filebeat configuration:
filebeat.prospectors:
- input_type: log
  paths:
    - /var/log/secure
  exclude_lines: ["nagios"]
output.logstash:
  # The Logstash hosts
  hosts: ["10.0.1.1:5050"]
logstash configuration:
input {
  beats {
    port => 5050
  }
}
filter {
  grok {
    # Note: lines of the form "Failed password for invalid user NAME from ..." do not match this
    # pattern ("invalid" is captured as a_user and the following "user" breaks the "from" match),
    # so they are tagged _grokparsefailure and never reach the failed-login file below.
    match => { "message" => "%{SYSLOGTIMESTAMP:a_time} %{USERNAME:a_hostname} sshd\[%{WORD:a_jinchen}\]: %{WORD:a_leixing}\s%{WORD:a_fangshi}\sfor\s%{WORD:a_user}\sfrom\s%{IPV4:a_ip}\sport\s%{INT:a_port}\s%{WORD:a_xieyi}" }
  }
}
output {
  elasticsearch {
    hosts => [ "10.0.1.2:9200", "10.0.1.3:9200", "10.0.1.4:9200" ]
    index => "logstash-fangwen-%{+YYYY.MM}"
  }
  if [a_leixing] == "Failed" {
    file {
      path => "/mapbar/app/elk/logstash-5.0.0/logs/elk_ssh_failed.log"
      codec => line { format => "custom format: %{message}" }
    }
  }
}
python script:
import os
import subprocess

if os.path.exists('/mapbar/app/elk/logstash-5.0.0/logs/elk_ssh_failed.log'):
    file_dict = {}
    input_file = open('/mapbar/app/elk/logstash-5.0.0/logs/elk_ssh_failed.log')
    line_file = input_file.readlines()
    file_number = len(line_file)
    for i in line_file:
        # Each line is "custom format: <syslog message>", so after split():
        # [5] hostname, [7] "Failed", [8] auth method, [10] user, [12] source IP
        file_list = i.split()
        if len(file_list) < 13:
            continue  # skip truncated or unexpected lines instead of raising IndexError
        file_key = file_list[5]+','+file_list[7]+','+file_list[8]+','+file_list[10]+','+file_list[12]
        if file_key in file_dict.keys():
            number = file_dict[file_key]
            number += 1
            file_dict[file_key] = number
        else:
            file_dict[file_key] = 1
    echo_content = ''
    for k, v in file_dict.items():
        if int(v) > 2:
            k_info = k.split(',')
            echo_content += "User: %s \n From: %s\n Land: %s \n State: failed \n Failure Times: %s \n %s \n" % (k_info[3], k_info[4], k_info[0], v, '-'*50)
    if echo_content:
        # Feed the body to mail on stdin rather than interpolating it into a shell
        # command: the user name is chosen by the remote client and could otherwise
        # inject shell metacharacters into the echo command.
        mail = subprocess.Popen(['mail', '-s', 'ssh_failed:warning!', 'wzz@csdn.com'],
                                stdin=subprocess.PIPE, universal_newlines=True)
        mail.communicate(echo_content)
    input_file.close()
    os.remove('/mapbar/app/elk/logstash-5.0.0/logs/elk_ssh_failed.log')
crontab:
*/5 * * * * /mapbar/app/tools/anaconda2/bin/python /mapbar/app/elk/logstash-5.0.0/sh/elk_ssh_failed.py 2>&1
Principle:
When a Failed login event occurs, logstash writes the message to the elk_ssh_failed.log file; every five minutes the python script checks the file and, if there are more than 3 failures, sends an alert email.
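As an added example (not the page's own script), the grok pattern and the threshold logic above re-implemented in plain Python so the pipeline can be checked offline against constructed /var/log/secure lines; the regex, function names and sample lines are assumptions, and the optional "invalid user" group is an addition that the page's grok pattern does not have:

```python
import re
from collections import Counter

# Regex equivalent of the page's grok pattern, same field names. The optional
# "invalid user " group is an addition: sshd logs unknown accounts in that
# form, and the page's grok pattern does not match those lines.
SSHD_AUTH = re.compile(
    r'(?P<a_time>\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s(?P<a_hostname>\S+)\s'
    r'sshd\[(?P<a_jinchen>\d+)\]:\s(?P<a_leixing>\w+)\s(?P<a_fangshi>\w+)\sfor\s'
    r'(?:invalid\suser\s)?(?P<a_user>\S+)\sfrom\s(?P<a_ip>\d{1,3}(?:\.\d{1,3}){3})\s'
    r'port\s(?P<a_port>\d+)\s(?P<a_xieyi>\w+)'
)

def parse_line(line):
    """Return the grok-style field dict for one sshd line, or None if no match."""
    m = SSHD_AUTH.search(line)
    return m.groupdict() if m else None

def failed_logins(lines, threshold=2):
    """Count Failed events per (host, user, source ip) and keep counts above
    threshold; threshold=2 mirrors the script's `int(v) > 2` (alert from 3)."""
    counts = Counter()
    for line in lines:
        f = parse_line(line)
        if f and f['a_leixing'] == 'Failed':
            counts[(f['a_hostname'], f['a_user'], f['a_ip'])] += 1
    return {key: n for key, n in counts.items() if n > threshold}

def format_alert(hits):
    """Build the mail body in the layout the page's script uses."""
    body = ''
    for (host, user, ip), n in sorted(hits.items()):
        body += 'User: %s \n From: %s\n Land: %s \n State: failed \n Failure Times: %s \n %s \n' % (
            user, ip, host, n, '-' * 50)
    return body

# Constructed /var/log/secure lines for an offline run (not real data).
SAMPLE_LINES = """\
Oct  5 10:00:01 web01 sshd[2201]: Failed password for root from 10.0.0.5 port 40001 ssh2
Oct  5 10:00:03 web01 sshd[2203]: Failed password for root from 10.0.0.5 port 40002 ssh2
Oct  5 10:00:05 web01 sshd[2205]: Failed password for root from 10.0.0.5 port 40003 ssh2
Oct  5 10:00:07 web01 sshd[2207]: Failed password for invalid user admin from 10.0.0.9 port 40010 ssh2
Oct  5 10:00:08 web01 sshd[2208]: Failed password for invalid user admin from 10.0.0.9 port 40011 ssh2
Oct  5 10:00:09 web01 sshd[2209]: Accepted publickey for deploy from 10.0.1.7 port 40020 ssh2: RSA SHA256:constructed
""".splitlines()

if __name__ == '__main__':
    print(format_alert(failed_logins(SAMPLE_LINES)))
```

With the sample above only root from 10.0.0.5 crosses the threshold; the two admin failures stay below it and the Accepted line is ignored.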
Mail format: