一、filebeat配置
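# One entry under filebeat.inputs (the enclosing key is not shown on this page).
# Indentation restored: the fields below belong to this list item, so they must be
# nested under "- type", otherwise the YAML does not describe an input at all.
# NOTE(review): "log" is the classic input type; recent Filebeat releases recommend
# "filestream" — confirm against the Filebeat version in use.
- type: log
  enabled: true
  paths:
    - /var/log/secure
  # Only lines matching one of these regexes are shipped; every other line of
  # /var/log/secure (sudo, PAM, etc.) is dropped by Filebeat before it leaves the host.
  include_lines: [".*Failed.*", ".*Accepted.*"]
  # Downstream Logstash conditionals key on this tag to route the events.
  tags: ["secure"]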
二、logstash过滤配置
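################ input ##################
input {
  beats {
    port => 5044
    codec => "json"
  }
}
############ login log filter ##################
filter {
  if "secure" in [tags] {
    grok {
      # Pull the auth outcome (the word after "sshd[pid]:", i.e. Failed/Accepted) into
      # [status] and the client address into [ClientIP].
      # Regex escapes restored: the page lost its backslashes, and "sshd[d+]" / "S+" /
      # "d{1,3}.d{1,3}" as written would never match a real sshd line.
      # NOTE(review): the address group only knows dotted IPv4; IPv6 clients will make
      # the whole match fail and the event will carry _grokparsefailure — confirm that
      # is acceptable.
      match => { "message" => ".* sshd\[\d+\]: (?<status>\S+) .* (?<ClientIP>(?:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})?) .*" }
      # overwrite only matters when the pattern captures a field named "message";
      # this pattern does not, so the option is presently a no-op — TODO confirm intent.
      overwrite => ["message"]
    }
  }
}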
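output {
  # Filebeat tags these events "secure" and the filter keys on the same tag; the
  # condition as originally written tested "comm", so the events matched no output
  # and never reached Elasticsearch.
  if "secure" in [tags] {
    elasticsearch {
      # Plain HTTP: the credentials below and the log data cross the network
      # unencrypted — prefer an https endpoint with certificate verification once
      # the cluster has TLS.
      hosts => "http://10.0.0.78:9200"
      # Index name kept as on the page; rename it (e.g. a secure-* pattern) if these
      # events should not share the comm-* indices.
      index => "comm-%{+YYYY.MM}"
      # Credentials belong in the Logstash keystore, referenced as e.g. "${ES_PWD}",
      # not in a config file that gets committed or pasted into docs. The builtin
      # "elastic" superuser should also be replaced by a role limited to writing
      # these indices.
      user => "elastic"
      password => "123456"
    }
  }
}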
三、kibana查看