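NXLog configuration
NXLog has only one configuration file: no matter how many kinds of logs are collected, everything goes into that one file. The file can be divided into six parts: the definition section, Extension, Processor, Input, Output and Route. They appear in the file in that order, and each is described below in the same order.

The samples come from a Windows 2012 test host:
IP: 192.168.161.63
Password: Xx123456

1. Definition section; the template is as follows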
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
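
Notes: this section is already provided at installation.
Of the first two lines,
#define ROOT C:\Program Files\nxlog
define ROOT C:\Program Files (x86)\nxlog
which one applies depends on whether the operating system is 32-bit or 64-bit.
define CERTDIR %ROOT%\cert
is the path for the encryption files, which we added ourselves. The cert directory already exists in the NXLog installation; just put the corresponding files in it.
Everything else is the default from the configuration file.
2. Extension section
Modules loaded up front: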
<Extension _syslog>
    Module      xm_syslog
</Extension>

<Extension _json>
    Module      xm_json
</Extension>
# Works around parse failures on file content
<Extension charconv>
    Module      xm_charconv
</Extension>

Only these two kinds are used; nothing else needs to be added for now (as more log types are supported, more processing functions may be added).
3. Processor section
This section does some simple processing on each log, adding the necessary fields.
The template is as follows:
<Processor PRO_NAME>
    Module      pm_transformer
    Exec        $uuid = "UUID";
    Exec        $log_type = "LOG_TYPE";
    Exec        $parser_rule = "PARSER_RULE";
    Exec        $collector_type = "COLLECTOR_TYPE";
    Exec        $log_path = "LOG_PATH";
    Exec        $ip = "IP";
</Processor>
Notes:
PRO_NAME: the name of this processor instance; it must be unique within the configuration file
UUID: a unique identifier. The naming rule agreed earlier is "project identifier_collector identifier"; it must be unique across the whole system
IP: the IP address of the collector
LOG_TYPE: the type of log being collected; see the "data source name" column of the data source type list in the document on supported log parsing rules and log sources
PARSER_RULE: the log parsing rule; see the "log parsing rule" column of the data source type list in the same document
COLLECTOR_TYPE: the log collection method. Possible values are "nxlog", "rsyslog" and "agent"; here it is fixed to "nxlog"
LOG_PATH: the log file path. Windows event logs have no path, so "eventlogpath" is used here instead.
① Windows system log processing sample
<Processor pro_win_system>
    Module      pm_transformer
    Exec        $uuid = "windows_2012_0002";
    Exec        $log_type = "win_event_log";
    Exec        $parser_rule = "nxlog_win_event_rule";
    Exec        $collector_type = "nxlog";
    Exec        $log_path = "eventlogpath";
    Exec        $ip = "192.168.161.63";
</Processor>
② Apache access log processing sample
<Processor pro_apache_access>
    Module      pm_transformer
    Exec        $uuid = "windows_2012_0002";
    Exec        $log_type = "apache_access_log";
    Exec        $parser_rule = "nxlog_apache_access_rule";
    Exec        $collector_type = "nxlog";
    Exec        $log_path = "C:\Program Files (x86)\Apache Software Foundation\Apache2.2\logs\access.log";
    Exec        $ip = "192.168.161.63";
</Processor>
③ MySQL error log processing sample
<Processor pro_mysql_error>
    Module      pm_transformer
    Exec        $uuid = "windows_2012_0002";
    Exec        $log_type = "mysql_error_log";
    Exec        $parser_rule = "nxlog_mysql_error_rule";
    Exec        $collector_type = "nxlog";
    Exec        $log_path = "C:\ProgramData\MySQL\MySQL Server 5.5\data\cloudzmb-11.err";
    Exec        $ip = "192.168.161.63";
</Processor>
④ Tomcat access log processing sample
<Processor pro_tomcat_access>
    Module      pm_transformer
    Exec        $uuid = "windows_2012_0002";
    Exec        $log_type = "tomcat_access_log";
    Exec        $parser_rule = "nxlog_tomcat_access_rule";
    Exec        $collector_type = "nxlog";
    Exec        $log_path = "C:\Program Files (x86)\Apache Software Foundation\Tomcat 7.0\logs\localhost_access_log.*.txt";
    Exec        $ip = "192.168.161.63";
</Processor>
4. Input section
This section acquires the logs. Different log types need different acquisition methods; there are currently two templates, one for Windows system logs and one for file-based logs.
Windows log acquisition template
<Input in_win_system>
    Module      im_msvistalog
# For windows 2003 and earlier use the following:
#   Module      im_mseventlog
</Input>
Notes: the template essentially never changes. im_msvistalog supports versions after Windows 2003; im_mseventlog supports versions before 2003, including 2003.
Sample (Windows 2008 host):
<Input in_win_system>
    Module      im_msvistalog
</Input>

File log acquisition template
<Input IN_NAME>
    Module      im_file
    File        "FILE_PATH"
    Exec        convert_fields("GB2312", "utf-8");
</Input>
Notes:
IN_NAME: a unique name for the input instance; it only has to differ from every other name in the file
FILE_PATH: the file path

① MySQL error log file sample
<Input in_mysql_error>
    Module      im_file
    File        "C:\ProgramData\MySQL\MySQL Server 5.5\data\cloudzmb-11.err"
    Exec        convert_fields("GB2312", "utf-8");
</Input>
② Tomcat access log file sample
<Input in_tomcat_access>
    Module      im_file
    File        "C:\Program Files (x86)\Apache Software Foundation\Tomcat 7.0\logs\localhost_access_log.*.txt"
    Exec        convert_fields("GB2312", "utf-8");
</Input>
③ Apache access log file sample
<Input in_apache_access>
    Module      im_file
    File        "C:\Program Files (x86)\Apache Software Foundation\Apache2.2\logs\access.log"
    Exec        convert_fields("GB2312", "utf-8");
</Input>

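5. Output section
Only two kinds of output are currently supported; based on the investigation so far, two are all that is needed: sending Windows system logs and sending file-based logs. Each comes in two modes, SSL-encrypted and unencrypted.
Sending Windows system logs
Encrypted-mode template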
<Output out>
    Module      om_ssl
    Host        DST_IP
    Port        DST_PORT
    CAFile      CA_CERT
    CertFile    CLIENT_CERT
    CertKeyFile CLIENT_KEY
    KeyPass     PASSWORD
    AllowUntrusted     TRUE
    Exec        $raw_event = to_json();
</Output>
Notes:
DST_IP: the IP address of the destination host; a domain name can also be used
DST_PORT: the port on the destination host
CA_CERT: the path to the CA certificate
CLIENT_CERT: the certificate generated on the server for the client host
CLIENT_KEY: the key generated on the server for the client host
PASSWORD: the certificate password. The default is "123456" and can be changed; it depends on the password set when the certificate was generated
Sample
<Output out>
    Module      om_ssl
    Host        192.168.161.96
    Port        1514
    CAFile      %CERTDIR%\ca-cert.pem
    CertFile    %CERTDIR%\client-cert.pem
    CertKeyFile %CERTDIR%\client-key.pem
    KeyPass     123456
    AllowUntrusted     TRUE
    Exec        $raw_event = to_json();
</Output>
Unencrypted template
<Output out>
    Module      om_tcp
    Host        DST_IP
    Port        DST_PORT
    Exec        $raw_event = to_json();
</Output>
Notes:
DST_IP: the IP address of the destination host; a domain name can also be used
DST_PORT: the port on the destination host
Sample
<Output out>
    Module      om_tcp
    Host        192.168.161.96
    Port        1514
    Exec        $raw_event = to_json();
</Output>
Sending file-based logs
Encrypted template
<Output out1>
    Module      om_ssl
    Host        DST_IP
    Port        DST_PORT
    CAFile      CA_CERT
    CertFile    CLIENT_CERT
    CertKeyFile CLIENT_KEY
    KeyPass     PASSWORD
    AllowUntrusted     TRUE
    Exec        $msg = $raw_event;
    Exec        $raw_event = to_json();
</Output>
Notes:
DST_IP: the IP address of the destination host; a domain name can also be used
DST_PORT: the port on the destination host
CA_CERT: the path to the CA certificate
CLIENT_CERT: the certificate generated on the server for the client host
CLIENT_KEY: the key generated on the server for the client host
PASSWORD: the certificate password. The default is "123456" and can be changed; it depends on the password set when the certificate was generated
Sample
<Output out1>
    Module      om_ssl
    Host        192.168.161.96
    Port        1514
    CAFile      %CERTDIR%\ca-cert.pem
    CertFile    %CERTDIR%\client-cert.pem
    CertKeyFile %CERTDIR%\client-key.pem
    KeyPass     123456
    AllowUntrusted     TRUE
    Exec        $msg = $raw_event;
    Exec        $raw_event = to_json();
</Output>

Unencrypted template
<Output out>
    Module      om_tcp
    Host        DST_IP
    Port        DST_PORT
    Exec        $msg = $raw_event;
    Exec        $raw_event = to_json();
</Output>
Notes:
DST_IP: the IP address of the destination host; a domain name can also be used
DST_PORT: the port on the destination host
Sample
<Output out>
    Module      om_tcp
    Host        192.168.161.96
    Port        1514
    Exec        $msg = $raw_event;
    Exec        $raw_event = to_json();
</Output>
6. Route section
The Route section defines the order in which a log passes through the modules; each kind of log needs its own Route.
The template is as follows:
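<Route ROUTE_NAME>
    Path        IN_NAME => PRO_NAME => OUT_NAME
</Route>
Notes:
ROUTE_NAME: the name of the route; it must be unique within the file
IN_NAME: the name of the Input instance
PRO_NAME: the name of the Processor instance
OUT_NAME: the name of the Output instance. The Output section above did not give these descriptive names and simply used "out" and "out1"; they can be renamed if necessary
① Windows system output sample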
<Route win_system>
    Path        in_win_system => pro_win_system => out
</Route>
② Apache access output sample
<Route apache_access>
    Path        in_apache_access => pro_apache_access => out1
</Route>
③ MySQL error output sample
<Route mysql_error>
    Path        in_mysql_error => pro_mysql_error => out1
</Route>
④ Tomcat access output sample
<Route tomcat_access>
    Path        in_tomcat_access => pro_tomcat_access => out1
</Route>
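
A lint pass over a configuration built from the templates in sections 3 to 6, as an added example (not part of the original page or of NXLog): it checks the naming rules stated above (names unique, every name in a Route Path defined) and reports the transport settings seen in the Output samples, where om_tcp sends logs unencrypted, AllowUntrusted TRUE lets om_ssl proceed regardless of the certificate verification result, and KeyPass keeps the key password in the file. The lint function, the finding strings and the embedded sample are assumptions made for this example.

```python
import re
# Constructed sample in this page's layout (not taken from a real host).
SAMPLE = r"""
<Input in_win_system>
    Module      im_msvistalog
</Input>
<Processor pro_win_system>
    Module      pm_transformer
</Processor>
<Output out>
    Module      om_ssl
    KeyPass     123456
    AllowUntrusted     TRUE
</Output>
<Output out1>
    Module      om_tcp
</Output>
<Route win_system>
    Path        in_win_system => pro_win_system => out
</Route>
<Route apache_access>
    Path        in_apache_access => pro_win_system => out1
</Route>
"""

BLOCK = re.compile(r"(?ms)^\s*<(Processor|Input|Output|Route)\s+(\S+)>(.*?)^\s*</\1>")

def lint(conf):
    """Return (name, issue) pairs; directives are 'Name value', '#' is a comment."""
    findings, kinds, routes = [], {}, []
    for kind, name, body in BLOCK.findall(conf):
        d = dict((ln.split(None, 1) + [""])[:2]
                 for ln in map(str.strip, body.splitlines())
                 if ln and not ln.startswith("#"))
        if name in kinds:  # assumption: all names share one namespace
            findings.append((name, "duplicate name"))
        kinds[name] = kind
        if kind == "Route":
            routes.append((name, [p.strip() for p in d.get("Path", "").split("=>")]))
        elif d.get("Module") == "om_tcp":
            findings.append((name, "logs sent unencrypted"))
        elif d.get("Module") == "om_ssl":
            if d.get("AllowUntrusted", "").upper() == "TRUE":
                findings.append((name, "certificate verification result ignored"))
            if "KeyPass" in d:
                findings.append((name, "key password stored in config"))
    # Every hop of a Route Path must name a defined module instance.
    findings += [(r, "undefined instance: " + ref) for r, path in routes
                 for ref in path if kinds.get(ref) in (None, "Route")]
    return findings
```

Calling lint(SAMPLE) reports the two om_ssl settings on "out", the plaintext "out1", and the route that names an Input that was never defined.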
Summary