
vector maintenance

version 3.1.1

Systemd

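[Unit]
Description=Vector
Documentation=https://vector.dev
After=network-online.target
Requires=network-online.target


[Service]
Type=simple
WorkingDirectory=/opt/vector/bin
# Runs as root, which lets the process bind the privileged syslog port (514)
# used by syslog-vector.toml. Vector parses data from untrusted network
# senders, so a dedicated unprivileged account combined with
# AmbientCapabilities=CAP_NET_BIND_SERVICE would limit what a parsing bug can
# reach. Switching requires that account to exist, to read the config and to
# write Vector's data directory.
User=root
# The binary is started directly by absolute path instead of through
# `/bin/sh -c "./vector ..."`: no shell interprets the command line, and
# $MAINPID below is the Vector process itself rather than possibly the
# wrapper shell.
ExecStart=/opt/vector/bin/vector --config /opt/vector/config/syslog-vector.toml
# Reload is delivered as SIGHUP to the main process.
ExecReload=/bin/kill -HUP $MAINPID
PrivateTmp=true
Restart=on-failure
# Optional hook (disabled): call a notification script after the service stops.
# ExecStopPost=/bin/sh -c "python3 /opt/notify.py -t 'Vector is now offline' -d 'Vector is reported offline; please step in promptly.'"
# Since systemd 229, should be in [Unit] but in order to support systemd <229,
# it is also supported to have it here.
StartLimitInterval=10
StartLimitBurst=5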
# Restart the service so the unit and configuration take effect. If the unit
# file itself was edited, reload systemd first (`systemctl daemon-reload`).
service vector restart

Config

source

syslog-vector.toml

syslog

# Remote syslog listener: UDP, port 514, every interface.
# Syslog over UDP carries no authentication or encryption, so any host that
# can reach this port can submit events with arbitrary content. Limit the
# permitted senders with a firewall rule, or bind to the collection interface
# only instead of 0.0.0.0.
[sources.remote_udp_syslog_1]
type = "syslog"
mode = "udp"
address = "0.0.0.0:514"

# Parse Syslog logs
# See the Vector Remap Language reference for more info: https://vrl.dev
#
# The program merges (`|=`) every field returned by parse_syslog into the root
# of the event. The parsed fields come from the network sender, so they can
# overwrite top-level fields already on the event; treat them as untrusted
# when they are later used as labels, index names or alert keys.
# The `!` form aborts the program for an event whose .message is not valid
# syslog. What happens to that event depends on the transform's error
# handling settings (drop_on_error / reroute_dropped) - confirm.
# NOTE(review): the input is a `syslog` source, which presumably parses the
# syslog envelope already; check whether .message still holds a full syslog
# line at this point.
[transforms.parse_logs]
type = "remap"
inputs = ["remote_udp_syslog_1"]
metric_tag_values = "full"
source = '''
. |= parse_syslog!(.message)
'''

# Debug sink: write every parsed event to stdout as JSON.
# Under the systemd unit, stdout normally ends up in the journal, so whatever
# remote senders put in their messages is copied there as well.
[sinks.print]
type = "console"
inputs = ["parse_logs"]

[sinks.print.encoding]
codec = "json"

json log

# JSON log receiver: TCP listener on port 9000, every interface.
# As configured the listener is plaintext and unauthenticated, so any host
# that can connect can inject events. Restrict access with a firewall, bind to
# an internal address, or enable TLS on the source.
[sources.app_logs]
type = "socket"
mode = "tcp"
address = "0.0.0.0:9000"
# Size limit for incoming messages (102,400).
max_length = 102_400

[sources.app_logs.decoding]
codec = "json"

sink

sink to Loki

ref: https://stackoverflow.com/questions/77509044/logs-from-vector-not-getting-to-loki

# Ship the parsed syslog events to Loki.
[sinks.loki_sink_1]
type = "loki"
inputs = ["parse_logs"]
# Plain HTTP, but confined to loopback here. Use https:// and authentication
# if Loki is moved to another host.
endpoint = "http://localhost:3100"

[sinks.loki_sink_1.encoding]
codec = "json"
metric_tag_values = "full"

# Every stream carries the fixed label source="syslog".
[sinks.loki_sink_1.labels]
source = "syslog"

# The sink healthcheck is switched off, so an unreachable or misconfigured
# Loki endpoint is not reported when Vector starts.
[sinks.loki_sink_1.healthcheck]
enabled = false

sink to ES

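# Send the app_logs events to Elasticsearch over HTTPS with basic auth.
[sinks.to_elk]
type = "elasticsearch"
inputs = [ "app_logs" ]
endpoint = "https://localhost:9200/"
# `elastic` is Elasticsearch's built-in superuser. A dedicated account that
# may only write to the app-dev-* indices limits the damage if this
# credential leaks.
auth.user = "elastic"
# The password is not stored in this file: Vector substitutes ${...} from its
# process environment when it loads the config. ELASTICSEARCH_PASSWORD is an
# example variable name chosen for this snippet; set it for the service
# (for instance through a root-only environment file) before starting Vector.
auth.password = "${ELASTICSEARCH_PASSWORD}"
auth.strategy = "basic"
# CA certificate used to verify the Elasticsearch server certificate.
tls.ca_file = "/usr/local/share/ca-certificates/http_ca.crt"
mode = "bulk"
bulk.action = "index"
# Index name; the strftime pattern yields one index per day.
bulk.index = "app-dev-%Y-%m-%d"
batch.max_events = 10
compression = "none"
# Important, per the original author: the default is false, and sending
# fails when it is left at the default.
suppress_type_name = true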

sink to HTTP(s)

# Forward events to Better Stack over HTTPS as JSON.
# NOTE(review): the input `better_stack_transform_1` is not defined in the
# snippets shown on this page.
[sinks.better_stack_http_sink_1]
type = "http"
inputs = ["better_stack_transform_1"]
uri = "https://in.logs.betterstack.com/"
method = "post"

[sinks.better_stack_http_sink_1.encoding]
codec = "json"

# The bearer token is left blank on purpose. Supply the real value from
# outside the file (for example via environment substitution) and keep the
# config readable only by the account Vector runs as.
[sinks.better_stack_http_sink_1.auth]
strategy = "bearer"
token = ""

run

# Start Vector with the config directory and refuse to start unless the
# healthchecks pass. A sink whose healthcheck is disabled (as in the Loki
# example) is presumably not covered by this check - confirm.
bin/vector -C config/ --require-healthy=true -v
  • -C :配置文件目录
  • --require-healthy=true : 节点必须是健康的才能启动
  • -v: debug模式