![\"ES2-1.png\"](\"https:\/\/cdn.silicloud.com\/blog-img\/blog\/img\/657d464c37434c4406ca4b8d\/2-0.png\" "\\"\\"")
<\/div>\n\u7ed3\u675f\u540e<\/h1>\n![\"ES2.png\"](\"https:\/\/cdn.silicloud.com\/blog-img\/blog\/img\/657d464c37434c4406ca4b8d\/4-1.png\" "\\"\\"")
<\/div>\n\u73af\u5883\u548c\u524d\u63d0\u6761\u4ef6<\/h1>\n\n- \n
AlmaLinux release 8.5 (Arctic Sphynx)<\/ul>\n<\/li>\n<\/ul>\n <\/p>\n
\n- \n
\u4e0b\u8a18\u306e\u8a2d\u5b9a\u306f\u8a2d\u5b9a\u6e08\u307f<\/ul>\n<\/li>\n<\/ul>\n <\/p>\n
\n- \n
CloudTrail,VPCFlowlogs,CloudWatch\u306e\u8a2d\u5b9a<\/ul>\n<\/li>\n<\/ul>\n <\/p>\n
Logstash\u304b\u3089CloudWatch\u306b\u30a2\u30af\u30bb\u30b9\u3059\u308bIAM\u30e6\u30fc\u30b6\u306e\u4f5c\u6210\u53ca\u3073IAM\u30ed\u30fc\u30eb\u306e\u8a2d\u5b9a<\/ul>\n\u8bf7\u63d0\u4f9b\u5177\u4f53\u7684\u53e5\u5b50\u6216\u5185\u5bb9\uff0c\u6211\u5c06\u4e3a\u60a8\u63d0\u4f9b\u4e2d\u6587\u7684\u540c\u4e49\u8f6c\u8ff0\u3002<\/h1>\n\n- \n
Logstash\u306efilter\u7b87\u6240\u306e\u8a18\u8f09\u65b9\u6cd5\uff08CloudTrail\u3001VPCFlowlogs\uff09\u306f\u4e0b\u8a18\u30b5\u30a4\u30c8\u3092\u53c2\u8003\u306b\u3055\u305b\u3066\u9802\u304d\u307e\u3057\u305f\u3002<\/ul>\n<\/li>\n<\/ul>\n <\/p>\n
\n- \n
VPC FlowLogs\u3092Logstash\u3067\u6b63\u898f\u5316\u3057\u3066\u307f\u305f<\/ul>\n<\/li>\n<\/ul>\n <\/p>\n
CloudTrail\u3092Elasticsearch\u306b\u53d6\u308a\u8fbc\u3093\u3067\u307f\u305f<\/ul>\n\u5efa\u7acb\u6b65\u9a5f\uff08On-premise\u7aef\u7684\u65e5\u8a8c\u6536\u96c6\uff09<\/h1>\n\u642d\u5efaElasticsearch\u670d\u52a1\u5668<\/h2>\nElasticsearch\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb<\/ul>\n
wget https:\/\/artifacts.elastic.co\/downloads\/elasticsearch\/elasticsearch-7.10.1-x86_64.rpm\r\nrpm --install<\/span> elasticsearch-7.10.1-x86_64.rpm\r\n<\/code><\/pre>\nElasticsearch\u8a2d\u5b9a<\/ul>\n
vim elasticsearch.yml\r\nnetwork.host: 0.0.0.0\r\nnode.name: node-1\r\ncluster.initial_master_nodes: [<\/span>\"node-1\"<\/span>]<\/span>\r\n<\/code><\/pre>\nvm.max_map_count\u30d1\u30e9\u30e1\u30fc\u30bf\u8a2d\u5b9a<\/ul>\n
vm.max_map_count=<\/span>262144\r\n<\/code><\/pre>\nsysctl -q<\/span> -w<\/span> vm.max_map_count=<\/span>262144\r\nsystemctl enable <\/span>elasticsearch\r\nsystemctl start elasticsearch\r\n<\/code><\/pre>\n\u5c06Kibana\u4e5f\u5b89\u88c5\u5728\u540c\u4e00\u53f0\u670d\u52a1\u5668\u4e0a\u3002<\/p>\n
Kibana\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb<\/ul>\n
wget https:\/\/artifacts.elastic.co\/downloads\/kibana\/kibana-7.10.1-x86_64.rpm\r\nrpm --install<\/span> kibana-7.10.1-x86_64.rpm\r\n\r\n<\/code><\/pre>\nKibana\u8a2d\u5b9a<\/ul>\n
server.host: \"0.0.0.0\"<\/span>\r\n<\/code><\/pre>\nKibana\u8d77\u52d5<\/ul>\n
systemctl enable <\/span>kibana\r\nsystemctl start kibana\r\n<\/code><\/pre>\nKibana\u52d5\u4f5c\u78ba\u8a8d<\/ul>\n\u8bbf\u95ee http:\/\/xx.xx.xx.xx:5601\/<\/p>\n
\u642d\u5efaLogstash\u670d\u52a1\u5668<\/h2>\nOpenJDK\u306e\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb<\/ul>\n
yum -y<\/span> install <\/span>java-1.8.0-openjdk\r\n<\/code><\/pre>\nLogstash\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb<\/ul>\n
rpm --import<\/span> https:\/\/artifacts.elastic.co\/GPG-KEY-elasticsearch\r\n<\/code><\/pre>\n[<\/span>logstash-7.x]\r\nname<\/span>=<\/span>Elastic repository for <\/span>7.x packages\r\nbaseurl<\/span>=<\/span>https:\/\/artifacts.elastic.co\/packages\/7.x\/yum\r\ngpgcheck<\/span>=<\/span>1\r\ngpgkey<\/span>=<\/span>https:\/\/artifacts.elastic.co\/GPG-KEY-elasticsearch\r\nenabled<\/span>=<\/span>1\r\nautorefresh<\/span>=<\/span>1\r\ntype<\/span>=<\/span>rpm-md\r\n<\/code><\/pre>\nyum -y<\/span> install <\/span>logstash-7.10.1\r\n<\/code><\/pre>\nLogstash\u8d77\u52d5<\/ul>\n
systemctl enable <\/span>logstash\r\nsystemctl restart logstash\r\n<\/code><\/pre>\n\u5efa\u7acbSyslog\u670d\u52a1\u5668<\/h2>\nSyslog\u8a2d\u5b9a<\/ul>\n\u4f7f\u7528IP\u5730\u5740\u5c06\u65e5\u5fd7\u6587\u4ef6\u5206\u79bb\u7684\u8bbe\u7f6e<\/p>\n
module(<\/span>load<\/span>=<\/span>\"imudp\"<\/span>)<\/span> # needs to be done just once<\/span>\r\ninput(<\/span>type<\/span>=<\/span>\"imudp\"<\/span> port<\/span>=<\/span>\"514\"<\/span>)<\/span>\r\n\r\nmodule(<\/span>load<\/span>=<\/span>\"imtcp\"<\/span>)<\/span> # needs to be done just once<\/span>\r\ninput(<\/span>type<\/span>=<\/span>\"imtcp\"<\/span> port<\/span>=<\/span>\"514\"<\/span>)<\/span>\r\n\r\n#### RULES ####<\/span>\r\n:fromhost-ip, isequal, \"xxx.xxx.xxx.xxx\"<\/span> -\/var\/log\/server\/pst.log\r\n& ~\r\n:fromhost-ip, isequal, \"xxx.xxx.xxx.xxx\"<\/span> -\/var\/log\/server\/redmine.log\r\n& ~\r\n:fromhost-ip, isequal, \"xxx.xxx.xxx.xxx\"<\/span> -\/var\/log\/server\/ciscosw.log\r\n& ~\r\n<\/code><\/pre>\n\/var\/log\/server\/*<\/span>.log {<\/span>\r\nweekly\r\nrotate 54\r\ncompress\r\ncreate 0664 root root\r\npostrotate\r\n\/bin\/systemctl restart rsyslog\r\nendscript\r\n}<\/span>\r\n<\/code><\/pre>\nsystemctl restart rsyslog\r\n<\/code><\/pre>\nSyslog\u8f6c\u53d1\u7aef\u8bbe\u7f6e<\/h2>\n\u30b5\u30fc\u30d0\u8a2d\u5b9a<\/ul>\n
*<\/span>.*<\/span> @@xxx.xxx.xxx.xxx:514\r\n<\/code><\/pre>\nsystemctl restart rsyslog\r\n<\/code><\/pre>\n\u30b9\u30a4\u30c3\u30c1\u8a2d\u5b9a<\/ul>\n\u4e3a\u4e86\u6d4b\u8bd5\u76ee\u7684\uff0c\u5728\u8c03\u8bd5\u4e2d\u8bbe\u7f6e\u7ea7\u522b\u3002<\/p>\n
logging host xxx.xxx.xxx.xxx\r\nlogging trap <\/span>debugging\r\n<\/code><\/pre>\nNFS\u914d\u7f6e<\/h2>\n
\u4f7fLogstash\u670d\u52a1\u5668\u80fd\u591f\u770b\u5230Syslog\u670d\u52a1\u5668\u3002<\/p>\n
Syslog\u30b5\u30fc\u30d0\u5074\u8a2d\u5b9a<\/ul>\n
