{"id":1977,"date":"2021-09-18T19:12:25","date_gmt":"2021-09-18T17:12:25","guid":{"rendered":"https:\/\/blog.mhasin.eu\/?p=1977"},"modified":"2021-09-19T08:54:02","modified_gmt":"2021-09-19T06:54:02","slug":"bind9-elk-send-log","status":"publish","type":"post","link":"https:\/\/blog.mhasin.eu\/?p=1977","title":{"rendered":"BIND9 ELK send LOG"},"content":{"rendered":"\n<p>Bloková schéma toku logov (BIND9 &rarr; Filebeat &rarr; Logstash &rarr; Elasticsearch):<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"121\" height=\"661\" src=\"https:\/\/blog.mhasin.eu\/wp-content\/uploads\/2021\/09\/obrazok.png\" alt=\"\" class=\"wp-image-1979\" srcset=\"https:\/\/blog.mhasin.eu\/wp-content\/uploads\/2021\/09\/obrazok.png 121w, https:\/\/blog.mhasin.eu\/wp-content\/uploads\/2021\/09\/obrazok-55x300.png 55w\" sizes=\"auto, (max-width: 121px) 100vw, 121px\" \/><figcaption>Schéma ELK<\/figcaption><\/figure>\n\n\n\n<p><strong>Nastavenie BIND9 logovania (blok <code>logging<\/code> v konfigurácii named):<\/strong><\/p>\n\n\n\n<p>Pozn.: kanál <code>log_default<\/code> je v ukážke definovaný dvakrát (najprv pre <code>named.default.log<\/code>, potom pre <code>named.queries.log<\/code>, z ktorého číta Filebeat) a kategória <code>security<\/code> je priradená dvom kanálom (<code>log_security<\/code> aj <code>security_file<\/code>), takže bezpečnostné udalosti sa zrejme zapíšu dvakrát. Duplicitný názov kanála named buď odmietne, alebo sa použije len jedna z definícií a dotazy skončia v inom súbore, než z ktorého číta Filebeat - pre dotazy použite samostatný názov kanála, napr. <code>log_queries<\/code>, a konfiguráciu pred nasadením overte príkazom <code>named-checkconf<\/code>. Logovanie dotazov sa pri prítomnej kategórii <code>queries<\/code> zapína automaticky (pokiaľ nie je v <code>options<\/code> nastavené <code>querylog no<\/code>); súbor <code>named.queries.log<\/code> musí byť čitateľný pre používateľa, pod ktorým beží Filebeat.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>logging{\n        category \"notify\" { \"log_notify\"; };\n        category \"xfer-in\" { \"log_notify\"; };\n        category \"xfer-out\" { \"log_notify\"; };\n        channel \"log_notify\" {\n                file \"\/var\/log\/named\/named.notify.log\" versions 7 size 50m;\n                severity debug 1;\n                print-time yes;\n                print-severity yes;\n                print-category yes;\n        };\n\n        category \"security\" { \"log_security\"; };\n        channel \"log_security\" {\n                file \"\/var\/log\/named\/named.security.log\" versions 7 size 50m;\n                severity debug 1;\n                print-time yes;\n                print-severity yes;\n                print-category yes;\n        };\n\n        category \"default\" { \"log_default\"; };\n        channel \"log_default\" {\n                file \"\/var\/log\/named\/named.default.log\" versions 7 size 50m;\n                severity debug 1;\n                print-time yes;\n    
            print-severity yes;\n                print-category yes;\n        };\n        category \"queries\" { \"log_default\"; };\n        channel \"log_default\" {\n                file \"\/var\/log\/named\/named.queries.log\" versions 7 size 350m;\n#                severity debug 1;\n                print-time yes;\n                print-severity yes;\n                print-category yes;\n        };\n\n    channel security_file {\n        file \"\/var\/log\/named\/security.log\" versions 3 size 30m;\n        severity dynamic;\n        print-time yes;\n    };\n    category security {\n        security_file;\n    };\n\n\n};\n<\/code><\/pre>\n\n\n\n<p><strong>Nastavenie Filebeatu:<\/strong><\/p>\n\n\n\n<p>Pozn.: výstup do Logstashu (<code>192.168.207.13:5001<\/code>) je v ukážke bez TLS a bez overenia protistrany, hoci logy DNS dotazov obsahujú IP adresy klientov aj dotazované domény. V produkcii v sekcii <code>output.logstash<\/code> nastavte <code>ssl.certificate_authorities<\/code>, <code>ssl.certificate<\/code> a <code>ssl.key<\/code> a port 5001 na Logstash serveri obmedzte firewallom len na adresy DNS serverov. V novších verziách Filebeatu sa pod <code>filebeat.inputs<\/code> používa <code>type: log<\/code> namiesto zastaraného <code>input_type<\/code>. Hodnota <code>fields.log_type<\/code> je kľúč, podľa ktorého Logstash nižšie vyberá filter aj cieľový index, takže musí zodpovedať podmienkam v sekciách <code>filter<\/code> a <code>output<\/code>.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>processors:\n#  - add_host_metadata: ~\n#  - add_cloud_metadata: ~\n\noutput.logstash:\n  # The Logstash hosts\n  hosts: [\"192.168.207.13:5001\"]\n\n\n\nfilebeat.inputs:\n    - input_type: log\n      paths:\n        - \"\/var\/log\/named\/named.queries.log\"\n\n      fields:\n   \n        log_type: bind\n\n<\/code><\/pre>\n\n\n\n<p><strong>Nastavenie Logstashu:<\/strong><\/p>\n\n\n\n<p>Pozn.: ukážka obsahuje len sekcie <code>filter<\/code> a <code>output<\/code>; vstup z Filebeatu treba doplniť, napr. <code>input { beats { port =&gt; 5001 } }<\/code>, ideálne s <code>ssl =&gt; true<\/code> a certifikátmi. Výstup do Elasticsearchu (<code>147.232.207.2:9200<\/code>, verejná adresa) ide cez nešifrované HTTP bez prihlasovacích údajov; v produkcii doplňte <code>ssl =&gt; true<\/code> a <code>user<\/code>\/<code>password<\/code> (alebo <code>api_key<\/code>) a port 9200 nevystavujte mimo monitorovacej siete. Filter <code>mutate<\/code> odstraňuje okrem iného pole <code>host<\/code>, ktoré Filebeat bežne pridáva, takže pri viacerých DNS serveroch nebude v indexe vidieť, ktorý server udalosť zapísal. Udalosti typu <code>bindold<\/code>, ktoré grok nerozparsuje, sa v sekcii <code>output<\/code> nikam neposielajú (do indexu <code>grokparsefailure-dns-*<\/code> idú len udalosti typu <code>bind<\/code>). Pattern <code>BIND9_DATE<\/code> nie je štandardný; jeho definícia je v súbore v adresári <code>\/etc\/logstash\/patern<\/code> (pozri nižšie).<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>filter {\n    if [fields][log_type] == \"bind\" {\n\n          grok {\n                patterns_dir => [\"\/etc\/logstash\/patern\"]\n                match => { \"message\" => \"%{BIND9_DATE:EventTime} queries: %{LOGLEVEL:LogLevel}: client %{DATA:ClientID} %{IP:ClientIP}[#]%{NUMBER:ClientPort} \\(%{HOSTNAME:Hostname}\\)[:] query: %{HOSTNAME:QueryName} %{WORD:QueryClass} %{WORD:QueryType} %{DATA:QueryFlags} \\(%{IP:LocalAddress}\\)\" }\n\n              }\n          date {\n                match => [ \"EventTime\", \"dd-MMM-yyyy HH:mm:ss.SSS\"]\n                timezone => \"Europe\/Bratislava\"\n            }\n          mutate {\n                    remove_field => [\"path\", \"host\", \"@version\", \"EventTime\" ]\n            }\n\n    }\n\n\n    if [fields][log_type] == \"bindold\" {\n\n          grok {\n              
