ELK: Linux Command History Log Analysis

Author: 浅色的嗥啸 | Source: published 2016-12-14 19:07, read 102 times

Modify the environment configuration file

Add the following to /etc/bashrc:

HISTFILE='/var/log/history_command.log'
if [ ! -f "$HISTFILE" ]; then
    touch "$HISTFILE"
    # 666 lets every user's shell append; it also lets any local user edit or truncate the file
    chmod 666 "$HISTFILE"
fi
# Prefix each history entry with: time,hostname,source IP,login user,effective user
export HISTTIMEFORMAT="%F %T,$HOSTNAME,$(who -u am i 2>/dev/null|awk '{print $NF}'| sed -e 's/[()]//g'),$(who am i|awk '{print $1}'),${USER} "
# Runs before every prompt: append the last history entry (minus its number) to the log.
# An empty Enter re-runs this and logs the previous command again (see the duplicates below).
export PROMPT_COMMAND='history 1|tail -1|sed -E "s/^ *[0-9]+ +//" >> /var/log/history_command.log'

Check that history commands are being recorded
91221.elk.node1.com<2016-12-14 18:41:32> ~
root># tail -10f /var/log/history_command.log
2016-12-14 18:37:57,91221.elk.node1.com,192.168.66.45,root vim /etc/bashrc
2016-12-14 18:37:57,91221.elk.node1.com,192.168.66.45,root vim /etc/bashrc
2016-12-14 18:38:22,91221.elk.node1.com,192.168.66.45,root tail -100f /var/log/history_command.log
2016-12-14 18:38:33,91221.elk.node1.com,192.168.66.45,root vim /etc/bashrc

91221.elk.node1.com<2016-12-14 18:57:14> /opt/logstash-2.4.1
root># cat patterns/syslog
# fields: time,hostname,ip,login user,$USER cmd (same order as HISTTIMEFORMAT above)
HISTORY_CMD %{TIMESTAMP_ISO8601:time},%{HOSTNAME:hostname},%{IPV4:ip},root,%{WORD:user} (?<cmd>\S.*)

Grok regular-expression debugging:
http://grokdebug.herokuapp.com/


Create the history_cmd-* index template
curl -XPUT http://192.168.91.221:9200/_template/template_syslog -d '
{
  "order": 0,
  "template": "history_cmd-*",
  "settings": {
    "index": {
      "refresh_interval": "5s"
    }
  },
  "mappings": {
    "_default_": {
      "dynamic_templates": [
        {
          "string_fields": {
            "mapping": {
              "index": "analyzed",
              "omit_norms": true,
              "type": "string",
              "fields": {
                "raw": {
                  "ignore_above": 256,
                  "index": "not_analyzed",
                  "type": "string",
                  "doc_values": true
                }
              }
            },
            "match_mapping_type": "string",
            "match": "*"
          }
        }
      ],
      "_all": {
        "enabled": true
      },
      "properties": {
        "@timestamp": {
          "format": "dateOptionalTime",
          "index": "not_analyzed",
          "type": "date",
          "doc_values": true
        },
        "geoip": {
          "dynamic": true,
          "type": "object",
          "properties": {
            "location": {
              "type": "geo_point"
            }
          }
        },
        "@version": {
          "index": "not_analyzed",
          "type": "string"
        }
      }
    }
  },
  "aliases": {}
}'
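
The grok pattern and the history_cmd-* daily index above, worked through as an added example (not code from the original post): a Python parser that mirrors the HISTORY_CMD pattern, assigns the @timestamp a Logstash date filter would produce, derives the index name, and handles two failure modes of the logging setup: the duplicate lines PROMPT_COMMAND writes on an empty Enter, and the "#<epoch>" lines bash itself writes into HISTFILE at logout. The fourth field is captured as a login_user group instead of the literal "root"; the sample log lines are constructed and UTC is assumed for the timestamps.

```python
import re
from datetime import datetime, timezone

# Python equivalent of the HISTORY_CMD grok pattern. Field order follows the
# HISTTIMEFORMAT in /etc/bashrc: time,hostname,source IP,login user,$USER cmd.
HISTORY_CMD = re.compile(
    r"^(?P<time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),(?P<hostname>[\w.-]+),"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}),(?P<login_user>[\w.-]+),"
    r"(?P<user>\w+) (?P<cmd>\S.*)$"
)

def parse_line(line):
    """One log line -> Logstash-style event; non-matching lines get _grokparsefailure."""
    line = line.rstrip("\n")
    m = HISTORY_CMD.match(line)
    if not m:
        return {"message": line, "tags": ["_grokparsefailure"]}
    event = m.groupdict()
    event["message"] = line
    # Same result as a logstash date filter with "yyyy-MM-dd HH:mm:ss";
    # the log carries no zone, so UTC is assumed here.
    ts = datetime.strptime(event["time"], "%Y-%m-%d %H:%M:%S")
    event["@timestamp"] = ts.replace(tzinfo=timezone.utc).isoformat()
    return event

def index_name(event):
    """Daily index name covered by the history_cmd-* template."""
    return "history_cmd-" + event["@timestamp"][:10].replace("-", ".")

def parse_log(lines):
    """Parse all lines, dropping a line that repeats the previous one (PROMPT_COMMAND
    runs at every prompt, so an empty Enter logs the last command a second time)."""
    events, previous = [], None
    for line in lines:
        line = line.rstrip("\n")
        if line == previous:
            continue
        previous = line
        events.append(parse_line(line))
    return events

# Constructed sample in the page's format; the final "#<epoch>" line is what bash
# itself writes into a HISTFILE at logout when HISTTIMEFORMAT is set.
SAMPLE_LOG = """\
2016-12-14 18:37:57,91221.elk.node1.com,192.168.66.45,root,root vim /etc/bashrc
2016-12-14 18:37:57,91221.elk.node1.com,192.168.66.45,root,root vim /etc/bashrc
2016-12-14 18:38:22,91221.elk.node1.com,192.168.66.45,root,root tail -100f /var/log/history_command.log
2016-12-14 18:40:01,91221.elk.node1.com,192.168.66.45,root,deploy ls
#1481712001
"""
```

Running parse_log(SAMPLE_LOG.splitlines()) yields three parsed events plus one tagged _grokparsefailure for the epoch marker, which is what to look for in Kibana when lines from the shared history file fail to match.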

Article link: https://www.haomeiwen.com/subject/ootwmttx.html