Logstash 安装忽略

添加ossec报警日志logstash配置

#mkdir /opt/logstash-1.4.2/etc
#vi /opt/logstash-1.4.2/etc/ossec.conf
# original idea by Joshua Garnett
input {
  file {
    type => "ossec"
    path => "/var/ossec/logs/alerts/alerts.log"
    codec => multiline {
      pattern => "^\*\*"
      negate => true
      what => "previous"
    }
  }
}
filter {
  if [type] == "ossec" {
# Parse the header of the alert
    grok {
      match => ["message""(?m)\*\* Alert %{DATA:timestamp_seconds}:%{SPACE}%{WORD}?%{SPACE}\- %{DATA:ossec_group}\n%{YEAR} %{SYSLOGTIMESTAMP:syslog_timestamp} \(%{DATA:reporting_host}\) %{IP:reporting_ip}\-\>%{DATA:reporting_source}\nRule: %{NONNEGINT:rule_number} \(level %{NONNEGINT:severity}\) \-\> '%{DATA:signature}'\n%{GREEDYDATA:remaining_message}"]
      match => ["message""(?m)\*\* Alert %{DATA:timestamp_seconds}:%{SPACE}%{WORD}?%{SPACE}\- %{DATA:ossec_group}\n%{YEAR} %{SYSLOGTIMESTAMP:syslog_timestamp} %{DATA:reporting_host}\-\>%{DATA:reporting_source}\nRule: %{NONNEGINT:rule_number} \(level %{NONNEGINT:severity}\) \-\> '%{DATA:signature}'\n%{GREEDYDATA:remaining_message}"]
    }
    # Attempt to parse additional data from the alert
    grok {
      match => ["remaining_message""(?m)(Src IP: %{IP:src_ip}%{SPACE})?(Src Port: %{NONNEGINT:src_port}%{SPACE})?(Dst IP: %{IP:dst_ip}%{SPACE})?(Dst Port: %{NONNEGINT:dst_port}%{SPACE})?(User: %{USER:acct}%{SPACE})?%{GREEDYDATA:real_message}"]
    }
    geoip {
      source => "src_ip"
    }
    mutate {
      convert      => [ "severity""integer"]
      replace      => [ "@message""%{real_message}" ]
      replace      => [ "@fields.hostname""%{reporting_host}"]
      add_field    => [ "@fields.product""ossec"]
      add_field    => [ "raw_message""%{message}"]
      add_field    => [ "ossec_server""%{host}"]
      remove_field => [ "type""syslog_program""syslog_timestamp""reporting_host""message""timestamp_seconds""real_message""remaining_message""path""host""tags"]
    }
  }
}
output {
        stdout { codec => rubydebug }
        elasticsearch_http {
                host => "127.0.0.1"
                port => "9200"
                   index => "osseclog-%{+YYYY.MM.dd}"
        }
}