添加如下配置到 /etc/bashrc 文件末尾
up_client_ip=`(who am i|cut -d\( -f2|cut -d\) -f1)`
logger -p local5.info -- $up_client_ip,$(whoami),$$
export PROMPT_COMMAND='{ msg=$(history 1 | { read x y; echo $y; });logger -p user.notice "[euid=$(whoami)]",$(who am i),`pwd`",$msg"; }'
readonly PROMPT_COMMAND重新登錄生效
添加如下配置到 /etc/rsyslog.conf 文件末尾
$template StdLOGFormat,"%fromhost%||%syslogfacility-text%||%syslogpriority-text%||%timereported:::date-mysql%||%timegenerated:::date-mysql%||%msg%||%iut%||%programname%||%syslogtag%" *.* @@10.120.1.234:60514;StdLOGFormat
安裝logstash 步驟省略
logstash 配置文件 /etc/logstash/conf.d/sys.conf 內容如下:
input {
syslog {
port => 60514
type => "rsyslog"
}
}
filter {
if [type] == 'rsyslog' {
urldecode { # 編碼轉換
all_fields=>true
}
mutate {
split => ["message","||"] # 拆分日誌
add_field => {"HostName" => "%{message[0]}"}
add_field => {"Facility" => "%{message[1]}"}
add_field => {"Mes" => "%{message[5]}"}
remove_field => ["message","facility_label","facility","severity_label","severity","priority","timestamp","program"]
}
if [Facility] == "local5" {
mutate {
split => ["Mes",","] # 拆分日誌
add_field => {"ClientIp" => "%{Mes[0]}"}
add_field => {"LoginUserName" => "%{Mes[1]}"}
add_field => {"SessionId" => "%{Mes[2]}"}
remove_field => ["Mes"]
}
}
if [Facility] == "user" {
mutate {
split => ["Mes",","] # 拆分日誌
add_field => {"Euid" => "%{Mes[0]}"}
add_field => {"WhoInfo" => "%{Mes[1]}"}
add_field => {"ExecPath" => "%{Mes[2]}"}
add_field => {"ExecCmd" => "%{Mes[3]}"}
remove_field => ["Mes"]
}
}
}
}
output {
if [type] == 'rsyslog' and [Facility] == "local5" {
elasticsearch {
hosts => "10.120.1.234:9200"
index => "logstash-login-%{+YYYY.MM.dd}"
}
}else if [type] == 'rsyslog' and [Facility] == "user" {
elasticsearch {
hosts => "10.120.1.234:9200"
index => "logstash-user-%{+YYYY.MM.dd}"
}
}
}
