本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
# 適用於視窗設定範例的 Kinesis 代理程式
所以此`appsettings.json`組態檔案是一種 JSON 文件 Amazon Kinesis 可控制如何收集日誌、事件和指標。它也可以控制 Windows 專用 Kinesis Agent 如何轉換這些資料並將其串流到各種 AWS 服務。如需組態檔案中來源、目的地和管道宣告的詳細資訊,請參閱[來源宣告](source-object-declarations.md)、[目的地宣告](sink-object-declarations.md)以及[管道宣告](pipe-object-declarations.md)。
下列各節包含各種不同類型案例的組態檔案範例。
**Topics**
+ [從各種來源串流到 Kinesis Data Streams](#configuring-kaw-examples-sources)
+ [從 Windows 應用程式事件日誌串流到目的地](#configuring-kaw-examples-sinks)
+ [使用管道](#configuring-kaw-examples-pipes)
+ [使用多個來源和管道](#configuring-kaw-examples-multiple)
## 從各種來源串流到 Kinesis Data Streams
以下為範例示範:`appsettings.json`組態檔案示範如何將日誌和事件從各種來源串流到 Kinesis Data Streams,以及從 Windows 效能計數器串流到 Amazon CloudWatch 指標。
### `DirectorySource`、`SysLog` 記錄剖析器
以下檔案會將 syslog 格式日誌記錄從所有檔案串流到,其中包含`.log`副檔名為`C:\LogSource\`目錄中的`SyslogKinesisDataStream`Kinesis Data Streams 會將 us-east-1 區域中的 Kinesis Data stream 串流。您可以建立書籤,以確保即使代理程式關閉並於稍後重新啟動時,仍會傳送日誌檔的所有資料。自訂應用程式可以讀取及處理來自 `SyslogKinesisDataStream` 串流的記錄。
```
{
"Sources": [
{
"Id": "SyslogDirectorySource",
"SourceType": "DirectorySource",
"Directory": "C:\\LogSource\\",
"FileNameFilter": "*.log",
"RecordParser": "SysLog",
"TimeZoneKind": "UTC",
"InitialPosition": "Bookmark"
}
],
"Sinks": [
{
"Id": "KinesisStreamSink",
"SinkType": "KinesisStream",
"StreamName": "SyslogKinesisDataStream",
"Region": "us-east-1"
}
],
"Pipes": [
{
"Id": "SyslogDS2KSSink",
"SourceRef": "SyslogDirectorySource",
"SinkRef": "KinesisStreamSink"
}
]
}
```
### `DirectorySource`、`SingleLineJson` 記錄剖析器
以下檔案會將 JSON 格式日誌記錄從具有`.log`副檔名為`C:\LogSource\`目錄中的`JsonKinesisDataStream`Kinesis Data Streams 會將 us-east-1 區域中的 Kinesis Data stream 串流。串流之前,系統會將 `ComputerName` 和 `DT` 索引鍵的鍵/值對新增到每個 JSON 物件,包括電腦名稱和處理記錄的日期與時間值。自訂應用程式可以讀取及處理來自 `JsonKinesisDataStream` 串流的記錄。
```
{
"Sources": [
{
"Id": "JsonLogSource",
"SourceType": "DirectorySource",
"RecordParser": "SingleLineJson",
"Directory": "C:\\LogSource\\",
"FileNameFilter": "*.log",
"InitialPosition": 0
}
],
"Sinks": [
{
"Id": "KinesisStreamSink",
"SinkType": "KinesisStream",
"StreamName": "JsonKinesisDataStream",
"Region": "us-east-1",
"Format": "json",
"ObjectDecoration": "ComputerName={ComputerName};DT={timestamp:yyyy-MM-dd HH:mm:ss}"
}
],
"Pipes": [
{
"Id": "JsonLogSourceToKinesisStreamSink",
"SourceRef": "JsonLogSource",
"SinkRef": "KinesisStreamSink"
}
]
}
```
### `ExchangeLogSource`
以下檔案會將 Microsoft Exchange 產生的日誌記錄和存放在具有`.log`擴充功能`C:\temp\ExchangeLog\`目錄中的`ExchangeKinesisDataStream`在 us-east-1 區域中的 Kinesis Data stream,以 JSON 格式串流。雖然 Exchange 日誌不是 JSON 格式,但 Windows 適用 Kinesis 代理程式可以剖析這些日誌並轉換為 JSON。串流之前,系統會將 `ComputerName` 和 `DT` 索引鍵的鍵/值對新增到每個 JSON 物件,其中包含電腦名稱和處理記錄的日期與時間值。自訂應用程式可以讀取及處理來自 `ExchangeKinesisDataStream` 串流的記錄。
```
{
"Sources": [
{
"Id": "ExchangeSource",
"SourceType": "ExchangeLogSource",
"Directory": "C:\\temp\\ExchangeLog\",
"FileNameFilter": "*.log"
}
],
"Sinks": [
{
"Id": "KinesisStreamSink",
"SinkType": "KinesisStream",
"StreamName": "ExchangeKinesisDataStream",
"Region": "us-east-1",
"Format": "json",
"ObjectDecoration": "ComputerName={ComputerName};DT={timestamp:yyyy-MM-dd HH:mm:ss}"
