Analysing Windows logs with elasticsearch + logstash + kibana

#### Project background
A customer needed the IIS logs on a Windows host monitored, so there was no way around installing and deploying the stack there. I had only ever run it on Linux, so I am writing the steps down to save myself detours next time.

#### Prerequisites:
- one Windows 2008 x86_64 machine
- Java JDK package
- nssm package
- logstash package
- environment variables set

#### Download the Java JDK package (choose the x86_64 build)
http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html

#### Download nssm, so that logstash can be started as a Windows service
https://nssm.cc/ci/nssm-2.24-23-gfb96938.zip

#### Download the logstash 1.4.2 archive
https://download.elasticsearch.org/logstash/logstash/logstash-1.4.2.zip

#### Install the Java package (installation steps omitted)

#### Set the environment variables

#### Unzip logstash-1.4.2.zip into C:/logstash-1.4.2 (steps omitted)

#### Write the logstash.conf configuration file (C:/logstash-1.4.2/logstash.conf) as follows:
```
input {
  file {
    #type => "iis"
    # note: straight double quotes only; a curly quote here breaks the config parser
    path => ["C:/logs/*.log"]
    start_position => "beginning"
  }
}

filter {

  # ignore the #Software / #Fields / #Date directive lines IIS writes
  if [message] =~ "^#" {
    drop {}
  }

  grok {
    # check that the fields match your IIS W3C log settings
    match => ["message", "%{TIMESTAMP_ISO8601:log_timestamp} %{IPORHOST:site} %{WORD:method} %{URIPATH:page} %{NOTSPACE:querystring} %{NUMBER:port} %{NOTSPACE:username} %{IPORHOST:clienthost} %{NOTSPACE:useragent} %{NUMBER:response} %{NUMBER:subresponse} %{NUMBER:scstatus} %{NUMBER:time_taken}"]
  }

  # set the event timestamp from the log line (IIS writes UTC)
  date {
    match => [ "log_timestamp", "YYYY-MM-dd HH:mm:ss" ]
    timezone => "Etc/UCT"
  }

  useragent {
    source => "useragent"
    prefix => "browser"
  }

  mutate {
    remove_field => [ "log_timestamp" ]
  }
}

# See documentation for different protocols:
# http://logstash.net/docs/1.4.2/outputs/elasticsearch
output {
  stdout { codec => rubydebug }
  elasticsearch {
    host => "121.40.28.126"
    port => "9200"
    protocol => "http"
  }
}
```
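Before pointing Logstash at the real log directory it is worth checking what the filter block will actually produce. The following Python script is added here and is not part of the original post: it mirrors the filter (drop `#` directive lines, extract the same field names the grok pattern assigns, parse the timestamp as UTC, drop `log_timestamp`, and tag lines that do not match) using a regex that approximates the grok pattern, run over a constructed IIS W3C sample.

```python
import re
from datetime import datetime, timezone

# Regex approximating the grok pattern in logstash.conf (the grok patterns
# IPORHOST/URIPATH are stricter than \S+, but the field layout is the same).
# Named groups use the field names the config assigns.
IIS_LINE = re.compile(
    r"^(?P<log_timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<site>\S+) (?P<method>\w+) (?P<page>/\S*) (?P<querystring>\S+) "
    r"(?P<port>\d+) (?P<username>\S+) (?P<clienthost>\S+) (?P<useragent>\S+) "
    r"(?P<response>\d+) (?P<subresponse>\d+) (?P<scstatus>\d+) (?P<time_taken>\d+)$"
)

# Constructed sample of an IIS W3C log: two directive lines plus three entries.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2015-03-02 10:15:01 10.0.0.5 GET /index.html - 80 - 192.0.2.10 Mozilla/5.0+(Windows+NT+6.1) 200 0 0 31
2015-03-02 10:15:02 10.0.0.5 GET /admin/login.aspx ReturnUrl=%2f 80 - 192.0.2.10 Mozilla/5.0+(Windows+NT+6.1) 401 2 5 15
2015-03-02 10:15:03 10.0.0.5 POST /upload.aspx - 80 alice 192.0.2.11 curl/7.38.0 500 0 0 1203
"""

def parse_iis_log(text):
    """Return one dict per data line, mirroring what the filter block emits."""
    events = []
    for line in text.splitlines():
        if line.startswith("#"):          # same as the `drop {}` for comment lines
            continue
        m = IIS_LINE.match(line)
        if not m:                          # grok would tag the event instead of dropping it
            events.append({"message": line, "tags": ["_grokparsefailure"]})
            continue
        event = m.groupdict()
        # date filter: parse log_timestamp as UTC; mutate then removes the field
        event["@timestamp"] = datetime.strptime(
            event.pop("log_timestamp"), "%Y-%m-%d %H:%M:%S"
        ).replace(tzinfo=timezone.utc)
        for key in ("port", "response", "subresponse", "scstatus", "time_taken"):
            event[key] = int(event[key])
        events.append(event)
    return events

def status_counts(events):
    """Count sc-status values per parsed event, the first thing to chart in Kibana."""
    counts = {}
    for e in events:
        if "response" in e:
            counts[e["response"]] = counts.get(e["response"], 0) + 1
    return counts
```

A line that ends up tagged `_grokparsefailure` here will fail the grok filter in the same way, which usually means the IIS site logs a different set of W3C fields than the pattern expects.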

#### Start
Use straight double quotes around the config path; curly quotes will not be understood by the batch file:
```
c:\logstash-1.4.2\bin>logstash.bat agent -f "C:/logstash-1.4.2/logstash.conf"
```

#### Check in Kibana that the logs are arriving
