Configure logstash to ban an IP address if it matches multiple times in the log

Time: 2015-11-19 12:22:12

Tags: logstash

I want to configure my logstash to ban an IP address if it matches 5 times in the log file, but I don't know how to count the number of times the IP has been seen. My current config file looks like this:

input {
  file {
    path => "/home/myuser/mygameserver/server_log.txt"
    start_position => "beginning"
  }
}

filter {
  grok {
    # The square brackets around the date are literals and must be escaped;
    # an unescaped [..] is a character class in grok and the pattern never matched.
    match => { "message" => "\[(?<date>[^\]]+)\] BAD RCON ATTEMPT BY: %{IP:clientip}" }
  }
}

output {
  exec {
    # Config values must be quoted strings, not barewords.
    type => "abuse"
    command => "iptables -A INPUT -s %{clientip} -j DROP"
  }
}

The log output looks like this:

[17/11/2015 22:38:02] BAD RCON ATTEMPT BY: 179.214.221.81
[17/11/2015 22:38:02] BAD RCON ATTEMPT BY: 179.214.221.81
[17/11/2015 22:38:02] BAD RCON ATTEMPT BY: 179.214.221.81
[17/11/2015 22:38:02] BAD RCON ATTEMPT BY: 179.214.221.81
[17/11/2015 22:38:02] BAD RCON ATTEMPT BY: 179.214.221.81
[17/11/2015 22:38:02] BAD RCON ATTEMPT BY: 179.214.221.81
[17/11/2015 22:38:02] BAD RCON ATTEMPT BY: 179.214.221.81
[17/11/2015 22:38:02] BAD RCON ATTEMPT BY: 179.214.221.81
[17/11/2015 22:38:02] BAD RCON ATTEMPT BY: 179.214.221.81
[17/11/2015 22:38:02] BAD RCON ATTEMPT BY: 179.214.221.81

I think the config file is correct; I just want to put a counter on it so that the firewall ban is only executed once the IP address has been found 5 times in the log.
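An added example, not part of the original post, of the per-IP counting the question asks for, written in Ruby because that is the language of Logstash's `ruby` filter. The threshold of 5, the line regex and the `RconAbuseTracker` name are assumptions taken from the question; the sample log is constructed.

```ruby
# Added example (not the asker's config): per-IP counting that a Logstash
# `ruby` filter could carry, so the `exec` output fires once, on the event
# that reaches the threshold, instead of on every matching line.
require 'ipaddr'

LINE_RE = /\A\[(?<date>[^\]]+)\] BAD RCON ATTEMPT BY: (?<clientip>\S+)\z/
BAN_THRESHOLD = 5 # assumption: the "5 times" from the question

class RconAbuseTracker
  attr_reader :counts, :banned
  def initialize(threshold = BAN_THRESHOLD)
    @threshold = threshold
    @counts = Hash.new(0) # state kept across events, keyed by client IP
    @banned = []          # IPs for which the ban command was emitted
  end

  # Parse one line; nil when it does not match or the IP is malformed, so
  # nothing but a valid address literal can reach the iptables command.
  def parse(line)
    m = LINE_RE.match(line.strip)
    return nil unless m
    IPAddr.new(m[:clientip]) # raises IPAddr::InvalidAddressError (< ArgumentError)
    { 'date' => m[:date], 'clientip' => m[:clientip] }
  rescue ArgumentError
    nil
  end

  # Count the event; tag it "ban" only on the event that hits the threshold.
  def process(line)
    event = parse(line)
    return nil unless event
    ip = event['clientip']
    @counts[ip] += 1
    event['attempts'] = @counts[ip]
    if @counts[ip] == @threshold
      event['tags'] = ['ban']
      @banned << ip
      event['command'] = ['iptables', '-A', 'INPUT', '-s', ip, '-j', 'DROP']
    end
    event
  end
end

# Constructed sample: the asker's repeated line plus a noise line and a bad IP.
SAMPLE_LOG = ['[17/11/2015 22:38:02] BAD RCON ATTEMPT BY: 179.214.221.81'] * 10 +
             ['[17/11/2015 22:38:03] player joined',
              '[17/11/2015 22:38:04] BAD RCON ATTEMPT BY: 999.1.1.1']

def run_sample(lines = SAMPLE_LOG)
  tracker = RconAbuseTracker.new
  [tracker, lines.map { |l| tracker.process(l) }.compact]
end
```

In a pipeline the same state would live in a `ruby` filter and the `exec` output would be wrapped in `if "ban" in [tags] { ... }`, so the iptables rule is appended exactly once per offending address rather than once per log line.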

0 answers:

No answers