Sending Linux operating-system security logs to ELK

Operating system versions:
Red Hat Enterprise Linux Server release 6.5 (Santiago)
CentOS release 6.5 (Final)
CentOS Linux release 7.4.1708 (Core)

Elasticsearch version: 6.1.0
Logstash version: 6.1.0
Kibana version: 6.1.0

Configuring the security-log (operation-behavior audit) policy on the Linux system

vi /etc/bashrc

Press Shift+G to jump to the last line, then press o to open a new line below it and add the following. The first line writes one local6.info message when an interactive shell sources /etc/bashrc (the login record); the PROMPT_COMMAND line runs before every prompt and logs the most recent history entry together with the current user and the `who am i` login status, so pressing Enter on an empty line logs the previous command again.

logger -p local6.info  \"====================nowuser:`whoami`\|loginstatus:`who am i`==================== is login \"
export PROMPT_COMMAND='{ msg=$(history 1 | { read x y; echo $y; }); logger -p local6.info  \[nowuser\:$(whoami)\] \[loginstatus:$(who am i)\] \#command\# \""${msg}"\"; }'

Add the rsyslog output configuration

vi /etc/rsyslog.conf

The audit log is kept locally in /var/log/usercommand.log, and a remote-host rule is configured as well.
Because storage space on ELK is limited, we do not want to keep every log, only the important operation records, retained for a year or more; the remote-host rule therefore forwards the audit log to ELK over UDP port 514 and sends only the usercommand audit log, nothing else.

local6.info                                             /var/log/usercommand.log
local6.info                                             @10.0.0.1:514

After the configuration is done, apply it:

source /etc/bashrc
service rsyslog restart

Check the log recorded locally:

tail -20 /var/log/usercommand.log
Apr 22 01:04:03 localhost user: "====================nowuser:root|loginstatus:user pts/1 2022-04-22 01:03 (192.168.161.1)==================== is login "
Apr 22 01:04:03 localhost user: [nowuser:root] [loginstatus:user pts/1 2022-04-22 01:03 (192.168.161.1)] #command# "tail -20 /var/log/usercommand.log"

As shown, the operation-behavior log is now being recorded locally.

Configure the pipeline in the Logstash conf file: the udp input listens on port 514 for the datagrams rsyslog forwards, grok extracts the fields from the two message formats shown above, and the result is indexed by day in Elasticsearch.

input {
  udp {
    port => 514
  }
}
filter {
  grok {
    # The captures after pts/ (logintime, logindate, loginclock, srcip, command) are
    # assumed field names reconstructed from the sample log lines above.
    match => {
      "message" => [
        "(.*)\[nowuser\:%{DATA:username}\]\ \[loginstatus\:%{DATA:loginuser}\ pts\/%{DATA}\ (?<logintime>(?<logindate>%{YEAR}-%{MONTHNUM}-%{MONTHDAY})%{SPACE}(?<loginclock>%{HOUR}:%{MINUTE}))\ \(%{IP:srcip}\)\]\ \#command\#\ \"%{GREEDYDATA:command}\"",
        "(.*)\====================nowuser\:%{DATA:username}\|loginstatus:%{DATA:loginuser}\ pts\/%{DATA}\ (?<logintime>(?<logindate>%{YEAR}-%{MONTHNUM}-%{MONTHDAY})%{SPACE}(?<loginclock>%{HOUR}:%{MINUTE}))\ \(%{IP:srcip}\)====================\ is\ login"
      ]
    }
  }
}
output {
  elasticsearch {
    index => "syslog-device-server-%{+YYYY.MM.dd}"
    hosts => ["10.0.0.1:9200"]
  }
}
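The two grok patterns above, rewritten as Python regular expressions so the parsing can be checked offline before the filter is loaded into Logstash. This is an added example, not code from the original post: it assumes sessions arrive on a pts (as `who am i` prints them), skips the syslog header the way grok's leading (.*) does, and also accepts an empty loginstatus, which happens when `who am i` prints nothing.

```python
import re
from typing import Iterable, Optional

# Python re equivalents of the two grok patterns in the Logstash filter above.
# _WHO is the `who am i` output, "<user> pts/<n> <YYYY-MM-DD> <HH:MM> (<ip>)"; it is
# made optional below because `who am i` prints nothing when the shell has no login tty.
_WHO = (
    r"(?P<loginuser>\S+) pts/(?P<tty>\S+) "
    r"(?P<logintime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \((?P<srcip>[0-9.]+)\)"
)
# Line written by PROMPT_COMMAND before every prompt.
COMMAND_RE = re.compile(
    r"\[nowuser:(?P<username>[^\]]+)\] \[loginstatus:(?:" + _WHO + r")?\] "
    r"#command# \"(?P<command>.*)\"$"
)
# Line written once when an interactive shell sources /etc/bashrc.
LOGIN_RE = re.compile(
    r"=+nowuser:(?P<username>[^|]+)\|loginstatus:(?:" + _WHO + r")?=+ is login"
)


def parse_audit_line(line: str) -> Optional[dict]:
    """Return the fields of one usercommand audit line, or None if it is not one.
    The syslog header (<PRI>, timestamp, host, tag) is skipped, like grok's leading (.*)."""
    m = COMMAND_RE.search(line)
    if m:
        return {"event": "command", **m.groupdict()}
    m = LOGIN_RE.search(line)
    if m:
        return {"event": "login", **m.groupdict()}
    return None


def parse_audit_lines(lines: Iterable[str]) -> list:
    """Parse a stream of datagrams, dropping anything that is not an audit line."""
    return [ev for ev in map(parse_audit_line, lines) if ev is not None]


# Constructed sample datagrams as rsyslog forwards them to UDP 514 (local6.info is
# PRI <182>). The first two repeat the local log shown earlier; the last two are made up.
SAMPLE_LINES = [
    '<182>Apr 22 01:04:03 localhost user: "====================nowuser:root|loginstatus:user pts/1 2022-04-22 01:03 (192.168.161.1)==================== is login "',
    '<182>Apr 22 01:04:03 localhost user: [nowuser:root] [loginstatus:user pts/1 2022-04-22 01:03 (192.168.161.1)] #command# "tail -20 /var/log/usercommand.log"',
    '<182>Apr 22 01:05:00 localhost user: [nowuser:root] [loginstatus:] #command# "id"',
    '<86>Apr 22 01:05:10 localhost sshd[1234]: Accepted password for user from 192.168.161.1 port 50000 ssh2',
]

if __name__ == "__main__":
    for event in parse_audit_lines(SAMPLE_LINES):
        print(event)
```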

For the other steps, see: Deploying ELK on CentOS

