logstash配置文件

# sys_log.conf

input {
    file {
        type => "vsftpd_log"
        path => "/var/log/vsftpd.log"
    }
}
filter {
    if [type] == "vsftpd_log" {
        grok {
            match => { "message" => "%{VSFTPDACTION}" }
            match => { "message" => "%{VSFTPDLOGIN}" }
            match => { "message" => "%{VSFTPDCONNECT}" }
        }
    }
}
output {
    stdout { codec => rubydebug }
    elasticsearch {
        hosts => "192.168.0.100:9200"
        index => "vsftpd_log-%{+YYYY.MM}"
    }
}


VSFTPD 匹配规则可写在patterns/linux-syslog 文件里

VSFTPDCONNECT \[pid %{WORD:pid}\] %{WORD:action}: Client \"%{DATA:IP}\"

VSFTPDLOGIN \[pid %{WORD:pid}\] \[%{WORD:user}\] %{WORD:status} %{WORD:action}: Client \"%{DATA:IP}\"

VSFTPDACTION \[pid %{DATA:pid}\] \[%{DATA:user}\] %{WORD:status} %{WORD:action}: Client \"%{DATA:IP}\", \"%{DATA:file}\", %{DATA:bytes} bytes, %{DATA:Kbyte_sec}Kbyte/sec 

 

Kibana 图形展示