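I want to configure my Logstash to ban an IP address if it matches 5 times in the log file, but I don't know how to count how many times an IP has been found. My actual config file looks like this: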
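input {
  file {
    path => "/home/myuser/mygameserver/server_log.txt"
    start_position => "beginning"
  }
}
filter {
  grok {
    # The literal [ and ] around the timestamp must be escaped; unescaped they
    # open a regex character class and the pattern never matches the log line.
    match => { "message" => "\[(?<date>[^\]]+)\] BAD RCON ATTEMPT BY: %{IP:clientip}" }
  }
}
output {
  # Runs the command once for every event that reaches this output.
  exec {
    type => abuse
    command => "iptables -A INPUT -s %{clientip} -j DROP"
  }
}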
The log output looks like this:
[17/11/2015 22:38:02] BAD RCON ATTEMPT BY: 179.214.221.81
[17/11/2015 22:38:02] BAD RCON ATTEMPT BY: 179.214.221.81
[17/11/2015 22:38:02] BAD RCON ATTEMPT BY: 179.214.221.81
[17/11/2015 22:38:02] BAD RCON ATTEMPT BY: 179.214.221.81
[17/11/2015 22:38:02] BAD RCON ATTEMPT BY: 179.214.221.81
[17/11/2015 22:38:02] BAD RCON ATTEMPT BY: 179.214.221.81
[17/11/2015 22:38:02] BAD RCON ATTEMPT BY: 179.214.221.81
[17/11/2015 22:38:02] BAD RCON ATTEMPT BY: 179.214.221.81
[17/11/2015 22:38:02] BAD RCON ATTEMPT BY: 179.214.221.81
[17/11/2015 22:38:02] BAD RCON ATTEMPT BY: 179.214.221.81
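I think the config file is correct; I just want to set a counter on it so that the firewall ban is only executed once the IP address has been found 5 times in the log.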
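The counting step asked about above, as an added example that is not part of the original question and is written in Python rather than as Logstash configuration: it parses the log format shown, counts failures per IP, and yields each IP exactly once when it reaches 5. It goes slightly beyond the question by counting inside a time window; the 10-minute window, the function names and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Log format from the question: "[dd/mm/yyyy HH:MM:SS] BAD RCON ATTEMPT BY: <ip>"
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] BAD RCON ATTEMPT BY: (?P<ip>\S+)\s*$")
THRESHOLD = 5                     # failures before a ban (from the question)
WINDOW = timedelta(minutes=10)    # assumption: the question names no time window

def parse_line(line):
    """Return (timestamp, ip) for a bad-RCON line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), "%d/%m/%Y %H:%M:%S")
        ip = ipaddress.IPv4Address(m.group("ip"))  # rejects anything but a valid IPv4
    except ValueError:
        return None
    return ts, str(ip)

def ips_to_ban(lines, threshold=THRESHOLD, window=WINDOW):
    """Return each IP once, in order, when it hits `threshold` failures in `window`."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    banned = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[1] in banned:
            continue              # unrelated line, or already banned: no second rule
        ts, ip = parsed
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window: # drop failures that have aged out
            q.popleft()
        if len(q) >= threshold:
            banned.append(ip)
            del recent[ip]
    return banned

def iptables_argv(ip):
    """Same rule as in the question, as an argument list so no shell parses the IP."""
    return ["iptables", "-A", "INPUT", "-s", ip, "-j", "DROP"]

# Constructed sample input (documentation-range addresses, not real log data).
SAMPLE = (["[17/11/2015 22:38:02] BAD RCON ATTEMPT BY: 203.0.113.7"] * 6
          + ["[17/11/2015 22:38:05] BAD RCON ATTEMPT BY: 198.51.100.9"] * 4
          + ["[17/11/2015 22:39:00] player joined"])

if __name__ == "__main__":
    print([" ".join(iptables_argv(ip)) for ip in ips_to_ban(SAMPLE)])
```

The argument list from `iptables_argv` can be passed to `subprocess.run` by a process with the needed privileges; the script itself only prints the rule it would add.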