ELK-Logstash Linux 歷史記錄日誌分析

時間 2020-03-20

原文原文鏈接

修改環境配置文件linux

#/etc/bashrcruby

添加如下內容:bash

 
  HISTFILE= 
  '/var/log/history_command.log'

 
  if 
    
  [ ! -f $HISTFILE ]; 
  then

 
  touch 
    
  $HISTFILE

 
  chmod 
    
  666 $HISTFILE

fi

export HISTTIMEFORMAT="%F %T,$HOSTNAME,$(who -u am i 2>/dev/null| \elasticsearch

awk '{print $NF}'| sed -e 's/[()]//g'),$(who am i|awk '{print $1}'),${USER},"ide

 
  export 
    
  PROMPT_COMMAND= 
  'history 1|tail -1|sed "s/^[ ]\+[0-9]\+ //"|sed "s/$//">> $HISTFILE'

PS:將歷史命令格式化，並寫入/var/log/history_command.log文件spa

logstash配置文件.net

#hiscmd_log.confdebug

 
  input { 
 

 
  file 
    
  {

 
  type 
    
  =>  
  "history_cmd"

 
  path =>  
  "/var/log/history_command.log"

}

}

 
  filter { 
 

 
  if 
    
  [ 
  type 
  ] ==  
  "history_cmd" 
    
  {

 
  grok {

 
  match => {  
  "message" 
    
  =>  
  "%{HISTORY_CMD}" 
    
  }

}

}

 
  geoip {

 
  source 
    
  =>  
  "ip"

 
  fields => [ 
  "city_name" 
  ]

 
  database =>  
  "/opt/logstash-2.0.0/conf/GeoLiteCity.dat"

}

}

 
  output { 
 

 
  stdout { codec => rubydebug }

 
  elasticsearch {

 
  hosts =>  
  "www.elk.com:9200"

 
  index =>  
  "history_cmd-%{+YYYY.MM}"

}

}

匹配規則可寫在patterns/linux-syslog 文件裏code

HISTORY_CMD (?<time>\d+.*),%{HOSTNAME:hostname},%{IPV4:ip},root,%{WORD:user},(?<cmd>[\S+]\s*.*)

Kibana 圖形展現

相關標籤/搜索

每日一句

每一个你不满意的现在，都有一个你没有努力的曾经。