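Information: I have been working with ELK for quite a while, so when I have time I write up the pitfalls I have run into.

1. Test environment

CentOS 7 operating system, rsyslog, logstash 6.2.4 (installed from the binary package)

2. Problem

When the service is configured to start as the logstash user, the following error occurs: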

Jul 27 17:39:02 zabbix-server logstash: [2019-07-27T17:39:02,995][INFO ][logstash.inputs.syslog   ] Starting syslog udp listener {:address=>"0.0.0.0:514"}
Jul 27 17:39:03 zabbix-server logstash: [2019-07-27T17:39:02,997][WARN ][logstash.inputs.syslog   ] syslog listener died {:protocol=>:udp, :address=>"0.0.0.0:514", 
:exception=>#, :backtrace=>["org/jruby/ext/socket/RubyUDPSocket.java:197:in `bind'", 
"/usr/local/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-input-syslog-3.4.1/lib/logstash/inputs/syslog.rb:149:in `udp_listener'", 
"/usr/local/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-input-syslog-3.4.1/lib/logstash/inputs/syslog.rb:130:in `server'", 
"/usr/local/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-input-syslog-3.4.1/lib/logstash/inputs/syslog.rb:110:in `block in run'"]}

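The cause is that the process has no permission to bind the port. Under the Linux security settings, an application that listens on a port below 1024 must be started as root and cannot be started by an ordinary user.

3. Solutions

(1) Start the logstash service as root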

logstash.service

[Unit]
Description=logstash

[Service]
Type=simple
User=root
Group=root
Environment=JAVA_HOME=/usr/local/jdk
Environment=LS_HOME=/usr/local/logstash
Environment=LS_SETTINGS_DIR=/usr/local/logstash/config/
Environment=LS_PIDFILE=/usr/local/logstash/logstash.pid
Environment=LS_USER=root
Environment=LS_GROUP=root
Environment=LS_GC_LOG_FILE=/usr/local/logstash/logs/gc.log
Environment=LS_OPEN_FILES=16384
Environment=LS_NICE=19
Environment=SERVICE_NAME=logstash
Environment=SERVICE_DESCRIPTION=logstash
ExecStart=/usr/local/logstash/bin/logstash "--path.settings" "/usr/local/logstash/config/"
Restart=always
WorkingDirectory=/usr/local/logstash
Nice=19
LimitNOFILE=16384

[Install]
WantedBy=multi-user.target

logstash configuration

input {
    syslog {
        port => "514"
    }
}
filter {
}
output {
    stdout { codec => rubydebug }
}

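Test result:

(2) Start the Logstash service as the ordinary logstash user, configure the firewalld firewall to forward port 514 traffic to port 1300, and set the syslog input in logstash to receive log messages on port 1300

logstash.service is as follows: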

[Unit]
Description=logstash

[Service]
Type=simple
User=logstash
Group=logstash
Environment=JAVA_HOME=/usr/local/jdk
Environment=LS_HOME=/usr/local/logstash
Environment=LS_SETTINGS_DIR=/usr/local/logstash/config/
Environment=LS_PIDFILE=/usr/local/logstash/logstash.pid
Environment=LS_USER=logstash
Environment=LS_GROUP=logstash
Environment=LS_GC_LOG_FILE=/usr/local/logstash/logs/gc.log
Environment=LS_OPEN_FILES=16384
Environment=LS_NICE=19
Environment=SERVICE_NAME=logstash
Environment=SERVICE_DESCRIPTION=logstash
ExecStart=/usr/local/logstash/bin/logstash "--path.settings" "/usr/local/logstash/config/"
Restart=always
WorkingDirectory=/usr/local/logstash
Nice=19
LimitNOFILE=16384

[Install]
WantedBy=multi-user.target

logstash conf test configuration

input {
    syslog {
        port => "1300"
    }
}
filter {
}
output {
    stdout { codec => rubydebug }
}

Configure firewalld port forwarding so that traffic to port 514 is forwarded to port 1300

firewall-cmd --permanent --zone=public --add-port=514/tcp
firewall-cmd --permanent --zone=public --add-forward-port=port=514:proto=tcp:toport=1300
firewall-cmd --reload
firewall-cmd --list-ports
firewall-cmd --list-forward-ports
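
The error log above comes from the UDP listener, and the Logstash syslog input listens on both TCP and UDP, while the commands above add only a tcp forward. The check below is an added example, not part of the original post: it reads `firewall-cmd --list-forward-ports` output and reports which protocol has no 514 to 1300 forward. The function names and sample rule lists are constructed, and the `port=...:proto=...:toport=...:toaddr=` entry format is an assumption about the firewalld output.

```shell
#!/bin/sh
# Added example: audit firewalld forward rules for the syslog redirect.
# Assumption: each rule looks like  port=514:proto=tcp:toport=1300:toaddr=

# missing_forwards SRC DST   (rule list on stdin)
# Prints every protocol (tcp, udp) that has no SRC -> DST forward rule.
# Prints nothing when both protocols are covered.
missing_forwards() {
    _src="$1"
    _dst="$2"
    # Normalise to one rule per line, whether rules were separated by
    # spaces, tabs or newlines.
    _rules="$(tr -s ' \t' '\n\n')"
    for _proto in tcp udp; do
        # The colon after the port anchors the match, so 5140 != 514.
        if ! printf '%s\n' "$_rules" |
            grep -Eq "^port=${_src}:proto=${_proto}:toport=${_dst}(:toaddr=.*)?$"; then
            printf '%s\n' "$_proto"
        fi
    done
}

# audit RULES : prints a verdict, returns 1 if a protocol is not forwarded.
audit() {
    _missing="$(printf '%s\n' "$1" | missing_forwards 514 1300)"
    if [ -n "$_missing" ]; then
        echo "no 514->1300 forward for:" $_missing
        return 1
    fi
    echo "514->1300 forwarded for tcp and udp"
}

# Constructed sample: the state left by the tcp-only commands.
SAMPLE_TCP_ONLY='port=514:proto=tcp:toport=1300:toaddr='
# Constructed sample: both protocols forwarded.
SAMPLE_BOTH='port=514:proto=tcp:toport=1300:toaddr=
port=514:proto=udp:toport=1300:toaddr='

audit "$SAMPLE_TCP_ONLY" || true
audit "$SAMPLE_BOTH"
# On a live host:
#   audit "$(firewall-cmd --zone=public --list-forward-ports)"
```

If udp is reported as missing, repeat the `--add-port` and `--add-forward-port` commands with `udp` in place of `tcp` and reload.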

The test result is as follows:
