I am sending syslog data to a LogZilla server and cannot get the data rewritten. Event message:
{"event_type":"Threat_Event","ipv4":"172.31.100.13","hostname":"server1.something.net","source_uuid":"df4df304c3-93f2a-41f89-8dfefd-7f54bdsf5e429f","occured":"06-Aug-2019 02:38:44","severity":"Warning","threat_type":"test file","threat_name":"Eicar","scanner_id":"Real-time file system protection","engine_version":"1498036 (20190805)","object_type":"file","object_uri":"file:///home/admin/g4.txt","action_taken":"cleaned by deleting","threat_handled":true,"need_restart":false,"username":"root","processname":"/usr/bin/vi","circumstances":"Event occurred on a newly created file.","firstseen":"06-Aug-2019 02:38:44","hash":"CF8BD9DFDDFF007F75ADF4C2BE48005CEA317C62"}
Code for automatic key-value detection to rewrite the message above:
{
  "rewrite_rules": [
    {
      "match": {
        "field": "program",
        "value": "ESServer"
      },
      "update": {
        "message": "${event_type}, ${ipv4}"
      },
      "kv": {
        "separator": ":",
        "delimiter": ","
      }
    }
  ]
}
I would like the message parsed so that I can build dashboards based on the individual fields in the message.
Answer 0 (score: 1)
LogZilla does not parse kv pairs inside quotes, so first you need to strip them. Here is the syslog-ng rule that will do this:
# Only touch events whose program name is ESServer
filter f_program {program("ESServer")};
# Remove every double quote from the MESSAGE field of matching events
rewrite r_quotes { subst("\"", "", value("MESSAGE") flags("global") condition(filter(f_program))); };
log {
  source(s_logzilla);
  rewrite(r_quotes);
  #filter(f_fwdrops);
  destination(d_logzilla_network);
  # Uncomment line below for debug/testing of incoming events
  #destination(df_debug);
  #destination(d_unix_stream);
  flags(flow-control,final);
};
You should create a "rules" directory to store all of your custom configs. Save the above as syslog.conf (or whatever name you prefer). Copy it to the container and restart syslog-ng:
docker cp syslog.conf lz_syslog:/etc/logzilla/syslog-ng
docker restart lz_syslog
Now those events should have the quotes removed as they come in. Next, create the LogZilla parser rule using the following:
first_match_only: true
rewrite_rules:
  - comment:
      - 'Name: ESET Security Manager KV'
      - 'Sample: "event_type":"Threat_Event","ipv4":"172.31.100.13","hostname":"server1.something.net","source_uuid":"df4df304c3-93f2a-41f89-8dfefd-7f54bdsf5e429f","occured":"06-Aug-2019 02:38:44","severity":"Warning","threat_type":"test file","threat_name":"Eicar","scanner_id":"Real-time file system protection","engine_version":"1498036 (20190805)","object_type":"file","object_uri":"file:///home/admin/g4.txt","action_taken":"cleaned by deleting","threat_handled":true,"need_restart":false,"username":"root","processname":"/usr/bin/vi","circumstances":"Event occurred on a newly created file.","firstseen":"06-Aug-2019 02:38:44","hash":"CF8BD9DFDDFF007F75ADF4C2BE48005CEA317C62"'
      - 'Description: ESET K/V Detection and User Tag creation'
    match:
      field: program
      op: =~
      value: 'lzadmin'
    kv:
      delimiter: ""
      separator: ":"
      pair_separator: ","
    tag:
      ut_event_type: ${event_type}
      ut_ipv4: ${ipv4}
      ut_hostname: ${hostname}
Then add the rule:
logzilla rules add kv.json
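As an added example (not code from the question, the answer, or the LogZilla/syslog-ng projects), the Python below emulates the two-stage pipeline the answer sets up: the syslog-ng global quote strip, followed by a key/value split using the answer's separator ":" and pair separator ",", and sets the result beside plain JSON parsing of the same event. It assumes, which the page does not state, that the k/v parser splits each pair at its first ":" only, so values that contain colons (the timestamps and the file:/// URI in this event) stay intact. The sample event is the one from the question; the comma-containing variant is constructed here to show where strip-and-split silently loses data. The user_tags() helper mirrors the tag section of the answer's rule and is this example's own name.

```python
import json

# Constructed test input: the ESET event from the question, as it arrives in
# the syslog MESSAGE field before any rewrite.
SAMPLE = ('{"event_type":"Threat_Event","ipv4":"172.31.100.13","hostname":"server1.something.net",'
          '"source_uuid":"df4df304c3-93f2a-41f89-8dfefd-7f54bdsf5e429f","occured":"06-Aug-2019 02:38:44",'
          '"severity":"Warning","threat_type":"test file","threat_name":"Eicar",'
          '"scanner_id":"Real-time file system protection","engine_version":"1498036 (20190805)",'
          '"object_type":"file","object_uri":"file:///home/admin/g4.txt","action_taken":"cleaned by deleting",'
          '"threat_handled":true,"need_restart":false,"username":"root","processname":"/usr/bin/vi",'
          '"circumstances":"Event occurred on a newly created file.","firstseen":"06-Aug-2019 02:38:44",'
          '"hash":"CF8BD9DFDDFF007F75ADF4C2BE48005CEA317C62"}')

# Constructed variant: identical shape, but one value contains the pair separator.
SAMPLE_WITH_COMMA = SAMPLE.replace('"threat_name":"Eicar"', '"threat_name":"Eicar, test variant"')


def strip_quotes(message: str) -> str:
    # Emulates the answer's syslog-ng rewrite: delete every double quote in MESSAGE.
    return message.replace('"', '')


def kv_split(message: str, separator: str = ':', pair_separator: str = ',') -> dict:
    """Emulate a generic key/value parser with the separators from the answer's rule.

    Assumption (not documented on the page): a pair is split at the FIRST
    separator only. Chunks with no separator at all are dropped, which is
    exactly what happens to the tail of a value that contained a ','.
    """
    pairs = {}
    for chunk in message.strip('{}').split(pair_separator):
        if separator not in chunk:
            continue
        key, value = chunk.split(separator, 1)
        pairs[key.strip()] = value.strip()
    return pairs


def parse_event(message: str) -> dict:
    """Prefer real JSON parsing; fall back to quote-strip + k/v split only when
    the message is not valid JSON (truncated, or already de-quoted upstream).
    Booleans are lowered to 'true'/'false' so both paths yield string values."""
    try:
        data = json.loads(message)
    except json.JSONDecodeError:
        return kv_split(strip_quotes(message))
    if not isinstance(data, dict):
        return kv_split(strip_quotes(message))
    return {k: (str(v).lower() if isinstance(v, bool) else str(v)) for k, v in data.items()}


def user_tags(fields: dict) -> dict:
    # Mirrors the tag: section of the answer's rule (ut_* names taken from it).
    mapping = {'ut_event_type': 'event_type', 'ut_ipv4': 'ipv4', 'ut_hostname': 'hostname'}
    return {tag: fields[src] for tag, src in mapping.items() if src in fields}


if __name__ == '__main__':
    print(user_tags(parse_event(SAMPLE)))
    print('kv path  :', kv_split(strip_quotes(SAMPLE_WITH_COMMA))['threat_name'])
    print('json path:', parse_event(SAMPLE_WITH_COMMA)['threat_name'])
```

For the event in the question both paths agree on all 20 fields, including occured, firstseen and object_uri, whose values contain colons. The difference shows up as soon as a value contains the pair separator: after the quotes are gone, "Eicar, test variant" becomes the pair threat_name:Eicar plus a stray chunk " test variant" that has no ":" and is discarded, so a dashboard keyed on that field would see a truncated value with no error anywhere. If the producer can emit arbitrary text in fields such as threat_name or circumstances, parse the JSON directly (or restrict the quote strip to a copy of the message) rather than relying on strip-and-split.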