Collecting system login logs with Filebeat
阿新 • Published: 2020-09-16
1. Filebeat configuration
filebeat.inputs:          # the input block below sits under this key in filebeat.yml
  - type: log
    enabled: true
    paths:
      - /var/log/secure
    # include_lines are unanchored, case-sensitive regexes; only sshd result lines
    # ("Failed password ...", "Accepted publickey ...") are shipped, everything else is dropped
    include_lines: [".*Failed.*", ".*Accepted.*"]
    tags: ["secure"]
2. Logstash filter configuration
################ input ##################
input {
  beats {
    port => 5044
    # The original set codec => "json" here. Filebeat is shipping plain text lines from
    # /var/log/secure, not JSON, so the json codec cannot decode them and tags every event
    # _jsonparsefailure. The default plain codec is the right one for this pipeline.
    # codec => "json"
  }
}
############ login log filter ##################
filter {
  if "secure" in [tags] {
    grok {
      # status  : the word right after "sshd[<pid>]: " (Failed or Accepted)
      # ClientIP: the last IPv4 address in the line that is followed by a space
      # The IPv4 group is optional, so a line whose client is an IPv6 address (e.g. ::1)
      # makes the whole match fail and the event is tagged _grokparsefailure;
      # %{IP:ClientIP} in place of the hand-written IPv4 group covers both families.
      match => { "message" => ".* sshd\[\d+\]: (?<status>\S+) .* (?<ClientIP>(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})?) .*" }
      # overwrite only matters when a capture reuses an existing field name; none does here,
      # so message is kept as received
      overwrite => ["message"]
    }
  }
}
output {
  # The original tested for the tag "comm" here and wrote to "comm-%{+YYYY.MM}". Nothing in this
  # pipeline sets that tag, so no login event would ever reach Elasticsearch; the condition and
  # the index name must use the "secure" tag that Filebeat attaches.
  if "secure" in [tags] {
    elasticsearch {
      # no hosts => given, so the plugin uses its default of localhost:9200
      index => "secure-%{+YYYY.MM}"
      user => "elastic"
      # plain-text credential in the pipeline file; prefer the Logstash keystore,
      # e.g. password => "${ES_PWD}", so the secret is not in a file that gets copied around
      password => "123456"
    }
  }
}
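The filter stage above is easiest to check offline before wiring it into Logstash. The following Python replays the Filebeat include_lines step and the grok match over a handful of constructed /var/log/secure lines (made up for this example, not taken from the post), then aggregates failed logins per client the way a Kibana visualization would. It is an added example, not code from the post; the tighter GROK_STRICT pattern is this example's own and goes beyond the post's pattern by also capturing method, user and port and by handling the IPv6 case in which the post's pattern yields _grokparsefailure.

```python
import re

# Constructed sample of /var/log/secure lines (RHEL/CentOS sshd format); these are made up for
# this example and are not from the original post. The IPv6 line at the end is the edge case.
SAMPLE_SECURE_LOG = """\
Sep 16 10:01:02 web01 sshd[2154]: Accepted publickey for deploy from 10.0.0.5 port 51234 ssh2: RSA SHA256:abc
Sep 16 10:01:05 web01 sshd[2160]: Failed password for root from 203.0.113.9 port 40022 ssh2
Sep 16 10:01:06 web01 sshd[2160]: Failed password for invalid user admin from 203.0.113.9 port 40023 ssh2
Sep 16 10:01:07 web01 sshd[2160]: Connection closed by 203.0.113.9 port 40023 [preauth]
Sep 16 10:02:00 web01 su: pam_unix(su-l:session): session opened for user root by deploy(uid=1000)
Sep 16 10:02:30 web01 sshd[2170]: Accepted password for deploy from 192.168.1.20 port 50000 ssh2
Sep 16 10:03:00 web01 sshd[2180]: Failed password for root from ::1 port 40100 ssh2
"""

# Filebeat include_lines from the post: unanchored, case-sensitive regexes; a line is shipped if any matches.
INCLUDE_LINES = [re.compile(p) for p in (r".*Failed.*", r".*Accepted.*")]

# The post's grok pattern. Grok named groups (?<name>...) are written (?P<name>...) for Python's re.
GROK_POST = re.compile(
    r".* sshd\[\d+\]: (?P<status>\S+) .* "
    r"(?P<ClientIP>(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})?) .*"
)

# A tighter pattern (this example's own, not from the post): anchored on the sshd message layout,
# also captures method/user/port, and takes whatever follows "from", so IPv6 clients parse too.
GROK_STRICT = re.compile(
    r"sshd\[\d+\]: (?P<status>Failed|Accepted) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ClientIP>\S+) port (?P<port>\d+)"
)


def filebeat_include(lines):
    """Mimic Filebeat include_lines: keep only lines matching at least one regex."""
    return [line for line in lines if any(r.search(line) for r in INCLUDE_LINES)]


def grok_login(line, pattern=GROK_POST):
    """Mimic the Logstash grok filter on one event tagged 'secure'.

    Returns the event as a dict; on no match grok adds the _grokparsefailure tag
    and leaves the event otherwise untouched, which is what a Kibana search would show.
    """
    event = {"message": line, "tags": ["secure"]}
    m = pattern.search(line)
    if m is None:
        event["tags"].append("_grokparsefailure")
    else:
        event.update(m.groupdict())
    return event


def pipeline(raw_log, pattern=GROK_POST):
    """Filebeat include_lines followed by the Logstash grok stage, over raw log text."""
    return [grok_login(line, pattern) for line in filebeat_include(raw_log.splitlines())]


def failed_by_client(events):
    """Failed logins per ClientIP, the aggregation one would put on a Kibana visualization."""
    counts = {}
    for ev in events:
        if ev.get("status") == "Failed":
            counts[ev["ClientIP"]] = counts.get(ev["ClientIP"], 0) + 1
    return counts


if __name__ == "__main__":
    for ev in pipeline(SAMPLE_SECURE_LOG):
        print(ev.get("status"), ev.get("ClientIP"), ev["tags"])
    print(failed_by_client(pipeline(SAMPLE_SECURE_LOG, GROK_STRICT)))
```

Running the file prints one line per shipped event: the two non-sshd lines never leave Filebeat, the four IPv4 lines get status and ClientIP, and the IPv6 line is tagged _grokparsefailure by the post's pattern but parsed by the strict one. In grok syntax the strict pattern is along the lines of `sshd\[%{POSINT}\]: %{WORD:status} %{WORD:method} for (invalid user )?%{USERNAME:user} from %{IP:ClientIP} port %{POSINT:port}`, where %{IP} covers both address families.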
3. Viewing in Kibana