Sending Linux operating-system security logs to ELK
Operating system versions:
Red Hat Enterprise Linux Server release 6.5 (Santiago)
CentOS release 6.5 (Final)
CentOS Linux release 7.4.1708 (Core)
Elasticsearch version: 6.1.0
Logstash version: 6.1.0
Kibana version: 6.1.0
Configuring the security-log (operation-behaviour audit) policy on the Linux operating system
vi /etc/bashrc
Press Shift+G to jump to the end of the file, then press o and append the following:
# write one "is login" record each time an interactive shell starts
logger -p local6.info \"====================nowuser:`whoami`\|loginstatus:`who am i`==================== is login \"
# write one record per executed command, carrying the user and login session (who am i) information
export PROMPT_COMMAND='{ msg=$(history 1 | { read x y; echo $y; }); logger -p local6.info \[nowuser\:$(whoami)\] \[loginstatus:$(who am i)\] \#command\# \""${msg}"\"; }'
Add the syslog output configuration
vi /etc/rsyslog.conf
The audit log is written locally to /var/log/usercommand.log, and a remote-host rule is configured as well.
Because the ELK log storage space is limited, we do not want to ship every log; the aim is mainly to keep the important operation records for one year or more, so the remote-host rule that sends audit logs to ELK uses UDP port 514 and forwards only the usercommand audit log.
# keep a local copy
local6.info /var/log/usercommand.log
# a single @ forwards over UDP (@@ would use TCP); only the local6 audit messages are sent
local6.info @10.0.0.1:514
After the configuration is done, apply it:
source /etc/bashrc
service rsyslog restart
Check the locally recorded log:
tail -20 /var/log/usercommand.log
Apr 22 01:04:03 localhost user: "====================nowuser:root|loginstatus:user pts/1 2022-04-22 01:03 (192.168.161.1)==================== is login "
Apr 22 01:04:03 localhost user: [nowuser:root] [loginstatus:user pts/1 2022-04-22 01:03 (192.168.161.1)] #command# "tail -20 /var/log/usercommand.log"
The local log shows that operation-behaviour records are being written normally.
Configure the policy in the Logstash conf file
input {
  udp {
    # 514 is a privileged port, so Logstash needs root or CAP_NET_BIND_SERVICE to bind it
    port => 514
  }
}
filter {
  grok {
    match => {
      "message" => [
        "(.*)\[nowuser\:%{DATA:username}\]\ \[loginstatus\:%{DATA:loginuser}\ pts\/%{DATA}\ (?<Log_Local_time>(?<Date>%{YEAR}-%{MONTHNUM}-%{MONTHDAY})%{SPACE}(?<Time>%{HOUR}:%{MINUTE}))\ \(%{IP:addr_src}\)\]\ \#command\#\ \"(?<command>.*)\"",
        "(.*)\====================nowuser\:%{DATA:username}\|loginstatus:%{DATA:loginuser}\ pts\/%{DATA}\ (?<Log_Local_time>(?<Date>%{YEAR}-%{MONTHNUM}-%{MONTHDAY})%{SPACE}(?<Time>%{HOUR}:%{MINUTE}))\ \(%{IP:addr_src}\)==================== (?<command>.*)\ \""
      ]
    }
  }
}
output {
  elasticsearch {
    index => "syslog-device-server-%{+YYYY.MM.dd}"
    hosts => ["10.0.0.1:9200"]
  }
}
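To check what the two grok patterns above actually extract before shipping the config, here is an added Python re-implementation of them (not part of the original post and not Logstash code), using the standard grok definitions for YEAR, MONTHNUM, MONTHDAY, HOUR, MINUTE, IP and DATA, run over constructed lines modelled on the usercommand.log output shown earlier.

```python
import re

# Constructed sample lines, modelled on the usercommand.log output shown above.
SAMPLE_LINES = [
    'Apr 22 01:04:03 localhost user: [nowuser:root] [loginstatus:user pts/1 '
    '2022-04-22 01:03 (192.168.161.1)] #command# "tail -20 /var/log/usercommand.log"',
    'Apr 22 01:04:03 localhost user: "====================nowuser:root|loginstatus:user '
    'pts/1 2022-04-22 01:03 (192.168.161.1)==================== is login "',
]

# Hand-expanded equivalents of the grok primitives the two patterns use
# (standard grok definitions; %{DATA} is a non-greedy .*?).
YEAR = r"(?:\d\d){1,2}"
MONTHNUM = r"(?:0?[1-9]|1[0-2])"
MONTHDAY = r"(?:0[1-9]|[12][0-9]|3[01]|[1-9])"
HOUR = r"(?:2[0-3]|[01]?[0-9])"
MINUTE = r"[0-5][0-9]"
IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
TIME_BLOCK = (rf"(?P<Log_Local_time>(?P<Date>{YEAR}-{MONTHNUM}-{MONTHDAY})\s*"
              rf"(?P<Time>{HOUR}:{MINUTE}))")

# Pattern 1: one record per command, written by PROMPT_COMMAND.
COMMAND_RE = re.compile(
    r"\[nowuser:(?P<username>.*?)\] \[loginstatus:(?P<loginuser>.*?) pts/.*? "
    + TIME_BLOCK + r" \((?P<addr_src>" + IPV4 + r")\)\] #command# \"(?P<command>.*)\""
)
# Pattern 2: the login banner written when /etc/bashrc is sourced.
LOGIN_RE = re.compile(
    r"====================nowuser:(?P<username>.*?)\|loginstatus:(?P<loginuser>.*?) pts/.*? "
    + TIME_BLOCK + r" \((?P<addr_src>" + IPV4 + r")\)==================== (?P<command>.*) \""
)


def parse_audit_line(line):
    """Return the grok-style field dict for one log line, or None when neither pattern matches.

    Like grok, the patterns are searched unanchored, so the syslog prefix is skipped. Both
    patterns require a pts/ session with a source address in parentheses, so a console (tty)
    login is not parsed and would reach Elasticsearch tagged _grokparsefailure.
    """
    for rx in (COMMAND_RE, LOGIN_RE):
        m = rx.search(line)
        if m:
            return m.groupdict()
    return None


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_audit_line(line))
```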
For the other steps, see: Deploying ELK on CentOS