logstash plugin을 이용하여 logstash-filter-bytes 설치

[root@tmplogsvr bin]# /usr/share/logstash/bin/logstash-plugin install logstash-filter-bytes
Using bundled JDK: /usr/share/logstash/jdk
Validating logstash-filter-bytes
Resolving mixin dependencies
Installing logstash-filter-bytes
Installation successful
[root@tmplogsvr bin]#

 

fortigate를 위한 logstash 패턴

####################################
###Fortinet Syslog Pattern Types:###
####################################

FORTILOG (?<TIMESTAMP>^\w+\s+\d+\s+\d+\:\d+\:\d+)\s(?<Client>\d+.\d+.\d+.\d+)\sdate=(?<DAY>\w+\-\w+\-\w+)\stime=(?<HOUR>\d+)\:(?<MINUTE>\d+)\:(?<SECOND>\d+)\sdevname="(?<Device_Name>.*)"\sdevid="(?<DEV_ID>\w+)"\slogid="(?<LOG_ID>\d+)"\stype="(?<LOG_TYPE>\w+)"\ssubtype="(?<SUB_LOG_TYPE>\w+)"

※ 기본 grok.pattern의 설정과 연계되어 있어 grok.pattern도 함께 작성 필요

 

fortigate를 위한 logstash 설정

[root@tmplogsvr bin]# cat /etc/logstash/conf.d/logstash.conf
input {
        file {
                path => "/var/log/rsyslog/192.168.10.14/*.log"
                start_position => "beginning"
                tags => ["fortigate"]
        }
}

filter {
        if "fortigate" in [tags] {
                grok {
                        patterns_dir => ["/etc/logstash/pattern.d"]
                        match => { "message" => [ "%{FORTILOG} %{GREEDYDATA:sub_message}" ] }
                }
                kv {
                        source => "sub_message"
                        value_split => "="
                }
                mutate { remove_field => [ "sub_message" ] }
                if "wan" in [srcintfrole] {
                        geoip {
                                source => "srcip"
                                target => "geoip_src"
                        }
                }
                if [sentbyte] != "" and [rcvdbyte] != "" {
                        bytes {
                                source => "rcvdbyte"
                                target => "receivedbyte"
                        }
                        bytes {
                                source => "sentbyte"
                                target => "sentedbyte"
                        }
                }
                mutate {
                        convert => {
                                "rcvdpkt" => "integer"
                                "sentpkt" => "integer"
                                "proto" => "integer"
                                "srcserver" => "integer"
                                "sessionid" => "integer"
                                "duration" => "integer"
                                "policyid" => "integer"
                                "HOUR" => "integer"
                                "MINUTE" => "integer"
                                "SECOND" => "integer"
                        }
                }
        }
}

output {
        if "fortigate" in [tags] {
                if "traffic" in [LOG_TYPE] {
                        elasticsearch {
                                hosts => ["http://192.168.0.17:9200"]
                                index => "logstash-fortigate-traffic-index-%{+YYYY.MM.dd}"
                        }
                }
                else if "event" in [LOG_TYPE] {
                        elasticsearch {
                                hosts => ["http://192.168.0.17:9200"]
                                index => "logstash-fortigate-event-index-%{+YYYY.MM.dd}"
                        }
                }
                else if "utm" in [LOG_TYPE] {
                        elasticsearch {
                                hosts => ["http://192.168.0.17:9200"]
                                index => "logstash-fortigate-utm-index-%{+YYYY.MM.dd}"
                        }
                }
        }
}
저작자표시 비영리 변경금지

'기술 노트 > fortigate' 카테고리의 다른 글

웹 페이지 접근 보호  (0) 2023.05.23
로그인 알람 설정  (0) 2023.04.06
interface https http ssh 접속 허용 cli  (0) 2023.03.24
interface status cli  (0) 2023.03.24
system shutdown cli  (0) 2023.03.24

+ Recent posts

티스토리툴바