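# Content of the file /etc/logstash/conf.d/auditd.conf
# Tested on the CentOS 7 audispd logs forwarded to logstash via rsyslog
#
# Pipeline: syslog input -> grok the audispd record into named fields -> elasticsearch.
# The grok patterns AUDITDTRIAL and AUDITD_1 .. AUDITD_26 referenced below are not part
# of the stock Logstash pattern set; they have to be supplied through patterns_dir,
# otherwise every audispd event is tagged _grokparsefailure and stays unparsed.
input {
  syslog {
    type => "AUDITD"
    port => xxxx
    # Bind address for the listener. The syslog input accepts plaintext from any
    # sender that can reach the port, so bind it to the interface the rsyslog
    # forwarders use and restrict reachability of the port at the network level.
    host => "xxx.xxx.xxx.xxx"
  }
}

filter {
  if [type] == "AUDITD" {
    if [program] == "audispd" {
      # First pass: consume the audit trail prefix and keep the remainder as [msg].
      grok {
        # patterns_dir => [ "<PATH-TO-CUSTOM-PATTERNS-DIR>" ]   # placeholder: directory holding the AUDITD* pattern definitions
        match => [ "message", "%{AUDITDTRIAL}%{GREEDYDATA:msg}" ]
      }
      # Second pass: try each audit record layout in turn; the first match wins.
      grok {
        # patterns_dir => [ "<PATH-TO-CUSTOM-PATTERNS-DIR>" ]   # placeholder: same directory as above
        match => [
          "msg", "%{AUDITD_1}",
          "msg", "%{AUDITD_2}",
          "msg", "%{AUDITD_3}",
          "msg", "%{AUDITD_4}",
          "msg", "%{AUDITD_5}",
          "msg", "%{AUDITD_6}",
          "msg", "%{AUDITD_7}",
          "msg", "%{AUDITD_8}",
          "msg", "%{AUDITD_9}",
          "msg", "%{AUDITD_10}",
          "msg", "%{AUDITD_11}",
          "msg", "%{AUDITD_12}",
          "msg", "%{AUDITD_13}",
          "msg", "%{AUDITD_14}",
          "msg", "%{AUDITD_15}",
          "msg", "%{AUDITD_16}",
          "msg", "%{AUDITD_17}",
          "msg", "%{AUDITD_18}",
          "msg", "%{AUDITD_19}",
          "msg", "%{AUDITD_20}",
          "msg", "%{AUDITD_21}",
          "msg", "%{AUDITD_22}",
          "msg", "%{AUDITD_23}",
          "msg", "%{AUDITD_24}",
          "msg", "%{AUDITD_25}",
          "msg", "%{AUDITD_26}"
        ]
      }
      # Drop the intermediate [msg] field only when both grok passes succeeded.
      # On a parse failure the event keeps [msg] next to the _grokparsefailure tag,
      # so records the patterns do not cover remain searchable for triage instead
      # of silently losing the body of the audit record from the indexed fields.
      if "_grokparsefailure" not in [tags] {
        mutate {
          remove_field => [ "msg" ]
        }
      }
    }
  }
}

output {
  if [type] == "AUDITD" {
    elasticsearch {
      flush_size => 2000
      protocol => "transport"
      cluster => "xxxxxxxx"
      host => "xxx.xxx.xxx.xxx"
      # One daily index shared with the other syslog traffic.
      index => "logstash-syslog-%{+YYYY.MM.dd}"
    }
  }
}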