SSH login log collection
16lz
2021-04-18
1. Create the Logstash grok filter rules

Add a pattern file named ssh to the Logstash core patterns directory. Logstash loads every file in that directory, so the three patterns below (SECURELOG for password authentication results, SYSLOGPAMSESSION for PAM session open/close lines, SYSLOGBASE2 as the generic syslog fallback) become usable from the grok filter by name:

cd /usr/share/logstash/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-4.1.2/patterns
cat ssh
SECURELOG %{WORD:program}\[%{DATA:pid}\]: %{WORD:status} password for ?(invalid user)? %{WORD:USER} from %{DATA:IP} port
SYSLOGPAMSESSION %{SYSLOGBASE} (?=%{GREEDYDATA:message})%{WORD:pam_module}\(%{DATA:pam_caller}\): session %{WORD:pam_session_state} for user %{USERNAME:username}(?: by %{GREEDYDATA:pam_by})?
SYSLOGBASE2 (?:%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp8601}) (?:%{SYSLOGFACILITY} )?%{SYSLOGHOST:logsource} %{SYSLOGPROG}:
2. Configure the Logstash pipeline

The pipeline reads /var/log/secure, tries the three patterns in order (first match wins), and tags each event as Success or Failed from the status field captured by SECURELOG. The patterns are given as one array under a single match key; repeating match => inside one grok block is not the supported form and is rejected by newer Logstash releases.

input {
  file {
    type => "seclog"
    path => "/var/log/secure"
  }
}

filter {
  if [type] == "seclog" {
    grok {
      # Tried in order: PAM session lines, then password auth results, then generic syslog
      match => {
        "message" => [
          "%{SYSLOGPAMSESSION}",
          "%{SECURELOG}",
          "%{SYSLOGBASE2}"
        ]
      }
    }
  }
  # "status" is only set by SECURELOG, so other lines get neither tag
  if [status] == "Accepted" {
    mutate { add_tag => ["Success"] }
  } else if [status] == "Failed" {
    mutate { add_tag => ["Failed"] }
  }
}

output {
  stdout { codec => rubydebug }
  elasticsearch {
    hosts => "elk.test.com:9200"
    index => "sshd_log-%{+YYYY.MM}"
  }
}
3. Output event format

A line that matches neither SYSLOGPAMSESSION nor SECURELOG falls through to SYSLOGBASE2, so only the syslog header fields are extracted and no Success/Failed tag is added, as in this rubydebug output:

{
          "path" => "/var/log/secure",
    "@timestamp" => 2017-12-04T06:15:14.038Z,
      "@version" => "1",
          "host" => "elk.test.com",
           "pid" => "12095",
       "program" => "sshd",
       "message" => "Dec 4 14:15:13 elk sshd[12095]: Address 192.168.216.1 maps to localhost, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!",
          "type" => "seclog",
     "logsource" => "elk",
     "timestamp" => "Dec 4 14:15:13"
}
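To check the grok logic of sections 1 and 2 before deploying it, the following added example (written for this page, not part of the original post or of Logstash) expands the three patterns into plain Python regexes, applies them in the same order to a few constructed /var/log/secure lines, adds the Success/Failed tags the mutate filters add, and counts results per user and source address, which is the view the Kibana chart in section 4 gives. Field names mirror the grok names (USER, IP, status, logsource); the sample lines, the pam_message group name and the helper names are assumptions of this example.

```python
import re
from collections import Counter

# Grok base patterns expanded to plain regexes (assumed equivalents of the
# logstash-patterns-core definitions; group names mirror the grok field names).
SYSLOGTIMESTAMP = r"(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2})"
SYSLOGHOST = r"(?P<logsource>\S+)"
SYSLOGPROG = r"(?P<program>[\w._/%-]+)(?:\[(?P<pid>\d+)\])?"
SYSLOGBASE = SYSLOGTIMESTAMP + " " + SYSLOGHOST + " " + SYSLOGPROG + ":"

# SECURELOG: "<prog>[<pid>]: Accepted|Failed password for [invalid user ]<user> from <ip> port"
# Unanchored, like grok, so it is applied with search().
SECURELOG = re.compile(
    r"(?P<program>\w+)\[(?P<pid>\d+)\]: (?P<status>\w+) password for ?(?:invalid user)? "
    r"(?P<USER>\w+) from (?P<IP>.*?) port"
)
# SYSLOGPAMSESSION: syslog header + "pam_unix(sshd:session): session opened for user X by Y".
# The grok lookahead that keeps the remainder is named pam_message here (assumed name)
# so it does not overwrite the event's own "message" field.
SYSLOGPAMSESSION = re.compile(
    "^" + SYSLOGBASE + r" (?=(?P<pam_message>.*))"
    r"(?P<pam_module>\w+)\((?P<pam_caller>[^)]+)\): session (?P<pam_session_state>\w+) "
    r"for user (?P<username>\S+)(?: by (?P<pam_by>.*))?"
)
# SYSLOGBASE2: generic fallback, only the syslog header is parsed
SYSLOGBASE2 = re.compile("^" + SYSLOGBASE)

# Same order as the grok filter in the pipeline: first match wins.
PATTERNS = [
    ("SYSLOGPAMSESSION", SYSLOGPAMSESSION),
    ("SECURELOG", SECURELOG),
    ("SYSLOGBASE2", SYSLOGBASE2),
]

# Constructed sample lines in /var/log/secure format (not real captures).
SAMPLE_LINES = [
    "Dec  4 14:15:13 elk sshd[12095]: Accepted password for root from 192.168.216.1 port 52110 ssh2",
    "Dec  4 14:15:20 elk sshd[12101]: Failed password for invalid user admin from 192.168.216.50 port 40212 ssh2",
    "Dec  4 14:15:21 elk sshd[12101]: Failed password for invalid user admin from 192.168.216.50 port 40212 ssh2",
    "Dec  4 14:15:13 elk sshd[12095]: pam_unix(sshd:session): session opened for user root by (uid=0)",
    "Dec  4 14:15:13 elk sshd[12095]: Address 192.168.216.1 maps to localhost, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!",
]


def parse_secure_line(line):
    """Build the event dict the grok + mutate filters would produce for one line."""
    event = {"message": line, "type": "seclog", "tags": []}
    for name, rx in PATTERNS:
        m = rx.search(line)
        if m:
            event.update({k: v for k, v in m.groupdict().items() if v is not None})
            event["grok_pattern"] = name  # which pattern matched (assumed helper field)
            break
    else:
        event["tags"].append("_grokparsefailure")  # grok's own tag for unmatched lines
    # Only SECURELOG sets "status", so only auth-result lines get a tag.
    status = event.get("status")
    if status == "Accepted":
        event["tags"].append("Success")
    elif status == "Failed":
        event["tags"].append("Failed")
    return event


def summarize(lines):
    """Count Success/Failed events per (tag, user, source IP)."""
    counts = Counter()
    for line in lines:
        ev = parse_secure_line(line)
        for tag in ev["tags"]:
            if tag in ("Success", "Failed"):
                counts[(tag, ev["USER"], ev["IP"])] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        ev = parse_secure_line(line)
        print(ev.get("grok_pattern"), ev["tags"], ev.get("USER"), ev.get("IP"))
    for key, n in sorted(summarize(SAMPLE_LINES).items()):
        print(key, n)
```

Run it once against lines copied from a real /var/log/secure to confirm every authentication line lands on SECURELOG and gets a tag; a line that reaches SYSLOGBASE2 (like the "POSSIBLE BREAK-IN ATTEMPT" line in section 3) is indexed but never counted, so a pattern gap shows up here as a missing tag rather than as a silent hole in the chart.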
4. Add a visualization

Set the keywords to collect (the Success and Failed tags).

The chart then shows at a glance how many logins succeeded and how many failed.