标签:last app start 发送 log elastic remove output cse
wget https://artifacts.elastic.co/downloads/beats/logstash/logstash-7.5.2-x86_64.rpm
rpm -ivh logstash-7.5.2-x86_64.rpm
略
vim /etc/logstash/conf.d/symantec,conf
# 这里的elasticsearch我是加密了的
input {
file {
path => ["/var/log/symantec/*.log"]
start_position => "beginning"
}
}
filter {
grok {
match => { "message" => "%{TIME:time} %{WORD:server} %{WORD:sevice}\: %{DATA:event}\,IP 地址: %{IP:ip}\,计算机名: %{DATA:computername},源:%{DATA:source},风险名称: %{DATA:riskname},出现次数: %{DATA:existtimes},文件路径: %{DATA:path},应用程序名: %{DATA:appname}," }
remove_field => ["message"]
}
}
output {
elasticsearch {
hosts => ["172.20.0.118:9200"]
user => "elastic"
password => "Spring01"
index => "netsec_symantec-%{+yyyy.MM.dd}"
}
}
systemctl start logstash齐活
logstash客户端传送symantec日志到elasticsearch
标签:last app start 发送 log elastic remove output cse
原文地址:https://www.cnblogs.com/obitoma/p/14166363.html