Environment and notes:
Logstash version: 7.10.1. Parses and filters logs: it receives the log events sent by Filebeat on the client hosts, processes them, and forwards them to the Zabbix server.
Zabbix version: 4.4 (MySQL as the default database)
Host OS: CentOS 7.x
Filebeat version: 7.10.1. Collects the login log from the client hosts, chiefly the file /var/log/secure.
Result
Deployment and configuration
Installing Zabbix Server is not covered here; refer to other documentation if needed.
1. Install Logstash on the Zabbix server host (installation omitted; the focus is configuration)
2. Configure Logstash and install the Zabbix output plugin (logstash-output-zabbix is an output plugin: Logstash receives from Beats and sends to the Zabbix trapper port)
# If the online install is slow, install offline instead; an offline package is linked below
$ bin/logstash-plugin install logstash-output-zabbix
# Offline plugin install
$ bin/logstash-plugin install file:///root/logstash-output-zabbix.zip
Offline package: https://share.weiyun.com/5cBP60be password: xet8eq
$ cat /etc/logstash/conf.d/host-login-log.conf
input {
  beats {
    host => "0.0.0.0"
    port => 5044
    #codec => "json"
    # This listener accepts events from any address in clear text. In production set ssl => true
    # with a server certificate (and the matching ssl settings in output.logstash on the Filebeat
    # side), or at least restrict port 5044 with the host firewall.
  }
}
# Filter section
filter {
  # Fields under [@metadata] are not forwarded with the event; they only steer the output plugin.
  # zabbix_key must equal the key of the trapper item in Zabbix.
  # zabbix_host must equal the technical host name in the Zabbix frontend that owns the item
  # (here zabbix-ops, the Zabbix server's own host entry), not the server's IP address.
  # new_message merges referenced fields into one new field. [host][hostname] and [host][ip] are
  # populated by Filebeat's add_host_metadata processor (enabled in the stock filebeat.yml);
  # [host][ip] is an array and renders as a comma-separated list. If the processor is disabled
  # the literal %{[host][ip]} is sent instead.
  mutate {
    add_field => {
      "[@metadata][zabbix_key]"  => "host-login"
      "[@metadata][zabbix_host]" => "zabbix-ops"
      "new_message" => "Host: %{[host][hostname]}(%{[host][ip]}) - login log: %{message}"
    }
  }
}
output {
  # Uncomment while debugging to see the whole event, including new_message, on stdout
  #stdout { codec => rubydebug }
  # Output plugin: zabbix
  # zabbix_host         name of the event field that holds the Zabbix host name (set in the filter above)
  # zabbix_server_host  address of the zabbix_server trapper
  # zabbix_server_port  zabbix_server trapper port, default 10051
  # zabbix_key          name of the event field that holds the item key (set in the filter above)
  # zabbix_value        name of the event field whose value is sent, default message
  zabbix {
    zabbix_host => "[@metadata][zabbix_host]"
    zabbix_server_host => "10.2.6.204"
    zabbix_server_port => 10051
    zabbix_key => "[@metadata][zabbix_key]"
    zabbix_value => "new_message"
  }
}
3. Install Filebeat on the client hosts (installation omitted; the focus is configuration)
This can be a host that already runs Zabbix Agent, or a machine with only Filebeat deployed. Filebeat must run as root (the default for the RPM's systemd unit), because /var/log/secure is readable only by root.
4. Configure Filebeat
$ vim filebeat.yml
filebeat.inputs:
- type: log
  # Change to true to enable this input configuration.
  enabled: true
  # Paths that should be crawled and fetched. Glob based paths.
  paths:
    - /var/log/secure   # CentOS 7 writes login/session logs here; the same path applies on CentOS 6
    #- c:\programdata\elasticsearch\logs\*
  # Exclude lines. A list of regular expressions to match. It drops the lines that are
  # matching any regular expression from the list.
  #exclude_lines: ['^DBG']
  # Include lines. A list of regular expressions to match. It exports the lines that are
  # matching any regular expression from the list.
  include_lines: ['Failed password']   # collect only failed logins; add patterns such as 'Invalid user' to also catch sshd failures that do not contain this phrase
....
The rest of the file keeps the defaults; output.logstash must point at port 5044 on the Logstash host, and output.elasticsearch must be commented out, since Filebeat allows only one output.
5. Start Logstash and Filebeat (omitted). Start Logstash first so that port 5044 is listening before Filebeat connects.
6. Configure Zabbix
- Create an item on host zabbix-ops: Type = Zabbix trapper, Key = host-login (it must match [@metadata][zabbix_key] exactly), Type of information = Text. If you fill in Allowed hosts, include the address Logstash connects from, otherwise the server silently rejects the values.
- Create a trigger on that item that fires when a new failed-login line arrives, for example a Zabbix 4.4 expression such as {zabbix-ops:host-login.str(Failed password)}=1, and attach an action that notifies on it.
- Check the item before relying on Logstash: zabbix_sender -z 10.2.6.204 -p 10051 -s zabbix-ops -k host-login -o "test" should report "processed: 1; failed: 0"; "failed: 1" means the host name, key or item type does not match what Zabbix has.
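The whole pipeline above, emulated in plain Python so each stage can be checked without the three services. This is an added example, not code from the original post or from Filebeat, Logstash or Zabbix: it applies the same include_lines filter as the Filebeat config, builds the same new_message field as the mutate filter, additionally parses user and source address out of the sshd line (which the Logstash config above does not do), and encodes the result as the Zabbix trapper request ("ZBXD\x01" header, little-endian length, JSON "sender data" body) that zabbix_sender and logstash-output-zabbix send to port 10051. The log lines, the client host name web01 and its IP 10.2.6.21 are constructed; zabbix-ops, host-login and 10.2.6.204:10051 are taken from the page.

```python
"""Added example: emulate Filebeat -> Logstash mutate -> Zabbix trapper in Python.

Not part of the original post or of the tools it describes. The sample log and the
client host name/IP are constructed; the Zabbix sender framing is the real protocol.
"""
from __future__ import annotations

import json
import re
import socket
import struct

# Constructed sample of /var/log/secure (CentOS 7 sshd via rsyslog); not real data.
SAMPLE_SECURE_LOG = """\
Mar  3 10:12:01 web01 sshd[2231]: Accepted publickey for deploy from 10.2.6.10 port 50122 ssh2: RSA SHA256:abc
Mar  3 10:12:07 web01 sshd[2240]: Failed password for root from 203.0.113.45 port 41022 ssh2
Mar  3 10:12:09 web01 sshd[2240]: Failed password for invalid user admin from 203.0.113.45 port 41030 ssh2
Mar  3 10:12:11 web01 sshd[2240]: Invalid user admin from 203.0.113.45 port 41030
Mar  3 10:12:12 web01 sshd[2240]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.45
"""

# Same role as filebeat include_lines: ['Failed password'] (a line is kept if any regex matches).
INCLUDE_LINES = [re.compile(r"Failed password")]

# Extra parsing the Logstash config does not do: user and source socket of the failed attempt.
FAILED_RE = re.compile(
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<src_ip>\S+) port (?P<src_port>\d+)"
)

ZABBIX_HOST = "zabbix-ops"  # [@metadata][zabbix_host]: technical host name in the Zabbix frontend
ZABBIX_KEY = "host-login"   # [@metadata][zabbix_key]: key of the trapper item on that host


def filebeat_filter(raw_log: str) -> list[str]:
    """Keep only the lines matching any include_lines pattern, as Filebeat does."""
    return [ln for ln in raw_log.splitlines() if any(p.search(ln) for p in INCLUDE_LINES)]


def build_event(line: str, hostname: str, host_ip: str) -> dict:
    """Build new_message exactly as the mutate add_field template does, plus parsed extras."""
    event = {
        "message": line,
        "host": {"hostname": hostname, "ip": host_ip},  # what add_host_metadata supplies
        "new_message": f"Host: {hostname}({host_ip}) - login log: {line}",
    }
    m = FAILED_RE.search(line)
    if m:
        event.update(
            user=m.group("user"),
            invalid_user=m.group("invalid") is not None,
            src_ip=m.group("src_ip"),
            src_port=int(m.group("src_port")),
        )
    return event


def zabbix_sender_frame(events: list[dict]) -> bytes:
    """Encode events as one Zabbix 'sender data' request (the trapper wire format)."""
    body = json.dumps({
        "request": "sender data",
        "data": [{"host": ZABBIX_HOST, "key": ZABBIX_KEY, "value": e["new_message"]} for e in events],
    }).encode()
    # Header: "ZBXD", protocol flag 0x01, then the payload length as 8-byte little-endian.
    return b"ZBXD\x01" + struct.pack("<Q", len(body)) + body


def parse_zabbix_frame(frame: bytes) -> dict:
    """Decode a frame (our request or the server's response); rejects bad header or length."""
    if frame[:5] != b"ZBXD\x01":
        raise ValueError("not a Zabbix protocol frame")
    (length,) = struct.unpack("<Q", frame[5:13])
    body = frame[13:13 + length]
    if len(body) != length:
        raise ValueError("truncated frame")
    return json.loads(body)


def send_to_zabbix(frame: bytes, server: str = "10.2.6.204", port: int = 10051,
                   timeout: float = 5.0) -> dict:
    """Deliver a frame to zabbix_server and return its parsed reply (makes a network call)."""
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall(frame)
        reply = b""
        chunk = s.recv(4096)
        while chunk:  # the server closes the connection after its response
            reply += chunk
            chunk = s.recv(4096)
    return parse_zabbix_frame(reply)


if __name__ == "__main__":
    kept = filebeat_filter(SAMPLE_SECURE_LOG)
    events = [build_event(ln, "web01", "10.2.6.21") for ln in kept]
    for e in events:
        print(e["new_message"], "| user:", e["user"], "| src:", e["src_ip"])
    # Uncomment to push the values to the real server; the reply should contain
    # "response": "success" and "processed: 2; failed: 0" if the item matches.
    # print(send_to_zabbix(zabbix_sender_frame(events)))
```

Run it with no arguments to see the two lines that survive include_lines and the new_message each would carry; the commented-out send_to_zabbix call performs the same delivery the Logstash plugin does, so a "failed: 2" in the reply points at a mismatch between zabbix-ops / host-login and the item in the frontend, not at Filebeat or Logstash. The parser also records whether sshd flagged the account as an invalid user, a field a trigger could use to separate password guessing against real accounts from generic scanning.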