本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
# 适用于 Windows 的 Kinesis 代理配置示例
这些区域有:`appsettings.json`配置文件是一个 JSON 文档,控制面向 Microsoft Windows 的 Amazon Kinesis 代理如何收集日志、事件和指标。它还控制 Windows Kinesis Agent 如何将数据转换为数据并将其流式传输到各个 AWS 服务。有关配置文件中的源、接收器和管道声明的详细信息,请参阅[源声明](source-object-declarations.md)、[接收器声明](sink-object-declarations.md)和[管道声明](pipe-object-declarations.md)。
以下部分包含多个不同类型场景的配置文件示例。
**Topics**
+ [从不同源流式传输到 Kinesis Data Streams](#configuring-kaw-examples-sources)
+ [从 Windows 应用程序事件日志流式传输到接收器](#configuring-kaw-examples-sinks)
+ [使用管道](#configuring-kaw-examples-pipes)
+ [使用多个源和管道](#configuring-kaw-examples-multiple)
## 从不同源流式传输到 Kinesis Data Streams
以下示例`appsettings.json`配置文件演示将来自不同源的日志和事件流式传输到 Kinesis Data Streams 指标,以及从 Windows 性能计数器流式传输到 Amazon CloudWatch 指标。
### `DirectorySource`、`SysLog` 记录解析程序
以下文件将 syslog 格式的日志记录,从所有文件,流式传输到`.log`文件扩展名`C:\LogSource\`目录中的`SyslogKinesisDataStream`us-east-1 区域中的 Kinesis Data Streams。其中将建立一个书签,确保发送来自日志文件的所有数据,即使代理关闭并稍后重启。自定义应用程序可以读取和处理来自 `SyslogKinesisDataStream` 流的记录。
```
{
"Sources": [
{
"Id": "SyslogDirectorySource",
"SourceType": "DirectorySource",
"Directory": "C:\\LogSource\\",
"FileNameFilter": "*.log",
"RecordParser": "SysLog",
"TimeZoneKind": "UTC",
"InitialPosition": "Bookmark"
}
],
"Sinks": [
{
"Id": "KinesisStreamSink",
"SinkType": "KinesisStream",
"StreamName": "SyslogKinesisDataStream",
"Region": "us-east-1"
}
],
"Pipes": [
{
"Id": "SyslogDS2KSSink",
"SourceRef": "SyslogDirectorySource",
"SinkRef": "KinesisStreamSink"
}
]
}
```
### `DirectorySource`、`SingleLineJson` 记录解析程序
以下文件将 JSON 格式的日志记录,从所有文件,流式传输到`.log`文件扩展名`C:\LogSource\`目录中的`JsonKinesisDataStream`us-east-1 区域中的 Kinesis Data Streams。在流式传输之前,`ComputerName` 的键/值对和 `DT` 键添加到各个 JSON 对象中,并带有计算机名称的值以及处理记录的日期和时间。自定义应用程序可以读取和处理来自 `JsonKinesisDataStream` 流的记录。
```
{
"Sources": [
{
"Id": "JsonLogSource",
"SourceType": "DirectorySource",
"RecordParser": "SingleLineJson",
"Directory": "C:\\LogSource\\",
"FileNameFilter": "*.log",
"InitialPosition": 0
}
],
"Sinks": [
{
"Id": "KinesisStreamSink",
"SinkType": "KinesisStream",
"StreamName": "JsonKinesisDataStream",
"Region": "us-east-1",
"Format": "json",
"ObjectDecoration": "ComputerName={ComputerName};DT={timestamp:yyyy-MM-dd HH:mm:ss}"
}
],
"Pipes": [
{
"Id": "JsonLogSourceToKinesisStreamSink",
"SourceRef": "JsonLogSource",
"SinkRef": "KinesisStreamSink"
}
]
}
```
### `ExchangeLogSource`
以下文件将 Microsoft Exchange 生成的日志记录,以及存储在`.log`扩展名`C:\temp\ExchangeLog\`目录中的`ExchangeKinesisDataStream`以 JSON 格式显示的 us-east-1 区域中的 Kinesis 力学数据流。虽然 Exchange 日志并非 JSON 格式,Windows Kinesis 代理程序可以解析日志并将其传输到 JSON。在流式传输之前,`ComputerName` 的键/值对和 `DT` 键添加到各个 JSON 对象中,其中包含计算机名称的值以及处理记录的日期和时间。自定义应用程序可以读取和处理来自 `ExchangeKinesisDataStream` 流的记录。
```
{
"Sources": [
{
"Id": "ExchangeSource",
"SourceType": "ExchangeLogSource",
"Directory": "C:\\temp\\ExchangeLog\",
"FileNameFilter": "*.log"
}
],
"Sinks": [
{
"Id": "KinesisStreamSink",
"SinkType": "KinesisStream",
"StreamName": "ExchangeKinesisDataStream",
"Region": "us-east-1",
"Format": "json",
"ObjectDecoration": "ComputerName={ComputerName};DT={timestamp:yyyy-MM-dd HH:mm:ss}"
