Modify the environment configuration file
#/etc/bashrc
Add the following content:

# Central command-history log; the setup below makes it world-writable so every user's shell can append to it
HISTFILE='/var/log/history_command.log'
if [ ! -f $HISTFILE ]; then
    touch $HISTFILE
    chmod 666 $HISTFILE
fi
# Prefix every history entry with: date time,hostname,login IP,login user,effective user,
export HISTTIMEFORMAT="%F %T,$HOSTNAME,$(who -u am i 2>/dev/null| awk '{print $NF}'| sed -e 's/[()]//g'),$(who am i|awk '{print $1}'),${USER},"
# After each command, append the latest history entry (with its number stripped) to the log
export PROMPT_COMMAND='history 1|tail -1|sed "s/^[ ]\+[0-9]\+ //"|sed "s/$//">> $HISTFILE'

PS: this formats each history command and writes it to the file /var/log/history_command.log
Logstash configuration file
#hiscmd_log.conf

input {
  file {
    type => "history_cmd"
    path => "/var/log/history_command.log"
  }
}
filter {
  if [type] == "history_cmd" {
    grok {
      match => { "message" => "%{HISTORY_CMD}" }
    }
  }
  geoip {
    source => "ip"
    fields => ["city_name"]
    database => "/opt/logstash-2.0.0/conf/GeoLiteCity.dat"
  }
}
output {
  stdout { codec => rubydebug }
  elasticsearch {
    hosts => "www.elk.com:9200"
    index => "history_cmd-%{+YYYY.MM}"
  }
}
The matching rule can be written in the patterns/linux-syslog file:

# fields: time,hostname,login ip,login user (hard-coded as root here),effective user,command
HISTORY_CMD (?<time>\d+.*),%{HOSTNAME:hostname},%{IPV4:ip},root,%{WORD:user},(?<cmd>\S+.*)
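As an added example (not part of the original post), here is a small Python parser for the log lines that the HISTTIMEFORMAT/PROMPT_COMMAND settings above produce, mirroring the HISTORY_CMD grok pattern. It generalises that pattern in two ways, both assumptions of this example rather than the page's rule: the login-user field is a named group instead of the literal root, and the IP field may be empty, because `who am i` prints nothing in a non-interactive shell, which leaves those fields blank and makes the strict grok pattern fail. The sample lines and the hostname web01 are constructed. `parse_log` keeps unparsable lines instead of dropping them (the file is world-writable under the chmod 666 above, so treating it as untrusted input is the safe default), and `escalated` uses the two user fields the format records to find sessions where the effective user differs from the login user.

```python
import re
from datetime import datetime

# Constructed sample of /var/log/history_command.log in the layout produced by the
# bashrc settings above: "YYYY-MM-DD HH:MM:SS,hostname,login ip,login user,effective user,command"
SAMPLE_LOG = """\
2016-06-02 10:15:01,web01,192.168.1.23,root,root,cat /etc/passwd
2016-06-02 10:15:40,web01,192.168.1.23,root,root,useradd -m deploy
2016-06-02 10:16:03,web01,10.0.0.5,alice,root,sudo -i
2016-06-02 10:17:30,web01,,,root,ls -la /root
2016-06-02 10:18:00,web01,1234,bob,bob,vim /etc/ssh/sshd_config
"""

# Python counterpart of the HISTORY_CMD grok pattern. Differences (assumptions of this
# example, not the page's pattern): login_user is a named group instead of the literal
# "root", and the ip field may be empty, which is what the format yields when
# `who am i` prints nothing.
HISTORY_CMD = re.compile(
    r"^(?P<time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),"
    r"(?P<hostname>[^,]+),"
    r"(?P<ip>(?:\d{1,3}\.){3}\d{1,3})?,"
    r"(?P<login_user>\w*),"
    r"(?P<user>\w+),"
    r"(?P<cmd>.*)$"
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not fit the format."""
    m = HISTORY_CMD.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%d %H:%M:%S")
    return rec


def parse_log(text):
    """Split a log into (parsed records, lines that did not match).

    Non-matching lines are kept, not discarded: the log file is world-writable
    in the setup above, so anything that does not fit the format deserves a look.
    """
    records, unparsed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)
        else:
            records.append(rec)
    return records, unparsed


def escalated(records):
    """Records whose effective user differs from the login user, i.e. the shell
    was reached through su/sudo after logging in as someone else."""
    return [r for r in records if r["login_user"] and r["login_user"] != r["user"]]


if __name__ == "__main__":
    recs, bad = parse_log(SAMPLE_LOG)
    for r in recs:
        stamp = r["time"].strftime("%Y-%m-%d %H:%M:%S")
        print(f'{stamp} {r["hostname"]} {r["ip"] or "-":15} '
              f'{r["login_user"] or "-"}->{r["user"]}: {r["cmd"]}')
    for r in escalated(recs):
        print("escalated session:", r["login_user"], "->", r["user"], r["cmd"])
    for line in bad:
        print("unparsed:", line)
```

The last sample line has a non-IP value in the third field (what a console login without a remote host can leave there), so it lands in the unparsed list; in Logstash the same line would carry a _grokparsefailure tag, which is worth alerting on rather than ignoring.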
Kibana visualization
Original article: http://cqfish.blog.51cto.com/622299/1789827