Collecting syslog logs

Syslog from a third-party platform can be sent to Logstash for filtering and then handed to Elasticsearch (ES) for storage.
At first, do not add any conditions or filters: simply open port 514 for syslog, output the events straight to ES, look at the raw log lines in Kibana, and only then write the filter configuration based on what the raw logs actually contain.

The syslog output of a database security audit platform is used as the example here.

1 input.conf

input {
  # sangforVPN syslog
  syslog {
    # the port value may be written with or without double quotes;
    # 514 is a privileged port on Linux, so Logstash needs CAP_NET_BIND_SERVICE
    # (or run it on a port above 1024 and forward 514 to it)
    port => 514
  }
}

2 syslog_out.conf

Source log
: reqtime: 2020-08-04 03:10:13 engine_name: aefqeg-(oracle-18.111.214.103) hostname: WIN-R241P1N4VV osuser: appname: client_mac: BC-B3-11-F2-62-A0 client_ip: 19.111.228.170 client_port: 28994 db_mac: 00-50-56-A3-4C-7B db_ip: 18.111.214.103 db_port: 1521 dbType: 0 dbname: ora11g dbuser: U0235324 sql_catalog: 12 table: d2_peopleinfo field: sql: truncate table d1_peopleinfo reply: SUCCESS. Affected Rows : 0 rowCount: 0 status: 5 pattern: truncate table d2_peopleinfo policy: ȱʡOracle\xB2\xDF\xC2\xD4 rule: [{"name":"ȱʡOracle\xB2\xDF\xC2\xD4->\xB8\xDFΣ\xB2\xD9\xD7\xF7-TRUNCATE","action":1,"threat":3}] threat: 3 log_level: 4 terminal_ip: url: app_user: \n

Configuration

filter {

  grok {
    # keep captures that matched an empty string, so empty fields in the
    # source log (osuser, appname, field, ...) still appear in the event
    keep_empty_captures => true
    # two patterns for "message": the second is tried only if the first
    # does not match (grok stops at the first successful pattern)
    match => {
      "message" => [
        ":\sreqtime:\s(?<log_time>%{YEAR}-%{MONTHNUM}-%{MONTHDAY}\s+%{TIME})\sengine_name:.*\((?<db_type>.*)\-.*\)\shostname.*client_mac:\s(%{MAC:client_mac}|)\s+client_ip:\s(%{IP:client_ip}|)\s+client_port:\s(%{NUMBER:client_port}|)\s+db_mac:\s(%{MAC:db_mac}|)\s+db_ip:\s(%{IP:db_ip}|)\s+db_port:\s(%{NUMBER:db_port}|)\s.*\sdbname:\s((?<db_name>.*)|)\s+dbuser:\s((?<db_user>.*)|)\s+sql_catalog.*table:\s((?<table>.*)|)\s+field.*\ssql:\s((?<sql>.*)|)\s+reply:\s(?<reply>.*)\srowCount.*",
        ":\sreqtime:\s(?<log_time>%{YEAR}-%{MONTHNUM}-%{MONTHDAY}\s+%{TIME})\sengine_name:\s(?<db_type>.*)_[0-9]{1,3}\s.*\sclient_mac:\s(%{MAC:client_mac}|)\s+client_ip:\s(%{IP:client_ip}|)\s+client_port:\s(%{NUMBER:client_port}|)\s+db_mac:\s(%{MAC:db_mac}|)\s+db_ip:\s(%{IP:db_ip}|)\s+db_port:\s(%{NUMBER:db_port}|)\s.*\sdbname:\s((?<db_name>.*)|)\s+dbuser:\s((?<db_user>.*)|)\s+sql_catalog.*table:\s((?<table>.*)|)\s+field.*\ssql:\s((?<sql>.*)|)\s+reply:\s(?<reply>.*)\srowCount.*"
      ]
    }
  }

  date {
    # the reqtime captured by grok (log_time) becomes the event time;
    # the syslog input's own "timestamp" field has a different format
    # and would not match this pattern
    match => ["log_time", "yyyy-MM-dd HH:mm:ss"]
    target => "@timestamp"
    remove_field => ["log_time"]
  }
}
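As an added example (not code from the original post or from the audit platform's vendor), the Python below parses the same audit payload the grok patterns above target, but anchors every value on the next known key instead of chaining greedy `.*` groups. That way an empty field such as `osuser:` or `field:` comes out as `None` rather than swallowing the neighbouring key, ports and the threat score become integers, `reqtime` becomes a datetime, and the two `engine_name` shapes the two grok patterns distinguish are handled by one expression. The key list is taken from the source log above; `parse_audit_line`, `is_high_risk` and the `_ENGINE_RE` shapes are mine. The sample lines are constructed: the first reproduces the page's source log with the garbled policy and rule names replaced by placeholders, the second is invented to exercise the `name_NN` engine name and empty MAC/IP fields.

```python
import re
from datetime import datetime
from typing import Optional

# Field names in the order the audit platform emits them (taken from the source log above).
AUDIT_KEYS = [
    "reqtime", "engine_name", "hostname", "osuser", "appname", "client_mac",
    "client_ip", "client_port", "db_mac", "db_ip", "db_port", "dbType", "dbname",
    "dbuser", "sql_catalog", "table", "field", "sql", "reply", "rowCount", "status",
    "pattern", "policy", "rule", "threat", "log_level", "terminal_ip", "url", "app_user",
]

# One anchored regex: every value is matched lazily up to the next known key, so a key that
# is immediately followed by the next key ("osuser: appname:") yields an empty capture.
_AUDIT_RE = re.compile(
    r"^:\s*" + r"\s*".join(rf"{re.escape(k)}:\s*(?P<{k}>.*?)" for k in AUDIT_KEYS) + r"\s*$",
    re.DOTALL,
)

# engine_name comes in two shapes, mirroring the two grok patterns:
# "aefqeg-(oracle-18.111.214.103)" (from the page) and "mysql_01" (assumed shape).
_ENGINE_RE = re.compile(r"\((?P<paren>[A-Za-z]+)-|^(?P<underscore>[A-Za-z]+)_[0-9]{1,3}$")

_INT_FIELDS = ("client_port", "db_port", "dbType", "sql_catalog", "rowCount",
               "status", "threat", "log_level")

# Statements worth surfacing regardless of the platform's own threat score (my choice).
_DESTRUCTIVE_RE = re.compile(r"^\s*(truncate|drop|alter|grant|revoke)\b", re.IGNORECASE)


def parse_audit_line(line: str) -> Optional[dict]:
    """Parse one audit syslog payload into a dict; return None if the layout does not match."""
    m = _AUDIT_RE.match(line.strip())
    if not m:
        return None
    # Empty captures become None rather than "" so downstream code can test for absence.
    rec = {k: (v.strip() or None) for k, v in m.groupdict().items()}
    for k in _INT_FIELDS:
        if rec[k] is not None and rec[k].isdigit():
            rec[k] = int(rec[k])
    rec["event_time"] = (datetime.strptime(rec["reqtime"], "%Y-%m-%d %H:%M:%S")
                         if rec["reqtime"] else None)
    eng = _ENGINE_RE.search(rec["engine_name"] or "")
    rec["db_type"] = (eng.group("paren") or eng.group("underscore")) if eng else None
    return rec


def is_high_risk(rec: dict, threat_threshold: int = 3) -> bool:
    """True when the platform rated the event at/above the threshold or the SQL is DDL/DCL."""
    threat = rec.get("threat")
    if isinstance(threat, int) and threat >= threat_threshold:
        return True
    sql = rec.get("sql")
    return bool(sql) and _DESTRUCTIVE_RE.match(sql) is not None


# Constructed sample lines (see the lead-in); not real captures.
SAMPLE_LINES = [
    ": reqtime: 2020-08-04 03:10:13 engine_name: aefqeg-(oracle-18.111.214.103) "
    "hostname: WIN-R241P1N4VV osuser: appname: client_mac: BC-B3-11-F2-62-A0 "
    "client_ip: 19.111.228.170 client_port: 28994 db_mac: 00-50-56-A3-4C-7B "
    "db_ip: 18.111.214.103 db_port: 1521 dbType: 0 dbname: ora11g dbuser: U0235324 "
    "sql_catalog: 12 table: d2_peopleinfo field: sql: truncate table d1_peopleinfo "
    "reply: SUCCESS. Affected Rows : 0 rowCount: 0 status: 5 "
    "pattern: truncate table d2_peopleinfo policy: POLICY_NAME_PLACEHOLDER "
    'rule: [{"name":"RULE_NAME_PLACEHOLDER","action":1,"threat":3}] threat: 3 '
    "log_level: 4 terminal_ip: url: app_user: ",
    ": reqtime: 2020-08-04 03:12:45 engine_name: mysql_01 hostname: DBAPP-02 "
    "osuser: appname: client_mac: client_ip: 19.111.228.171 client_port: 40102 "
    "db_mac: db_ip: 18.111.214.104 db_port: 3306 dbType: 1 dbname: crm dbuser: app_ro "
    "sql_catalog: 3 table: customers field: name sql: select name from customers where id = 42 "
    "reply: SUCCESS rowCount: 1 status: 0 pattern: select name from customers "
    "policy: POLICY_NAME_PLACEHOLDER rule: [] threat: 0 log_level: 2 "
    "terminal_ip: url: app_user: ",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_audit_line(line)
        print(rec["event_time"], rec["db_type"], rec["dbuser"], rec["sql"],
              "HIGH-RISK" if is_high_risk(rec) else "ok")
```

The same weakness as the grok patterns remains: a value that itself contains `<known key>: ` (for instance an SQL comment reading `status: ...`) would be cut short at that point, so if the platform can be configured to quote or length-prefix the `sql` field, that is the more robust fix than any regex.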