  patterns_dir => [\"\/etc\/logstash\/patern\"]\n                match => { \"message\" => \"%{BIND9_DATE:EventTime} queries: %{LOGLEVEL:LogLevel}: client %{IP:ClientIP}[#]%{NUMBER:ClientPort} \\(%{HOSTNAME:Hostname}\\)[:] query: %{HOSTNAME:QueryName} %{WORD:QueryClass} %{WORD:QueryType} %{DATA:QueryFlags} \\(%{IP:LocalAddress}\\)\" }\n\n              }\n          date {\n                match => [ \"EventTime\", \"dd-MMM-yyyy HH:mm:ss.SSS\"]\n                timezone => \"Europe\/Bratislava\"\n            }\n          mutate {\n                    remove_field => [\"path\", \"host\", \"@version\", \"EventTime\" ]\n            }\n\n    }\n\n\n\n}\n\n\n\n\noutput {\n        if \"_grokparsefailure\" not in [tags] {\n        # do something\n\n                if [fields][log_type] == \"bind\" {\n                            elasticsearch {\n                                hosts => [\"147.232.207.2:9200\"]\n                                index => \"dns-%{+YYYY.MM.dd}\"\n\n\n                            }\n                }\n        }\n\n        if \"_grokparsefailure\" not in [tags] {\n        # do something\n\n                if [fields][log_type] == \"bindold\" {\n                            elasticsearch {\n                                hosts => [\"147.232.207.2:9200\"]\n                                index => \"dns-%{+YYYY.MM.dd}\"\n\n\n                            }\n                }\n        }\n\n        if \"_grokparsefailure\" in [tags] {\n                if [fields][log_type] == \"bind\" {\n                            elasticsearch {\n                                hosts => [\"147.232.207.2:9200\"]\n                                index => \"grokparsefailure-dns-%{+YYYY.MM.dd}\"\n\n\n                            }\n                }\n        }\n\n\n}\n\n\n\n\n\n\n\n\n<\/code><\/pre>\n\n\n\n<p>patern:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>BIND9_DATE %{MONTHDAY}[-]%{MONTH}[-]%{YEAR}[ ]*%{TIME}\n<\/code><\/pre>\n<div class=\"pdf24Plugin-cp\"> \t<form 
class=\"pdf24Plugin-cp-space\">\u00a0\u00a0<\/span> \t\t<span class=\"pdf24Plugin-cp-text\">Send article as PDF<\/span> \t\t<span class=\"pdf24Plugin-cp-space\">\u00a0\u00a0<\/span> \t\t<input class=\"pdf24Plugin-cp-input\" style=\"margin: 0px;\" type=\"text\" name=\"sendEmailTo\" placeholder=\"Enter email address\" \/> \t\t<input class=\"pdf24Plugin-cp-submit\" style=\"margin: 0px;\" type=\"submit\" value=\"Send\" \/> \t<\/form> <\/div>","protected":false},"excerpt":{"rendered":"Blokova schema Nastavenie BIND9 Logovania: Nastavenie FileBeat: Nastavenie Logstash: patern: \u00a0\u00a0 Send article as PDF \u00a0\u00a0\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"arc_restricted_post":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-1977","post","type-post","status-publish","format-standard","hentry","category-nezaradene"],"_links":{"self":[{"href":"https:\/\/blog.mhasin.eu\/index.php?rest_route=\/wp\/v2\/posts\/1977","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.mhasin.eu\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mhasin.eu\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mhasin.eu\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mhasin.eu\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1977"}],"version-history":[{"count":6,"href":"https:\/\/blog.mhasin.eu\/index.php?rest_route=\/wp\/v2\/posts\/1977\/revisions"}],"predecessor-version":[{"id":1986,"href":"https:\/\/blog.mhasin.eu\/index.php?rest_route=\/wp\/v2\/posts\/1977\/revisions\/1986"}],"wp:attachment":[{"href":"https:\/\/blog.mhasin.eu\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1977"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mhasin.eu\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1977"},{
"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mhasin.eu\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1977"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}