一、rsyslog多行處理
命令審核
# Command auditing via bash: before every interactive prompt the previous
# history entry (with user, tty and SSH peer) is appended to a daily file,
# which the rsyslog imfile input below picks up and forwards to the collector.
vi /etc/profile
mkdir -p /usr/lib/cmdlog
# NOTE(review): 777 (recursively) makes the directory and any existing logs
# world-writable, so every local user can edit or delete the local audit trail;
# the copy forwarded by rsyslog is the one to rely on. A dedicated group plus
# the sticky bit on the directory would at least limit who can remove files.
chmod -R 777 /usr/lib/cmdlog/
# One file per day (date +%F -> YYYY-MM-DD); matched by the imfile glob cmdlog.*.
export CMDLOG_FILE="/usr/lib/cmdlog/cmdlog.$(date +%F)"
# Log line layout: "<date time> ## <user>@<tty> ---> <SSH_CONNECTION> ## <last command>";
# awk blanks $1 to drop the history number. PROMPT_COMMAND is an ordinary shell
# variable the user can unset in their own session, so treat this as a convenience
# log rather than an enforcement control (pam_tty_audit/auditd work at kernel level).
export PROMPT_COMMAND='{ date "+%F %T ## $(whoami)@${SSH_TTY} ---> $(echo ${SSH_CONNECTION}) ## $(history 1|awk "{\$1=\"\";print}") "; } >>$CMDLOG_FILE'
日志樣本:2016-08-04 08:47:28 ## root@/dev/pts/0 ---> 121.33.23.10 49240 120.26.19.94 22 ##? grep oauth *
vi /etc/rsyslog.d/om-commad.conf
module(load="imfile") 加載模塊
input(
type="imfile"
File="/usr/lib/cmdlog/cmdlog.*"
addMetadata="off" 關閉元數據
Severity="info"
Facility="user"
tag="commad"
ruleset="commad_ruleset" 調用規則
)
template(name="commad" type="string" string="%msg%\n") 定義輸出日志內(nèi)容的模板
ruleset( name="commad_ruleset" ){ 定義一條規則
action(type="omfwd" Target="10.51.1.1" Port="512" Protocol="tcp" template="commad" ) 規則調用omfwd模塊,輸出參數,輸出內容模版
stop 規則結束
}
-----logstash
input {
tcp {
port => 512
type => commad
}
}
filter {
if [type] == "commad" {
grok {
match => {"message" => "%{NGINXERR_DATE:log_timestamp} %{NOTSPACE:xx} %{USERNAME:user}@%{NOTSPACE:tty} %{NOTSPACE:xxx} %{IPV4:client_ip} %{NUMBER:client_port} %{IPV4:server_ip} %{NUMBER:server_port} %{NOTSPACE:xxxx} %{GREEDYDATA:command}"}
remove_field => ['xx']
remove_field => ['xxx']
remove_field => ['xxxx']
remove_field => ['message']
}
date {
match => ["log_timestamp" , "yyyy-MM-dd HH:mm:ss"]
}
}
if [host] == "114.215.200.41" { mutate { replace => { "host" => "my_test1" } } }
if [host] == "10.51.8.234" { mutate { replace => { "host" => "監控平臺" } } }
}
output {...}
二、多行處理中出現\n情況
template(name="nginx_access" type="string" string="%$.replaced_msg%\n")
ruleset( name="nginx_forward" ){
set $.replaced_msg = replace($msg,"\\n", " ");
action(type="omfwd" Target="10.1.1.86" Port="888" Protocol="tcp" template="nginx_access" )
stop
}