[日志分析篇]ELK日志分割-jumpserver日志拆分
领导下达了一个目标,需要监控堡垒机的使用情况和数据实时展示,考虑后采取ELK架构进行日志处理和消息通知,找了很久的资料,发现网络上没有人有写相关的资料,遂将自己的心得发表出来
通过elk日志分析平台接收jumpserver日志,对日志进行过滤和拆分,并通过Grafana进行企业微信告警推送和大屏展示
1.系统介绍
名称 | 软件版本 |
---|---|
jumpserver | jumpserver-3.10.13-tls |
elasticsearch | elasticsearch-8.12.2 |
kibana | kibana-8.12.2 |
logstash | logstash-8.12.2 |
grafana | Grafana v11.0.0 |
2.jumpserver配置syslog
此处参考飞致云syslog配置文档:https://kb.fit2cloud.com/?p=123#heading-11
- 在/opt/jumpserver/config/config.txt添加syslog配置
# Enable syslog forwarding so JumpServer ships its audit events to the collector.
SYSLOG_ENABLE=True
# host:port of the Logstash UDP input (see the `udp { port => 5149 }` block below).
# NOTE(review): plain UDP syslog carries no transport encryption or sender
# authentication, so this path should stay on a trusted / filtered network segment.
SYSLOG_ADDR=10.22.3.12:5149
- 重启jumpserver
# Restart JumpServer so the new SYSLOG_* settings in config.txt take effect.
/opt/jumpserver-offline-release-v3.10.13-amd64/jmsctl.sh restart
3.jumpserver的日志类型
jumpserver日志一共有:登录日志、上传文件日志、下载文件日志、操作日志、改密日志、会话日志、命令日志这几种类型
可参考日志来进行grok规则的编写
4.logstash拆分jumpserver日志
拆分log日志是一个苦活,需要考虑参数的兼容性和匹配性
注意: 堡垒机的资产名称、账号名称和用户显示名称中不能带(),否则下面按"("拆分资产IP/名称、账号和用户的自定义规则会解析失败
如果您不会grok的使用,可以查看elastic的文档:https://www.elastic.co/guide/en/logstash/current/plugins-filters-grok.html
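# Listen for the syslog stream JumpServer sends to SYSLOG_ADDR (host:port in config.txt).
# The UDP input has no authentication and no transport encryption: anything that can
# reach port 5149 can read or inject "audit" events into this index, so restrict the
# port to the JumpServer host at the firewall / security-group level.
input {
  udp {
    port => 5149
  }
}

# Split the JumpServer syslog line into its type and JSON payload.
filter {
  # session_command_log events get a dedicated grok pattern because the recorded
  # output of commands such as `w` or `top` on Linux hosts does not survive the
  # generic pattern; every other event type goes through the generic one.
  if [message] =~ /session_command_log/ {
    grok {
      match => { "message" => "<14>jumpserver: session_command_log - %{GREEDYDATA:reallogs}\u0000" }
      add_field => { "logtype" => "session_command_log" }
    }
  } else {
    grok {
      match => { "message" => "<%{NUMBER:priority}>%{GREEDYDATA:logsouce}: %{GREEDYDATA:logtype} - %{GREEDYDATA:reallogs}\u0000" }
    }
  }

  # The payload after " - " is JSON; unpack it under [manage].
  json {
    source => "reallogs"
    target => "manage"
  }

  # Every type except login_log carries the user as "display name(account)"; split it
  # into user_name / user_account. The [manage][user] guard keeps a parse failure
  # (where the field is absent) from producing literal "%{[manage][user][0]}" values.
  if [logtype] != "login_log" and [manage][user] {
    mutate {
      gsub => ["[manage][user]", "\)$", ""]
      split => { "[manage][user]" => "(" }
    }
    mutate {
      add_field => {
        "[manage][user_name]" => "%{[manage][user][0]}"
        "[manage][user_account]" => "%{[manage][user][1]}"
      }
    }
  }

  # Drop the intermediate fields that are no longer needed.
  mutate {
    remove_field => ["reallogs", "@version", "event", "logsouce", "priority", "[manage][user]"]
  }
  # Only drop the raw syslog line once it has actually been parsed: on a grok or
  # JSON failure it is the only copy of the event left, and removing it would
  # index an empty document that can neither be diagnosed nor replayed.
  if "_grokparsefailure" not in [tags] and "_jsonparsefailure" not in [tags] {
    mutate {
      remove_field => ["message"]
    }
  }

  # login_log: replace @timestamp with the time recorded inside the event so the
  # index reflects when the login happened, not when Logstash received it.
  if [logtype] == "login_log" {
    date {
      match => ["[manage][datetime]", "yyyy/MM/dd HH:mm:ss Z"]
      target => "@timestamp"
    }
  }

  # ftp_log: split "asset name(asset ip)" and "account display(account user)",
  # then take the event time from date_start.
  if [logtype] == "ftp_log" {
    mutate {
      gsub => [
        "[manage][asset]", "\)$", "",
        "[manage][account]", "\)$", ""
      ]
      split => {
        "[manage][asset]" => "("
        "[manage][account]" => "("
      }
    }
    mutate {
      add_field => {
        "[manage][asset_name]" => "%{[manage][asset][0]}"
        "[manage][asset_ip]" => "%{[manage][asset][1]}"
        "[manage][asset_account_name]" => "%{[manage][account][0]}"
        "[manage][asset_account_user]" => "%{[manage][account][1]}"
      }
      remove_field => [ "[manage][asset]","[manage][account]" ]
    }
    date {
      match => ["[manage][date_start]", "yyyy/MM/dd HH:mm:ss Z"]
      target => "@timestamp"
    }
  }

  # operation_log: event time comes from datetime.
  if [logtype] == "operation_log" {
    date {
      match => ["[manage][datetime]", "yyyy/MM/dd HH:mm:ss Z"]
      target => "@timestamp"
    }
  }

  # password_change_log: split the operator ("display name(account)") and take the
  # event time from datetime.
  if [logtype] == "password_change_log" {
    mutate {
      gsub => [ "[manage][change_by]", "\)$", "" ]
      split => { "[manage][change_by]" => "(" }
    }
    mutate {
      add_field => {
        "[manage][changeby_user]" => "%{[manage][change_by][0]}"
        "[manage][changeby_account]" => "%{[manage][change_by][1]}"
      }
      remove_field => [ "[manage][change_by]" ]
    }
    date {
      match => ["[manage][datetime]", "yyyy/MM/dd HH:mm:ss Z"]
      target => "@timestamp"
    }
  }

  # host_session_log: split asset and account as for ftp_log. A finished session
  # (date_end present) is stamped with its end time and keeps the duration in
  # connect-time; a session that is still open is stamped with date_start.
  if [logtype] == "host_session_log" {
    mutate {
      gsub => [
        "[manage][asset]", "\)$", "",
        "[manage][account]", "\)$", ""
      ]
      split => {
        "[manage][asset]" => "("
        "[manage][account]" => "("
      }
    }
    mutate {
      add_field => {
        "[manage][asset_name]" => "%{[manage][asset][0]}"
        "[manage][asset_ip]" => "%{[manage][asset][1]}"
        "[manage][asset_account_name]" => "%{[manage][account][0]}"
        "[manage][asset_account_user]" => "%{[manage][account][1]}"
      }
      remove_field => [ "[manage][asset]","[manage][account]" ]
    }
    if [manage][date_end] {
      mutate {
        add_field => { "connect-time" => "%{[manage][duration]}" }
      }
      date {
        match => ["[manage][date_end]", "yyyy/MM/dd HH:mm:ss Z"]
        target => "@timestamp"
      }
    } else if [manage][date_start] {
      date {
        match => ["[manage][date_start]", "yyyy/MM/dd HH:mm:ss Z"]
        target => "@timestamp"
      }
    }
  }

  # session_command_log: split asset and account as above; event time comes from
  # timestamp_display.
  if [logtype] == "session_command_log" {
    mutate {
      gsub => [
        "[manage][asset]", "\)$", "",
        "[manage][account]", "\)$", ""
      ]
      split => {
        "[manage][asset]" => "("
        "[manage][account]" => "("
      }
    }
    mutate {
      add_field => {
        "[manage][asset_name]" => "%{[manage][asset][0]}"
        "[manage][asset_ip]" => "%{[manage][asset][1]}"
        "[manage][asset_account_name]" => "%{[manage][account][0]}"
        "[manage][asset_account_user]" => "%{[manage][account][1]}"
      }
      remove_field => [ "[manage][asset]","[manage][account]" ]
    }
    date {
      match => ["[manage][timestamp_display]", "yyyy/MM/dd HH:mm:ss Z"]
      target => "@timestamp"
    }
  }

  # Strip internal ids and duplicated fields once the useful values are extracted.
  mutate {
    remove_field => ["[manage][id]","[manage][asset_id]","[manage][account_id]","[manage][org_id]","[manage][terminal_display]","[manage][terminal][id]","[manage][terminal][name]","[manage][user_id]","[manage][timestamp]", "[manage][session]"]
  }
}

# Write one daily index per day of events.
output {
  elasticsearch {
    # Elasticsearch 8.x ships with TLS and authentication on by default. Plain http
    # is only acceptable for a loopback/isolated link like the localhost setup
    # shown here; for a remote cluster use an https:// URL and give the plugin the
    # cluster CA through its ssl_* options.
    hosts => ["http://localhost:9200"]
    index => "sh-blj-%{+YYYY.MM.dd}"
    action => "create"
    # `elastic` is the cluster superuser; a dedicated role that can only create
    # documents in sh-blj-* limits the damage if this pipeline host is compromised.
    user => "elastic"
    # Read the credential from the environment (ES_PASSWORD must be set for the
    # Logstash process, or stored in the Logstash keystore) instead of committing
    # it into the pipeline file.
    password => "${ES_PASSWORD}"
  }
  # rubydebug echoes every event - including recorded command input/output and
  # user names - to Logstash's stdout/journal. Keep it for debugging only and
  # remove it in production to avoid a second, unmanaged copy of the audit data.
  stdout {
    codec => "rubydebug"
  }
}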
5.创建日志索引模板
创建日志索引模板,方便Grafana的调用
PUT /_template/sh-blj-template
{
"index_patterns": [
"sh-blj-*"
],
"settings": {},
"mappings": {
"properties": {
"logtype": {
"type": "text",
"fields": {
"keyword": {
"ignore_above": 256,
"type": "keyword"
}
}
},
"@timestamp": {
"type": "date"
},
"connect-time": {
"type": "text",
"fields": {
"keyword": {
"ignore_above": 256,
"type": "keyword"
}
}
},
"host": {
"type": "object",
"properties": {
"ip": {
"type": "text",
"fields": {
"keyword": {
"ignore_above": 256,
"type": "keyword"
}
}
}
}
},
"manage": {
"type": "object",
"properties": {
"is_locked": {
"type": "boolean"
},
"reason": {
"type": "text",
"fields": {
"keyword": {
"ignore_above": 256,
"type": "keyword"
}
}
},
"city": {
"type": "text",
"fields": {
"keyword": {
"ignore_above": 256,
"type": "keyword"
}
}
},
"user_name": {
"type": "text",
"fields": {
"keyword": {
"ignore_above": 256,
"type": "keyword"
}
}
},
"has_command": {
"type": "boolean"
},
"can_join": {
"type": "boolean"
},
"has_replay": {
"type": "boolean"
},
"is_success": {
"type": "boolean"
},
"type": {
"type": "object",
"properties": {
"label": {
"type": "text",
"fields": {
"keyword": {
"ignore_above": 256,
"type": "keyword"
}
}
},
"value": {
"type": "text",
"fields": {
"keyword": {
"ignore_above": 256,
"type": "keyword"
}
}
}
}
},
"login_from": {
"type": "object",
"properties": {
"label": {
"type": "text",
"fields": {
"keyword": {
"ignore_above": 256,
"type": "keyword"
}
}
},
"value": {
"type": "text",
"fields": {
"keyword": {
"ignore_above": 256,
"type": "keyword"
}
}
}
}
},
"duration": {
"type": "text",
"fields": {
"keyword": {
"ignore_above": 256,
"type": "keyword"
}
}
},
"output": {
"type": "text",
"fields": {
"keyword": {
"ignore_above": 256,
"type": "keyword"
}
}
},
"datetime": {
"type": "text",
"fields": {
"keyword": {
"ignore_above": 256,
"type": "keyword"
}
}
},
"error_reason": {
"type": "object",
"properties": {
"label": {
"type": "text",
"fields": {
"keyword": {
"ignore_above": 256,
"type": "keyword"
}
}
},
"value": {
"type": "text",
"fields": {
"keyword": {
"ignore_above": 256,
"type": "keyword"
}
}
}
}
},
"protocol": {
"type": "text",
"fields": {
"keyword": {
"ignore_above": 256,
"type": "keyword"
}
}
},
"asset_name": {
"type": "text",
"fields": {
"keyword": {
"ignore_above": 256,
"type": "keyword"
}
}
},
"asset_account_user": {
"type": "text",
"fields": {
"keyword": {
"ignore_above": 256,
"type": "keyword"
}
}
},
"asset_ip": {
"type": "text",
"fields": {
"keyword": {
"ignore_above": 256,
"type": "keyword"
}
}
},
"action": {
"type": "object",
"properties": {
"label": {
"type": "text",
"fields": {
"keyword": {
"ignore_above": 256,
"type": "keyword"
}
}
},
"value": {
"type": "text",
"fields": {
"keyword": {
"ignore_above": 256,
"type": "keyword"
}
}
}
}
},
"asset_account_name": {
"type": "text",
"fields": {
"keyword": {
"ignore_above": 256,
"type": "keyword"
}
}
},
"backend": {
"type": "text",
"fields": {
"keyword": {
"ignore_above": 256,
"type": "keyword"
}
}
},
"changeby_account": {
"type": "text",
"fields": {
"keyword": {
"ignore_above": 256,
"type": "keyword"
}
}
},
"org_name": {
"type": "text",
"fields": {
"keyword": {
"ignore_above": 256,
"type": "keyword"
}
}
},
"user_agent": {
"type": "text",
"fields": {
"keyword": {
"ignore_above": 256,
"type": "keyword"
}
}
},
"has_file": {
"type": "boolean"
},
"remote_addr": {
"type": "text",
"fields": {
"keyword": {
"ignore_above": 256,
"type": "keyword"
}
}
},
"can_replay": {
"type": "boolean"
},
"resource": {
"type": "text",
"fields": {
"keyword": {
"ignore_above": 256,
"type": "keyword"
}
}
},
"ip": {
"type": "text",
"fields": {
"keyword": {
"ignore_above": 256,
"type": "keyword"
}
}
},
"resource_type": {
"type": "text",
"fields": {
"keyword": {
"ignore_above": 256,
"type": "keyword"
}
}
},
"can_terminate": {
"type": "boolean"
},
"mfa": {
"type": "object",
"properties": {
"label": {
"type": "text",
"fields": {
"keyword": {
"ignore_above": 256,
"type": "keyword"
}
}
},
"value": {
"type": "long"
}
}
},
"date_end": {
"type": "text",
"fields": {
"keyword": {
"ignore_above": 256,
"type": "keyword"
}
}
},
"terminal": {
"type": "object"
},
"is_finished": {
"type": "boolean"
},
"input": {
"type": "text",
"fields": {
"keyword": {
"ignore_above": 256,
"type": "keyword"
}
}
},
"risk_level": {
"type": "object",
"properties": {
"label": {
"type": "text",
"fields": {
"keyword": {
"ignore_above": 256,
"type": "keyword"
}
}
},
"value": {
"type": "long"
}
}
},
"date_start": {
"type": "text",
"fields": {
"keyword": {
"ignore_above": 256,
"type": "keyword"
}
}
},
"reason_display": {
"type": "text",
"fields": {
"keyword": {
"ignore_above": 256,
"type": "keyword"
}
}
},
"filename": {
"type": "text",
"fields": {
"keyword": {
"ignore_above": 256,
"type": "keyword"
}
}
},
"operate": {
"type": "object",
"properties": {
"label": {
"type": "text",
"fields": {
"keyword": {
"ignore_above": 256,
"type": "keyword"
}
}
},
"value": {
"type": "text",
"fields": {
"keyword": {
"ignore_above": 256,
"type": "keyword"
}
}
}
}
},
"changeby_user": {
"type": "text",
"fields": {
"keyword": {
"ignore_above": 256,
"type": "keyword"
}
}
},
"user_account": {
"type": "text",
"fields": {
"keyword": {
"ignore_above": 256,
"type": "keyword"
}
}
},
"backend_display": {
"type": "text",
"fields": {
"keyword": {
"ignore_above": 256,
"type": "keyword"
}
}
},
"command_amount": {
"type": "long"
},
"status": {
"type": "object",
"properties": {
"label": {
"type": "text",
"fields": {
"keyword": {
"ignore_above": 256,
"type": "keyword"
}
}
},
"value": {
"type": "boolean"
}
}
},
"timestamp_display": {
"type": "text",
"fields": {
"keyword": {
"ignore_above": 256,
"type": "keyword"
}
}
},
"username": {
"type": "text",
"fields": {
"keyword": {
"ignore_above": 256,
"type": "keyword"
}
}
}
}
}
}
},
"aliases": {}
}