input {
  file {
    # ModSecurity audit log written in its JSON audit format; adjust the path
    # to match the installation. The file input is line-oriented and every
    # line is handed to the json filter below, so the log has to contain one
    # JSON document per line.
    # start_position only applies the first time Logstash sees the file;
    # afterwards the sincedb offset decides where reading resumes.
    # The audit log is typically created by the web server process with
    # restrictive permissions, so the user running Logstash needs read access.
    # Depending on SecAuditLogParts the entries can carry full request and
    # response headers/bodies (cookies, tokens, credentials) — treat the
    # destination index with the same care as the log file itself.
    path => "/var/log/modsec_audit.log"
    start_position => "beginning"
  }
}
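filter {
  # Parse the audit-log line into top-level fields and drop the raw line.
  # On a parse failure the json filter tags the event with _jsonparsefailure
  # and does NOT apply remove_field, so the raw (possibly malformed) line stays
  # in "message" for inspection.
  json {
    source => "message"
    remove_field => ["message"]
  }

  # Everything below converts [transaction][time_stamp] into a
  # "yyyy-MM-dd HH:mm:ss" string in [date], suitable for a database DATETIME
  # column. The original timestamp is asctime-style, e.g.
  # "Wed Feb  7 11:20:09 2018" (confirm against a sample); after splitting on
  # whitespace index 0 is presumably the weekday (unused), 1 the month
  # abbreviation, 2 the day, 3 the time and 4 the year.
  # The whole conversion is guarded so that events without a parseable
  # time_stamp (JSON parse failures, a different audit-log format) do not get
  # literal "%{...}" placeholders written into date/month/day/time/year.
  if "_jsonparsefailure" not in [tags] and [transaction][time_stamp] {
    mutate {
      # NOTE: split rewrites [transaction][time_stamp] itself into an array.
      # Ruby's split(" ") collapses runs of whitespace, so the double space
      # before a single-digit day should not shift the indexes — verify on a
      # sample if the day ever comes out wrong.
      split => { "[transaction][time_stamp]" => " " }
      # mutate applies split before add_field, so the indexed references
      # below already see the array (the original config relied on this too).
      add_field => {
        "date"  => "yyyy-MM-dd HH:mm:ss"
        "month" => "%{[transaction][time_stamp][1]}"
        "day"   => "%{[transaction][time_stamp][2]}"
        "time"  => "%{[transaction][time_stamp][3]}"
        "year"  => "%{[transaction][time_stamp][4]}"
      }
    }

    # Month abbreviation -> two-digit month. One gsub list replaces the former
    # twelve-way if/else chain: the field holds exactly one abbreviation, and
    # once it has been turned into digits no later pattern can match, so the
    # order is irrelevant. An unrecognised value is left untouched.
    mutate {
      gsub => [
        "month", "Jan", "01",
        "month", "Feb", "02",
        "month", "Mar", "03",
        "month", "Apr", "04",
        "month", "May", "05",
        "month", "Jun", "06",
        "month", "Jul", "07",
        "month", "Aug", "08",
        "month", "Sep", "09",
        "month", "Oct", "10",
        "month", "Nov", "11",
        "month", "Dec", "12"
      ]
    }

    # Zero-pad a single-digit day so the result really is yyyy-MM-dd; strict
    # DATETIME parsers reject "2018-02-7 11:20:09". No-op for two-digit days.
    if [day] =~ /^[0-9]$/ {
      mutate {
        replace => { "day" => "0%{[day]}" }
      }
    }

    # Fill in the template; gsub expands %{...} field references in the
    # replacement. The patterns are case-sensitive, so "MM" (month) does not
    # touch "mm" (minutes) inside "HH:mm:ss".
    mutate {
      gsub => [
        "date", "yyyy", "%{[year]}",
        "date", "MM", "%{[month]}",
        "date", "dd", "%{[day]}",
        "date", "HH:mm:ss", "%{[time]}"
      ]
    }
    # The helper fields month/day/time/year are intentionally kept, as before;
    # add a mutate { remove_field => [...] } here if the index should not
    # carry them. A date { match => [...] } filter would be the idiomatic
    # alternative, but it yields a UTC @timestamp-style value rather than this
    # plain string, so it is not a drop-in replacement.
  }
}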
output {
  # Debug aid only: echoes every event — the complete audit record, including
  # whatever request/response data it carries — to stdout as JSON. Remove it
  # once the pipeline is verified so that data is not duplicated into the
  # Logstash console or journal.
  stdout {
    codec => json { charset => "UTF-8" }
  }

  elasticsearch {
    # Single node over plain HTTP; the basic-auth credentials below therefore
    # travel in cleartext on every bulk request. Enable TLS on the cluster and
    # configure ssl/cacert here before running this outside a lab network.
    # "host" (singular) and "workers" are option names from older versions of
    # the elasticsearch output; current releases expect hosts => [...] and no
    # longer honour workers — check against the Logstash version in use.
    host => "10.27.106.193:9200"
    index => "modsec_audit"
    # SECURITY: the built-in "elastic" superuser and its literal password are
    # checked into this file. Use a dedicated role that can only write to and
    # manage the modsec_audit index, and take the secret from the Logstash
    # keystore or an environment variable (password => "${ES_PASSWORD}" on
    # Logstash 5+) instead of a literal here. Remember the audit records may
    # contain cookies/tokens/credentials, so restrict who can read the index.
    user => "elastic"
    password => "elastic"
    workers => 5
    # Let the plugin overwrite its index template in Elasticsearch on startup.
    template_overwrite => true
  }
}