@frankel
Last active August 29, 2015 14:12
How to correctly configure logstash and logstash-forwarder
Reference article:
https://www.digitalocean.com/community/tutorials/how-to-use-logstash-and-kibana-to-centralize-and-visualize-logs-on-ubuntu-14-04
logstash
http://logstash.net/
logstash-forwarder
https://github.com/elasticsearch/logstash-forwarder
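Install logstash on the server that receives the logs (referred to as ServerA).
Install logstash-forwarder on the server that sends the logs (referred to as ServerB).
Start commands: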
logstash -f /root/opt/logstash-1.4.2/conf/logstash.conf -- web WALKER(ServerA)
logstash_forward -config /root/opt/logstash-forwarder/conf/logstash-forward.conf STAGING(ServerB)
The SSL key pair is stored in the /etc/pki/tls/certs and /etc/pki/tls/private directories.
The contents of logstash.conf are roughly as follows:
input {
  lumberjack {
    port => 6000
    type => "logs"
    codec => json {
      charset => "UTF-8"
    }
    ssl_certificate => "/etc/pki/tls/certs/selfsigned.crt"
    ssl_key => "/etc/pki/tls/private/selfsigned.key"
  }
}
filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    syslog_pri { }
    date {
      match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}
output {
  elasticsearch { embedded => true }
  stdout { codec => rubydebug }
}
The contents of logstash-forward.conf are roughly as follows:
{
  "network": {
    "servers": [ "115.29.249.226:6000" ],
    "timeout": 15,
    "ssl ca": "/etc/pki/tls/certs/selfsigned.crt",
    "ssl_key": "/etc/pki/tls/private/selfsigned.key"
  },
  "files": [
    {
      "paths": [
        "/var/www/jiguang/shared/log/staging.log"
      ],
      "fields": { "type": "syslog" }
    }
  ]
}
Note:
When generating the SSL key pair, do not follow the method described in the DigitalOcean article above; it leads to the error
cannot validate certificate for x.x.x.x because it doesn't contain any IP SANs
Use the following script instead:
https://github.com/driskell/log-courier/blob/develop/src/lc-tlscert/lc-tlscert.go
go run lc-tlscert.go
Choose ServerA's IP address.
Related discussion: https://github.com/elasticsearch/logstash-forwarder/issues/221