elasticsearch+logstash+kibana分析windowns日志

elasticsearch+logstash+kibana分析windowns日志

 Posted on May 22, 2015  |  1 minutes  |  150 words  |  Kenng zhang

elasticsearch+logstash+kibana分析windowns日志

elasticsearch+logstash+kibana分析windowns日志

 Posted on May 22, 2015  |  1 minutes  |  150 words  |  Kenng zhang

项目背景

客户需求需要监控windows下面的IIS相关日志,无解只能上去安装部署了,但是这东西只在Linux上玩过,为了以后少走弯路特此记录下。

准备工作:

1台windows2008 x86_64
JAVA jdk包
nssm包
logstash包
设置环境变量

下载JAVA jdk包 选择x86_64

http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html

下载nssm 为了把启动logstash已服务器的方式启动

https://nssm.cc/ci/nssm-2.24-23-gfb96938.zip

下载logstash1.4.2文件

https://download.elasticsearch.org/logstash/logstash/logstash-1.4.2.zip

安装JAVA包,安装步骤省略

设置环境变量

elk

解压logstash-1.4.2.zip包文件到C:/logstash-1.4.2 省略

编写logstash.conf配置文件(C:/logstash-1.4.2/logstash.conf),如下:

input {
 file {
    #type => "iis"
    path => ["C:/logs/*.log”]  
    start_position => "beginning"
  }
}

filter {

  #ignore log comments
  if [message] =~ "^#" {
    drop {}
  }


  grok {
    # check that fields match your IIS log settings
    match => ["message", "%{TIMESTAMP_ISO8601:log_timestamp} %{IPORHOST:site} %{WORD:method} %{URIPATH:page} %{NOTSPACE:querystring} %{NUMBER:port} %{NOTSPACE:username} %{IPORHOST:clienthost} %{NOTSPACE:useragent} %{NUMBER:response} %{NUMBER:subresponse} %{NUMBER:scstatus} %{NUMBER:time_taken}"]
  }

  #Set the Event Timesteamp from the log
    date {
    match => [ "log_timestamp", "YYYY-MM-dd HH:mm:ss" ]
      timezone => "Etc/UCT"
  }    


  useragent {
    source=> "useragent"
    prefix=> "browser"
  }

  mutate {
    remove_field => [ "log_timestamp"]
  }
}

# See documentation for different protocols:
# http://logstash.net/docs/1.4.2/outputs/elasticsearch
output {
  stdout { codec => rubydebug }
  elasticsearch {
    host => "121.40.28.126"
    port => "9200"
    protocol => "http"
  }
}

启动

c:\logstash-1.4.2\bin>logstash.bat agent -f "C:/logstash-1.4.2/logstash.conf"

elk

在kibana中查看是否有日志过来

elk

ELK 

See also