Kinesis Agent for Windows configuration examples - Amazon Kinesis Agent for Microsoft Windows

This page is a machine-translated version. If this translation and the English original differ, the English original prevails.

Kinesis Agent for Windows configuration examples

The appsettings.json configuration file is a JSON document that controls how Amazon Kinesis Agent for Microsoft Windows collects logs, events, and metrics. It also controls how Kinesis Agent for Windows transforms that data and streams it to the various AWS services. For details about the source, sink, and pipe declarations in the configuration file, see Source Declarations, Sink Declarations, and Pipe Declarations.

The following sections contain example configuration files for a number of different scenarios. Every example declares three lists: Sources (where records come from), Sinks (where they go), and Pipes, each of which connects one source Id to one sink Id. Note that Windows paths in the file must escape each backslash ("C:\\LogSource\\").

Streaming from different sources to Kinesis Data Streams

The following example appsettings.json configuration files demonstrate streaming logs and events from different sources to Kinesis Data Streams, and streaming Windows performance counters to Amazon CloudWatch metrics.

DirectorySource with the SysLog record parser

The following file streams syslog-format log records from all files with the .log extension in the C:\LogSource\ directory to the SyslogKinesisDataStream Kinesis data stream in the us-east-1 Region. A bookmark is kept so that all data from the log files is sent, even if the agent shuts down and is restarted later. A custom application can read and process the records from the SyslogKinesisDataStream stream.

{
  "Sources": [
    {
      "Id": "SyslogDirectorySource",
      "SourceType": "DirectorySource",
      "Directory": "C:\\LogSource\\",
      "FileNameFilter": "*.log",
      "RecordParser": "SysLog",
      "TimeZoneKind": "UTC",
      "InitialPosition": "Bookmark"
    }
  ],
  "Sinks": [
    {
      "Id": "KinesisStreamSink",
      "SinkType": "KinesisStream",
      "StreamName": "SyslogKinesisDataStream",
      "Region": "us-east-1"
    }
  ],
  "Pipes": [
    {
      "Id": "SyslogDS2KSSink",
      "SourceRef": "SyslogDirectorySource",
      "SinkRef": "KinesisStreamSink"
    }
  ]
}

DirectorySource with the SingleLineJson record parser

The following file streams JSON-format log records from all files with the .log extension in the C:\LogSource\ directory to the JsonKinesisDataStream Kinesis data stream in the us-east-1 Region. Before streaming, key/value pairs for the ComputerName and DT keys are added to each JSON object, carrying the computer name and the date and time at which the record was processed. A custom application can read and process the records from the JsonKinesisDataStream stream.

{
  "Sources": [
    {
      "Id": "JsonLogSource",
      "SourceType": "DirectorySource",
      "RecordParser": "SingleLineJson",
      "Directory": "C:\\LogSource\\",
      "FileNameFilter": "*.log",
      "InitialPosition": 0
    }
  ],
  "Sinks": [
    {
      "Id": "KinesisStreamSink",
      "SinkType": "KinesisStream",
      "StreamName": "JsonKinesisDataStream",
      "Region": "us-east-1",
      "Format": "json",
      "ObjectDecoration": "ComputerName={ComputerName};DT={timestamp:yyyy-MM-dd HH:mm:ss}"
    }
  ],
  "Pipes": [
    {
      "Id": "JsonLogSourceToKinesisStreamSink",
      "SourceRef": "JsonLogSource",
      "SinkRef": "KinesisStreamSink"
    }
  ]
}

ExchangeLogSource

The following file streams log records generated by Microsoft Exchange and stored in files with the .log extension in the C:\temp\ExchangeLog\ directory to the ExchangeKinesisDataStream Kinesis data stream in the us-east-1 Region, in JSON format. Although Exchange logs are not in JSON format, Kinesis Agent for Windows can parse them and transform them to JSON. Before streaming, key/value pairs for the ComputerName and DT keys are added to each JSON object, carrying the computer name and the date and time at which the record was processed. A custom application can read and process the records from the ExchangeKinesisDataStream stream. (The Directory value must end in an escaped backslash, "\\"; a single backslash before the closing quote escapes the quote itself and makes the file invalid JSON.)

{
  "Sources": [
    {
      "Id": "ExchangeSource",
      "SourceType": "ExchangeLogSource",
      "Directory": "C:\\temp\\ExchangeLog\\",
      "FileNameFilter": "*.log"
    }
  ],
  "Sinks": [
    {
      "Id": "KinesisStreamSink",
      "SinkType": "KinesisStream",
      "StreamName": "ExchangeKinesisDataStream",
      "Region": "us-east-1",
      "Format": "json",
      "ObjectDecoration": "ComputerName={ComputerName};DT={timestamp:yyyy-MM-dd HH:mm:ss}"
    }
  ],
  "Pipes": [
    {
      "Id": "ExchangeSourceToKinesisStreamSink",
      "SourceRef": "ExchangeSource",
      "SinkRef": "KinesisStreamSink"
    }
  ]
}

W3SVCLogSource

The following file streams Windows IIS log records, stored in the standard location for those files, to the IISKinesisDataStream Kinesis data stream in the us-east-1 Region. A custom application can read and process the records from the IISKinesisDataStream stream. IIS is the web server for Windows.

{
  "Sources": [
    {
      "Id": "IISLogSource",
      "SourceType": "W3SVCLogSource",
      "Directory": "C:\\inetpub\\logs\\LogFiles\\W3SVC1",
      "FileNameFilter": "*.log"
    }
  ],
  "Sinks": [
    {
      "Id": "KinesisStreamSink",
      "SinkType": "KinesisStream",
      "StreamName": "IISKinesisDataStream",
      "Region": "us-east-1"
    }
  ],
  "Pipes": [
    {
      "Id": "IISLogSourceToKinesisStreamSink",
      "SourceRef": "IISLogSource",
      "SinkRef": "KinesisStreamSink"
    }
  ]
}

WindowsEventLogSource with a query

The following file streams events from the Windows System event log whose level is Critical or Error (a Level value less than or equal to 2) to the SystemKinesisDataStream Kinesis data stream in the us-east-1 Region, in JSON format. The Query value is an event log XPath expression, so Warning (3), Information (4) and Verbose (5) events are excluded. A custom application can read and process the records from the SystemKinesisDataStream stream.

{
  "Sources": [
    {
      "Id": "SystemLogSource",
      "SourceType": "WindowsEventLogSource",
      "LogName": "System",
      "Query": "*[System/Level<=2]"
    }
  ],
  "Sinks": [
    {
      "Id": "KinesisStreamSink",
      "SinkType": "KinesisStream",
      "StreamName": "SystemKinesisDataStream",
      "Region": "us-east-1",
      "Format": "json"
    }
  ],
  "Pipes": [
    {
      "Id": "SLSourceToKSSink",
      "SourceRef": "SystemLogSource",
      "SinkRef": "KinesisStreamSink"
    }
  ]
}

WindowsETWEventSource

The following file streams Microsoft Common Language Runtime (CLR) exception and security events to the ClrKinesisDataStream Kinesis data stream in the us-east-1 Region, in JSON format. The two MatchAnyKeyword values select the provider's Exception (0x8000) and Security (0x400) keywords. A custom application can read and process the records from the ClrKinesisDataStream stream.

{
  "Sources": [
    {
      "Id": "ClrETWEventSource",
      "SourceType": "WindowsETWEventSource",
      "ProviderName": "Microsoft-Windows-DotNETRuntime",
      "TraceLevel": "Verbose",
      "MatchAnyKeyword": "0x00008000, 0x00000400"
    }
  ],
  "Sinks": [
    {
      "Id": "KinesisStreamSink",
      "SinkType": "KinesisStream",
      "StreamName": "ClrKinesisDataStream",
      "Region": "us-east-1",
      "Format": "json"
    }
  ],
  "Pipes": [
    {
      "Id": "ETWSourceToKSSink",
      "SourceRef": "ClrETWEventSource",
      "SinkRef": "KinesisStreamSink"
    }
  ]
}

WindowsPerformanceCounterSource

The following file streams the performance counters for files open, total logons since the last reboot, disk reads per second, and percentage of free disk space to CloudWatch metrics in the us-east-1 Region, under the MyServiceMetrics namespace. You can graph these metrics in CloudWatch, build dashboards from the graphs, and set alarms that send notifications when thresholds are exceeded. (The original listing had a stray trailing comma after the Categories array, which is not valid JSON; it is removed here.)

{
  "Sources": [
    {
      "Id": "PerformanceCounter",
      "SourceType": "WindowsPerformanceCounterSource",
      "Categories": [
        {
          "Category": "Server",
          "Counters": [ "Files Open", "Logon Total" ]
        },
        {
          "Category": "LogicalDisk",
          "Instances": "*",
          "Counters": [
            "% Free Space",
            { "Counter": "Disk Reads/sec", "Unit": "Count/Second" }
          ]
        }
      ]
    }
  ],
  "Sinks": [
    {
      "Id": "CloudWatchSink",
      "SinkType": "CloudWatch",
      "Namespace": "MyServiceMetrics",
      "Region": "us-east-1"
    }
  ],
  "Pipes": [
    {
      "Id": "PerformanceCounterToCloudWatch",
      "SourceRef": "PerformanceCounter",
      "SinkRef": "CloudWatchSink"
    }
  ]
}

Streaming from the Windows Application event log to sinks

The following example appsettings.json configuration files demonstrate streaming the Windows Application event log to the different sinks available in Kinesis Agent for Windows. For examples that use the KinesisStream and CloudWatch sink types, see Streaming from different sources to Kinesis Data Streams.

KinesisFirehose

The following file streams Critical or Error events from the Windows Application event log to the WindowsLogFirehoseDeliveryStream Kinesis Data Firehose delivery stream in the us-east-1 Region. If the connection to Kinesis Data Firehose is interrupted, events are first queued in memory. Then, if necessary, they are queued in files on disk (the "QueueType": "file" setting) until the connection is restored. The queued events are then dequeued and sent, followed by any new events.

You can configure Kinesis Data Firehose to store the streamed data in a number of different storage and analytics services, according to the requirements of your data pipeline.

{
  "Sources": [
    {
      "Id": "ApplicationLogSource",
      "SourceType": "WindowsEventLogSource",
      "LogName": "Application",
      "Query": "*[System/Level<=2]"
    }
  ],
  "Sinks": [
    {
      "Id": "WindowsLogKinesisFirehoseSink",
      "SinkType": "KinesisFirehose",
      "StreamName": "WindowsLogFirehoseDeliveryStream",
      "Region": "us-east-1",
      "QueueType": "file"
    }
  ],
  "Pipes": [
    {
      "Id": "ALSource2ALKFSink",
      "SourceRef": "ApplicationLogSource",
      "SinkRef": "WindowsLogKinesisFirehoseSink"
    }
  ]
}

CloudWatchLogs

The following file streams Critical or Error events from the Windows Application event log to CloudWatch Logs, into the MyServiceApplicationLog-Group log group. The name of each log stream begins with Stream- and ends with the four-digit year, two-digit month, and two-digit day on which the stream was created, run together (for example, Stream-20180501 is a stream created on May 1, 2018).

{
  "Sources": [
    {
      "Id": "ApplicationLogSource",
      "SourceType": "WindowsEventLogSource",
      "LogName": "Application",
      "Query": "*[System/Level<=2]"
    }
  ],
  "Sinks": [
    {
      "Id": "CloudWatchLogsSink",
      "SinkType": "CloudWatchLogs",
      "LogGroup": "MyServiceApplicationLog-Group",
      "LogStream": "Stream-{timestamp:yyyyMMdd}",
      "Region": "us-east-1",
      "Format": "json"
    }
  ],
  "Pipes": [
    {
      "Id": "ALSource2CWLSink",
      "SourceRef": "ApplicationLogSource",
      "SinkRef": "CloudWatchLogsSink"
    }
  ]
}

Using pipes

The following example appsettings.json configuration file demonstrates the pipe-related features.

This example streams log entries from the .log files in C:\LogSource\ to the ApplicationLogFirehoseDeliveryStream Kinesis Data Firehose delivery stream. It includes only the lines that match the regular expression given by the FilterPattern key/value pair. Because the pattern ^(10|11),.* is anchored at the start of the line and requires a comma immediately after the number, only lines that begin with "10," or "11," are streamed to Kinesis Data Firehose; a line that begins with "100," or that has "10," later in the line is dropped.

{
  "Sources": [
    {
      "Id": "ApplicationLogSource",
      "SourceType": "DirectorySource",
      "Directory": "C:\\LogSource\\",
      "FileNameFilter": "*.log",
      "RecordParser": "SingleLine"
    }
  ],
  "Sinks": [
    {
      "Id": "ApplicationLogKinesisFirehoseSink",
      "SinkType": "KinesisFirehose",
      "StreamName": "ApplicationLogFirehoseDeliveryStream",
      "Region": "us-east-1"
    }
  ],
  "Pipes": [
    {
      "Id": "ALSourceToALKFSink",
      "Type": "RegexFilterPipe",
      "SourceRef": "ApplicationLogSource",
      "SinkRef": "ApplicationLogKinesisFirehoseSink",
      "FilterPattern": "^(10|11),.*"
    }
  ]
}

Using multiple sources and pipes

The following example appsettings.json configuration file demonstrates the use of multiple sources and pipes.

This example streams the Application, Security, and System Windows event logs to the EventLogStream Kinesis Data Firehose delivery stream, using three sources, three pipes, and one sink. Each pipe refers to the same sink by its Id, so all three logs share one delivery stream. (The original listing had a stray trailing comma after the single sink object, which is not valid JSON; it is removed here.)

{
  "Sources": [
    {
      "Id": "ApplicationLog",
      "SourceType": "WindowsEventLogSource",
      "LogName": "Application"
    },
    {
      "Id": "SecurityLog",
      "SourceType": "WindowsEventLogSource",
      "LogName": "Security"
    },
    {
      "Id": "SystemLog",
      "SourceType": "WindowsEventLogSource",
      "LogName": "System"
    }
  ],
  "Sinks": [
    {
      "Id": "EventLogSink",
      "SinkType": "KinesisFirehose",
      "StreamName": "EventLogStream",
      "Format": "json"
    }
  ],
  "Pipes": [
    {
      "Id": "ApplicationLogToFirehose",
      "SourceRef": "ApplicationLog",
      "SinkRef": "EventLogSink"
    },
    {
      "Id": "SecurityLogToFirehose",
      "SourceRef": "SecurityLog",
      "SinkRef": "EventLogSink"
    },
    {
      "Id": "SystemLogToFirehose",
      "SourceRef": "SystemLog",
      "SinkRef": "EventLogSink"
    }
  ]
}
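Checking a configuration before deploying it

The following is an added example (the editor's own Python, not code from the Kinesis Agent project or from this documentation) of a lint to run over an appsettings.json before it is deployed. It checks the Sources/Sinks/Pipes structure that every example on this page uses (unique Ids, SourceRef and SinkRef values that resolve to a declared Id, the keys each SinkType needs) and runs the RegexFilterPipe pattern from the "Using pipes" example over constructed log lines, so the two mistakes corrected in the listings above (a trailing comma, a path ending in a single backslash) and a dangling reference are caught before the agent ever reads the file. The required-key table, the sample configuration and the log lines are this example's own assumptions, not an official agent schema.

```python
# Added example (editor's own code, not part of Kinesis Agent for Windows or
# its documentation): a pre-deployment lint for appsettings.json. It checks
# the Sources/Sinks/Pipes structure used throughout this page and tries a
# RegexFilterPipe pattern on sample lines. The required-key table below is an
# assumption made for illustration, not an official agent schema.
import json
import re

# Minimum keys this lint expects per sink type (assumption, not an agent schema).
SINK_REQUIRED_KEYS = {
    "KinesisStream": {"StreamName"},
    "KinesisFirehose": {"StreamName"},
    "CloudWatchLogs": {"LogGroup", "LogStream"},
    "CloudWatch": {"Namespace"},
}


def lint_config(text):
    """Return a list of problems found in an appsettings.json text (empty = clean)."""
    problems = []
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as err:
        # Standard JSON forbids trailing commas, and a Windows path must end in
        # "\\" not "\" before the closing quote; either makes the file unparsable.
        return ["invalid JSON at line %d col %d: %s" % (err.lineno, err.colno, err.msg)]

    # 1. Every source, sink and pipe carries a unique Id.
    ids = {}
    for section in ("Sources", "Sinks", "Pipes"):
        for i, item in enumerate(cfg.get(section, [])):
            ident = item.get("Id")
            if not ident:
                problems.append("%s[%d] has no Id" % (section, i))
            elif ident in ids:
                problems.append("duplicate Id %r in %s and %s" % (ident, ids[ident], section))
            else:
                ids[ident] = section

    # 2. Every sink names a known type and carries the keys that type needs.
    for i, sink in enumerate(cfg.get("Sinks", [])):
        sink_type = sink.get("SinkType")
        required = SINK_REQUIRED_KEYS.get(sink_type)
        if required is None:
            problems.append("Sinks[%d]: unknown SinkType %r" % (i, sink_type))
            continue
        missing = sorted(required - set(sink))
        if missing:
            problems.append("Sinks[%d] (%s): missing %s" % (i, sink_type, ", ".join(missing)))

    # 3. Every pipe's SourceRef/SinkRef resolves, and a filter pattern compiles.
    for i, pipe in enumerate(cfg.get("Pipes", [])):
        for ref_key, section in (("SourceRef", "Sources"), ("SinkRef", "Sinks")):
            ref = pipe.get(ref_key)
            if ids.get(ref) != section:
                problems.append("Pipes[%d]: %s %r is not a declared %s entry" % (i, ref_key, ref, section))
        if pipe.get("Type") == "RegexFilterPipe":
            try:
                re.compile(pipe.get("FilterPattern", ""))
            except re.error as err:
                problems.append("Pipes[%d]: FilterPattern does not compile: %s" % (i, err))
    return problems


def filter_lines(pattern, lines):
    """Emulate a RegexFilterPipe: keep the lines the pattern matches. The match is
    a search, not implicitly anchored, so the caret in "^(10|11),.*" is what pins
    the filter to the start of the line."""
    rx = re.compile(pattern)
    return [line for line in lines if rx.search(line)]


# Constructed sample config: the RegexFilterPipe example from this page.
GOOD_CONFIG = """
{
  "Sources": [ { "Id": "ApplicationLogSource", "SourceType": "DirectorySource",
                 "Directory": "C:\\\\LogSource\\\\", "FileNameFilter": "*.log",
                 "RecordParser": "SingleLine" } ],
  "Sinks":   [ { "Id": "ApplicationLogKinesisFirehoseSink", "SinkType": "KinesisFirehose",
                 "StreamName": "ApplicationLogFirehoseDeliveryStream", "Region": "us-east-1" } ],
  "Pipes":   [ { "Id": "ALSourceToALKFSink", "Type": "RegexFilterPipe",
                 "SourceRef": "ApplicationLogSource", "SinkRef": "ApplicationLogKinesisFirehoseSink",
                 "FilterPattern": "^(10|11),.*" } ]
}
"""
# Constructed broken variants: a trailing comma, and a SinkRef that names no sink.
TRAILING_COMMA = GOOD_CONFIG.replace('"Region": "us-east-1" }', '"Region": "us-east-1" },')
DANGLING_REF = GOOD_CONFIG.replace('"SinkRef": "ApplicationLogKinesisFirehoseSink"',
                                   '"SinkRef": "FirehoseSink"')
# Constructed log lines: with the page's pattern only the first two pass.
SAMPLE_LINES = [
    "10,2018-05-01 12:00:00,order accepted",
    "11,2018-05-01 12:00:01,order shipped",
    "100,2018-05-01 12:00:02,starts with 100 not 10",
    "2018-05-01 12:00:03,10,code is in the second field",
]

if __name__ == "__main__":
    for name, text in (("good", GOOD_CONFIG), ("trailing comma", TRAILING_COMMA),
                       ("dangling ref", DANGLING_REF)):
        print(name, "->", lint_config(text) or "OK")
    print(filter_lines("^(10|11),.*", SAMPLE_LINES))  # first two lines only
    print(filter_lines("(10|11),.*", SAMPLE_LINES))   # without the caret, line 4 passes too
```

Run it against your real file with lint_config(open(path).read()); an empty list means the structure is sound, though the agent's own validation of source- and sink-specific keys still applies. The pattern check is the piece to reuse when editing a FilterPattern: a filter that accidentally passes everything or nothing is far cheaper to find here than after the records have already reached Firehose.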