}
],
"Pipes": [
{
"Id": "ExchangeSourceToKinesisStreamSink",
"SourceRef": "ExchangeSource",
"SinkRef": "KinesisStreamSink"
}
]
}
```
### `W3SVCLogSource`
以下檔案會將 Internet Information Services (IIS) (存放在這些檔案的標準位置中) 串流到`IISKinesisDataStream`Kinesis Data Streams 會將 us-east-1 區域中的 Kinesis Data stream 串流。自訂應用程式可以讀取及處理來自 `IISKinesisDataStream` 串流的記錄。IIS 是一種 Windows web 伺服器。
```
{
"Sources": [
{
"Id": "IISLogSource",
"SourceType": "W3SVCLogSource",
"Directory": "C:\\inetpub\\logs\\LogFiles\\W3SVC1",
"FileNameFilter": "*.log"
}
],
"Sinks": [
{
"Id": "KinesisStreamSink",
"SinkType": "KinesisStream",
"StreamName": "IISKinesisDataStream",
"Region": "us-east-1"
}
],
"Pipes": [
{
"Id": "IISLogSourceToKinesisStreamSink",
"SourceRef": "IISLogSource",
"SinkRef": "KinesisStreamSink"
}
]
}
```
### `WindowsEventLogSource` 與查詢
下列檔案會從 Windows 系統事件記錄檔資料流記錄事件,其層級為`Critical`或`Error`(小於或等於 2) 串流到`SystemKinesisDataStream`在 us-east-1 區域中的 Kinesis Data stream,以 JSON 格式串流。自訂應用程式可以讀取及處理來自 `SystemKinesisDataStream` 串流的記錄。
```
{
"Sources": [
{
"Id": "SystemLogSource",
"SourceType": "WindowsEventLogSource",
"LogName": "System",
"Query": "*[System/Level<=2]"
}
],
"Sinks": [
{
"Id": "KinesisStreamSink",
"SinkType": "KinesisStream",
"StreamName": "SystemKinesisDataStream",
"Region": "us-east-1",
"Format": "json"
}
],
"Pipes": [
{
"Id": "SLSourceToKSSink",
"SourceRef": "SystemLogSource",
"SinkRef": "KinesisStreamSink"
}
]
}
```
### `WindowsETWEventSource`
以下檔案會將 Microsoft 通用語言執行平台 (CLR) 的例外狀況和安全事件串流到`ClrKinesisDataStream`在 us-east-1 區域中的 Kinesis Data stream,以 JSON 格式串流。自訂應用程式可以讀取及處理來自 `ClrKinesisDataStream` 串流的記錄。
```
{
"Sources": [
{
"Id": "ClrETWEventSource",
"SourceType": "WindowsETWEventSource",
"ProviderName": "Microsoft-Windows-DotNETRuntime",
"TraceLevel": "Verbose",
"MatchAnyKeyword": "0x00008000, 0x00000400"
}
],
"Sinks": [
{
"Id": "KinesisStreamSink",
"SinkType": "KinesisStream",
"StreamName": "ClrKinesisDataStream",
"Region": "us-east-1",
"Format": "json"
}
],
"Pipes": [
{
"Id": "ETWSourceToKSSink",
"SourceRef": "ClrETWEventSource",
"SinkRef": "KinesisStreamSink"
}
]
}
```
### `WindowsPerformanceCounterSource`
以下檔案會 CloudWatch 開啟檔案總數、重新啟動後嘗試登入總數、磁碟每秒讀取數,以及可用磁碟空間百分比的效能計數器串流至 us-east-1 區域中的區域。您可以在 CloudWatch 中繪製這些指標的圖表、從圖表建置儀表板,以及設定警示以在超過閾值時傳送通知。
```
{
"Sources": [
{
"Id": "PerformanceCounter",
"SourceType": "WindowsPerformanceCounterSource",
"Categories": [
{
"Category": "Server",
"Counters": [
"Files Open",
"Logon Total"
]
},
{
"Category": "LogicalDisk",
"Instances": "*",
"Counters": [
"% Free Space",
{
"Counter": "Disk Reads/sec",
"Unit": "Count/Second"
}
]
}
],
}
],
"Sinks": [
{
"Namespace": "MyServiceMetrics",
"Region": "us-east-1",
"Id": "CloudWatchSink",
"SinkType": "CloudWatch"
}
],
"Pipes": [
{
"Id": "PerformanceCounterToCloudWatch",
"SourceRef": "PerformanceCounter",
"SinkRef": "CloudWatchSink"
}
]
}
```
## 從 Windows 應用程式事件日誌串流到目的地
以下為範例示範:`appsettings.json`組態檔案示範將 Windows 應用程式事件日誌串流到適用於微軟視窗的 Amazon Kinesis 代理程式中的各種目的地。如需使用 `KinesisStream` 和 `CloudWatch` 目的地類型的範例,請參閱[從各種來源串流到 Kinesis Data Streams](#configuring-kaw-examples-sources)。
