Loki部署

一、安装grafana
[root@loki ~]# yum install -y https://dl.grafana.com/enterprise/release/grafana-enterprise-10.0.0-1.x86_64.rpm
二、安装loki
[root@loki ~]# wget https://github.com/grafana/loki/releases/download/v2.8.2/loki-linux-amd64.zip
[root@loki ~]# sha256sum loki-linux-amd64.zip   # 解压前与发布页公布的SHA256校验值比对,确认下载文件未被篡改
[root@loki ~]# unzip loki-linux-amd64.zip
[root@loki ~]# mkdir -p /etc/loki
[root@loki ~]# mv loki-linux-amd64 /etc/loki
[root@loki ~]# vim /etc/loki/loki.yaml

# Single-process Loki configuration: local filesystem storage, in-memory ring,
# one replica.
# NOTE(review): Loki performs no authentication of its own. With
# auth_enabled: false the tenant header is not required either, so any client
# that can reach the HTTP port can push and query logs. Restrict access at the
# network layer or put an authenticating reverse proxy in front.
auth_enabled: false

# NOTE(review): no http_listen_address / grpc_listen_address is set, so the
# listeners use Loki's default bind address (all interfaces, as far as I know;
# confirm for your version). Promtail on this page pushes to 127.0.0.1, so
# binding to 127.0.0.1 or firewalling 3100/9096 should be enough here.
server:
  http_listen_port: 3100
  grpc_listen_port: 9096

common:
  # All chunk and rule data lives under /data/loki on the local disk.
  path_prefix: /data/loki
  storage:
    filesystem:
      chunks_directory: /data/loki/chunks
      rules_directory: /data/loki/rules
  # One copy of the data and an in-memory ring on the loopback address:
  # a single-node setup with no clustering.
  replication_factor: 1
  ring:
    instance_addr: 127.0.0.1
    kvstore:
      store: inmemory

schema_config:
  configs:
    # Index schema that applies to data from this date on; one index table per 24h.
    - from: 2023-07-18
      store: boltdb-shipper
      object_store: filesystem
      schema: v11
      index:
        prefix: index_
        period: 24h

ruler:
  # NOTE(review): points at an Alertmanager on localhost:9093; the steps shown
  # on this page do not install one.
  alertmanager_url: http://localhost:9093

[root@loki ~]# /etc/loki/loki-linux-amd64 -config.file /etc/loki/loki.yaml
[root@loki ~]# vim /lib/systemd/system/loki.service

# systemd unit that starts the Loki binary with /etc/loki/loki.yaml.
[Unit]
Description=Loki service
After=network.target

[Service]
Type=simple
# NOTE(review): the service runs as root. According to loki.yaml it only needs
# to write under /data/loki and listen on unprivileged ports (3100/9096), so a
# dedicated unprivileged account that owns /data/loki would limit the impact
# of a compromise of this network-facing process.
User=root
ExecStart=/etc/loki/loki-linux-amd64 -config.file /etc/loki/loki.yaml

[Install]
WantedBy=multi-user.target

三、安装promtail
[root@loki ~]# wget https://github.com/grafana/loki/releases/download/v2.8.2/promtail-linux-amd64.zip
[root@loki ~]# sha256sum promtail-linux-amd64.zip   # 解压前与发布页公布的SHA256校验值比对,确认下载文件未被篡改
[root@loki ~]# unzip promtail-linux-amd64.zip
[root@loki ~]# mkdir -p /etc/promtail
[root@loki ~]# mv promtail-linux-amd64 /etc/promtail/
[root@loki ~]# vim /etc/promtail/promtail.yaml

# Promtail configuration: tail the per-device log files written by rsyslog and
# push them to the local Loki instance.
server: 
  http_listen_port: 9080
  # presumably 0 lets Promtail pick a random gRPC port; confirm for your version
  grpc_listen_port: 0
 
# NOTE(review): the positions file records how far each log file has been read.
# /tmp is world-writable and is typically cleaned on reboot, so the read offsets
# can be lost or tampered with; a root-owned directory outside /tmp is safer.
positions: 
  filename: /tmp/positions.yaml
 
# Push target: Loki's HTTP port on the loopback interface (plain HTTP, local only).
clients: 
  - url: http://127.0.0.1:3100/loki/api/v1/push
 
# One job per network device. __path__ selects the files to tail; the other
# labels are attached to every log line from that device.
scrape_configs: 
- job_name: r1
  static_configs: 
  - targets:
      - 127.0.0.1
    labels: 
      job: 网络设备日志
      location: 办公室机房
      vendor: 华为
      hostname: R1
      __path__: /var/log/network/r1/*.log
- job_name: r2
  static_configs:
  - targets:
      - 127.0.0.1
    labels:
      job: 网络设备日志
      location: 数据中心
      vendor: 思科
      hostname: R2
      __path__: /var/log/network/r2/*.log

