Sending PHP Event Messages to Remote Logstash on Windows

This article was peer reviewed by Wern Ancheta, Scott Molinari, and Jeff Madsen. Thanks to all of SitePoint’s peer reviewers for making SitePoint content the best it can be!

By opening this article, you’ve committed to expanding your knowledge of PHP applications as part of event-based distributed systems. You’ll be given a quick intro into what we are referring to when we say event messages, what Logstash is, and why it is so cool.

If you’ve already heard of Beats or understand you can run Logstash locally to ship logs to another Logstash instance or directly to a datastore such as Elasticsearch, this article is still for you and will show you an easy-to-configure-and-run, hopefully more effective and certainly fun-to-use alternative.

Quick Intro into Event Messages and Logstash

With event messages, we gather information about events that occur in our applications, be it business-oriented decisions of the applications’ users, decisions made by the applications themselves, or their failures. Each event, besides the message it conveys, is typically determined by a timestamp and a type such as informational, warning or error. A record of an event is an event log.

Additionally, there’s also Event Sourcing – a somewhat different but also somewhat similar concept which you may want to check out.

There are many tools built specifically for the purpose of shipping logs to datastores for later analysis and making knowledge-based decisions. Logstash is one of them, and because of the vast number of input, output, codec and filter plugins it offers, the most popular. Out of the box, it can read from Heroku app logs, GitHub webhooks or Twitter Streaming API, create new events and send them to Graylog, IRC, or JIRA.

The event messages would ordinarily be of interest to the users of your applications, too. In an application, one page would generate events and another one would display them in an aggregated form.

Let’s consider an example where the first page publishes new blog posts and the other one lists all blog posts related to PHP that have been published in the last month. The application could have talked to a relational database directly for both read and write. But with event messages it is decoupled from the database so other subscribers can be added easily, e.g. an email list or a more performant datastore like Elasticsearch.

Publishing Events

For quick comparison, let’s first consider event publishing on Linux with Rsyslog, the favorite syslog of many computer systems.

Running this simple one-liner will write “Hello World!” to syslog.

php -r "openlog('greeting', LOG_NDELAY, LOG_USER); syslog(LOG_INFO, 'Hello World!');"

Since both Rsyslog and Logstash use RELP, a TCP based protocol for reliable delivery of event messages, sending that message to Logstash requires adding only two short statements to the Rsyslog configuration file.

$ModLoad omrelp
if $source == 'PHP-5.5.37' then :omrelp:centralserv:2514

provided that Logstash is listening on centralserv, port 2514.

In this example, we are also filtering messages by source so that only those made with our PHP will be sent over.

We won’t be giving you more details here. This is not supposed to be that kind of party. Instead, let’s switch over to Windows for a while. We’ll give you step-by-step instructions on how to do the same thing from there.

But just in case you want to learn more about this Linux setup, here are two quality links.

20.6. Using Rsyslog Modules

omrelp: RELP Output Module — rsyslog 8.22.0 documentation

Publishing Events on Windows

We’ll be getting instructional at this point. Find yourself a Windows box and run the one-liner from before in the Command Prompt. PHP is cross-platform. This time, it means the greeting is recorded by the Windows Event Log service and you are able to see it in the Event Viewer.

Event Viewer can be found from the Cortana Search box. Alternatively, press Windows key + R to open the Run box, type eventvwr and click OK to open the Event Viewer.

Once the Event Viewer is open, expand Windows Logs in the Console Tree view on the left, click on the Application and scroll down the displayed logs at the central part of the window if necessary to reach the log you previously made.

At this point you should be getting something like this:

Level Information matches the first argument LOG_INFO we’ve passed into the syslog() call and the Source PHP-5.5.37 matches the version of the PHP CLI we ran (update to match yours). Knowing this, you may also want to filter the Application log or create a Custom View by clicking on the corresponding actions from the Actions Pane to the right.

Note: If you are also seeing a message like this:

The description for Event ID 2 from source PHP-5.5.37 cannot be found.

then your PHP installation did not add the required information to the Windows Registry, so you have to do it manually. Download /win32/syslog.reg from the PHP source repository, open it in a text editor, and adjust the PHP version and the path to the DLL file. For example, change the key name from HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PHP-5.3.99-dev to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PHP-5.5.37, and the EventMessageFile value from g:\\test\\srctrunkinstall\\php7ts.dll to C:\\xampp\\php\\php5ts.dll. Then import the key into the registry by double-clicking the file icon.

Streaming Event Messages to Logstash with Rsyslog Windows Agent

The remaining step is to stream such messages to the Logstash. We will show you how to do it with the Rsyslog Windows Agent, a Windows service that comes from the creators of Rsyslog and RELP. The agent will automatically monitor the Event Log and let you define rules and actions.

Download the agent from here, install it, then run the Configuration Client that comes with the service in order to tell the service which messages to send and where to.

Filters

We are going to send only messages generated by PHP, so, once the Configuration Client is open, go to the filters dialog by clicking on the Filters label in the tree view on the left side of the window. Click on the AND node of the central tree view, that’s the graphical representation of the boolean expression we are going to make.

Now click on Add Filter > button on the right. From the dropdown menus choose Add Filter > > Event Log Monitor V2 > Event Source. Click to focus the newly created expression and in the Details tab below change Compare Operation from contains to is equal and in the Set Property Value field type the source name of your logs. In our example, it’s PHP-5.5.37.

We’ve made a rule. Next, we are going to create an action.

Actions

Remove the default action under the Actions label in the tree view on the left by right-clicking on it, then selecting Delete Action from the dropdown menu. Then, add a new action by right-clicking on the Actions label and choosing Add Action > Send RELP from the context menu.

Now that the Send RELP action is focused, you are able to set RELP Servername and RELP Port. Also, as a start, change Message Format to %msg%. This will pass the messages to the RELP server just as they are, without modifying them.
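
An added example (not from the original article): because the %msg% format forwards each message unmodified, the PHP side decides what the receiver sees. This sketch emits each event as one line of JSON, which also keeps line breaks in user-supplied text from splitting a record; the `blog` ident, the `post.published` event name and the field names are assumptions.

```php
<?php
// Added example: build a single-line JSON event and write it to syslog
// (recorded by the Windows Event Log when run on Windows).

/**
 * Encode an event as one line of JSON.
 * json_encode() escapes control characters (CR, LF, ...), so text taken
 * from users cannot break the record into several log entries.
 */
function build_event($type, array $fields)
{
    // Array union keeps the left-hand keys, so caller-supplied fields
    // cannot overwrite 'type' or 'timestamp'.
    $event = array(
        'type'      => $type,
        'timestamp' => gmdate('Y-m-d\TH:i:s\Z'),
    ) + $fields;

    $json = json_encode($event, JSON_UNESCAPED_SLASHES);
    if ($json === false) {
        // E.g. invalid UTF-8 in a field: log a minimal record rather than drop the event.
        $json = json_encode(array('type' => $type, 'error' => json_last_error_msg()));
    }
    return $json;
}

function publish_event($priority, $type, array $fields)
{
    openlog('blog', LOG_NDELAY, LOG_USER);   // 'blog' is a hypothetical ident
    $ok = syslog($priority, build_event($type, $fields));
    closelog();
    return $ok;
}

// Constructed sample input: a title that contains a line break.
publish_event(LOG_INFO, 'post.published', array(
    'title' => "Streaming logs\r\nfrom Windows",
    'tags'  => array('php', 'logstash'),
));
```

On Windows the Event Log source is still the PHP-version name shown earlier, so the filter rule continues to match these events.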

Starting the Service & Debugging

There’s only one more thing to do: click on the blue triangle to start the service. From this point onward the messages should be flying over to Logstash and you won’t even have to start the service on the next Windows boot, it will start up automatically.

While you are confirming the setup really works, it’s good to know that the agent emits an error message on its own in case a message, your application’s message, could not be received by the RELP server. You can see the service messages as you would expect in the Event Viewer, but also by clicking on the Service Events node of the tree view on the left side of the Configuration Client window.

Conclusion

By now you’ve gained a basic understanding of what Logstash and Rsyslog are, learned that they can be used to make an event-based distributed system and acquired some hands-on experience.

And now let’s hear what you have to say. Do you develop on Windows and use Logstash in production or have interest in using it now? Great! We’d also love to hear about your use cases or questions in the comments below.

References

How Logstash Works

5 Logstash Alternatives

Reliable Event Logging Protocol

relp | Logstash Reference [5.0] | Elastic

Event Logging (Windows)

Rsyslog

About Rsyslog Windows Agent

PHP :: Bug #72806 :: syslog issue with Event Viewer

Translated from: https://www.sitepoint.com/sending-php-event-messages-to-remote-logstash-on-windows/
