
BIND9 ELK send LOG

[Figure: block diagram]

[Figure: ELK diagram]

BIND9 logging configuration (named.conf). The queries channel must keep print-time, print-severity and print-category enabled, because the Logstash grok pattern further down expects every line to start with the "date queries: level:" prefix:

logging {
        category "notify" { "log_notify"; };
        category "xfer-in" { "log_notify"; };
        category "xfer-out" { "log_notify"; };
        channel "log_notify" {
                file "/var/log/named/named.notify.log" versions 7 size 50m;
                severity debug 1;
                print-time yes;
                print-severity yes;
                print-category yes;
        };

        # security events go to both channels
        category "security" { "log_security"; "security_file"; };
        channel "log_security" {
                file "/var/log/named/named.security.log" versions 7 size 50m;
                severity debug 1;
                print-time yes;
                print-severity yes;
                print-category yes;
        };
        channel "security_file" {
                file "/var/log/named/security.log" versions 3 size 30m;
                severity dynamic;
                print-time yes;
        };

        category "default" { "log_default"; };
        channel "log_default" {
                file "/var/log/named/named.default.log" versions 7 size 50m;
                severity debug 1;
                print-time yes;
                print-severity yes;
                print-category yes;
        };

        # queries need their own channel: a channel name may be declared only once,
        # so reusing "log_default" here would be rejected by named-checkconf
        category "queries" { "log_queries"; };
        channel "log_queries" {
                file "/var/log/named/named.queries.log" versions 7 size 350m;
#               severity debug 1;
                print-time yes;
                print-severity yes;
                print-category yes;
        };
};

Filebeat configuration (filebeat.yml). The custom field log_type is what Logstash later tests as [fields][log_type]:

filebeat.inputs:
  # "type" replaces the older "input_type" key (deprecated since Filebeat 6)
  - type: log
    paths:
      - "/var/log/named/named.queries.log"
    # shows up in Logstash as [fields][log_type]
    fields:
      log_type: bind

processors:
#  - add_host_metadata: ~
#  - add_cloud_metadata: ~

output.logstash:
  # The Logstash hosts
  hosts: ["192.168.207.13:5001"]

Logstash configuration (pipeline). Two log_type values are handled: bind for BIND releases whose query log prints a client handle (@0x...) before the client address, and bindold for older releases that print the address directly; the two grok patterns differ only in that %{DATA:ClientID} field:

filter {
    if [fields][log_type] == "bind" {
        grok {
            patterns_dir => ["/etc/logstash/patern"]
            match => { "message" => "%{BIND9_DATE:EventTime} queries: %{LOGLEVEL:LogLevel}: client %{DATA:ClientID} %{IP:ClientIP}[#]%{NUMBER:ClientPort} \(%{HOSTNAME:Hostname}\)[:] query: %{HOSTNAME:QueryName} %{WORD:QueryClass} %{WORD:QueryType} %{DATA:QueryFlags} \(%{IP:LocalAddress}\)" }
        }
        date {
            match => [ "EventTime", "dd-MMM-yyyy HH:mm:ss.SSS" ]
            timezone => "Europe/Bratislava"
        }
        mutate {
            remove_field => [ "path", "host", "@version", "EventTime" ]
        }
    }

    if [fields][log_type] == "bindold" {
        grok {
            patterns_dir => ["/etc/logstash/patern"]
            match => { "message" => "%{BIND9_DATE:EventTime} queries: %{LOGLEVEL:LogLevel}: client %{IP:ClientIP}[#]%{NUMBER:ClientPort} \(%{HOSTNAME:Hostname}\)[:] query: %{HOSTNAME:QueryName} %{WORD:QueryClass} %{WORD:QueryType} %{DATA:QueryFlags} \(%{IP:LocalAddress}\)" }
        }
        date {
            match => [ "EventTime", "dd-MMM-yyyy HH:mm:ss.SSS" ]
            timezone => "Europe/Bratislava"
        }
        mutate {
            remove_field => [ "path", "host", "@version", "EventTime" ]
        }
    }
}




output {
    # successfully parsed events from both BIND variants share one daily index
    if "_grokparsefailure" not in [tags] {
        if [fields][log_type] in ["bind", "bindold"] {
            elasticsearch {
                hosts => ["147.232.207.2:9200"]
                index => "dns-%{+YYYY.MM.dd}"
            }
        }
    }

    # lines the grok pattern could not parse are kept in a separate index
    # (only for log_type bind; unparsed bindold lines are not indexed)
    if "_grokparsefailure" in [tags] {
        if [fields][log_type] == "bind" {
            elasticsearch {
                hosts => ["147.232.207.2:9200"]
                index => "grokparsefailure-dns-%{+YYYY.MM.dd}"
            }
        }
    }
}








Custom grok pattern file in /etc/logstash/patern (the directory referenced by patterns_dir above); it defines the BIND9_DATE pattern used to capture EventTime:

BIND9_DATE %{MONTHDAY}[-]%{MONTH}[-]%{YEAR}[ ]*%{TIME}
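The following Python script is an added example and is not part of the original post or of the Logstash project: it mirrors the grok, date and output logic of the pipeline above so the pattern can be checked offline against sample lines before it is deployed. All log lines in it are constructed, the fixed +02:00 offset is an assumption standing in for the Europe/Bratislava zone, and INGEST_TIME is a constructed stand-in for the time Logstash would receive an unparsed line. It also shows one failure mode the pipeline inherits from grok's HOSTNAME pattern: names with underscores (typical SRV lookups) do not match and end up in the grokparsefailure index.

```python
"""Offline check of the BIND9 query-log parsing the Logstash pipeline performs.

Added example, not part of the original post: it mirrors the grok, date and
output logic in Python so the pattern can be tested before it reaches Logstash.
All log lines below are constructed, not captured from a real server.
"""
import re
from datetime import datetime, timedelta, timezone

# Regex building blocks mirroring the grok patterns the pipeline relies on:
# BIND9_DATE from the custom pattern file; IP, HOSTNAME, WORD and DATA as in
# logstash-patterns-core. HOSTNAME follows grok's definition on purpose: it
# allows no underscores, which matters for SRV-style names (see SAMPLE_SRV).
_DATE = r"(?P<EventTime>\d{1,2}-[A-Z][a-z]{2}-\d{4} +\d{2}:\d{2}:\d{2}\.\d{3})"
_IP = r"(?:\d{1,3}(?:\.\d{1,3}){3}|[0-9A-Fa-f:]+)"
_LABEL = r"[0-9A-Za-z][0-9A-Za-z-]{0,62}"
_HOST = _LABEL + r"(?:\." + _LABEL + r")*\.?"


def _query_pattern(with_client_id):
    # "bind": newer BIND prints a client handle (@0x...) before the address;
    # "bindold": older releases do not.
    client = r"client (?P<ClientID>\S+) " if with_client_id else r"client "
    return re.compile(
        _DATE + r" queries: (?P<LogLevel>\w+): " + client
        + r"(?P<ClientIP>" + _IP + r")#(?P<ClientPort>\d+) "
        + r"\((?P<Hostname>" + _HOST + r")\): query: "
        + r"(?P<QueryName>" + _HOST + r") (?P<QueryClass>\w+) (?P<QueryType>\w+) "
        + r"(?P<QueryFlags>.*?) \((?P<LocalAddress>" + _IP + r")\)$"
    )


PATTERNS = {"bind": _query_pattern(True), "bindold": _query_pattern(False)}

# The pipeline uses the named zone Europe/Bratislava. A fixed +02:00 (CEST,
# correct for the sample date) is assumed here so the script needs no tzdata.
LOG_TZ = timezone(timedelta(hours=2))

# Constructed sample lines in the format BIND writes with print-time,
# print-category and print-severity enabled.
SAMPLE_NEW = ("18-Sep-2021 10:11:12.123 queries: info: client @0x7f0a4c0a3d80 "
              "192.168.1.50#51234 (www.example.com): query: www.example.com "
              "IN A +E(0)K (192.168.1.10)")
SAMPLE_OLD = ("18-Sep-2021 10:11:12.123 queries: info: client "
              "192.168.1.50#51234 (www.example.com): query: www.example.com "
              "IN A +E(0)K (192.168.1.10)")
SAMPLE_SRV = ("18-Sep-2021 10:11:13.456 queries: info: client @0x7f0a4c0a3d80 "
              "192.168.1.50#51235 (_ldap._tcp.example.com): query: "
              "_ldap._tcp.example.com IN SRV +E(0)K (192.168.1.10)")
INGEST_TIME = datetime(2021, 9, 18, 12, 0, tzinfo=timezone.utc)  # stand-in for "now"


def parse_query_log(line, log_type="bind", tz=LOG_TZ):
    """Return the fields Logstash would emit for the line, or None where grok
    would tag the event with _grokparsefailure."""
    m = PATTERNS[log_type].match(line)
    if m is None:
        return None
    event = m.groupdict()
    # date filter: local EventTime -> UTC @timestamp; mutate then drops EventTime
    local = datetime.strptime(event.pop("EventTime"), "%d-%b-%Y %H:%M:%S.%f")
    event["@timestamp"] = local.replace(tzinfo=tz).astimezone(timezone.utc)
    event["ClientPort"] = int(event["ClientPort"])
    return event


def index_for(line, log_type, ingest_time=INGEST_TIME):
    """Elasticsearch index the pipeline's output section would write the line
    to, or None when it is dropped (parse failures are kept only for 'bind')."""
    event = parse_query_log(line, log_type)
    if event is not None:
        return "dns-" + event["@timestamp"].strftime("%Y.%m.%d")
    if log_type == "bind":
        # no date filter ran, so Logstash stamps the event with its ingest time
        day = ingest_time.astimezone(timezone.utc).strftime("%Y.%m.%d")
        return "grokparsefailure-dns-" + day
    return None


if __name__ == "__main__":
    for name, line, log_type in [("new", SAMPLE_NEW, "bind"),
                                 ("old", SAMPLE_OLD, "bindold"),
                                 ("old line, bind pattern", SAMPLE_OLD, "bind"),
                                 ("srv", SAMPLE_SRV, "bind")]:
        print(f"{name}: index={index_for(line, log_type)} "
              f"fields={parse_query_log(line, log_type)}")
```

Running the script prints the parsed fields and target index for each sample; the SRV line is the one to watch, since with the pattern as written such queries never reach the dns-* index, and a bindold source that produces unparsed lines loses them entirely because the output section only routes failures for log_type bind.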
18 September 2021, Uncategorized