BASH 명령어를 rsyslog 를 이용하여 ELK 취합 후 분석하기
(Client)
- vi /etc/bash.bashrc
-
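# Send every interactive bash command line to syslog facility local6 so that
# rsyslog can file and forward it to the ELK stack.  PROMPT_COMMAND runs just
# before each prompt, i.e. right after the previous command has finished.
#   RETRN_VAL=$?  must stay the first statement: it captures the exit status
#                 of the command just run before anything else clobbers $?.
#   $(whoami)     effective user (not $USER, which the user can rewrite).
#   [$$]          PID of this shell, to tell concurrent sessions apart.
#   history 1     the last history entry; sed strips the leading entry number.
#                 With HISTTIMEFORMAT set, history prints a timestamp after
#                 the number that this pattern does not strip.
# The value is single-quoted so every expansion happens at prompt time, not
# when this file is sourced.  The quotes must be plain ASCII ' and ": the
# typographic quotes some editors/web pages substitute break the command.
# Limits to keep in mind before treating the result as an audit trail:
#   - PROMPT_COMMAND fires only for interactive bash prompts; scripts,
#     `bash -c`, and other shells never pass through here.
#   - a user controls their own shell environment and history settings, so
#     this is a convenience record, not a tamper-resistant one (auditd
#     execve rules are the kernel-level counterpart).
#   - command lines are logged verbatim, including any secret typed as an
#     argument.
export PROMPT_COMMAND='RETRN_VAL=$?;logger -p local6.debug "$(whoami) [$$]: $(history 1 | sed "s/^[ ]*[0-9]\+[ ]*//" ) [$RETRN_VAL]"'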
- vi /etc/rsyslog.d/bash.conf – rsyslog 추가
-
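# Keep the command trail in its own file.  It contains every user's full
# command lines (possibly including secrets passed as arguments), so pin the
# creation mode here instead of relying on whatever the global
# $FileCreateMode happens to be on this host: readable by owner and group only.
local6.* action(type="omfile" file="/var/log/commands.log" fileCreateMode="0640")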
- vi /etc/rsyslog.d/01-json-template.conf – rsyslog 추가
-
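# JSON document template used by 60-output.conf when forwarding to Logstash
# (whose udp input decodes it with codec => "json").  Properties that originate
# from the sending process (msg, hostname, programname, procid) are emitted with
# format="json" so a quote, backslash or control character in them is escaped
# rather than breaking the document.  All quotes below must be plain ASCII.
template(name="json-template"
  type="list") {
    constant(value="{")
      constant(value="\"@timestamp\":\"")     property(name="timereported" dateFormat="rfc3339")
      constant(value="\",\"@version\":\"1")
      constant(value="\",\"message\":\"")     property(name="msg" format="json")
      constant(value="\",\"sysloghost\":\"")  property(name="hostname" format="json")
      constant(value="\",\"severity\":\"")    property(name="syslogseverity-text")
      constant(value="\",\"facility\":\"")    property(name="syslogfacility-text")
      constant(value="\",\"programname\":\"") property(name="programname" format="json")
      constant(value="\",\"procid\":\"")      property(name="procid" format="json")
    constant(value="\"}\n")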
}
- vi /etc/rsyslog.d/60-output.conf
-
# Forward to Logstash's udp input on port 10514, formatted with json-template.
# Two things to be aware of:
#  - "*.*" matches every facility, not just local6, so all of this host's
#    syslog traffic is shipped; use "local6.*" if only the command log is wanted.
#  - a single "@" is plain UDP: no delivery guarantee and no encryption, while
#    the payload carries users' complete command lines.  "@@" (TCP) or an
#    omfwd action with TLS is the safer transport, but needs a matching
#    Logstash input.
*.* @YOUR_IP_ADDRESS_logstash:10514;json-template
- rsyslog restart
-
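# Parse the new configuration (-N1 checks only, nothing is started) before
# restarting: a typo in one of the .d files would otherwise leave rsyslog down
# and silently stop the command trail.
rsyslogd -N1 && systemctl restart rsyslog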
- vi /etc/logrotate.d/rsyslog – logrotate 수정
-
# NOTE(review): the file written by the local6.* rule, /var/log/commands.log,
# does not appear in this list as shown; it must be added here (or in its own
# stanza) or it will grow unrotated.  The rest of the stanza is not shown.
/var/log/mail.warn
/var/log/mail.err
[…]
/var/log/message
참고 사이트
(Server)
- logstash.conf 수정
-
logstash.conf
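# Logstash pipeline: tomcat logs arrive via beats, bash command lines via
# rsyslog (json-template over UDP).  All quotes must be plain ASCII.
input {
  beats {
    port => "5044"
    type => "tomcat"
  }
  # Receives the documents sent by rsyslog's 60-output.conf.  UDP carries no
  # sender authentication, so this input accepts an "rsyslog" event from any
  # host that can reach the port; restrict 10514/udp at the firewall to the
  # clients that are meant to log here.
  udp {
    host => "YOUR_IP_ADDRESS"
    port => "10514"
    codec => "json"
    type => "rsyslog"
  }
}
output {
  # Plain http and no credentials: acceptable only when Elasticsearch sits on a
  # trusted network with security disabled; otherwise set ssl plus
  # user/password or api_key on this output.
  elasticsearch { hosts => ["YOUR_IP_ADDRESS:9200"] }
  # Debug aid: every event — i.e. every user's command line — is also printed
  # to Logstash's stdout/journal.  Remove once the pipeline is verified.
  stdout { codec => rubydebug }
}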
참고 사이트