3.5 Windows System Logs
The Logstash community has many Windows users, so this section is devoted to collecting and processing Windows system logs. Earlier we covered the system log on Linux, that is, syslog handling. Windows in fact has a comparable design, called the eventlog. This section explains how to process the Windows eventlog.
3.5.1 Collector-side configuration
Because the author of Logstash comes from a Linux operations background, early versions shipped with quite a few bugs specific to the Windows platform. So for logs on Windows, while you try Logstash, we currently recommend also trying the more stable nxlog software. A more detailed introduction to nxlog can be found in a later chapter of this book.
Here we first introduce how Logstash and nxlog are configured to handle the Windows eventlog.
The Logstash configuration is as follows:
input {
  eventlog {
    # collect several channels at once:
    #logfile => ["Application", "Security", "System"]
    logfile => ["Security"]
    type => "winevent"
    tags => [ "caen" ]
  }
}
The nxlog configuration has the following key points:
1) ROOT must be the actual nxlog installation path.
2) On Windows 2003 and earlier, the input module is called im_mseventlog rather than im_msvistalog.
Below is a complete nxlog configuration example:
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension json>
    Module xm_json
</Extension>

<Input in>
    # im_mseventlog on Windows 2003 and earlier
    Module im_msvistalog
    # serialize each event as one JSON record
    Exec   to_json();
</Input>

<Output out>
    Module om_tcp
    Host   10.66.66.66
    Port   5140
</Output>

<Route 1>
    Path in => out
</Route>
3.5.2 Receiving and parsing side configuration
At the central receiving end, Logstash is used throughout to parse the data and store it. If the collector is also Logstash, the main fields have already been generated and there is nothing special about the receiver configuration. If the collector is nxlog, we still need to convert some of the fields nxlog generates into the more general style used by Logstash.
As explained in the earlier chapter on plugins, Elasticsearch searches in lowercase by default, so data should be lowercased wherever possible. Unfortunately, in nxlog not only the field values but also the field names use mixed case, so the only option is to use the rename feature of logstash-filter-mutate to rename the fields to lowercase.
The configuration example is as follows:
input {
  tcp {
    codec => "json"
    port => 5140
    tags => ["windows", "nxlog"]
    type => "nxlog-json"
  }
} # end input

filter {
  if [type] == "nxlog-json" {
    # nxlog's EventTime is local wall-clock time; give the date filter its zone
    date {
      match => ["[EventTime]", "YYYY-MM-dd HH:mm:ss"]
      timezone => "Europe/London"
    }
    # nxlog field names are mixed-case; rename them to lowercase, mostly nested under [eventlog]
    mutate {
      rename => [ "AccountName", "user" ]
      rename => [ "AccountType", "[eventlog][account_type]" ]
      rename => [ "ActivityId", "[eventlog][activity_id]" ]
      rename => [ "Address", "ip6" ]
      rename => [ "ApplicationPath", "[eventlog][application_path]" ]
      rename => [ "AuthenticationPackageName", "[eventlog][authentication_package_name]" ]
      rename => [ "Category", "[eventlog][category]" ]
      rename => [ "Channel", "[eventlog][channel]" ]
      rename => [ "Domain", "domain" ]
      rename => [ "EventID", "[eventlog][event_id]" ]
      rename => [ "EventType", "[eventlog][event_type]" ]
      rename => [ "File", "[eventlog][file_path]" ]
      rename => [ "Guid", "[eventlog][guid]" ]
      rename => [ "Hostname", "hostname" ]
      rename => [ "Interface", "[eventlog][interface]" ]
      rename => [ "InterfaceGuid", "[eventlog][interface_guid]" ]
      rename => [ "InterfaceName", "[eventlog][interface_name]" ]
      rename => [ "IpAddress", "ip" ]
      rename => [ "IpPort", "port" ]
      rename => [ "Key", "[eventlog][key]" ]
      rename => [ "LogonGuid", "[eventlog][logon_guid]" ]
      rename => [ "Message", "message" ]
      rename => [ "ModifyingUser", "[eventlog][modifying_user]" ]
      rename => [ "NewProfile", "[eventlog][new_profile]" ]
      rename => [ "OldProfile", "[eventlog][old_profile]" ]
      rename => [ "Port", "port" ]
      rename => [ "PrivilegeList", "[eventlog][privilege_list]" ]
      rename => [ "ProcessID", "pid" ]
      rename => [ "ProcessName", "[eventlog][process_name]" ]
      rename => [ "ProviderGuid", "[eventlog][provider_guid]" ]
      rename => [ "ReasonCode", "[eventlog][reason_code]" ]
      rename => [ "RecordNumber", "[eventlog][record_number]" ]
      rename => [ "ScenarioId", "[eventlog][scenario_id]" ]
      rename => [ "Severity", "level" ]
      rename => [ "SeverityValue", "[eventlog][severity_code]" ]
      rename => [ "SourceModuleName", "nxlog_input" ]
      rename => [ "SourceName", "[eventlog][program]" ]
      rename => [ "SubjectDomainName", "[eventlog][subject_domain_name]" ]
      rename => [ "SubjectLogonId", "[eventlog][subject_logonid]" ]
      rename => [ "SubjectUserName", "[eventlog][subject_user_name]" ]
      rename => [ "SubjectUserSid", "[eventlog][subject_user_sid]" ]
      rename => [ "System", "[eventlog][system]" ]
      rename => [ "TargetDomainName", "[eventlog][target_domain_name]" ]
      rename => [ "TargetLogonId", "[eventlog][target_logonid]" ]
      rename => [ "TargetUserName", "[eventlog][target_user_name]" ]
      rename => [ "TargetUserSid", "[eventlog][target_user_sid]" ]
      rename => [ "ThreadID", "thread" ]
    }
    # drop nxlog bookkeeping fields and values not needed downstream
    mutate {
      remove_field => [
        "CurrentOrNextState", "Description", "EventReceivedTime", "EventTime",
        "EventTimeWritten", "IPVersion", "KeyLength", "Keywords", "LmPackageName",
        "LogonProcessName", "LogonType", "Name", "Opcode", "OpcodeValue",
        "PolicyProcessingMode", "Protocol", "ProtocolType", "SourceModuleType",
        "State", "Task", "TransmittedServices", "Type", "UserID", "Version"
      ]
    }
  }
}
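To check offline what the receiver pipeline above turns an nxlog JSON record into, here is an added Python example that is not from the book, Logstash or nxlog: it applies the same date, rename and remove steps to a constructed sample event. The rename map is a subset of the filter's list, and set_path, normalize and the sample values are assumptions of this example.

```python
import json
from datetime import datetime
from zoneinfo import ZoneInfo

# Subset of the mutate rename list above; "[a][b]" targets become nested dicts.
RENAMES = {
    "AccountName": "user",
    "EventID": "[eventlog][event_id]",
    "EventType": "[eventlog][event_type]",
    "Hostname": "hostname",
    "IpAddress": "ip",
    "Message": "message",
    "Severity": "level",
    "SourceName": "[eventlog][program]",
    "TargetUserName": "[eventlog][target_user_name]",
}
# Subset of the remove_field list above.
REMOVE = {"EventReceivedTime", "EventTime", "LogonType", "Opcode", "Version"}

def set_path(doc, path, value):
    """Write value at a Logstash-style field reference: "user" or "[eventlog][event_id]"."""
    parts = path.strip("[]").split("][") if path.startswith("[") else [path]
    cur = doc
    for p in parts[:-1]:
        cur = cur.setdefault(p, {})
    cur[parts[-1]] = value

def normalize(raw_json, tz="Europe/London"):
    """Mirror the filter: EventTime -> @timestamp (UTC), rename fields, drop the rest."""
    src = json.loads(raw_json)
    out = {}
    # date filter: "YYYY-MM-dd HH:mm:ss" read in the configured zone, stored as UTC
    local = datetime.strptime(src["EventTime"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=ZoneInfo(tz))
    out["@timestamp"] = local.astimezone(ZoneInfo("UTC")).isoformat()
    for key, value in src.items():
        if key in REMOVE:
            continue
        set_path(out, RENAMES.get(key, key), value)  # unmapped fields keep their name
    return out

# Constructed sample shaped like im_msvistalog + to_json() output (not a real capture).
SAMPLE = json.dumps({
    "EventTime": "2014-07-01 09:30:00",
    "Hostname": "win-host.example",
    "EventID": 4625,
    "SourceName": "Microsoft-Windows-Security-Auditing",
    "Severity": "AUDIT_FAILURE",
    "TargetUserName": "alice",
    "IpAddress": "192.0.2.10",
    "LogonType": 3,
    "Message": "An account failed to log on.",
    "EventReceivedTime": "2014-07-01 09:30:01",
})
```

Because the sample falls in British Summer Time, normalize(SAMPLE) stores 08:30 UTC, which is what the Logstash date filter would write to @timestamp for this configuration.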