命令实时记录和上传elk
1、编写命令实时记录脚本
vim /etc/profile.d/history.sh
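# Record each interactive command to syslog (facility local6, level debug) right before
# the next prompt is drawn, in the form:
#   "<user> [<shell pid>]: [<ssh client ip>] <command> [<exit status>]"
# The format is unchanged so downstream rsyslog/filebeat parsing keeps working.
# $? is saved first, because every later command in the string overwrites it.
# SSH_CLIENT is "ip port port"; the expansion keeps the first field (empty for local logins).
# `builtin history` and `command -p logger` are used so that a shell function or a PATH entry
# of the same name cannot replace the real tools and swallow the record; HISTTIMEFORMAT is
# cleared for the `history` call so the sed strips exactly the leading history number.
# The sed pattern uses POSIX `[0-9][0-9]*` instead of the GNU-only `\+`.
# NOTE(review): only interactive bash sessions that source /etc/profile.d are covered; treat
# this log as supporting audit data, not as a tamper-proof record of all activity.
export PROMPT_COMMAND='RETRN_VAL=$?; SSH_CLIENT_IP=${SSH_CLIENT%% *}; command -p logger -p local6.debug "$(whoami) [$$]: [$SSH_CLIENT_IP] $(HISTTIMEFORMAT= builtin history 1 | sed "s/^[ ]*[0-9][0-9]*[ ]*//") [$RETRN_VAL]"'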
readonly PROMPT_COMMAND
2、利用rsyslog debug到users-command.log文件
vim /etc/rsyslog.d/history.conf
local6.debug /var/log/users-command.log
3、重启rsyslog
systemctl restart rsyslog
4、安装filebeat
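# Download Filebeat together with the publisher's SHA-512 checksum file and verify the
# package before rpm installs it with root privileges; a corrupted or substituted
# download is rejected instead of being installed unchecked.
# Alternatively import the Elastic signing key (https://artifacts.elastic.co/GPG-KEY-elasticsearch)
# and check the package signature with `rpm -K`.
wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-8.17.0-x86_64.rpm
wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-8.17.0-x86_64.rpm.sha512
sha512sum -c filebeat-8.17.0-x86_64.rpm.sha512 && rpm -ivh filebeat-8.17.0-x86_64.rpm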
5、编写filebeat配置文件
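# Filebeat configuration: ships the rsyslog-written command log to Logstash.
# Indentation restored: nested keys and list items must be indented for the file to parse.
filebeat.inputs:
# First input is disabled (enabled: false); kept as a template for /var/log/cron.
- type: log
  enabled: false
  paths:
    - /var/log/cron
  exclude_lines: ['fileserver filebeat','filebeat']
  fields:
    filetype: log_info
  fields_under_root: true
# Command history written by rsyslog (local6.debug -> /var/log/users-command.log).
# NOTE(review): the `log` input type is deprecated in Filebeat 8.x in favour of `filestream`;
# migrate when convenient, the paths/fields settings carry over.
- type: log
  enabled: true
  paths:
    - /var/log/users-command.log
  fields:
    filetype: log_cmd
  fields_under_root: true
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false
setup.template.settings:
  index.number_of_shards: 1
setup.kibana:
# NOTE(review): this output is plain TCP. The command log can contain secrets typed on the
# command line (tokens, passwords passed as arguments), so enable TLS to Logstash via the
# output.logstash.ssl.* settings (certificate_authorities, certificate, key) before relying on it.
output.logstash:
  hosts: ["172.30.7.110:5044"]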