For details see:
https://www.chinasa.net

Modify the environment configuration file

#/etc/bashrc

Add the following content:


HISTFILE='/var/log/history_command.log'
if [ ! -f "$HISTFILE" ]; then
    touch "$HISTFILE"
    chmod 666 "$HISTFILE"
fi

# Prefix each history entry with: date time,hostname,client ip,login user,current user,
export HISTTIMEFORMAT="%F %T,$HOSTNAME,$(who -u am i 2>/dev/null | awk '{print $NF}' | sed -e 's/[()]//g'),$(who am i | awk '{print $1}'),${USER},"

# Before each prompt, append the last history entry (with its number stripped) to the log
export PROMPT_COMMAND='history 1 | tail -1 | sed "s/^[ ]\+[0-9]\+ //" >> $HISTFILE'

PS: this formats each history command and writes it to the /var/log/history_command.log file


logstash configuration file

#hiscmd_log.conf


input {
    file {
        type => "history_cmd"
        path => "/var/log/history_command.log"
    }
}
filter {
    if [type] == "history_cmd" {
        grok {
            match => { "message" => "%{HISTORY_CMD}" }
        }
    }
    geoip {
        source   => "ip"
        fields   => [ "city_name" ]
        database => "/opt/logstash-2.0.0/conf/GeoLiteCity.dat"
    }
}
output {
    stdout { codec => rubydebug }
    elasticsearch {
        hosts => [ "www.elk.com:9200" ]
        index => "history_cmd-%{+YYYY.MM}"
    }
}


The matching rule can be written in the patterns/linux-syslog file

# fields: time,hostname,client ip,login user (root),current user,command
HISTORY_CMD (?<time>\d+.*),%{HOSTNAME:hostname},%{IPV4:ip},root,%{WORD:user},(?<cmd>\S+\s*.*)
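To check what the HISTTIMEFORMAT/PROMPT_COMMAND setup and the HISTORY_CMD pattern actually produce, here is an added example (not from the original post) that mirrors the grok pattern as a Python regex and runs it over constructed log lines; the sample lines, hostnames and addresses are made up.

```python
import re

# Python equivalent of the HISTORY_CMD grok pattern. %{HOSTNAME}, %{IPV4}
# and %{WORD} are approximated with simpler regexes, and "time" is limited
# to "no comma" so the match stays unambiguous when the command contains commas.
HISTORY_CMD = re.compile(
    r"^(?P<time>\d+[^,]*),"
    r"(?P<hostname>[A-Za-z0-9._-]+),"
    r"(?P<ip>(?:\d{1,3}\.){3}\d{1,3}),"
    r"root,"                      # login user, hard-coded in the pattern
    r"(?P<user>\w+),"             # current user ($USER, e.g. after su)
    r"(?P<cmd>\S.*)$"
)

def parse_line(line):
    """Return the parsed fields as a dict, or None when the line does not
    match (Logstash tags such an event with _grokparsefailure)."""
    m = HISTORY_CMD.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def parse_log(text):
    """Split a history_command.log body into parsed records and the raw
    lines that did not parse, so gaps in the audit trail stay visible."""
    records, failures = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec:
            records.append(rec)
        else:
            failures.append(line)
    return records, failures

# Constructed sample lines in the format written by PROMPT_COMMAND above.
# The last line comes from a session where `who am i` printed nothing
# (no controlling terminal), so the ip and login-user fields are empty
# and the pattern cannot match it.
SAMPLE_LOG = """\
2015-11-20 10:15:32,web01,192.168.1.23,root,root,cat /etc/shadow
2015-11-20 10:16:05,web01,192.168.1.23,root,deploy,sudo systemctl restart nginx
2015-11-20 10:17:40,web01,,,root,ls -la
"""

if __name__ == "__main__":
    ok, bad = parse_log(SAMPLE_LOG)
    for r in ok:
        print(f"{r['time']} {r['hostname']} {r['ip']} {r['user']}: {r['cmd']}")
    print(f"{len(bad)} line(s) did not match:", bad)
```

Counting the `_grokparsefailure` events in Elasticsearch alongside the parsed ones is a cheap way to confirm the pipeline is still capturing every session, not only the ones with a client address.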


Kibana graphical display