}
],
"Pipes": [
{
"Id": "ExchangeSourceToKinesisStreamSink",
"SourceRef": "ExchangeSource",
"SinkRef": "KinesisStreamSink"
}
]
}
```
### `W3SVCLogSource`
以下文件将存储在这些文件标准位置的 Windows 日志记录,流式传输到`IISKinesisDataStream`us-east-1 区域中的 Kinesis Data Streams。自定义应用程序可以读取和处理来自 `IISKinesisDataStream` 流的记录。IIS 是适用于 Windows 的 Web 服务器。
```
{
"Sources": [
{
"Id": "IISLogSource",
"SourceType": "W3SVCLogSource",
"Directory": "C:\\inetpub\\logs\\LogFiles\\W3SVC1",
"FileNameFilter": "*.log"
}
],
"Sinks": [
{
"Id": "KinesisStreamSink",
"SinkType": "KinesisStream",
"StreamName": "IISKinesisDataStream",
"Region": "us-east-1"
}
],
"Pipes": [
{
"Id": "IISLogSourceToKinesisStreamSink",
"SourceRef": "IISLogSource",
"SinkRef": "KinesisStreamSink"
}
]
}
```
### 带有查询的 `WindowsEventLogSource`
以下文件将日志事件从 Windows 系统事件日志进行流式处理,这些事件具有`Critical`或者`Error`(小于或等于 2)设置为`SystemKinesisDataStream`以 JSON 格式显示的 us-east-1 区域中的 Kinesis 力学数据流。自定义应用程序可以读取和处理来自 `SystemKinesisDataStream` 流的记录。
```
{
"Sources": [
{
"Id": "SystemLogSource",
"SourceType": "WindowsEventLogSource",
"LogName": "System",
"Query": "*[System/Level<=2]"
}
],
"Sinks": [
{
"Id": "KinesisStreamSink",
"SinkType": "KinesisStream",
"StreamName": "SystemKinesisDataStream",
"Region": "us-east-1",
"Format": "json"
}
],
"Pipes": [
{
"Id": "SLSourceToKSSink",
"SourceRef": "SystemLogSource",
"SinkRef": "KinesisStreamSink"
}
]
}
```
### `WindowsETWEventSource`
以下文件将 Microsoft 公共语言运行时 (CLR) 异常和安全事件流式传输到`ClrKinesisDataStream`以 JSON 格式显示的 us-east-1 区域中的 Kinesis 力学数据流。自定义应用程序可以读取和处理来自 `ClrKinesisDataStream` 流的记录。
```
{
"Sources": [
{
"Id": "ClrETWEventSource",
"SourceType": "WindowsETWEventSource",
"ProviderName": "Microsoft-Windows-DotNETRuntime",
"TraceLevel": "Verbose",
"MatchAnyKeyword": "0x00008000, 0x00000400"
}
],
"Sinks": [
{
"Id": "KinesisStreamSink",
"SinkType": "KinesisStream",
"StreamName": "ClrKinesisDataStream",
"Region": "us-east-1",
"Format": "json"
}
],
"Pipes": [
{
"Id": "ETWSourceToKSSink",
"SourceRef": "ClrETWEventSource",
"SinkRef": "KinesisStreamSink"
}
]
}
```
### `WindowsPerformanceCounterSource`
以下文件将所有打开文件的性能计数器、重启以来的登录尝试总数、每秒磁盘读取数以及空闲磁盘空间百分比,流式传输到 us-east-1 区域中的 CloudWatch 指标。您可以在 CloudWatch 中绘制这些指标的图形、从图形构建控制面板以及设置在超过阈值时发送通知的警报。
```
{
"Sources": [
{
"Id": "PerformanceCounter",
"SourceType": "WindowsPerformanceCounterSource",
"Categories": [
{
"Category": "Server",
"Counters": [
"Files Open",
"Logon Total"
]
},
{
"Category": "LogicalDisk",
"Instances": "*",
"Counters": [
"% Free Space",
{
"Counter": "Disk Reads/sec",
"Unit": "Count/Second"
}
]
}
],
}
],
"Sinks": [
{
"Namespace": "MyServiceMetrics",
"Region": "us-east-1",
"Id": "CloudWatchSink",
"SinkType": "CloudWatch"
}
],
"Pipes": [
{
"Id": "PerformanceCounterToCloudWatch",
"SourceRef": "PerformanceCounter",
"SinkRef": "CloudWatchSink"
}
]
}
```
## 从 Windows 应用程序事件日志流式传输到接收器
以下示例`appsettings.json`配置文件演示将 Windows 应用程序事件日志流式传输到亚 Amazon Kinesis 代理中的各个接收器。有关使用 `KinesisStream` 和 `CloudWatch` 接收器类型的示例,请参阅[从不同源流式传输到 Kinesis Data Streams](#configuring-kaw-examples-sources)。
