      },
Open the log file under D:\logs; part of the output:
{"EventTime":"2017-07-13 14:43:51","Hostname":"LAPTOP-AQ1VQEMH","Keywords":4611686018429485056,"EventType":"INFO","SeverityValue":2,"Sev
{"EventTime":"2017-07-13 14:43:51","Hostname":"LAPTOP-AQ1VQEMH","Keywords":4611686018429485056,"EventType":"INFO","SeverityValue":2,"Severity":"IN
{"EventTime":"2017-07-13 14:45:52","Hostname":"LAPTOP-AQ1VQEMH","Keywords":576460752303423488,"EventType":"INFO","SeverityValue":2,"Severity":"IN
{"EventTime":"2017-07-13 14:45:59","Hostname":"LAPTOP-AQ1VQEMH","Keywords":576460752303423488,"EventType":"INFO","SeverityValue":2,"Severity":"IN
{"EventTime":"2017-07-13 14:45:59","Hostname":"LAPTOP-AQ1VQEMH","Keywords":576460752303423488,"EventType":"INFO","SeverityValue":2,"Severity":"IN
{"EventTime":"2017-07-13 14:45:59","Hostname":"LAPTOP-AQ1VQEMH","Keywords":576460752303423488,"EventType":"INFO","SeverityValue":2,"Severity":"IN
{"EventTime":"2017-07-13 14:45:59","Hostname":"LAPTOP-AQ1VQEMH","Keywords":576460752303423488,"EventType":"INFO","SeverityValue":2,"Severity":"IN
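Once events are landing in D:\logs\log, a quick way to check the pipeline's health is to read that file back and look at collection lag and per-channel volume. The Python script below is an added example (not from this page, nor from nxlog); it uses the EventTime and EventReceivedTime fields exactly as they appear in the page's output, skips truncated lines like those in the excerpt above instead of aborting, and flags events whose lag between being logged by Windows and being picked up by nxlog exceeds a threshold. The 60-second threshold and the sample lines embedded for a stand-alone run are constructed assumptions, modelled on the page's records.

```python
"""Health check over the JSON lines nxlog writes with om_file (D:\\logs\\log on the
page). Added example, not code from the page or from nxlog: reports per-channel
counts, malformed lines and the lag between EventTime and EventReceivedTime."""
import json
import sys
from collections import Counter
from datetime import datetime
from typing import Iterable, List

# nxlog writes both timestamps as "YYYY-MM-DD HH:MM:SS" (see the page's output).
NXLOG_TIME_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed sample: three well-formed records modelled on the page plus one
# truncated line, as happens when the file is read while nxlog is still writing.
SAMPLE_LINES = [
    '{"EventTime":"2017-07-13 14:45:59","EventReceivedTime":"2017-07-13 14:46:00",'
    '"Hostname":"LAPTOP-AQ1VQEMH","Channel":"Microsoft-Windows-Audio/PlaybackManager","EventID":20}',
    '{"EventTime":"2017-07-13 14:53:26","EventReceivedTime":"2017-07-13 14:53:28",'
    '"Hostname":"LAPTOP-AQ1VQEMH","Channel":"Microsoft-Windows-Application-Experience/Program-Telemetry","EventID":505}',
    '{"EventTime":"2017-07-13 14:53:30","EventReceivedTime":"2017-07-13 14:55:40",'
    '"Hostname":"LAPTOP-AQ1VQEMH","Channel":"Microsoft-Windows-Audio/PlaybackManager","EventID":20}',
    '{"EventTime":"2017-07-13 14:45:59","Hostname":"LAPTOP-AQ1VQEMH","Keywords":576460752303423488,"EventType":"IN',
]


def summarize(lines: Iterable[str], max_lag_seconds: int = 60) -> dict:
    """Return per-channel counts, the malformed-line count and lag statistics."""
    channels: Counter = Counter()
    malformed = 0
    lags: List[float] = []
    late: List[dict] = []
    for lineno, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            logged = datetime.strptime(rec["EventTime"], NXLOG_TIME_FORMAT)
            received = datetime.strptime(rec["EventReceivedTime"], NXLOG_TIME_FORMAT)
        except (ValueError, KeyError, TypeError):
            malformed += 1  # truncated, non-JSON or incomplete record
            continue
        channels[rec.get("Channel", "<none>")] += 1
        lag = (received - logged).total_seconds()
        lags.append(lag)
        if lag > max_lag_seconds:
            late.append({
                "line": lineno,
                "channel": rec.get("Channel"),
                "event_id": rec.get("EventID"),
                "lag_seconds": lag,
            })
    return {
        "records": sum(channels.values()),
        "malformed": malformed,
        "channels": dict(channels),
        "max_lag_seconds": max(lags) if lags else 0.0,
        "late": late,
    }


def main(path: str) -> None:
    """Summarize an om_file output file; Message fields may contain non-ASCII text."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        print(json.dumps(summarize(fh), indent=2, ensure_ascii=False))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        main(sys.argv[1])
    else:  # no file given: run over the constructed sample
        print(json.dumps(summarize(SAMPLE_LINES), indent=2, ensure_ascii=False))
```

Run it as python check_nxlog_file.py D:\logs\log to get the report. A growing malformed count or a rising max_lag_seconds is worth alerting on: a pipeline that silently falls behind looks the same as a quiet system.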
