logstash配置文件

# sys_log.conf

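input {
    file {
        # sshd / PAM authentication log on RHEL-family hosts. The Logstash
        # process needs read access to it (this file is usually root-only;
        # confirm the permissions on the target host).
        type => "seclog"
        path => "/var/log/secure"
    }
}

filter {
    if [type] == "seclog" {
        # One `match` setting holding a list of patterns: grok tries them in
        # order and stops at the first hit (break_on_match defaults to true).
        # The original repeated the `match` key three times inside one hash,
        # which appears to rely on Logstash merging duplicate keys; the list
        # form is the documented way to express alternatives.
        # SECURELOG is the custom pattern from the patterns directory; it is
        # the only one here that sets [status], [USER] and [IP].
        grok {
            match => {
                "message" => [
                    "%{SYSLOGPAMSESSION}",
                    "%{SECURELOG}",
                    "%{SYSLOGBASE2}"
                ]
            }
        }

        # Only lines matched by SECURELOG carry an [IP] field; skipping geoip
        # otherwise avoids a _geoip_lookup_failure tag on every PAM-session
        # or generic syslog line.
        if [IP] {
            geoip {
                source => "IP"
                fields => ["city_name"]
                database => "/opt/logstash-2.0.0/conf/GeoLiteCity.dat"
            }
        }

        # [status] is the first word of the sshd auth message
        # ("Accepted" / "Failed"); tag the event so dashboards can split
        # successful logins from failed attempts.
        if [status] == "Accepted" {
            mutate {
                add_tag => ["Success"]
            }
        } else if [status] == "Failed" {
            mutate {
                add_tag => ["Failed"]
            }
        }
    }
}

output {
    # Debug output: echoes every event (usernames and source IPs included)
    # to the Logstash console; drop it once the pipeline is verified.
    stdout { codec => rubydebug }
    elasticsearch {
        # `hosts` takes a list; one index per month keeps the auth history
        # queryable by month.
        hosts => ["192.168.0.100:9200"]
        index => "sshd_log-%{+YYYY.MM}"
    }
}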


SECURELOG 匹配规则可写在 patterns/linux-syslog 文件里

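# sshd authentication line from /var/log/secure, e.g. (constructed sample):
#   sshd[1234]: Failed password for invalid user test from 203.0.113.5 port 2222 ssh2
# Captures: program, pid, status ("Accepted" / "Failed"), USER, IP.
# USERNAME instead of WORD so account names containing '.', '-' or '_' still
# match (WORD would leave such lines tagged _grokparsefailure and untagged
# as Success/Failed); IPORHOST instead of DATA so only an address or
# hostname is handed to the geoip filter.
SECURELOG %{WORD:program}\[%{DATA:pid}\]: %{WORD:status} password for (?:invalid user )?%{USERNAME:USER} from %{IPORHOST:IP} port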


Kibana 图形展示