### `KinesisFirehose`
以下文件流`Critical`或者`Error`Windows 应用程序将事件记录到`WindowsLogFirehoseDeliveryStream`在 us-east-1 区域中的 Kinesis Data Firehose 传输流。如果与 Kinesis Data Firehose 的连接中断,则首先将事件在内存中排队。接下来,如有必要,这些事件在磁盘上的文件中排队,直至恢复连接。然后,事件将出队并发送,后跟任何新事件。
您可以配置 Kinesis Data Firehose,以根据数据管道要求,将流式传输的数据存储到多个不同类型的存储和分析服务。
```
{
"Sources": [
{
"Id": "ApplicationLogSource",
"SourceType": "WindowsEventLogSource",
"LogName": "Application",
"Query": "*[System/Level<=2]"
}
],
"Sinks": [
{
"Id": "WindowsLogKinesisFirehoseSink",
"SinkType": "KinesisFirehose",
"StreamName": "WindowsLogFirehoseDeliveryStream",
"Region": "us-east-1",
"QueueType": "file"
}
],
"Pipes": [
{
"Id": "ALSource2ALKFSink",
"SourceRef": "ApplicationLogSource",
"SinkRef": "WindowsLogKinesisFirehoseSink"
}
]
}
```
### `CloudWatchLogs`
以下文件流`Critical`或者`Error`Windows 应用程序日志事件 CloudWatch Logs 事件流式传输到`MyServiceApplicationLog-Group`日志组。各个流的名称以 `Stream-` 开头。它以创建流的四位数年份、两位数月份以及两位数日期结尾,所有数字连在一起(例如,`Stream-20180501` 是创建于 2018 年 5 月 1 日的流)。
```
{
"Sources": [
{
"Id": "ApplicationLogSource",
"SourceType": "WindowsEventLogSource",
"LogName": "Application",
"Query": "*[System/Level<=2]"
}
],
"Sinks": [
{
"Id": "CloudWatchLogsSink",
"SinkType": "CloudWatchLogs",
"LogGroup": "MyServiceApplicationLog-Group",
"LogStream": "Stream-{timestamp:yyyyMMdd}",
"Region": "us-east-1",
"Format": "json"
}
],
"Pipes": [
{
"Id": "ALSource2CWLSink",
"SourceRef": "ApplicationLogSource",
"SinkRef": "CloudWatchLogsSink"
}
]
}
```
## 使用管道
以下示例 `appsettings.json` 配置文件演示使用与管道相关的功能。
此示例将日志条目流式传输到`c:\LogSource\`添加到`ApplicationLogFirehoseDeliveryStream`Kinesis Data Firehose 传输流。它仅包含与 `FilterPattern` 键/值对所指定的正则表达式匹配的行。具体来说,只有日志文件中以`10`或者`11`将流式传输到 Kinesis Data Firehose。
```
{
"Sources": [
{
"Id": "ApplicationLogSource",
"SourceType": "DirectorySource",
"Directory": "C:\\LogSource\\",
"FileNameFilter": "*.log",
"RecordParser": "SingleLine"
}
],
"Sinks": [
{
"Id": "ApplicationLogKinesisFirehoseSink",
"SinkType": "KinesisFirehose",
"StreamName": "ApplicationLogFirehoseDeliveryStream",
"Region": "us-east-1"
}
],
"Pipes": [
{
"Id": "ALSourceToALKFSink",
"Type": "RegexFilterPipe",
"SourceRef": "ApplicationLogSource",
"SinkRef": "ApplicationLogKinesisFirehoseSink",
"FilterPattern": "^(10|11),.*"
}
]
}
```
## 使用多个源和管道
以下示例 `appsettings.json` 配置文件演示使用多个源和管道。
此示例将应用程序、安全和系统 Windows 事件日志流式传输到`EventLogStream`Kinesis Data Firehose 传输流,使用三个源,三个管道,和一个接收器。
```
{
"Sources": [
{
"Id": "ApplicationLog",
"SourceType": "WindowsEventLogSource",
"LogName": "Application"
},
{
"Id": "SecurityLog",
"SourceType": "WindowsEventLogSource",
"LogName": "Security"
},
{
"Id": "SystemLog",
"SourceType": "WindowsEventLogSource",
"LogName": "System"
}
],
"Sinks": [
{
"Id": "EventLogSink",
"SinkType": "KinesisFirehose",
"StreamName": "EventLogStream",
"Format": "json"
},
],
"Pipes": [
{
"Id": "ApplicationLogToFirehose",
"SourceRef": "ApplicationLog",
"SinkRef": "EventLogSink"
},
{
"Id": "SecurityLogToFirehose",
"SourceRef": "SecurityLog",
"SinkRef": "EventLogSink"
},
{
"Id": "SystemLogToFirehose",
"SourceRef": "SystemLog",
"SinkRef": "EventLogSink"
}
]
}
```