BASH 명령어를 rsyslog를 이용하여 ELK 취합 후 분석하기

(Client)

  1. vi /etc/bash.bashrc
  2. export PROMPT_COMMAND=’RETRN_VAL=$?;logger -p local6.debug “$(whoami) [$$]: $(history 1 | sed “s/^[ ]*[0-9]\+[ ]*//” ) [$RETRN_VAL]”‘

  3. vi /etc/rsyslog.d/bash.conf – rsyslog 추가
  4. local6.* /var/log/commands.log

  5. vi /etc/rsyslog.d/01-json-template.conf – rsyslog 추가
  6. template(name=”json-template”
    type=”list”) {
    constant(value=”{“)
    constant(value=”\”@timestamp\”:\””) property(name=”timereported” dateFormat=”rfc3339″)
    constant(value=”\”,\”@version\”:\”1″)
    constant(value=”\”,\”message\”:\””) property(name=”msg” format=”json”)
    constant(value=”\”,\”sysloghost\”:\””) property(name=”hostname”)
    constant(value=”\”,\”severity\”:\””) property(name=”syslogseverity-text”)
    constant(value=”\”,\”facility\”:\””) property(name=”syslogfacility-text”)
    constant(value=”\”,\”programname\”:\””) property(name=”programname”)
    constant(value=”\”,\”procid\”:\””) property(name=”procid”)
    constant(value=”\”}\n”)
    }

  7. vi /etc/rsyslog.d/60-output.conf
  8. *.* @YOUR_IP_ADDRESS_logstash:10514;json-template

  9. rsyslog restart
  10. systemctl restart rsyslog

  11. vi /etc/logrotate.d/rsyslog – logrotate 수정
  12. /var/log/mail.warn
    /var/log/mail.err
    […] /var/log/message

참고 사이트

https://goo.gl/rnoqje

(Server)

  1. logstash.conf 수정
  2. logstash.conf
    input {
    beats {
    port => “5044”
    type => “tomcat”
    }
    udp {
    host => “YOUR_IP_ADDRESS”
    port => “10514”
    codec => “json”
    type => “rsyslog”
    }
    }

    output {
    elasticsearch { hosts => [“YOUR_IP_ADDRESS:9200”] }
    stdout { codec => rubydebug }
    }

참고 사이트

https://goo.gl/xolGq9