Logstash-forwarder作为Windows服务

时间:2015-04-13 17:02:38

标签: elasticsearch windows-services logstash logstash-forwarder

我正在努力为Windows 2008 R2 Server上的logstash转发器创建Windows服务。

我的设置如下:

Ubuntu Server 14.04 LTS

  • Elasticsearch
  • Logstash
  • Kibana

Windows Server 2008 R2:

  • 应用程序记录到某个路径。
  • 通过Logstash-forwarder将日志发送到ELK Stack

我目前正在使用此处的说明通过Logstash转发器成功将日志发送到ELK-Stack ... https://github.com/elastic/logstash-forwarder。唯一的问题是,我必须在CLI窗口中运行logstash转发器,并且我无法将其设置为Windows服务。

我尝试了以下SC命令,创建了服务,但服务根本无法启动。只返回以下错误:服务未及时响应启动或控制请求。 

sc create LogstashForwarder binpath= "\"C:\_Logstash\logstash-forwarder.exe\" -config=\"C:\_Logstash\logstash-forwarder.conf\"" start= Auto displayname= "Logstash forwarder"

不幸的是谷歌也不知道任何答案。

是否有人能够使用SC命令在Windows上作为Windows服务启动logstash转发器?一些好的建议将非常感激。

3 个答案:

答案 0 :(得分:4)

如果您的logstash配置正确,请尝试以下步骤。

  1. 获取nssm
  2. 解压缩logstash的bin文件夹中的nssm zip

  3. 从命令行执行 nssm install logstash

  4. 在已启动的配置屏幕

    5. 上添加您的bat的路径
  5. 也添加您的启动目录。

    6. 您可以在这里获得更多帮助

    https://blog.basefarm.com/blog/how-to-install-logstash-on-windows-server-2012-with-kibana-in-iis/

    https://github.com/verbosemode/public-notes/blob/master/logstash-windows.md

    希望这个帮助

答案 1 :(得分:0)

要添加到Rys的答案,Logstash-Forwarder本身不会读取Windows事件日志。在研究如何解决这个问题时,我发现了Sean-M的this gist

我修改了原始脚本,以便Powershell脚本启动LSF,然后将事件日志传递到stdin。然后我将NSSM指向脚本并将其作为服务运行。如果您的配置文件设置如下:

        {
          "network": {
            "servers": [ "<logstash IP>:5000" ],
            "timeout": 15,
            "ssl ca": "C:/path/to/logstash-forwarder.crt"
          },
          "files": [
                {
                  "paths": [
                     "C:/inetpub/logs/LogFiles/W3SVC*/*.log"
                   ],
                   "fields": { "type": "iis-w3svc" }
                },
                {
                  "paths": [
                    "-"
                  ],
                  "fields": { "type": "windows-event" }
                }
          ]
        }

LSF将捕获JSON输入并将其发送到Logstash。以下Powershell代码**: 

#Requires -Version 3
param (
    [string]$lognames
)

#reading security log requires elevated privileges so only read Application and System for now
[string[]]$logname = $("Application", "System" )

if ($lognames)
{
    [string[]]$logname = $lognames -split ", "
}


##################################
#            Functions           #
##################################

function EvenSpace{
    param ($word) 

    $tabWidth = 48

    $wordTabs = $tabWidth - $word.Length
    $tabNum = [Math]::Floor($($wordTabs/4)) / 2

    ("`t" * $tabNum)
}


## Read events, write to file
function ReadEvents {
    param ([hashtable]$filter, [string]$OutFile=[String]::Empty)

    ## Make it look pretty if writting to stdout    
    try {
        [object[]]$data = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | sort RecordId

        [int]$count = 0
        if ((-not $data -eq $null) -or ($data.Count -gt 0)) {            
            $count = $data.Count
        }


        Write-Verbose ("Log: $($filter["LogName"])" + (EvenSpace -word $filter["LogName"]) + "Count: $count")
    }
    catch {
        $Error[0]
        Write-Verbose ""
        Write-Verbose "Filter:"
        $filter
        return
    }


    if ($data.Count -gt 0) {

        foreach ($event in $data) {
            $json = $event | ConvertTo-Json -Compress
            #$jsonbytes = @($json)
            #$process.StandardInput.BaseStream.Write($jsonbytes,0,$jsonbytes.Count)

            Write-Verbose $json

            $process.StandardInput.WriteLine($json)
        }
    }
}

## Use a try/catch/finally to allow for the inputs to be closed and the process stopped
[System.Diagnostics.Process]$process = $null
$endTime = Get-Date

try
{
    ## Prepare to invoke the process
    $processStartInfo = New-Object System.Diagnostics.ProcessStartInfo
    $processStartInfo.FileName = (Get-Command .\logstash-forwarder.exe).Definition
    $processStartInfo.WorkingDirectory = (Get-Location).Path
    $processStartInfo.Arguments = "-config logstash-forwarder.conf"
    $processStartInfo.UseShellExecute = $false

    ## Always redirect the input and output of the process.
    ## Sometimes we will capture it as binary, other times we will
    ## just treat it as strings.
    $processStartInfo.RedirectStandardOutput = $true
    $processStartInfo.RedirectStandardInput = $true

    $process = [System.Diagnostics.Process]::Start($processStartInfo)

    ##################################
    #           Main Logic           #
    ##################################

    ## Loop to capture events
    while ($true) {
        [String]::Empty | Write-Verbose

        Start-Sleep -Seconds 5

        $startTime = $endTime

        [TimeSpan]$diff = (Get-Date) - $startTime
        if ($diff.TotalHours -gt 1) {
            $endTime = $startTime + (New-TimeSpan -Minutes 30)
        }
        else {
            $endTime = Get-Date
        }

        Write-Verbose "Starting timespan $($startTime) -> $($endTime)"

        ## Supports reading multiple logs
        if ($logname.Count -gt 1) {
            foreach ($log in $logname) {
                ReadEvents -filter @{LogName=$log; StartTime=$startTime; EndTime=$endTime} -OutFile $output
            }
        }
        else {
            ReadEvents -filter @{LogName=$logname; StartTime=$startTime; EndTime=$endTime} -OutFile $output
        }
    }
}
catch
{
    Write-Error $error[0]|format-list -force
    throw $_.Exception
}
finally
{
    if($process)
    {
        $process.StandardInput.Close()
        $process.Close()
    }
}

**该脚本并不能真正处理LSF失败,但它现在可以满足我的目的。

答案 2 :(得分:0)

尝试使用nssm在Answer下添加此内容。您还可以使用以下命令在没有UI的情况下从命令行创建服务。

确保nssm.exe位于同一目录中,然后从那里运行脚本(或者只编辑脚本)。

@echo off
set BASE_DIR=C:\temp\logstash-forwarder
nssm install Logstash-Forwarder "%BASE_DIR%\logstash-forwarder.exe"
nssm set Logstash-Forwarder AppDirectory "%BASE_DIR%"
nssm set Logstash-Forwarder AppStopMethodSkip "6"
nssm set Logstash-Forwarder AppParameters "-config %BASE_DIR%\logstash-forwarder.conf"
相关问题
最新问题