auditbeat
使用
# Run Auditbeat in the foreground: -e sends its own log to stderr (no log
# file/syslog), -c names the configuration file to load.
# NOTE(review): Beats refuse to start when the config file is writable by a
# user other than the one running the binary; fix ownership/mode of
# auditbeat.yml rather than disabling the permission check.
sudo ./auditbeat -e -c auditbeat.yml
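# Auditbeat configuration fragment (auditbeat.yml).
# The original note lost all indentation and the parent key; module entries
# live under `auditbeat.modules`, and `output.file` is a top-level key.
auditbeat.modules:
  # file_integrity: hash and watch the listed directories for changes to
  # system executables. Only the directories themselves are watched unless
  # the module's `recursive` option is enabled — confirm that is intended.
  - module: file_integrity
    paths:
      - /bin
      - /usr/bin
      - /sbin
      - /usr/sbin

# Write events to a local file instead of Elasticsearch/Logstash.
# NOTE(review): the output directory should be writable only by the user
# running auditbeat — anything an intruder can edit here is lost evidence.
output.file:
  path: "/opt/auditbeat/output"
  filename: auditbeat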
在 Windows 将 auditbeat 添加为系统服务
命令
使用管理员身份运行powershell或者是cmd
.\install-service-auditbeat.ps1
如果提示该脚本已被本系统禁用(PowerShell 执行策略阻止运行脚本),以管理员身份执行
Set-ExecutionPolicy RemoteSigned
注意:这会修改本机的 PowerShell 执行策略;如环境允许,优先使用更小的作用域(例如 -Scope Process,只影响当前会话)。
auditbeat采集系统审计日志
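# auditd module: Auditbeat attaches to the kernel audit netlink socket and
# loads the rules configured below.
# NOTE(review): in its default (unicast) mode this conflicts with a running
# auditd daemon on the same host — confirm auditd is stopped, or switch the
# module to multicast mode.
auditbeat.modules:
  - module: auditd
    # Rules are read from every *.conf in audit.rules.d next to auditbeat.yml;
    # ${path.config} is resolved by Auditbeat at startup.
    audit_rule_files: [ '${path.config}/audit.rules.d/*.conf' ]
    # Inline rules. The only entry is commented out, so the files above are
    # the sole source of rules. `-k exec` and `-F key=exec` are equivalent.
    audit_rules: |
      #-a always,exit -F arch=b64 -S execve,execveat -k exec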
审计规则文件
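# auditd rules loaded by the Auditbeat auditd module (audit.rules.d/*.conf).
# Syntax: -a <list>,<action> -F <filter> -S <syscall>  |  -w <path> -p <perms> -k <key>

# Never log auditbeat's own syscalls. Per the original note this rule is
# derived from auditbeat's PID at the time of writing.
# NOTE(review): a PID hard-coded in a static rules file is stale after the
# next restart; generate this line at startup rather than committing it.
-a never,exit -S all -F pid=19714

# Log every syscall made through the 32-bit ABI. On a 64-bit host, use of the
# compat ABI is rare enough to log in full and is a common evasion indicator.
-a always,exit -F arch=b32 -S all -F key=32bit-abi

# Program execution (64-bit ABI).
-a always,exit -F arch=b64 -S execve,execveat -F key=exec

# Network activity: outbound connect, inbound accept, and listening bind.
-a always,exit -F arch=b64 -S connect,accept,bind -F key=external-access

# Identity changes: writes and attribute changes to the account databases.
# /etc/shadow was missing from the original list even though it holds the
# password hashes, so password changes went unrecorded; added below.
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity

# Failed file access: open/create/truncate that returned EACCES or EPERM.
# NOTE(review): without an auid filter (e.g. -F auid>=1000 -F auid!=unset)
# every system service's denied open is logged too; add one if the volume
# becomes a problem.
-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EACCES -F key=access
-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EPERM -F key=access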
filebeat
# Run Filebeat in the foreground: -e sends its own log to stderr, -c names
# the configuration file to load.
# NOTE(review): as with Auditbeat, the config file must not be writable by
# other users or Filebeat refuses to start.
sudo ./filebeat -e -c filebeat.yml
#配置
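# Filebeat configuration (filebeat.yml). Indentation restored from the
# original flat paste.
filebeat.inputs:
  # Each - is an input. Most options can be set at the input level, so
  # you can use different inputs for various configurations.
  # Below are the input specific configurations.
  # NOTE(review): the `log` input is deprecated in recent Filebeat releases
  # in favour of `filestream`; check the installed version before reusing.
  - type: log
    enabled: true
    paths:
      # - /var/log/*.log
      - /opt/systemlog/192.168.43.86/*.log
    # Custom field attached to every event. output.kafka below uses it as
    # the topic name, so its value must be a valid Kafka topic name.
    fields:
      log_type: systemlog

# Ship events to Kafka; the topic is taken from the per-input field above.
# NOTE(review): no TLS or SASL is configured, so log content travels in
# plaintext to an unauthenticated broker at 192.168.122.137:9092.
output.kafka:
  hosts: ["192.168.122.137:9092"]
  topic: '%{[fields][log_type]}'
  enabled: true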
logstash配置
input {
  # Consume the Filebeat topic from Kafka. decorate_events adds the Kafka
  # topic/partition/offset under [@metadata][kafka].
  # NOTE(review): no security_protocol / ssl_* / sasl_* settings, so the
  # broker connection is plaintext and unauthenticated — confirm acceptable.
  kafka {
    bootstrap_servers => "192.168.122.137:9092"
    topics => ["systemlog"]
    # Threads beyond the topic's partition count sit idle; match them.
    consumer_threads => 10
    decorate_events => true
    # Each record is a whole Filebeat event serialised as JSON.
    codec => json {
      charset => "UTF-8"
    }
  }
}
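filter {
  # Parse the log line carried in `message` as JSON and replace `message`
  # with the parsed object. Lines that are not JSON are left unchanged and
  # the event is tagged _jsonparsefailure by the filter.
  json {
    source => "message"
    target => "message"
  }
  # Drop Beats agent metadata. Logstash field references use bracket syntax;
  # the original "agent.id" strings named a literal top-level key "agent.id",
  # which does not exist in the nested Beats event, so nothing was removed.
  mutate {
    remove_field => ["[agent][id]", "[agent][ephemeral_id]", "[agent][version]"]
  }
}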
output {
  # Index name comes from the Filebeat field; if the field is absent the
  # sprintf reference is left unresolved and indexing fails. Index names
  # must be lowercase.
  # NOTE(review): plain HTTP with no user/password or ssl settings for
  # Elasticsearch at 192.168.122.138:9200.
  elasticsearch {
    hosts => ["192.168.122.138:9200"]
    index => "%{[fields][log_type]}"
  }
  # Debug echo of every event to Logstash's stdout; remove in production.
  stdout {
    codec => rubydebug
  }
}