BIND9 → ELK: sending logs
Bloková schéma

Nastavenie BIND9 Logovania:
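logging {
    # NOTIFY and zone-transfer traffic (inbound and outbound) share one
    # verbose channel.
    channel "log_notify" {
        file "/var/log/named/named.notify.log" versions 7 size 50m;
        severity debug 1;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    category "notify" { "log_notify"; };
    category "xfer-in" { "log_notify"; };
    category "xfer-out" { "log_notify"; };

    # Security category (rejected queries, updates and transfers) goes to
    # two files: a verbose debug-level one and a compact one whose level
    # follows the server's current debug level ("severity dynamic").
    channel "log_security" {
        file "/var/log/named/named.security.log" versions 7 size 50m;
        severity debug 1;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    channel "security_file" {
        file "/var/log/named/security.log" versions 3 size 30m;
        severity dynamic;
        print-time yes;
    };
    # One statement naming both channels replaces the two separate
    # "category security" statements of the earlier version.
    category "security" { "log_security"; "security_file"; };

    # Everything not matched by a more specific category.
    channel "log_default" {
        file "/var/log/named/named.default.log" versions 7 size 50m;
        severity debug 1;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    category "default" { "log_default"; };

    # Query log - the file Filebeat tails and ships to Logstash.
    # This channel was previously also named "log_default", i.e. a second
    # definition of an already defined channel; whether named rejects that
    # at startup or resolves the name to the first definition, the queries
    # never reached named.queries.log. It now has its own name.
    # Query messages are logged at severity info, so no "severity debug"
    # line is needed; query logging itself must still be switched on with
    # "querylog yes;" in the options block or at runtime via "rndc querylog".
    channel "log_queries" {
        file "/var/log/named/named.queries.log" versions 7 size 350m;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    category "queries" { "log_queries"; };
};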
Nastavenie FileBeat:
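filebeat.inputs:
  # BIND query log written by the "queries" channel in named.conf.
  # "input_type" is the pre-6.x spelling; with the filebeat.inputs syntax the
  # key is "type".
  - type: log
    paths:
      - "/var/log/named/named.queries.log"
    # Not under root, so Logstash sees it as [fields][log_type] and uses it
    # to pick the "bind" branch of its filter.
    fields:
      log_type: bind

processors:
# - add_host_metadata: ~
# - add_cloud_metadata: ~

output.logstash:
  # The Logstash hosts
  hosts: ["192.168.207.13:5001"]
  # This link is plaintext as configured; the ssl.* options of the logstash
  # output are the place to add TLS if it crosses an untrusted network.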
Nastavenie Logstash:
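filter {
  # Two flavours of the BIND query-log line are handled: "bind", where the
  # "client" token is followed by an identifier and then the address, and
  # "bindold", where the address comes directly after "client". The grok
  # pattern is the only difference; date handling and field clean-up are
  # shared below instead of being duplicated per type.
  if [fields][log_type] == "bind" {
    grok {
      patterns_dir => ["/etc/logstash/patern"]
      match => { "message" => "%{BIND9_DATE:EventTime} queries: %{LOGLEVEL:LogLevel}: client %{DATA:ClientID} %{IP:ClientIP}[#]%{NUMBER:ClientPort} \(%{HOSTNAME:Hostname}\)[:] query: %{HOSTNAME:QueryName} %{WORD:QueryClass} %{WORD:QueryType} %{DATA:QueryFlags} \(%{IP:LocalAddress}\)" }
    }
  }
  if [fields][log_type] == "bindold" {
    grok {
      patterns_dir => ["/etc/logstash/patern"]
      match => { "message" => "%{BIND9_DATE:EventTime} queries: %{LOGLEVEL:LogLevel}: client %{IP:ClientIP}[#]%{NUMBER:ClientPort} \(%{HOSTNAME:Hostname}\)[:] query: %{HOSTNAME:QueryName} %{WORD:QueryClass} %{WORD:QueryType} %{DATA:QueryFlags} \(%{IP:LocalAddress}\)" }
    }
  }
  if [fields][log_type] in ["bind", "bindold"] {
    date {
      match => [ "EventTime", "dd-MMM-yyyy HH:mm:ss.SSS"]
      timezone => "Europe/Bratislava"
      # "MMM" is parsed by month name; pinning the locale keeps the parse
      # independent of the JVM's default locale on the Logstash host.
      locale => "en"
    }
    mutate {
      remove_field => ["path", "host", "@version", "EventTime" ]
    }
  }
}
output {
  if [fields][log_type] in ["bind", "bindold"] {
    if "_grokparsefailure" in [tags] {
      # Unparsed lines go to their own index so a pattern problem shows up
      # there instead of the events being lost. Previously only "bind"
      # failures were indexed; "bindold" failures were dropped silently.
      elasticsearch {
        hosts => ["147.232.207.2:9200"]
        index => "grokparsefailure-dns-%{+YYYY.MM.dd}"
      }
    } else {
      # Plain http without credentials as configured; the elasticsearch
      # output's ssl/cacert/user/password settings apply if the cluster
      # requires them.
      elasticsearch {
        hosts => ["147.232.207.2:9200"]
        index => "dns-%{+YYYY.MM.dd}"
      }
    }
  }
}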
patern:
# Timestamp written by BIND's "print-time yes": day-month-year joined by
# hyphens, one or more spaces, then the time (dd-MMM-yyyy HH:mm:ss.SSS).
BIND9_DATE %{MONTHDAY}-%{MONTH}-%{YEAR} *%{TIME}