AttackFilter: Logstash 日志安全攻击分析插件
AttackFilter
AttackFilter为Logstash日志分析插件,用于分析日志中存在的攻击信息,安装前需要先安装 logstash
- logstash-filter-attackfilter-1.0.6
- 此插件为 ElasticSearch 导入工具 Logstash 扩展安全分析插件
AttackFilter插件安装
- 下载插件
git clone https://github.com/anbai-inc/AttackFilter
- 在 logstash-X.X.X/Gemfile 加入插件路径信息
mv attackfilter logstash-X.X.X/vendor/bundle/jruby/1.9/gems/
vim logstash-X.X.X/Gemfile
gem "logstash-filter-attackfilter", :path => "./vendor/bundle/jruby/1.9/gems/logstash-filter-attackfilter-1.0.6"
AttackFilter使用
- 配置 Logstash 导入配置文件 test.conf
input {
file {
path => "/web-log-2018-01-01.log"
start_position => "beginning"
}
}filter {
grok {
match => { "message" => "%{日志拆分规则}"
}
} attackfilter {
source => message
}
}output {
elasticsearch {
hosts => ["192.168.1.2:9200"]
index => "test"
} stdout {
codec => rubydebug
}
}
问题反馈
- zdh#anbai.com(#替换成@)
关键词:
