elk分析linux日志,ELK Linux 历史记录日志分析

修改环境配置文件

/etc/bashrc 添加一下内容

HISTFILE='/var/log/history_command.log'

if [ ! -f $HISTFILE ];then

touch $HISTFILE

chmod 666 $HISTFILE

fi

export HISTTIMEFORMAT="%F %T,$HOSTNAME,$(who -u am i 2>/dev/null|awk '{print $NF}'| sed -e 's/[()]//g'),$(who am i|awk '{print $1}'),${USER} "

export PROMPT_COMMAND='history 1|tail -1|sed "s/^[ ]+[0-9]+ //" >> /var/log/history_command.log'

检查是否成功记录历史操作命令

91221.elk.node1.com<2016-12-14 18:41:32> ~

root># tail -10f /var/log/history_command.log

2016-12-14 18:37:57,91221.elk.node1.com,192.168.66.45,root vim /etc/bashrc

2016-12-14 18:37:57,91221.elk.node1.com,192.168.66.45,root vim /etc/bashrc

2016-12-14 18:38:22,91221.elk.node1.com,192.168.66.45,root tail -100f /var/log/history_command.log

2016-12-14 18:38:33,91221.elk.node1.com,192.168.66.45,root vim /etc/bashrc

91221.elk.node1.com<2016-12-14 18:57:14> /opt/logstash-2.4.1

root># cat patterns/syslog

HISTORY_CMD (?\d+.),%{HOSTNAME:hostname},%{IPV4:ip},root,%{WORD:user} (?[\S+]\s.*)

gork正则表达式调试

http://grokdebug.herokuapp.com/

689D5CDF-17CE-4077-BFDB-EEBC42DDC13B.png

创建history_cmd-索引模板

curl -XPUT http://192.168.91.221:9200/_template/template_syslog -d '

{

"order": 0,

"template": "history_cmd-",

"settings": {

"index": {

"refresh_interval": "5s"

}

},

"mappings": {

"default": {

"dynamic_templates": [

{

"string_fields": {

"mapping": {

"index": "analyzed",

"omit_norms": true,

"type": "string",

"fields": {

"raw": {

"ignore_above": 256,

"index": "not_analyzed",

"type": "string",

"doc_values": true

}

}

},

"match_mapping_type": "string",

"match": "*"

}

}

],

"_all": {

"enabled": true

},

"properties": {

"@timestamp": {

"format": "dateOptionalTime",

"index": "not_analyzed",

"type": "date",

"doc_values": true

},

"geoip": {

"dynamic": true,

"type": "object",

"properties": {

"location": {

"type": "geo_point"

}

}

},

"@version": {

"index": "not_analyzed",

"type": "string"

}

}

}

},

"aliases": {}

}'