[root@loki ~]# /etc/promtail/promtail-linux-amd64 -config.file /etc/promtail/promtail.yaml
[root@loki ~]# vim /lib/systemd/system/promtail.service

# systemd unit that starts the Promtail binary with /etc/promtail/promtail.yaml.
[Unit]
Description=Promtail service
After=network.target

[Service]
Type=simple
# NOTE(review): the service runs as root. Promtail only needs read access to
# the files under /var/log/network and write access to its positions file; a
# dedicated account with exactly that access would reduce exposure. Some
# rsyslog actions on this page already set FileOwner="promtail", which
# suggests such an account is intended; confirm that it exists.
User=root
ExecStart=/etc/promtail/promtail-linux-amd64 -config.file /etc/promtail/promtail.yaml

[Install]
WantedBy=multi-user.target

四、启用服务
[root@loki ~]# systemctl start promtail.service
[root@loki ~]# systemctl start loki.service
[root@loki ~]# systemctl start grafana-server.service
五、加入开机启动
[root@loki ~]# systemctl enable promtail.service
[root@loki ~]# systemctl enable loki.service
[root@loki ~]# systemctl enable grafana-server.service
六、配置rsyslog
1、添加hosts解析
[root@loki ~]# cat /etc/hosts

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.140.130 R1
192.168.140.131 R2

2、修改/etc/rsyslog.conf文件
[root@loki ~]# vim /etc/rsyslog.conf

# Main rsyslog configuration: receive syslog over UDP and keep the stock local
# log files.
# NOTE(review): imudp on port 514 accepts datagrams from any source. Syslog
# over UDP is unauthenticated and source addresses can be spoofed, so limit
# the port with a host firewall to the device addresses that are expected to
# send logs.
$ModLoad imudp
$UDPServerRun 514
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# Files in /etc/rsyslog.d are included here, before the local rules below, so
# the rules in network.conf are evaluated first.
$IncludeConfig /etc/rsyslog.d/*.conf
# NOTE(review): these two directives relate to journal-based local logging;
# the module load for it is not part of this excerpt. Confirm against the
# full file.
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
# local5.none and local6.none keep those facilities out of /var/log/messages;
# local5 is the facility the router is configured to use later on this page.
*.info;mail.none;authpriv.none;cron.none;local5.none;local6.none       /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 :omusrmsg:*
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log

3、添加/etc/rsyslog.d/network.conf文件
[root@loki ~]# vim /etc/rsyslog.d/network.conf   # 以下为示例配置,按需使用

# Owner, group and permission bits for the log files and directories that
# rsyslog creates.
$FileOwner user1
$FileGroup user1
$DirOwner user1
$DirGroup user1
$FileCreateMode 0600
# NOTE(review): 0600 on a directory has no search (x) bit, so the owning
# non-root user cannot enter the directory or read the files in it; 0700 or
# 0750 is the usual directory mode.
$DirCreateMode 0600
# $Umask 0022

# Line format: receive date, device-reported time, sender host name and IP,
# then the message text.
$template NETWORK,"接收日志时间:%timegenerated:1:10:date-rfc3339% %timereported:12:19:date-rfc3339% %fromhost%:%fromhost-ip% msg:%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"

# %$now% equals %$YEAR%-%$MONTH%-%$DAY%; %fromhost% is the sending device's
# name (the hosts file needs a matching host name and IP record).
# NOTE(review): %fromhost% becomes a directory name under /var/log/network.
# If name resolution for senders is not fully under your control, consider
# %fromhost-ip% or the secpath-replace property option so an unexpected name
# cannot influence the path.
$template NETWORKDIR,"/var/log/network/%fromhost%/%$now%.log"

# Alternative rules, disabled and kept for reference:
# local5.* /var/log/network/network.log;NETWORK
# local5.* ?NETWORKDIR;NETWORK
# local5.* action(type="omfile"  FileGroup="promtail" FileOwner="promtail" FileCreateMode="0755" dirCreateMode="0755" dynaFile="NETWORKDIR" template="NETWORK")
# local5.* if $fromhost-ip != '127.0.0.1' and $fromhost-ip != '10.122.8.10' then ?NETWORKDIR;NETWORK
# local5.* if not ($msg contains("up")) then ?NETWORKDIR;NETWORK
# Write local5 messages from 192.168.140.140 to the per-host, per-day file.
# NOTE(review): FileCreateMode="0755" makes the log files world-readable and
# executable; log files normally need neither (0640 is typical).
# NOTE(review): a facility selector followed by an `if` expression on one line
# is unusual; make sure the syntax check in step 4 accepts it.
local5.* if $fromhost-ip == '192.168.140.140' then action(type="omfile"  FileGroup="user1" FileOwner="user1" FileCreateMode="0755" dirCreateMode="0755" dynaFile="NETWORKDIR" template="NETWORK")

# Messages from 127.0.0.1 and 10.122.8.10 are not written through the
# NETWORKDIR template.
# NOTE(review): this rule has no facility filter and also matches
# 192.168.140.140, so those messages appear to be written a second time.
if $fromhost-ip != '127.0.0.1' and $fromhost-ip != '10.122.8.10' then ?NETWORKDIR;NETWORK

# VPN system log line: date, time, then space-separated (ASCII 32) fields
# 4, 13 and 17 of the message.
$template VPNRemoteLogsSystemformat,"%timegenerated:1:10:date-rfc3339% %timereported:12:19:date-rfc3339% User:%msg:F,32:4% Src:%msg:F,32:13% dst:%msg:F,32:17%\n"

# VPN session log line: date, time, then semicolon-separated (ASCII 59) fields
# 4 to 7 of the message.
$template VPNRemoteLogsSessionformat,"%timegenerated:1:10:date-rfc3339% %timereported:12:19:date-rfc3339% %msg:F,59:4% %msg:F,59:5% %msg:F,59:6% %msg:F,59:7%\n"

# Per-host, per-day file names for the two VPN log types.
$template VPNRemoteLogsSystem,"/var/log/network/%fromhost%/System-%$YEAR%-%$MONTH%-%$DAY%.log"

$template VPNRemoteLogsSession,"/var/log/network/%fromhost%/Session-%$YEAR%-%$MONTH%-%$DAY%.log"

# Match messages and select the line format, the target path, and the file
# and directory permissions.
# contains: substring match; startswith: prefix match; contains_i and
# startswith_i: case-insensitive variants.
# :msg,contains,"VsysId:1" ?VPNRemoteLogsSession
# :msg,contains_i,"vsysid:1" ?VPNRemoteLogsSession
# :msg,contains,"10SSLVPN/6/SSLVPN_IP_RESOURCE_PERMIT" ?VPNRemoteLogsSystem
# NOTE(review): dirCreateMode="0600" has the same missing search bit as the
# $DirCreateMode directive above, and FileOwner="promtail" assumes a promtail
# account that this page does not create; confirm both.
:msg,contains,"VsysId:1" action(type="omfile" FileGroup="promtail" FileOwner="promtail" FileCreateMode="0600" dirCreateMode="0600" dynaFile="VPNRemoteLogsSession" template="VPNRemoteLogsSessionformat")
:msg,contains,"SSLVPN/6/SSLVPN_IP" action(type="omfile" FileGroup="promtail" FileOwner="promtail" FileCreateMode="0600" dirCreateMode="0600" dynaFile="VPNRemoteLogsSystem" template="VPNRemoteLogsSystemformat")

# Discard what was matched so far, so that remote-host messages are not
# processed by the rules that follow.
# NOTE(review): `&` chains to the filter on the line directly above, so only
# messages matched by the SSLVPN rule are discarded here. The `~` discard
# action is deprecated in current rsyslog in favour of `stop`.
& ~

4、检查rsyslog.conf文件是否有语法错误
[root@loki ~]# rsyslogd -f /etc/rsyslog.conf -N1

5、重启rsyslog服务
[root@loki ~]# systemctl restart rsyslog.service

6、格式化日志

"%msg:1:2%"  # 提取消息文本的前两个字符
"%msg:80:$%"  # 从第80个字符开始一直截取到末尾的剩下的文本
"%msg:::drop-last-lf%" #获取日志消息的整个消息文本,并删除其最后一个换行符
"%msg:R:Inter.*--end%\n"  # 正则匹配从字符Inter开始到该行结尾,--end为固定搭配
"%msg:F,32:5%\n"  # 以空格为分隔符取第五列(32在ASCII码中表示空格)
"%msg:F,59,1:5,12%\n"  # 以;为分隔符,取第五列中的第一个字符到第十二个字符(59在ASCII码中表示分号,5表示第五列)

七、思科路由器配置

R1(config)#logging host x.x.x.x
R1(config)#logging facility local5
R1(config)#logging on

参考链接:
       https://www.cnblogs.com/eeexu123/p/13441149.html        # 轻量日志系统Loki
       https://zhuanlan.zhihu.com/p/601612530        # 使用loki收集网络设备日志
       https://cloud.tencent.com/developer/article/1889851     # 使用loki收集网络设备日志
       https://cloud.tencent.com/developer/article/2115403?areaSource=102001.8&traceId=zQBXqjTEipWR4Bn25Hft6
       https://zhuanlan.zhihu.com/p/602336166      # Rsyslog-日志收集快速上手
       https://www.rsyslog.com/doc/v8-stable/    # rsyslog服务官方文档
       https://grafana.com/docs/loki/latest/configuration/examples/     # loki.yaml配置示例
       https://grafana.com/docs/loki/latest/operations/storage/table-manager/    # Loki日志保留时间设置
       https://grafana.com/docs/loki/latest/clients/promtail/    # promtail.yaml
