Sending Symantec logs to Elasticsearch with a Logstash client
Date: 2023-07-08

1. Install the matching version of Logstash

wget https://artifacts.elastic.co/downloads/beats/logstash/logstash-7.5.2-x86_64.rpm
rpm -ivh logstash-7.5.2-x86_64.rpm

2. Configure rsyslog to receive the logs sent by Symantec

3. Logstash configuration

vim /etc/logstash/conf.d/symantec.conf
# My Elasticsearch here is secured with authentication
input {
    # read the files that rsyslog writes for the Symantec events
    file {
        path => ["/var/log/symantec/*.log"]
        start_position => "beginning"
    }
}
filter {
    # parse one Symantec risk event per line; the Chinese labels are literal
    # text from the (Chinese-locale) Symantec log and must match exactly
    grok {
        match => { "message" => "%{TIME:time} %{WORD:server} %{WORD:service}\: %{DATA:event}\,IP 地址: %{IP:ip}\,计算机名: %{DATA:computername},源:%{DATA:source},风险名称: %{DATA:riskname},出现次数: %{DATA:existtimes},文件路径: %{DATA:path},应用程序名: %{DATA:appname}," }
        remove_field => ["message"]
    }
}
output {
    elasticsearch {
        hosts => ["172.20.0.118:9200"]
        user => "elastic"
        # plain-text credential in the config file; the Logstash keystore can
        # hold it instead and be referenced as "${ES_PWD}"
        password => "Spring01"
        index => "netsec_symantec-%{+yyyy.MM.dd}"
    }
}

systemctl start logstash
Done.
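To check offline that the filter's grok expression extracts the expected fields from a Symantec event line before restarting Logstash, here is an added Python example (not from the original post). It assumes a hand-written subset of the grok pattern library (TIME, WORD, DATA, IP) and a constructed sample line in the layout the pattern expects.

```python
import re
from typing import Optional

# Hand-written stand-ins for the Logstash grok patterns the filter uses.
# They approximate the official grok library; they are not copied from it.
GROK = {
    "TIME": r"(?:[01]?\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?",
    "WORD": r"\b\w+\b",
    "DATA": r".*?",
    "IP": r"(?:\d{1,3}\.){3}\d{1,3}",
}

# The grok expression from symantec.conf (field name `service` spelled out).
# The Chinese labels are literal text that must appear in every log line.
PATTERN = (
    r"%{TIME:time} %{WORD:server} %{WORD:service}\: %{DATA:event}\,IP 地址: %{IP:ip}"
    r"\,计算机名: %{DATA:computername},源:%{DATA:source},风险名称: %{DATA:riskname},"
    r"出现次数: %{DATA:existtimes},文件路径: %{DATA:path},应用程序名: %{DATA:appname},"
)

# Constructed sample line in the rsyslog-style layout the pattern expects;
# host names, IP address and file names are made up for this test.
SAMPLE_LINE = (
    "Jul  8 10:12:33 sepm01 Symantec: 检测到安全风险,IP 地址: 10.0.0.5,"
    "计算机名: WS-01,源:自动防护扫描,风险名称: EICAR-Test-File,出现次数: 1,"
    "文件路径: C:\\Temp\\eicar.com,应用程序名: explorer.exe,"
)


def grok_to_regex(pattern: str) -> re.Pattern:
    """Expand every %{NAME:field} token into a named group; the rest of the
    grok expression is already plain regex and is kept verbatim."""
    def expand(m: re.Match) -> str:
        return f"(?P<{m.group(2)}>{GROK[m.group(1)]})"
    return re.compile(re.sub(r"%\{(\w+):(\w+)\}", expand, pattern))


def parse_line(line: str) -> Optional[dict]:
    """Return the extracted fields, or None when Logstash would tag the
    event _grokparsefailure (no match anywhere in the line)."""
    m = grok_to_regex(PATTERN).search(line)
    return m.groupdict() if m else None


if __name__ == "__main__":
    for field, value in (parse_line(SAMPLE_LINE) or {}).items():
        print(f"{field:13} = {value}")
```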