beats使用

auditbeat
使用

sudo ./auditbeat -e -c auditbeat.yml
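# Configuration (auditbeat.yml). The module list belongs under the
# auditbeat.modules key used by the reference config: a bare top-level
# "- module:" sequence followed by an "output.file:" mapping does not parse
# as one YAML document. Indentation is also made consistent (two spaces,
# indented list items) so yamllint does not flag mixed styles.
auditbeat.modules:
  - module: file_integrity
    # Directories whose contents are hashed and watched for changes.
    paths:
      - /bin
      - /usr/bin
      - /sbin
      - /usr/sbin

# Events are written to a local file instead of being shipped. The trail is
# only as trustworthy as the permissions on this directory: anything that
# can write here can alter it.
output.file:
  path: "/opt/auditbeat/output"
  filename: auditbeat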

在 Windows 上将 auditbeat 添加为系统服务
命令
使用管理员身份运行powershell或者是cmd

.\install-service-auditbeat.ps1

如果提示该脚本已被本系统禁用，执行

set-ExecutionPolicy RemoteSigned

auditbeat采集系统审计日志

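# auditd module: rules are loaded from the rule files and from the inline
# audit_rules block. Both use auditctl rule syntax.
auditbeat.modules:
  - module: auditd
    # ${path.config} is expanded by Beats to the config directory.
    audit_rule_files: ['${path.config}/audit.rules.d/*.conf']
    # Block-scalar content must be indented under the key. At column 0 the
    # line below is a YAML comment outside the scalar and audit_rules parses
    # as an empty string. Inside the scalar a leading # is a rule-syntax
    # comment, so this example rule stays disabled until uncommented.
    audit_rules: |
      #-a always,exit -F arch=b64 -S execve,execveat -k exec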

审计规则文件

# auditctl rule file loaded through audit_rule_files. auditd evaluates rules
# in order, so the exclusion below has to stay first.
# Do not record any syscall events from PID 19714 (the auditbeat process).
# Note: this rule is generated automatically from the running auditbeat PID;
# presumably it is rewritten on each start, since the PID changes — verify.
-a never,exit -S all -F pid=19714
# Record every syscall made through the 32-bit ABI (key 32bit-abi).
-a always,exit -F arch=b32 -S all -F key=32bit-abi
# Record 64-bit "program execution" syscalls (key exec).
-a always,exit -F arch=b64 -S execve,execveat -F key=exec
# Record 64-bit "remote connection" syscalls (key external-access).
-a always,exit -F arch=b64 -S connect,accept,bind -F key=external-access
# Watch /etc/group, /etc/passwd and /etc/gshadow for writes and attribute
# changes, to record changes to user identity data.
# NOTE(review): /etc/shadow is not in this watch set — confirm whether it
# should be covered under the same identity key.
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
# Record file open/modify attempts that failed with EACCES or EPERM
# (permission denied / operation not permitted). These two rules cover the
# 64-bit ABI only; 32-bit calls are already caught by the -S all rule above.
-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EACCES -F key=access
-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EPERM -F key=access

filebeat

sudo ./filebeat -e -c filebeat.yml
# Configuration (filebeat.yml): a single log input feeding a Kafka output.
filebeat.inputs:

  # One list entry per input; options set here apply to this input only.
  - type: log
    enabled: true
    # Only the host-specific directory is collected; the generic
    # /var/log glob stays disabled.
    paths:
      # - /var/log/*.log
      - /opt/systemlog/192.168.43.86/*.log
    # Custom field; the Kafka output below derives the topic name from it.
    fields:
      log_type: systemlog

# Topic is resolved per event from the custom field above.
# NOTE(review): no ssl or username/password settings appear here, so the
# broker connection is presumably plaintext and unauthenticated — confirm.
output.kafka:
  enabled: true
  hosts:
    - "192.168.122.137:9092"
  topic: "%{[fields][log_type]}"

logstash配置

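input {
  kafka {
    bootstrap_servers => "192.168.122.137:9092"
    topics => ["systemlog"]
    consumer_threads => 10
    decorate_events => true
    # Filebeat publishes each event as a JSON document; decode it here.
    codec => json {
      charset => "UTF-8"
    }
    # NOTE(review): no security_protocol / sasl settings appear here, so the
    # broker connection is presumably plaintext and unauthenticated — confirm.
  }
}
filter {
  # The original log line arrives in `message`; parse it as JSON in place.
  # Lines that are not valid JSON are tagged _jsonparsefailure.
  json {
    source => "message"
    target => "message"
  }
  # Drop Beats agent metadata. Beats nest these under [agent], so the
  # bracketed field-reference form is required: a plain "agent.id" names a
  # top-level field literally called "agent.id" and would not match.
  mutate {
    remove_field => ["[agent][id]", "[agent][ephemeral_id]", "[agent][version]"]
  }
}
output {
  elasticsearch {
    hosts => ["192.168.122.138:9200"]
    # One index per log type, taken from the Filebeat custom field.
    index => "%{[fields][log_type]}"
    # NOTE(review): no user/password or ssl options shown — confirm the
    # cluster is not reachable over plain HTTP without credentials.
  }
  # Debug output: every event is also printed to the console.
  stdout {
    codec => rubydebug
  }
}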
        
