Flume采集rsyslog日志并发送到elasticsearch上


上一篇写的是采用 tail -F 的方式采集数据,但对于远程客户端需要借助其他软件或服务来实现,如 CentOS 6.4 默认自带的 rsyslog。下述为配置:

[root@laiym ~]# cd /usr/local/flume/

[root@laiym ~]# vim syslog-es.conf

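# File name: syslog-es.conf
# Local agent IP: 192.168.1.159

# Component names: one syslog source, one memory channel, one Elasticsearch sink.
agent.sources = syslog
agent.sinks = elasticsearch
agent.channels = memoryChannel

# No log filtering is done yet; filter according to your own needs
# (the commented-out i3 regex_filter below is one place to do it).

# --- Source ---
# syslogudp receives plain UDP syslog datagrams. UDP carries no
# authentication and the sender address is not verified, so any host that
# can reach 192.168.1.159:514/udp can feed events into this pipeline;
# restrict the port with a host firewall to the rsyslog clients you expect
# and treat the fields extracted below as untrusted input when querying them.
# Port 514 is a privileged port, so the agent must be able to bind it
# (in the write-up it runs as root).
agent.sources.syslog.type = syslogudp
agent.sources.syslog.port = 514
agent.sources.syslog.host = 192.168.1.159
# Maximum event size in bytes. A single UDP datagram cannot exceed 64 KiB,
# so 10000000 is only an upper bound; value kept as in the original.
agent.sources.syslog.eventSize = 10000000

agent.sources.syslog.interceptors = i1 i2

# i1: pull service / user / src / src_port out of sshd-style lines such as
#   "sshd[1234]: Accepted password for alice from 192.0.2.10 port 40000 ssh2"
# (constructed example). Backslashes are doubled because a Java properties
# file consumes one level of escaping; the regex Flume actually sees has four
# capture groups, one per serializer listed below.
agent.sources.syslog.interceptors.i1.type = regex_extractor
agent.sources.syslog.interceptors.i1.regex=\(.+\)\\[\\d+\\]\\:.+for\\s+\(.+\)\\s+from\\s+\(.+\)\\s+port\\s+\(\\d+\)\\s
# Fix: the original listed "s1s2 s3 s4" (missing space), which registers a
# serializer called "s1s2" that has no .name configured and leaves only three
# serializers for four capture groups. One serializer per group, space-separated.
agent.sources.syslog.interceptors.i1.serializers = s1 s2 s3 s4
agent.sources.syslog.interceptors.i1.serializers.s1.name = service
agent.sources.syslog.interceptors.i1.serializers.s2.name = user
agent.sources.syslog.interceptors.i1.serializers.s3.name = src
agent.sources.syslog.interceptors.i1.serializers.s4.name = src_port

# i2: the stock alternative would be Flume's built-in timestamp interceptor:
#agent.sources.syslog.interceptors.i2.type = timestamp
# The class below is not one of the stock Flume interceptors, so its jar must
# be on the agent classpath (typically the lib/ directory) — confirm before
# starting the agent.
agent.sources.syslog.interceptors.i2.type = org.apache.flume.interceptor.EventTimestampInterceptor$Builder
agent.sources.syslog.interceptors.i2.preserveExisting = false
# NOTE(review): "time" is not one of the fields extracted by i1 above —
# verify which header this interceptor reads it from.
agent.sources.syslog.interceptors.i2.dateFormatField = time
agent.sources.syslog.interceptors.i2.dateFormat = MMMdd HH:mm:ss

# i3 (disabled): either a regex filter to drop unwanted lines ...
#agent.sources.syslog.interceptors.i3.type = regex_filter
#agent.sources.syslog.interceptors.i3.regex=
# ... or the host interceptor to tag events with the agent host.
#agent.sources.syslog.interceptors.i3.type = org.apache.flume.interceptor.HostInterceptor$Builder
#agent.sources.syslog.interceptors.i3.hostHeader = host

# --- Channel ---
agent.channels.memoryChannel.type = memory
# Fix: the original keyed capacity / transactionCapacity on "channel1", which
# is not a declared channel, so the values never applied to memoryChannel and
# it presumably ran with Flume's defaults.
agent.channels.memoryChannel.capacity = 1000000
agent.channels.memoryChannel.transactionCapacity = 5000
#agent.channels.memoryChannel.keep-alive = 10

# --- Sink ---
agent.sinks.elasticsearch.type = org.apache.flume.sink.elasticsearch.ElasticSearchSink
agent.sinks.elasticsearch.batchSize = 100
# Transport-port (9300) connection to a local Elasticsearch node; clusterName
# must match the cluster's configured name or the client will not join it.
agent.sinks.elasticsearch.hostNames = 127.0.0.1:9300
agent.sinks.elasticsearch.indexName = linux_syslog
agent.sinks.elasticsearch.indexType = message
agent.sinks.elasticsearch.clusterName = elasticsearch
# Logstash-style document layout so the index can be used from Kibana as is.
agent.sinks.elasticsearch.serializer = org.apache.flume.sink.elasticsearch.ElasticSearchLogStashEventSerializer

# --- Wiring: connect source and sink through the channel ---
agent.sources.syslog.channels = memoryChannel
agent.sinks.elasticsearch.channel = memoryChannel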

下述为splunk02客户端的rsyslog配置

[root@splunk02 ~]# vim /etc/rsyslog.conf

在第46行添加 authpriv.* @192.168.1.159:514(单个 @ 表示通过 UDP 转发,与上面的 syslogudp 源对应;注意日志为明文传输)

[root@splunk02 ~]# service rsyslog restart

启动时打开 INFO 日志和 console 日志,查看启动状态(注意 -f 指向的路径要与上面保存 syslog-es.conf 的位置一致)。

[root@laiym ~]# cd /usr/local/flume/

[root@laiym flume]# ./bin/flume-ng agent -c ./conf/ -f ./conf/syslog-es.conf -n agent -Dflume.root.logger=INFO,console

 

验证一下:在 Kibana 中创建索引模式 linux_syslog*,如下图所示,字段也解析出来了。


ok,完成。下一次测试flume拦截器正则匹配多种日志格式的常用字段。
