修改环境配置文件

#/etc/bashrc

添加以下内容:


HISTFILE='/var/log/history_command.log'
if [ ! -f $HISTFILE ];then
touch $HISTFILE
chmod 666 $HISTFILE
fi

export HISTTIMEFORMAT="%F %T,$HOSTNAME,$(who -u am i 2>/dev/null| \

awk '{print $NF}'| sed -e 's/[()]//g'),$(who am i|awk '{print $1}'),${USER},"

export PROMPT_COMMAND='history 1|tail -1|sed "s/^[ ]\+[0-9]\+ //"|sed "s/$//">> $HISTFILE'

PS: 将历史命令格式化后追加写入 /var/log/history_command.log。注意：这只是一种记录手段，并非防篡改的审计——用户可以通过 unset HISTFILE / PROMPT_COMMAND 或 bash --norc 绕过；命令行参数中的密码等敏感信息也会被原样记录。需要强制审计请使用 auditd 或 pam_tty_audit。

 

logstash配置文件

#hiscmd_log.conf


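# Logstash 2.x pipeline: tail the shared bash-history log, parse each line
# with the HISTORY_CMD grok pattern and index the events by month.
input {
    file {
        type => "history_cmd"
        path => "/var/log/history_command.log"
    }
}
filter {
    if [type] == "history_cmd" {
        grok {
            match => { "message" => "%{HISTORY_CMD}" }
        }
        # The original ran geoip unconditionally on every event, including
        # lines grok could not parse (no [ip] field at all).  Scope it to this
        # event type and to events where [ip] really is a dotted-quad address:
        # local console sessions and tty-less shells carry no usable origin.
        if [ip] =~ /^\d+\.\d+\.\d+\.\d+$/ {
            geoip {
                source => "ip"
                fields => ["city_name"]
                database => "/opt/logstash-2.0.0/conf/GeoLiteCity.dat"
            }
        }
    }
}
output {
    # Debug echo of every event to the Logstash console; drop once verified.
    stdout { codec => rubydebug }
    # NOTE: this is plain HTTP to Elasticsearch with no authentication.  The
    # index contains every command typed on every host, including any secret
    # passed on a command line, so restrict network and Kibana/ES access to
    # it and put TLS and authentication in front of the cluster.
    elasticsearch {
        hosts => "www.elk.com:9200"
        index => "history_cmd-%{+YYYY.MM}"
    }
}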

 

匹配规则可写在patterns/linux-syslog 文件里

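# Field order is fixed by HISTTIMEFORMAT in /etc/bashrc:
#   <%F %T>,<hostname>,<session origin>,<login user>,<effective user>,<command>
# The original pattern hardcoded the 4th field as the literal "root", so every
# line from a non-root login failed to parse; that field is whatever
# `who am i` printed for the login user.  The origin and user fields are
# allowed to be empty or non-IP (console logins have a PID there, tty-less
# shells nothing) so the line is still indexed; apply geoip only when [ip]
# is a dotted-quad.  The command is everything after the 5th comma, so
# commas inside a command stay in [cmd].
HISTORY_CMD %{TIMESTAMP_ISO8601:time},%{HOSTNAME:hostname},(?<ip>[^,]*),(?<login_user>[^,]*),(?<user>[^,]*),(?<cmd>.*)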


Kibana 图形展示