### `KinesisFirehose`
下列檔案串流`Critical`或`Error`Windows 應用程式記錄檔事件到`WindowsLogFirehoseDeliveryStream`Kinesis Data Firehose 交付串流位於 us-east-1 區域中。如果與 Kinesis Data Firehose 的連線中斷,系統會先將事件排入記憶體佇列。若有必要,系統會接著將它們排入磁碟檔案上的佇列,直到恢復連線。然後,事件即可解除佇列狀態,並後接任何新事件一起傳送。
您可以根據資料管道要求,設定 Kinesis Data Firehose,將串流資料存放到多種不同類型的儲存體與分析服務。
```
{
"Sources": [
{
"Id": "ApplicationLogSource",
"SourceType": "WindowsEventLogSource",
"LogName": "Application",
"Query": "*[System/Level<=2]"
}
],
"Sinks": [
{
"Id": "WindowsLogKinesisFirehoseSink",
"SinkType": "KinesisFirehose",
"StreamName": "WindowsLogFirehoseDeliveryStream",
"Region": "us-east-1",
"QueueType": "file"
}
],
"Pipes": [
{
"Id": "ALSource2ALKFSink",
"SourceRef": "ApplicationLogSource",
"SinkRef": "WindowsLogKinesisFirehoseSink"
}
]
}
```
### `CloudWatchLogs`
下列檔案串流`Critical`或`Error`Windows 應用程式 CloudWatch Logs 事件串流到`MyServiceApplicationLog-Group`日誌群組。每個串流名稱開頭為 `Stream-`。結尾為串流建立時的四位數年份、二位數月份和二位數日期,全部串連在一起 (例如,`Stream-20180501` 是 2018 年 5 月 1 日建立的串流)。
```
{
"Sources": [
{
"Id": "ApplicationLogSource",
"SourceType": "WindowsEventLogSource",
"LogName": "Application",
"Query": "*[System/Level<=2]"
}
],
"Sinks": [
{
"Id": "CloudWatchLogsSink",
"SinkType": "CloudWatchLogs",
"LogGroup": "MyServiceApplicationLog-Group",
"LogStream": "Stream-{timestamp:yyyyMMdd}",
"Region": "us-east-1",
"Format": "json"
}
],
"Pipes": [
{
"Id": "ALSource2CWLSink",
"SourceRef": "ApplicationLogSource",
"SinkRef": "CloudWatchLogsSink"
}
]
}
```
## 使用管道
以下範例 `appsettings.json` 組態檔案示範如何使用管道相關的功能。
此範例會將日誌項目從`c:\LogSource\`到`ApplicationLogFirehoseDeliveryStream`Kinesis Data Firehose 交付串流。它只包含符合 `FilterPattern` 鍵/值對所指定規則表達式的字行。具體來說,日誌檔中只有以`10`或`11`會將其串流到 Kinesis Data Firehose。
```
{
"Sources": [
{
"Id": "ApplicationLogSource",
"SourceType": "DirectorySource",
"Directory": "C:\\LogSource\\",
"FileNameFilter": "*.log",
"RecordParser": "SingleLine"
}
],
"Sinks": [
{
"Id": "ApplicationLogKinesisFirehoseSink",
"SinkType": "KinesisFirehose",
"StreamName": "ApplicationLogFirehoseDeliveryStream",
"Region": "us-east-1"
}
],
"Pipes": [
{
"Id": "ALSourceToALKFSink",
"Type": "RegexFilterPipe",
"SourceRef": "ApplicationLogSource",
"SinkRef": "ApplicationLogKinesisFirehoseSink",
"FilterPattern": "^(10|11),.*"
}
]
}
```
## 使用多個來源和管道
以下範例 `appsettings.json` 組態檔案示範如何使用多個來源和管道。
此範例會將應用程式、安全性和系統 Windows 事件日誌串流到`EventLogStream`Kinesis Data Firehose 交付串流使用三個來源、三個管道和單一目的地。
```
{
"Sources": [
{
"Id": "ApplicationLog",
"SourceType": "WindowsEventLogSource",
"LogName": "Application"
},
{
"Id": "SecurityLog",
"SourceType": "WindowsEventLogSource",
"LogName": "Security"
},
{
"Id": "SystemLog",
"SourceType": "WindowsEventLogSource",
"LogName": "System"
}
],
"Sinks": [
{
"Id": "EventLogSink",
"SinkType": "KinesisFirehose",
"StreamName": "EventLogStream",
"Format": "json"
},
],
"Pipes": [
{
"Id": "ApplicationLogToFirehose",
"SourceRef": "ApplicationLog",
"SinkRef": "EventLogSink"
},
{
"Id": "SecurityLogToFirehose",
"SourceRef": "SecurityLog",
"SinkRef": "EventLogSink"
},
{
"Id": "SystemLogToFirehose",
"SourceRef": "SystemLog",
"SinkRef": "EventLogSink"
}
]
}
```