# It should be obvious to anyone that this is only a preview version — a
# concept, if you like. There is still a lot left to build here.
# Instead of reading files: a proper log receiver, and much more.
# This is just for myself, so I don't forget.
#
# One file per Cisco message ID. Every input re-reads its file from the
# start on each pipeline launch (sincedb disabled, start_position beginning),
# which is convenient for replaying a sample but will re-index the same
# events into Elasticsearch on every restart.
# The staging directory is /tmp; it is writable by every local user, so what
# gets parsed below is only as trustworthy as whoever can write there — a
# temporary stand-in until the real receiver replaces it.
input {
  file {
    tags => ["acl"]
    path => "/tmp/cisco/%3SWCOS-I-LOGACLINETPORTS.log"
    start_position => "beginning"
    sincedb_path => "/dev/null"
  }
  file {
    tags => ["dhcp.snooping"]
    path => "/tmp/cisco/%DHCPSNOOP-E-HDRMAC.log"
    start_position => "beginning"
    sincedb_path => "/dev/null"
  }
  file {
    tags => ["dhcp.snoo.lease"]
    path => "/tmp/cisco/%DHCPSNOOP-E-FILEENTRYREMD.log"
    start_position => "beginning"
    sincedb_path => "/dev/null"
  }
  file {
    tags => ["ifup"]
    path => "/tmp/cisco/%LINK-I-Up.log"
    start_position => "beginning"
    sincedb_path => "/dev/null"
  }
  file {
    tags => ["ifdown"]
    path => "/tmp/cisco/%LINK-W-Down.log"
    start_position => "beginning"
    sincedb_path => "/dev/null"
  }
  file {
    tags => ["stp"]
    path => "/tmp/cisco/%STP-W-PORTSTATUS.log"
    start_position => "beginning"
    sincedb_path => "/dev/null"
  }
}
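filter {
  # Dispatch on the tag attached by the matching file input. Each branch only
  # extracts fields; the parse-failure check and the timestamp handling that
  # every branch previously duplicated are applied once after the chain.
  if "acl" in [tags] {
    grok {
      match => {
        "message" => "%{GREEDYDATA:timestamp}-%{HOUR}:%{MINUTE} %{IP:cisco.ip} %{GREEDYDATA}: %{HOSTNAME:cisco.interface}: %{WORD:acl.action} %{WORD:acl.type} %{HOSTNAME:ip.protocol}?\(%{WORD:protocol}?\) %{IP:acl.source.ip}?\(%{NUMBER:acl.source.port}?\) %{GREEDYDATA} %{IP:acl.destination.ip}?\(%{NUMBER:acl.destination.port}"
      }
    }
    # GeoIP enrichment only yields a location for public source addresses; for
    # internal sources (or when grok captured nothing) the lookup fails and the
    # event is tagged _geoip_lookup_failure instead of erroring out.
    geoip {
      source => "acl.source.ip"
    }
  }
  else if "dhcp.snooping" in [tags] {
    grok {
      match => {
        "message" => "%{GREEDYDATA:timestamp}-%{HOUR}:%{MINUTE} %{IP:cisco.ip} %{GREEDYDATA}: %{GREEDYDATA:snooping.event}: %{HOSTNAME} - %{NUMBER:snooping.vlan.id}, %{GREEDYDATA} - %{HOSTNAME:cisco.interface}, %{GREEDYDATA} - %{MAC:source.mac}, %{GREEDYDATA} - %{MAC:destination.mac}, %{GREEDYDATA} - %{MAC:client.mac}, %{GREEDYDATA} - %{GREEDYDATA:snooping.error.message}"
      }
    }
  }
  else if "dhcp.snoo.lease" in [tags] {
    grok {
      match => {
        "message" => "%{GREEDYDATA:timestamp}-%{HOUR}:%{MINUTE} %{IP:cisco.ip} %{GREEDYDATA}: %{GREEDYDATA:snooping.event}: %{WORD} - %{NUMBER:vlan.id}, %{WORD} - %{MAC:client.mac}, %{WORD} - %{IP:client.ip}, %{WORD} - %{DATA:interface}, %{WORD} - %{NUMBER:type}, %{WORD} - %{GREEDYDATA:snooping.error.message}"
      }
    }
  }
  else if "ifup" in [tags] or "ifdown" in [tags] {
    # Both link-state messages share one layout; the tag already tells them apart.
    grok {
      match => {
        "message" => "%{GREEDYDATA:timestamp}-%{HOUR}:%{MINUTE} %{IP:cisco.ip} %{GREEDYDATA}: %{HOSTNAME:cisco.interface}"
      }
    }
  }
  else if "stp" in [tags] {
    grok {
      match => {
        "message" => "%{GREEDYDATA:timestamp}-%{HOUR}:%{MINUTE} %{IP:cisco.ip} %{GREEDYDATA}: %{HOSTNAME:cisco.interface}: %{GREEDYDATA:stp.event}"
      }
    }
  }
  else {
    # No known tag: nothing to parse, discard the event.
    drop { }
  }

  # grok tags unmatched events "_grokparsefailure". The earlier spelling
  # "_grokparcefailure" never matched, so half-parsed events were indexed with
  # missing fields. Dropping them keeps the index clean, but it also hides
  # format changes and malformed messages from analysts; for a monitoring
  # pipeline, routing them to a separate index is the safer choice.
  if "_grokparsefailure" in [tags] {
    drop { }
  }

  # Every pattern above captures everything before the trailing "-HH:MM" into
  # "timestamp", so whatever offset the device printed is discarded and the
  # configured timezone is assumed instead. If a switch clock or offset differs
  # from America/Toronto, @timestamp will be skewed — keep this in step with
  # the devices' clock settings.
  date {
    match => ["timestamp", "ISO8601"]
    timezone => "America/Toronto"
    target => "@timestamp"
  }
}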
# Ship every surviving event to a single Elasticsearch node using the plugin's
# default index naming. As written the connection is plain HTTP with no
# credentials, so the link between collector and cluster is neither encrypted
# nor authenticated; a deployment beyond this concept should enable TLS and
# credentials on the output (the plugin's ssl/cacert and user/password options).
output {
  elasticsearch {
    hosts => ["192.168.15.77:9200"]
  }
}