我尝试配置logstash以在有人登录我的服务器时发送邮件。但它似乎不起作用。这是/etc/logstash/conf.d/email.conf
我的档案:
input {
file {
type => "syslog"
path => "/var/log/auth.log"
}
}
filter {
if [type] == "syslog" {
grok {
pattern => [ "%{SYSLOGBASE} Failed password for %{USERNAME:user} from % {IPORHOST:host} port %{POSINT:port} %{WORD:protocol}" ]
add_tag => [ "auth_failure" ]
}
}
}
output {
email {
tags => [ "auth_failure" ]
to => "<admin@gmail.com>"
from => "<alert@abc.com>"
options => [ "smtpIporHost", "smtp.abc.com",
"port", "25",
"domail", "abc.com",
"userName", "alert@abc.com",
"password", "mypassword",
"authenticationType", "plain",
"debug", "true"
]
subject => "Error"
via => "smtp"
body => "Here is the event line %{@message}"
htmlbody => "<h2>%{matchName}</h2><br/><br/><h3>Full Event</h3><br/><br/><div align='center'>%{@message}</div>"
}
}
/var/log/logstash/logstash.log {:timestamp=>"2015-03-10T11:46:41.152000+0700", :message=>"Using milestone 1 output plugin 'email'. This plugin should work, but would benefit from use by folks like you. Please let us know if you find bugs or have suggestions on how to improve this plugin. For more information on plugin milestones, see http://logstash.net/docs/1.4.1/plugin-milestones", :level=>:warn}
任何身体请帮忙!
答案 0 :(得分:0)
您在grok filter中没有使用正确的语法。它应该是这样的:
grok {
match => ["message", "..."]
}
其他次要评论:
tags => ["auth_failure"]条件过滤。首选if "auth_failture" in [tags]。@message的邮件。这也被弃用了,字段名为plain message。