ELK收集交换机日志

1、环境介绍
交换机&＃xff1a;华为、思科、H3C
Elasticsearch版本&＃xff1a;7.13.3
kibana版本&＃xff1a;v 7.13.3
logstash版本&＃xff1a;7.17.8

2、ES集群配置
参考&＃xff1a;
https://blog.csdn.net/zyj81092211/article/details/118935274

3、kibana配置
参考
https://blog.csdn.net/zyj81092211/article/details/118967979

4、logstash配置
安装key

rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch


添加软件源&＃xff0c;编辑logstash.repo文件添加如下

[logstash-7.x]
name&＃61;Elastic repository for 7.x packages
baseurl&＃61;https://artifacts.elastic.co/packages/7.x/yum
gpgcheck&＃61;1
gpgkey&＃61;https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled&＃61;1
autorefresh&＃61;1
type&＃61;rpm-md


安装logstash

yum install logstash


编辑systemd启动文件&＃xff0c;更改为root用户&＃xff08;端口号小于1000的程序&＃xff0c;普通用户会因为权限问题不能启动&＃xff0c;这里改成root用户启动&＃xff09;

vi /etc/systemd/system/logstash.service


5、编辑logstash交换机配置文件
配置文件放到目录/etc/logstash/conf.d/

vi /etc/logstash/conf.d/switch.conf


添加如下

input{
syslog {
type &＃61;> "HUAWEI"
port &＃61;> 514
}

syslog {
type &＃61;> "CISCO"
port &＃61;> 5002
}

syslog {
type &＃61;> "H3C"
port &＃61;> 5003
}
}
output{
stdout {
#将日志输出到当前终端上显示
codec &＃61;> rubydebug
}
#同时也发送到elasticsearch
elasticsearch {
index &＃61;>
"switch-syslog-%{&＃43;YYYY.MM}"
user &＃61;> elastic
password &＃61;> "Smtgbk_123"
hosts &＃61;> ["esdn01.wtown.com:9200"]
}
}


6、启动logstash

systemctl start logstash
systemctl enable logstash


7、华为交换机配置外置日志中心

info-center loghost source Vlanif1
info-center loghost 10.99.50.123
info-center enable


8、H3C交换机配置外置日志中心

info-center loghost source Vlan-interface1
info-center loghost 10.99.50.123 port 5003


9、思科交换机配置外置日志中心

enable
configure terminal
logging host 10.99.50.123 transport tcp port 5002
logging on
logging trap 7
logging facility local5
logging source-interface Loopback 0 //这里改成交换机地址所在端口
service timestamps log datetime localtime


10、Edge ES浏览器插件



11、配置kibana