Rsyslog 使用总结

Rsyslog 使用总结

作者: 会飞的鱼Coo | 来源:发表于2017-08-30 15:44 被阅读11次

    一、rsyslog多行处理

    命令审核

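    # Shell-level command audit. The two "export" lines go into /etc/profile so
    # that every login shell writes one line per executed command into a file
    # under /usr/lib/cmdlog; rsyslog (imfile) tails those files and forwards them.
    vi /etc/profile

    # Log directory. The original used "chmod -R 777": a world-writable directory
    # without the sticky bit lets any local user delete, rename or truncate the
    # audit file of every other user. With the sticky bit (1777) every login
    # shell can still create its own file, but only the owner (or root) can
    # remove it.
    mkdir -p /usr/lib/cmdlog
    chmod 1777 /usr/lib/cmdlog/

    # One file per user and per day. With a single shared per-day file the first
    # shell to create it owns it (mode from that user's umask), so appends from
    # other users fail; per-user files avoid that and still match the
    # "cmdlog.*" glob used by the rsyslog imfile input.
    # NOTE: $(date +%F) is expanded once at login, so a session that lasts past
    # midnight keeps writing to the previous day's file.
    export CMDLOG_FILE="/usr/lib/cmdlog/cmdlog.$(whoami).$(date +%F)"

    # Runs before each prompt: timestamp, user@tty, SSH_CONNECTION (client ip,
    # client port, server ip, server port) and the last history entry with its
    # number stripped by awk. This is cooperative logging inside the user's own
    # shell, not a tamper-proof audit trail: it depends on bash history being
    # enabled and on PROMPT_COMMAND staying in place. Where accountability
    # matters, pair it with kernel-level auditing (auditd) and forward the lines
    # off-host promptly, as the rsyslog config does.
    export PROMPT_COMMAND='{ date "+%F %T ## $(whoami)@${SSH_TTY} ---> $(echo ${SSH_CONNECTION}) ## $(history 1|awk "{\$1=\"\";print}") "; } >>$CMDLOG_FILE'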

    日志样本:2016-08-04 08:47:28 ## root@/dev/pts/0 ---> 121.33.23.10 49240 120.26.19.94 22 ##  grep oauth *

    vi /etc/rsyslog.d/om-commad.conf

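    # /etc/rsyslog.d/om-commad.conf
    # Tails the command-audit files written by PROMPT_COMMAND and forwards each
    # line, unchanged, to the Logstash collector over TCP. The Chinese notes that
    # were on the same lines as the directives are syntax errors to rsyslog; they
    # are kept here as "#" comments instead.
    module(load="imfile")                        # file-tailing input module

    input(
        type="imfile"
        File="/usr/lib/cmdlog/cmdlog.*"          # every file produced by PROMPT_COMMAND
        addMetadata="off"                        # do not attach file name / offset metadata
        Severity="info"
        Facility="user"
        tag="commad"
        ruleset="commad_ruleset"                 # bind this input to the ruleset below
    )

    # Output template: the raw line only, newline-terminated, without a syslog
    # header, so the Logstash grok pattern sees exactly the PROMPT_COMMAND format.
    template(name="commad" type="string" string="%msg%\n")

    ruleset(name="commad_ruleset") {
        # Forward with omfwd. Plain TCP: the audit lines (which can contain
        # secrets typed on a command line) cross the network in cleartext and the
        # receiver cannot verify who sent them. On a network that is not fully
        # trusted, enable TLS on omfwd (StreamDriver="gtls" with certificate
        # authentication) and restrict which hosts may reach the collector.
        # Port 512 is below 1024, so the receiving process must be privileged or
        # hold the bind capability.
        action(type="omfwd" Target="10.51.1.1" Port="512" Protocol="tcp" template="commad")
        stop    # consumed here; do not fall through to the default ruleset / local log files
    }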

    -----logstash

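    input {
      tcp {
        # Must match the rsyslog omfwd Port. Anything that can reach this port
        # can inject lines that will be indexed as audit records: firewall it to
        # the rsyslog senders and/or turn on ssl_enable. Ports below 1024 need
        # root or CAP_NET_BIND_SERVICE.
        port => 512
        type => "commad"
      }
    }

    filter {
      if [type] == "commad" {
        grok {
          # Expected line (from PROMPT_COMMAND):
          #   <date> ## <user>@<tty> ---> <client ip> <client port> <server ip> <server port> ## <command>
          # NGINXERR_DATE is not a stock grok pattern name as far as I can tell —
          # confirm it is defined in patterns_dir or the match will never succeed.
          # "chient_ip" is kept verbatim (most likely a typo for client_ip);
          # renaming it changes the indexed field for every downstream consumer.
          match => {"message" => "%{NGINXERR_DATE:log_timestamp} %{NOTSPACE:xx} %{USERNAME:user}@%{NOTSPACE:tty} %{NOTSPACE:xxx} %{IPV4:chient_ip} %{NUMBER:client_port} %{IPV4:server_ip} %{NUMBER:server_port} %{NOTSPACE:xxxx} %{GREEDYDATA:command}"}
          # The original repeated remove_field four times inside one grok block;
          # a duplicated setting is either merged or last-wins depending on the
          # Logstash version. One array is unambiguous. remove_field on grok is
          # applied only when the match succeeded, so a failed parse keeps the
          # raw message (tagged _grokparsefailure) for inspection.
          remove_field => ["xx", "xxx", "xxxx", "message"]
        }
        date {
          # The stamp carries no zone, so Logstash applies the JVM's default zone
          # unless a `timezone` option is given.
          match => ["log_timestamp" , "yyyy-MM-dd HH:mm:ss"]
        }
      }

      # Friendly names for known senders, keyed by source address.
      if [host] == "114.215.200.41" { mutate { replace => { "host" => "my_test1" } } }
      if [host] == "10.51.8.234" { mutate { replace => { "host" => "监控平台" } } }
    }

    output {...}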

    二、多行处理中出现\n情况

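    # Variant for nginx access lines that arrive with embedded "\n" sequences:
    # collapse them so each forwarded message stays on one line at the receiver.
    # Attributes are separated by whitespace here; the original ran
    # type="string"string=... and "tcp"template=... together.
    template(name="nginx_access" type="string" string="%$.replaced_msg%\n")

    ruleset(name="nginx_forward") {
        # Presumably matches the literal two characters backslash + n (the
        # RainerScript literal "\\n"), not a real line feed — confirm against a
        # sample message. Result goes to a local variable used by the template.
        set $.replaced_msg = replace($msg, "\\n", " ");
        # Plain TCP again: see the commad ruleset for the TLS / network-trust caveat.
        action(type="omfwd" Target="10.1.1.86" Port="888" Protocol="tcp" template="nginx_access")
        stop
    }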
