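[root@c7-44 filebeat]# cat modules.d/system.yml
# Module: system
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.8/filebeat-module-system.html

- module: system
  # Syslog
  syslog:
    enabled: true

    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    # NOTE(review): this override replaces the module's OS default path list.
    # On a host whose syslog is written to /var/log/messages (no ".log"
    # suffix) that file is no longer collected, while every other *.log in
    # /var/log is fed through the syslog grok pattern in the Logstash
    # pipeline below — confirm this is the intended set of files.
    var.paths: ["/var/log/*.log"]

  # Authorization logs
  auth:
    enabled: true

    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths: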
[root@c7-42 conf.d]# cat system.conf
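input {
  beats {
    port => 5044
    # Listens on every interface, and with no ssl => true / certificate
    # settings the Beats traffic arrives in plaintext. The lines forwarded
    # here carry usernames, source IPs and full sudo command lines, so keep
    # the listener on a trusted network (or firewall it) until TLS is set up.
    host => "0.0.0.0"
  }
}

filter {
  if [fileset][module] == "system" {
    if [fileset][name] == "auth" {
      grok {
        # All extracted fields use the [a][b][c] bracket form; the groupadd
        # pattern originally used dotted names (system.auth.groupadd.name),
        # which Logstash stores as a single top-level field with literal dots
        # rather than nesting it under [system][auth].
        match => { "message" => [
          "%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]} sshd(?:\[%{POSINT:[system][auth][pid]}\])?: %{DATA:[system][auth][ssh][event]} %{DATA:[system][auth][ssh][method]} for (invalid user )?%{DATA:[system][auth][user]} from %{IPORHOST:[system][auth][ssh][ip]} port %{NUMBER:[system][auth][ssh][port]} ssh2(: %{GREEDYDATA:[system][auth][ssh][signature]})?",
          "%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]} sshd(?:\[%{POSINT:[system][auth][pid]}\])?: %{DATA:[system][auth][ssh][event]} user %{DATA:[system][auth][user]} from %{IPORHOST:[system][auth][ssh][ip]}",
          "%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]} sshd(?:\[%{POSINT:[system][auth][pid]}\])?: Did not receive identification string from %{IPORHOST:[system][auth][ssh][dropped_ip]}",
          "%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]} sudo(?:\[%{POSINT:[system][auth][pid]}\])?: \s*%{DATA:[system][auth][user]} :( %{DATA:[system][auth][sudo][error]} ;)? TTY=%{DATA:[system][auth][sudo][tty]} ; PWD=%{DATA:[system][auth][sudo][pwd]} ; USER=%{DATA:[system][auth][sudo][user]} ; COMMAND=%{GREEDYDATA:[system][auth][sudo][command]}",
          "%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]} groupadd(?:\[%{POSINT:[system][auth][pid]}\])?: new group: name=%{DATA:[system][auth][groupadd][name]}, GID=%{NUMBER:[system][auth][groupadd][gid]}",
          "%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]} useradd(?:\[%{POSINT:[system][auth][pid]}\])?: new user: name=%{DATA:[system][auth][useradd][name]}, UID=%{NUMBER:[system][auth][useradd][uid]}, GID=%{NUMBER:[system][auth][useradd][gid]}, home=%{DATA:[system][auth][useradd][home]}, shell=%{DATA:[system][auth][useradd][shell]}$",
          "%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]} %{DATA:[system][auth][program]}(?:\[%{POSINT:[system][auth][pid]}\])?: %{GREEDYMULTILINE:[system][auth][message]}"
        ] }
        pattern_definitions => { "GREEDYMULTILINE" => "(.|\n)*" }
        # Only applied when a pattern matched; on failure the raw line stays
        # in "message" and grok tags the event with _grokparsefailure.
        remove_field => "message"
      }
      date {
        # Syslog pads single-digit days with a space ("Jul  4 ..."), so the
        # first pattern needs two spaces between MMM and d to match days 1-9.
        match => [ "[system][auth][timestamp]", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
      }
      geoip {
        source => "[system][auth][ssh][ip]"
        target => "[system][auth][ssh][geoip]"
      }
    }
    else if [fileset][name] == "syslog" {
      grok {
        match => { "message" => [
          "%{SYSLOGTIMESTAMP:[system][syslog][timestamp]} %{SYSLOGHOST:[system][syslog][hostname]} %{DATA:[system][syslog][program]}(?:\[%{POSINT:[system][syslog][pid]}\])?: %{GREEDYMULTILINE:[system][syslog][message]}"
        ] }
        pattern_definitions => { "GREEDYMULTILINE" => "(.|\n)*" }
        remove_field => "message"
      }
      date {
        match => [ "[system][syslog][timestamp]", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
      }
    }
  }
}

output {
  elasticsearch {
    # Plain HTTP with no user/password or ssl options: anyone who can reach
    # 10.0.0.41:9200 can read or delete the system-* indices. Keep the
    # cluster on a private network or enable authentication and TLS on it.
    hosts => "10.0.0.41:9200"
    manage_template => false
    index => "system-%{+YYYY.MM.dd}"
  }
  # Debug aid: dumps every event (login attempts, sudo command lines, ...)
  # to Logstash's stdout, which the service manager captures. Remove it once
  # the pipeline has been verified.
  stdout { codec => rubydebug }
}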
3.编辑pipelines.yml
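[root@c7-42 logstash]# cat pipelines.yml
# This file is where you define your pipelines. You can define multiple.
# For more information on multiple pipelines, see the documentation:
#   https://www.elastic.co/guide/en/logstash/current/multiple-pipelines.html

# One entry per pipeline; each runs its own config file in isolation.
- pipeline.id: system
  path.config: "/etc/logstash/conf.d/system.conf"
- pipeline.id: nginx
  path.config: "/etc/logstash/conf.d/nginx.conf"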
4.检查配置文件的错误
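# Syntax-check a pipeline file without starting Logstash
# (-t = --config.test_and_exit). -f/--path.config bypasses pipelines.yml,
# so every file has to be checked on its own; the original step only checked
# nginx.conf, leaving the freshly edited system.conf unverified.
# Relative paths assume the current directory is /etc/logstash/conf.d.
/usr/share/logstash/bin/logstash -f nginx.conf -t
/usr/share/logstash/bin/logstash -f system.conf -t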
5.重启Logstash
# Restart the service so the new pipelines.yml / conf.d files are loaded
# (systemctl appends the .service suffix itself).
systemctl restart logstash
6.查看端口是否启动
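# Confirm the Beats listeners are up: 5044 is the system pipeline's port;
# 5045 is presumably the nginx pipeline's (nginx.conf is not shown here).
# `ss` (iproute) is present on every install, whereas `netstat` needs the
# net-tools package; anchoring on ":PORT" followed by whitespace avoids
# matching the same digits inside a PID or another address.
ss -ntlp | grep -E ':(5044|5045)\s'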
7.检查日志
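# Follow the Logstash service log. `tailf` was removed from util-linux, so
# use tail -f; -n 50 shows the most recent startup lines first.
tail -n 50 -f /var/log/logstash/logstash-plain.log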
8.查看是否有索引
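# List the cluster's indices (run from c7-43 in the original transcript).
# The URL is quoted so the shell cannot glob-expand "?v"; -X GET is curl's
# default for a plain request and is dropped.
curl "http://10.0.0.41:9200/_cat/indices?v"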
health status index uuid pri rep docs.count docs.deleted store.size pri.store.size
yellow open system-2020.07.24 3aHfOSh-QNynA3Qw1b3vaQ 1 1 4010 0 612.5kb 612.5kb
yellow open nginx-2020.07.24 yKmQcZZjS0uXkzIbKrae3w 1 1 72 0 116.9kb 116.9kb
green open .kibana_task_manager vZNqes1_R0G6J-NX5NGisg 1 0 2 0 29.6kb 29.6kb
yellow open system-2020.07.23 mDnEtb8PSeOekvITDJjRoQ 1 1 1452 0 378.2kb 378.2kb
green open .kibana_1 Mt_DF1yjQGa18Owx2J1IEg 1 0 6 1 49.4kb 49.4kb