Skip to content

lctrcl/logstash-linux

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

14 Commits
conf.d
conf.d
 
 
ext
ext
 
 
images
images
 
 
kibana
kibana
 
 
patterns.d
patterns.d
 
 
.gitmodules
.gitmodules
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

Linux Logstash Config

This is a Logstash configuration for Linux systems. It includes configuration and patterns provided by other projects in addition to custom created patterns/configs. This configuration was tested on a Ubuntu Server 16.04 LTS and includes patterns and configuration for the following log files and services:

  • Apache access logs (/var/log/apache2/*-access.log)
    • Usage of default Logstash COMBINEDAPACHELOG pattern.
    • The vhost attribute is aquired from the beginning of the file name until the first -. Example: patzke.org-access.log sets vhost to patzke.org.
    • The filter geoip and useragent are applied to the corresponding fields.
  • Authentication logs (/var/log/auth.log)
    • Generic parsing of PAM log records
    • OpenSSH sshd:
      • Successful and failed authentication
      • Disconnect event
    • sudo
    • su
    • systemd-logind
    • Account management tools:
      • useradd
      • groupadd
      • usermod
      • userdel
      • groupdel
  • Mailserver logs (/var/log/mail.log)

Default output is a local Elasticsearch instance. Indices are created per log file (apache, auth and mail) and month.

Searches, visualizations and dashboards for Kibana are included for the areas mentioned above:

Authentication Dashboard: Authentication

Failed SSH Authentication Dashboard: Failed SSH Authentication

Mail Dashboard: Mail

Web Dashboard: Web

Usage

Logstash Configuration

Initial

Clone this repository and initialize the submodules with git submodule update --init. Copy or link the directories conf.d, patterns.d and ext into /etc/logstash or merge their content into your existing directories and restart logstash.

The user logstash has to be member of the adm group or the permissions of the above mentioned files must be changed appropriately that Logstash is able to access them. Only read access is required!

The configuration contains an import input configuration (conf.d/10-import.conf) that reads the above mentioned logs from the directory /var/log/import and keeps the state in separate sincedb filtes. The intention of this config is the processing of rotated logs. The logs have to be unpacked before. After the import is finished the content of the import directory and the associated sincedb files can be removed.

Updating

This project includes dependency projects as submodules. Updating requires the following steps:

  1. git pull
  2. git submodule update

Kibana

Setting up Indices

Click on the Add New button in the area Management, Index Patterns and create the following patterns:

  • logstash-auth-*
  • logstash-mail-*
  • logstash-web-*

Time-field is always @timestamp, changing defaults is not required.

Importing Searches, Visualizations and Dashboards

Navigate into the area Management, Saved Objects and import the JSON files from the kibana/ directory in following order:

  1. searches.json
  2. visualizations.json
  3. dashboards.json

About

Logstash Configuration for Linux Logs (Authentication, Apache, Mail)

Resources

Readme

License

GPL-3.0 license
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published