添加如下配置到 /etc/bashrc 文件末尾（对所有交互式 bash 会话生效。注意这只是审计记录而非强制手段：用户切换到其他 shell、设置 HISTSIZE=0 或使用 HISTCONTROL 即可绕过，需要防篡改的审计请配合 auditd 的 execve 规则或 PAM tty_audit 使用）
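# --- Interactive-shell command audit: ships a login record and one record per
# --- executed command to syslog, for forwarding by rsyslog to Logstash/ES.
#
# Login record   (facility local5.info): "<client_ip>,<user>,<shell_pid>"
# Command record (facility user.notice): "[euid=<user>],<who am i output>,<cwd>,<command>"
# The field order is consumed positionally by the rsyslog template and the
# Logstash filters; keep it in sync if you change either side.
#
# Limitations (this is audit, not enforcement):
#  * A user can start another shell (sh, zsh, `bash --norc`), set HISTSIZE=0 or use
#    HISTCONTROL=ignorespace to evade the hook; `readonly` only stops reassignment
#    inside this shell. Use auditd (execve rules) or PAM tty_audit when tamper-
#    resistant logging is required.
#  * Command lines are forwarded verbatim, so secrets passed as arguments end up
#    in the central log store.
#  * Every new interactive bash (each terminal tab, each `bash` subshell) emits a
#    new login record.
#  * Assumes HISTTIMEFORMAT is unset; if it is set, `history 1` inserts the
#    timestamp between the entry number and the command text.
if [[ $- == *i* ]]; then
    # Client address: the "(1.2.3.4)" column of `who am i`; when there is no utmp
    # entry (e.g. `ssh host cmd`, `su`) fall back to sshd's SSH_CLIENT ("ip port port").
    up_client_ip=$(who am i 2>/dev/null | sed -n 's/.*(\(.*\)).*/\1/p')
    [ -z "$up_client_ip" ] && up_client_ip=${SSH_CLIENT%% *}
    logger -p local5.info -- "${up_client_ip},$(whoami),$$"

    # Runs from PROMPT_COMMAND before each prompt and logs the command that just
    # finished. State: __audit_last_hist = history number logged last.
    __audit_log_cmd() {
        local num cmd who_info
        # `history 1` prints "  <n>  <command>"; -r keeps backslashes intact.
        read -r num cmd <<< "$(history 1)"
        # First prompt of the shell: record the baseline only, so an entry restored
        # from HISTFILE is not logged as if it had just been executed.
        if [ -z "${__audit_last_hist+x}" ]; then
            __audit_last_hist=$num
            return
        fi
        # No new history entry (blank Enter, HISTCONTROL-ignored command):
        # do not log the previous command a second time.
        [ "$num" = "$__audit_last_hist" ] && return
        __audit_last_hist=$num
        # Collapse the column padding of `who am i` into single spaces.
        who_info=$(who am i 2>/dev/null | tr -s ' ')
        # "--" stops logger from parsing a command starting with "-" as an option.
        # $cmd must stay quoted: unquoted it is glob-expanded (e.g. "rm *" would be
        # logged as the list of files in the current directory).
        logger -p user.notice -- "[euid=$(whoami)],${who_info},${PWD},${cmd}"
    }
    PROMPT_COMMAND='__audit_log_cmd'
    readonly PROMPT_COMMAND
    readonly -f __audit_log_cmd
fi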
重新登录生效
添加如下配置到 /etc/rsyslog.conf 文件末尾（@@ 表示明文 TCP 转发：用户名和完整命令行会未加密地经网络发送到 10.120.1.234，请确保传输网络可信，或改用 rsyslog 的 TLS 转发）
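# Forward every local message (*.*) to the central Logstash syslog input as a
# single "||"-separated record. The consumer splits positionally, so the order
# is part of the contract:
#   0 fromhost, 1 facility, 2 priority, 3 timereported, 4 timegenerated,
#   5 msg, 6 iut, 7 programname, 8 syslogtag
# Caveat: a message body that itself contains "||" shifts every field after 5.
$template StdLOGFormat,"%fromhost%||%syslogfacility-text%||%syslogpriority-text%||%timereported:::date-mysql%||%timegenerated:::date-mysql%||%msg%||%iut%||%programname%||%syslogtag%"

# Disk-assisted action queue: while the remote TCP endpoint is unreachable,
# records are buffered on disk (under the $WorkDirectory set earlier in this
# file) instead of being dropped or stalling the main queue, and retries never
# give up (-1).
$ActionQueueType LinkedList
$ActionQueueFileName fwdStdLOG
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionResumeRetryCount -1

# "@@" = plain TCP. The stream is neither encrypted nor authenticated, and it
# carries usernames and full command lines: keep it on a trusted management
# network or move it to TLS (rsyslog gtls driver / RFC 5425).
*.* @@10.120.1.234:60514;StdLOGFormat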
安装logstash 步骤省略
logstash 配置文件 /etc/logstash/conf.d/sys.conf 内容如下:
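input {
  # rsyslog forwards here over plain TCP (StdLOGFormat template). The listener is
  # unauthenticated and binds all interfaces by default: restrict it with
  # `host => "<ip>"` and/or a firewall rule to the hosts that should ship logs.
  syslog {
    port => 60514
    type => "rsyslog"
  }
}

filter {
  if [type] == 'rsyslog' {
    urldecode {
      all_fields => true
    }
    mutate {
      # Positions follow the rsyslog StdLOGFormat template; a message body that
      # itself contains "||" shifts everything after index 5.
      split => ["message", "||"]
      # Array elements are addressed with the [field][index] reference form.
      add_field => {
        "HostName" => "%{[message][0]}"
        "Facility" => "%{[message][1]}"
        "Mes"      => "%{[message][5]}"
      }
      remove_field => ["message", "facility_label", "facility", "severity_label", "severity", "priority", "timestamp", "program"]
    }
    # rsyslog's %msg% usually keeps the leading space of the syslog body; drop it
    # so ClientIp / Euid do not start with a blank.
    mutate {
      strip => ["Mes"]
    }
    # Login record from /etc/bashrc: "<client_ip>,<user>,<shell_pid>"
    if [Facility] == "local5" {
      dissect {
        mapping => { "Mes" => "%{ClientIp},%{LoginUserName},%{SessionId}" }
        remove_field => ["Mes"]
      }
    }
    # Command record from PROMPT_COMMAND: "[euid=<user>],<who am i>,<cwd>,<command>".
    # dissect instead of mutate/split so the last field keeps any commas that
    # appear inside the command line itself (split would truncate ExecCmd).
    # On a malformed record dissect tags the event _dissectfailure and leaves Mes.
    if [Facility] == "user" {
      dissect {
        mapping => { "Mes" => "%{Euid},%{WhoInfo},%{ExecPath},%{ExecCmd}" }
        remove_field => ["Mes"]
      }
    }
  }
}

output {
  # Plain HTTP with no credentials: keep Elasticsearch on a trusted network or
  # enable TLS and authentication (ssl / user / password) before exposing it.
  if [type] == 'rsyslog' and [Facility] == "local5" {
    elasticsearch {
      hosts => "10.120.1.234:9200"
      index => "logstash-login-%{+YYYY.MM.dd}"
    }
  } else if [type] == 'rsyslog' and [Facility] == "user" {
    elasticsearch {
      hosts => "10.120.1.234:9200"
      index => "logstash-user-%{+YYYY.MM.dd}"
    }
  }
}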