Updated installation/running instructions. Created an agent with sane

defaults for redhat-based systems.
2025-04-24 14:47:19 -04:00 · 2009-09-10 21:24:20 +00:00 · 2009-09-10 21:24:20 +00:00 · 9df61fc0c1
commit 9df61fc0c1
parent 13a54a1620
2 changed files with 84 additions and 15 deletions
--- a/32
+++ b/32
@ -1,10 +1,3 @@
-required gems:
- mkdtemp
- json
- ferret
- file-tail
- stomp
-
 This code is not beta, not alpha, but like something unnamed where
 only three people in the world have gotten it to run. YMMV. Expect
 much debuggery.
@ -20,11 +13,13 @@ You should have ruby and rubygems installed.
 After that install the following gems, via 'gem install gemname'

 required gems:
+- ruby-prof
 - mkdtemp
 - json
 - ferret
- ruby-prof
-
+- file-tail
+- stomp
+- uuid

 You'll also need ruby-grok - see instructions below..

@ -50,11 +45,18 @@ Check your /etc/ld.so.conf, or /etc/ld.so.conf.d/* .
 If not already set add /usr/local/lib

 # RUNNING INSTRUCTIONS
-Unpack into /opt/logstash, then cd into that directory
+cd into /opt/logstash
+You'll need to start stompserver.. From the command line: 'stompserver'
+Next start logstashd via 'ruby bin/logstashd.rb'
+In another window start up the agent via 
+'ruby bin/agent.redhat.rb localhost:61613'
+This assumes your system is redhat derivative (fedora, centos, etc..)
+You should see a bunch of traffic as 'agent' loads log data.

-ruby sandbox/srv.rb
-... in another window...
-ruby sandbox/client.rb /var/log/messages # loads messages into logstash
-# ^^ get "Entry was nil" ..
-ruby sandbox/searchclient.rb linux-syslog "search_string"
+Now search via:
+ruby bin/search.rb linux-syslog '*alsa*'
+ruby bin/search.rb httpd-access '*favicon.ico*'
+
+Note: All files will need access to /var/tmp/ruby-uuid so run all scripts
+as the same user..

--- a/bin/agent.redhat.rb
+++ b/bin/agent.redhat.rb
@ -0,0 +1,67 @@
+#!/usr/bin/env ruby
+
+require 'rubygems'
+require 'lib/net/client'
+require 'lib/net/messages/indexevent'
+require 'lib/net/messages/quit'
+require 'lib/file/tail/since'
+require 'stomp'
+require 'socket'
+
+
+class Agent < LogStash::Net::MessageClient
+  def initialize(host, port)
+    super(username="", password="", host=host, port=port)
+    @hostname = Socket.gethostname
+    @msgs = []
+  end # def initialize
+
+  def start_log_watcher
+    @threads = []
+    @threads << Thread.new do
+      File::Tail::Since.new("/var/log/messages").tail do |line|
+        line.chomp!
+        index("linux-syslog", line)
+      end
+    end
+    @threads << Thread.new do
+      File::Tail::Since.new("/var/log/httpd/access_log").tail do |line|
+        line.chomp!
+        index("httpd-access", line)
+      end
+    end
+  end # def start_log_watcher
+
+  def index(type, string)
+    ier = LogStash::Net::Messages::IndexEventRequest.new
+    ier.log_type = type
+    ier.log_data = string
+    ier.metadata["source_host"] = @hostname
+
+    #puts "Sending: #{ier}"
+    sendmsg("/queue/logstash", ier)
+  end # def index
+
+  def IndexEventResponseHandler(msg)
+    if msg.code != 0
+      puts msg.inspect
+    end
+  end # def IndexEventResponseHandler
+
+  def run
+    start_log_watcher
+    super
+  end
+end
+
+
+if $0 == __FILE__
+  if ARGV.length == 0
+    puts "Usage: #{$0} host:port"
+    exit 1
+  end
+  Thread::abort_on_exception = true
+  host, port = ARGV[0].split(":")
+  agent = Agent.new(host, port)
+  agent.run
+end