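#!/usr/bin/env bash
# Install Logstash 7.x from Elastic's signed yum repository and give the
# logstash service account read access to /var/log/secure so the sshd
# failure pipeline can tail it.  Run as root; needs network access to
# artifacts.elastic.co.
set -euo pipefail

# Java runtime the rest of the setup relies on.  dnf is used throughout
# (the original mixed yum and dnf, which are the same tool on this platform).
dnf -y install java-1.8.0-openjdk-devel.x86_64

# Repository definition.  gpgcheck=1 together with gpgkey makes dnf verify
# every package signature against Elastic's key before installing, so keep
# both lines.  The heredoc delimiter is quoted so nothing in the body is
# subject to shell expansion.
cat > /etc/yum.repos.d/elasticsearch.repo <<'EOF'
[elasticsearch-7.x]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOF

dnf -y install logstash

# The systemd unit runs Logstash as the 'logstash' user, which cannot read
# /var/log/secure (typically root-only).  Grant group read and nothing more:
# 0640, not 0644, because the file holds authentication records.
chgrp logstash /var/log/secure
chmod 640 /var/log/secure
# NOTE(review): logrotate recreates /var/log/secure with its own owner/mode
# on rotation; persist this owner/mode in the logrotate rule for the file or
# the pipeline loses access after the first rotation.

# Validate the pipeline and exit instead of running Logstash in the
# foreground.  The original invocation blocked the script here and ran as
# root, which masks the permission problem the chmod above addresses.
# --path.settings points the bin launcher at the packaged settings directory.
/usr/share/logstash/bin/logstash --path.settings /etc/logstash \
  -f /etc/logstash/conf.d/std.conf --config.test_and_exit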
logstash 그룹에 /var/log/secure 읽기 권한을 줘야 한다.
설정
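# Pipeline: extract sshd authentication failures from /var/log/secure and
# index them in Elasticsearch, one index per month.
input {
  file {
    # Corrected from "seucure_log": the type value is written into every
    # document, so a misspelling here is reproduced in every query on it.
    type => "secure_log"
    path => "/var/log/secure"
  }
}
filter {
  grok {
    # Tag is added only when the pattern below matches.
    add_tag => [ "sshd_fail" ]
    # sshd writes two shapes of failure line (constructed examples):
    #   Failed password for root from 10.0.0.1 port 22 ssh2
    #   Failed password for invalid user admin from 10.0.0.1 port 22 ssh2
    # The optional "invalid user " group covers the second shape, which the
    # original pattern never matched (USERNAME stopped at "invalid" and the
    # literal " from" did not follow).  sshd_invalid_user therefore holds the
    # attempted user name for both shapes.
    match => { "message" => "Failed %{WORD:sshd_auth_type} for (invalid user )?%{USERNAME:sshd_invalid_user} from %{IP:sshd_client_ip} port %{NUMBER:sshd_port} %{GREEDYDATA:sshd_protocol}" }
  }
  # Every other line of /var/log/secure also flows through this pipeline;
  # without this guard the sshd_fail-* index would hold all of them, not
  # just failures.  Non-matching events are tagged _grokparsefailure by grok.
  if "_grokparsefailure" in [tags] {
    drop { }
  }
}
output {
  elasticsearch {
    # NOTE(review): plain HTTP with no credentials -- the usernames and
    # client addresses from authentication failures cross the network
    # unencrypted.  Move to https and an authenticated user on the cluster
    # before this leaves a lab setup.
    hosts => ["http://200.200.200.70:9200"]
    # Monthly index; the date comes from the event's @timestamp.
    index => "sshd_fail-%{+YYYY.MM}"
  }
}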
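# Apply the pipeline change: a plain restart is enough to pick up the new
# config; nothing else needs to be re-run.
systemctl restart logstash
# restart returns as soon as the unit is spawned, so a broken pipeline only
# surfaces in the journal a little later.  Check the unit state and show the
# recent log on failure instead of assuming the restart worked.
systemctl is-active --quiet logstash || {
  journalctl -u logstash --no-pager -n 50 >&2
  exit 1
}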