ELK 联动 ZABBIX 实现异常日志告警
ELK 联动 ZABBIX 实现异常日志告警
Kevin song
发布于 2020-02-19 14:50:41
发布于 2020-02-19 14:50:41
本篇文章是基于"ELK 部署可视化网络日志分析监控平台"进行升级, 实现网络异常日志联动ZABBIX告警,网络日志分析监控平台部署请参考前期文章。
简介
由于ELK 开源版本不提供告警模块,网络异常日志只能通过ELK 过滤查看,无法实现告警实时推送,存在告警遗漏等问题! 本着能用机器做的事情就不要人去介入的懒惰原则实现网络设备异常日志自动化监控告警。
实现思路
使用logstash-output-zabbix插件,将logstash收集到的数据过滤出异常日志输出到ZABBIX实现告警推送。
安装logstash-output-zabbix插件
/usr/share/logstash/bin/logstash-plugin install logstash-output-zabbixfilebeat 配置
# egrep -v "*#|^$" /etc/filebeat/filebeat.yml
filebeat.inputs:
- type: log
enabled: true
paths:
- /mnt/huawei/*
tags: ["huawei"]
include_lines: ['Failed','failed','error','ERROR','\bDOWN\b','\bdown\b','\bUP\b','\bup\b']
drop_fields:
fields: ["beat","input_type","source","offset","prospector"]
- type: log
paths:
- /mnt/h3c/*
tags: ["h3c"]
include_lines: ['Failed','failed','error','ERROR','\bDOWN\b','\bdown\b','\bUP\b','\bup\b']
drop_fields:
fields: ["beat","input_type","source","offset","prospector"]
- type: log
paths:
- /mnt/ruijie/*
tags: ["ruijie"]
include_lines: ['Failed','failed','error','ERROR','\bDOWN\b','\bdown\b','\bUP\b','\bup\b']
drop_fields:
fields: ["beat","input_type","source","offset","prospector"]
filebeat.config.modules:
path: ${path.config}/modules.d/*.yml
reload.enabled: false
name: 192.168.99.185
setup.template.settings:
index.number_of_shards: 3
setup.kibana:
output.logstash:
hosts: ["192.168.99.185:5044"]
processors:
- add_host_metadata: ~
- add_cloud_metadata: ~logstash 配置
[root@elk-node1 conf.d]# cat networklog.conf
input {
beats {
port => 5044
}
}
filter {
if "huawei" in [tags] {
grok{
match => {"message" => "%{SYSLOGTIMESTAMP:time} %{DATA:hostname} %{GREEDYDATA:info}"}
}
}
else if "h3c" in [tags] {
grok{
match => {"message" => "%{SYSLOGTIMESTAMP:time} %{YEAR:year} %{DATA:hostname} %{GREEDYDATA:info}"}
}
}
else if "ruijie" in [tags] {
grok{
match => {"message" => "%{SYSLOGTIMESTAMP:time} %{DATA:hostname} %{GREEDYDATA:info}"}
}
}
mutate {
add_field => [ "[zabbix_key]", "networklogs" ]
add_field => [ "[zabbix_host]", "192.168.99.185" ]
add_field => [ "count","%{hostname}%{info}" ]
remove_field => ["message","time","year","offset","tags","path","host","@version","[log]","[prospector]","[beat]","[input][type]","[source]"]
}
}
output{
stdout{codec => rubydebug}
elasticsearch{
index => "networklogs-%{+YYYY.MM.dd}"
hosts => ["192.168.99.185:9200"]
sniffing => false
}
if [count] =~ /(error|ERROR|Failed|failed)/ {
zabbix {
zabbix_host => "[zabbix_host]"
zabbix_key => "[zabbix_key]"
zabbix_server_host => "192.168.99.200"
zabbix_server_port => "10051"
zabbix_value => "count"
}
}
}logstash参数介绍
add_field => [ "[zabbix_key]", "networklogs" ]
#新增的字段,字段名是zabbix_key,值为networklogs。
add_field => [ "[zabbix_host]", "192.168.99.185" ]
#新增的字段,字段名是zabbix_host,该字段必须和zabbix 中调用模板的主机的名称对应
add_field => [ "count","%{hostname}%{info}" ]
#新增的字段,字段名是count,该字段是合并网络日志切割后的主机名和告警信息,用于在zabbix上区分网络主机的日志
if [count] =~ /(error|ERROR|Failed|failed)/ {
#定义在count字段中过滤的网络异常关键字日志推送zabbix。
zabbix {
zabbix_host => "[zabbix_host]"
#zabbix_host 调用filter中定义的变量
zabbix_key => "[zabbix_key]"
#zabbix_key 调用filter中定义的变量
zabbix_server_host => "192.168.99.200"
#指定zabbix server的IP地址
zabbix_server_port => "10051"
#指定zabbix server 监听的端口
zabbix_value => "count"
#指定传送zabbix监控项item(networklogs)的值
}
}测试字段切割合并是否正常
ZABBIX Web 配置
创建模板
创建应用集
创建监控项
创建触发器
{logstash-output-zabbix:networklogs.strlen()}>0 and {logstash-output-zabbix:networklogs.nodata(60)}=0主机关联模板
zabbix-sender 安装
yum install zabbix-sender
#使用zabbix-sender向zabbix 发送数据测试
[root@elk-node1 conf.d]# zabbix_sender -s 192.168.99.185 -z 192.168.99.200 -k "networklogs" -o 1 -vv
zabbix_sender [2444]: DEBUG: answer [{"response":"success","info":"processed: 1; failed: 0; total: 1; seconds spent: 0.000057"}]
Response from "192.168.99.200:10051": "processed: 1; failed: 0; total: 1; seconds spent: 0.000057"
sent: 1; skipped: 0; total: 1
参数介绍:
-s:指定agent ip
-z:指定zabbix server
-k:指定键值ZABBIX 查看最新文本数据
Kibana 查看网络日志
ZABBIX 告警
本文参与 腾讯云自媒体分享计划,分享自微信公众号。
原始发表:2019-12-18,如有侵权请联系 cloudcommunity@tencent.com 删除
评论
登录后参与评论
推荐阅读
相关产品与服务
Elasticsearch Service
腾讯云 Elasticsearch Service(ES)是云端全托管海量数据检索分析服务,拥有高性能自研内核,集成X-Pack。ES 支持通过自治索引、存算分离、集群巡检等特性轻松管理集群,也支持免运维、自动弹性、按需使用的 Serverless 模式。使用 ES 您可以高效构建信息检索、日志分析、运维监控等服务,它独特的向量检索还可助您构建基于语义、图像的AI深度应用。