2018-01-26 logstash收集httpd日志传至zabbix

2018-01-26  本文已影响0人  张大志的博客

1、安装logstash-output-zabbix插件

[root@beijing ~]#/usr/share/logstash/bin/logstash-plugin install logstash-output-zabbix

2、修改Logstash配置文件

[root@beijing ~]#vim /etc/logstash/conf.d/test.conf 

# Input stage: read the Apache httpd access log from disk.
input {
     file {
          path => ["/var/log/httpd/access_log"]
          # Read a newly discovered file from its first line instead of only
          # picking up lines appended after Logstash starts.
          start_position => "beginning"
           }
}

# Filter stage: parse each access-log line and attach the two @metadata
# fields that the zabbix output reads (host name and item key).
filter {
      grok {
         match => {
                  "message" => "%{HTTPD_COMBINEDLOG}"
                  }
                  # Host name of the monitored host. It must match the host name
                  # configured for this host in Zabbix exactly.
                  # add_field runs only when the grok match succeeds, so lines that
                  # fail to parse reach the outputs without these two fields.
                  add_field => ["[@metadata][zabbix_host]","beijing.zhangdazhi.com"]
                  # Item key of the monitored host (the key defined on the Zabbix item).
                  add_field => ["[@metadata][zabbix_key]","logstash.key"]
          }
     geoip {
       # clientip is presumably the field extracted by HTTPD_COMBINEDLOG above;
       # the lookup result is stored under the "geoip" field.
       source => "clientip"
       target => "geoip"
       database => "/app/GeoLite2-City_20180102/GeoLite2-City.mmdb"
          }
}
# Output stage: every event goes to all three outputs (there is no conditional),
# i.e. it is indexed in Elasticsearch, printed to stdout and sent to Zabbix.
output {
       elasticsearch {
                    # NOTE(review): plain HTTP and no credentials are configured here, and
                    # 66.112.215.110 is not a private (RFC 1918) address. Confirm the cluster
                    # is firewalled from the internet, or use https with authentication.
                    hosts => ["http://66.112.215.110"]
                    index => "apache_logstash-%{+YYYY.MM.dd}"
                    action => "index"
                    document_type => "apache_logs"
                   }

      # Debug output: prints every event in full. Remove it once the pipeline is
      # verified, otherwise the captured stdout keeps growing with log content.
      stdout{ codec => rubydebug }
      zabbix {
              timeout => 1
              workers => 1
              # Name of the event field holding the monitored host's name (set in the filter stage).
              zabbix_host => "[@metadata][zabbix_host]"
              # IP address of the Zabbix server.
              zabbix_server_host => "66.112.215.110"
              # Port the Zabbix server listens on.
              # NOTE(review): no encryption option is set in this block, so the log lines
              # presumably cross the network in clear text - confirm. On the Zabbix side,
              # restrict the trapper item's "Allowed hosts" so that only this sender is accepted.
              zabbix_server_port => 10051
              # Name of the event field holding the item key (set in the filter stage).
              zabbix_key => "[@metadata][zabbix_key]"
              # Name of the event field whose content is sent to Zabbix as the item value.
              # "message" is the raw access-log line; the request path, referrer and user
              # agent in it are client-supplied, so treat the value as untrusted wherever
              # Zabbix displays it or passes it to trigger actions.
              zabbix_value => "message"
              }
}

3、修改zabbix_agent的配置文件

[root@beijing ~]#vim /etc/logstash/conf.d/test.conf 
[root@beijing ~]#cat /etc/zabbix/zabbix_agentd.conf |grep ^[^#]
# Annotated copy of the active agent settings. zabbix_agentd.conf accepts comments
# only on lines of their own that start with '#'; a comment placed after a value
# on the same line is not treated as a comment, so do not paste it that way.
PidFile=/var/run/zabbix/zabbix_agentd.pid
LogFile=/var/log/zabbix/zabbix_agentd.log
LogFileSize=1
# NOTE(review): EnableRemoteCommands=1 lets the Zabbix server run commands on this
# host through the agent. Nothing else shown on this page uses remote commands;
# leave it at 0 unless they are required, and keep LogRemoteCommands=1 if they are.
EnableRemoteCommands=1
LogRemoteCommands=1
# No TLSConnect/TLSAccept setting appears among the active lines, so this
# configuration does not encrypt agent-server traffic.
Server=66.112.215.110
StartAgents=5
# Address of the server used for active checks (active mode).
ServerActive=66.112.215.110
# Host name this agent reports in active mode, so the server knows which host sent the data.
Hostname=beijing.zhangdazhi.com

配置好后重启zabbix_agentd

4、zabbix上的设置

添加主机


image.png

添加监控项


image.png
在被监控端发送消息测试,看zabbix中能否收到
[root@beijing ~]#zabbix_sender -z 66.112.215.110 -p 10051 -s beijing.zhangdazhi.com -k "logstash.key" -o "hello" 
info from server: "processed: 1; failed: 0; total: 1; seconds spent: 0.000083"
sent: 1; skipped: 0; total: 1
-z指明server的地址 -p为server端端口 -s指明被监控端的主机名 -k指明被监控端自定义的键值,这里要和zabbix图形界面定义的键值对上 -o指明发送的信息

在zabbix中可以收到,说明测试成功


image.png

5、添加触发器

image.png
image.png

6、启动logstash

[root@beijing ~]# nohup /usr/share/logstash/bin/logstash  -f /etc/logstash/conf.d/test.conf  & #让程序后台运行
停止的时候可以用kill