yum -y<\/span> install <\/span>nfs-utils\r\nsystemctl enable <\/span>nfs-server\r\nsystemctl start nfs-server\r\n<\/code><\/pre>\n\/var\/log xxx.xxx.xxx.xxx\/xx(<\/span>rw,no_root_squash)<\/span>\r\n<\/code><\/pre>\nLogstash\u30b5\u30fc\u30d0\u5074\u8a2d\u5b9a<\/ul>\n
yum -y<\/span> install <\/span>nfs-utils\r\nsystemctl enable <\/span>nfs-server\r\nsystemctl start nfs-server\r\nmount -t<\/span> nfs xxx.xxx.xxx.xxx:\/var\/log \/mnt\r\n<\/code><\/pre>\nxxx.xxx.xxx.xxx:\/var\/log \/mnt nfs defaults 0 0\r\n<\/code><\/pre>\nLogstash\u914d\u7f6e<\/h2>\n
\u53c2\u8003\u8d44\u6599\uff1alogstash\u6a21\u5f0f<\/p>\n
Conf\u30d5\u30a1\u30a4\u30eb\u4f5c\u6210<\/ul>\n
input {<\/span>\r\n file {<\/span>\r\n path =><\/span> \"\/mnt\/server\/redmine.log\"<\/span>\r\n path =><\/span> \"\/mnt\/server\/pst.log\"<\/span>\r\n path =><\/span> \"\/mnt\/server\/ciscosw.log\"<\/span>\r\n start_position =><\/span> \"beginning\"<\/span>\r\n }<\/span>\r\n}<\/span>\r\nfilter {<\/span>\r\n grok {<\/span>\r\n match =><\/span> {<\/span>\r\n \"message\"<\/span> =><\/span> \"%{SYSLOGBASE}%{SPACE}%{GREEDYDATA:SYSLOGMESSAGE}\"<\/span>\r\n }<\/span>\r\n }<\/span>\r\n}<\/span>\r\noutput {<\/span>\r\n elasticsearch {<\/span>\r\n hosts =><\/span> [<\/span>\"xxx.xxx.xxx.xxx:9200\"<\/span>]<\/span>\r\n index =><\/span> \"syslog-%{+YYYY-MM-dd}\"<\/span>\r\n }<\/span>\r\n}<\/span>\r\n<\/code><\/pre>\nLogstash\u518d\u8d77\u52d5<\/ul>\n
systemctl restart logstash\r\n<\/code><\/pre>\nKibana\u914d\u7f6e<\/h2>\nDevelper Tool\u306e\u753b\u9762\u306b\u30a2\u30af\u30bb\u30b9<\/ul>\n\u8bf7\u7528\u4e2d\u6587\u5c06\u4ee5\u4e0b\u5185\u5bb9\u8fdb\u884c\u6539\u8ff0\uff0c\u53ea\u9700\u63d0\u4f9b\u4e00\u79cd\u9009\u9879\uff1a
\nhttp:\/\/xx.xx.xx.xx:5601\/app\/dev_tools#\/console<\/p>\n
\u8fd9\u662f\u63a7\u5236\u53f0\u7684\u7f51\u5740\uff1ahttp:\/\/xx.xx.xx.xx:5601\/app\/dev_tools#\/console\u3002<\/p>\n
Index\u304c\u767b\u9332\u3055\u308c\u3066\u3044\u308b\u304b\u78ba\u8a8d<\/ul>\n
GET \/_cat\/indices?v\r\n\r\nhealth status index uuid pri rep docs.count docs.deleted store.size pri.store.size\r\nyellow open syslog-2022-02-21 KfyhDKVjRwGGVk2TWuGD1A 1 1 407 0 145.2kb 145.2kb\r\nyellow open syslog-2022-02-22 lmZFW50vTveDW2wriHFW_w 1 1 381\r\n<\/code><\/pre>\nDocument\u60c5\u5831\u78ba\u8a8d<\/ul>\n
GET \/syslog-2022-02-*<\/span> \/_search\r\n{<\/span>\r\n \"query\"<\/span>: {<\/span> \"match_all\"<\/span>: {}<\/span> }<\/span>\r\n}<\/span>\r\n<\/code><\/pre>\nIndex Patterns\u767b\u9332<\/ul>\n\u6309\u7167\u4ee5\u4e0b\u987a\u5e8f\u9009\u62e9\uff1aStack Management -> Index Patterns<\/p>\n
![\"kibana1.png\"](\"https:\/\/cdn.silicloud.com\/blog-img\/blog\/img\/657d464c37434c4406ca4b8d\/72-0.png\" "\\"\\"")
<\/div>\n\u8f93\u5165Syslog-*\u540e\uff0c\u70b9\u51fb\u4e0b\u4e00\u6b65\u3002
\n\u8f93\u5165Syslog-*\u540e\uff0c\u70b9\u51fb\u4e0b\u4e00\u6b65\u3002
\n\u8f93\u5165Syslog-*\u540e\uff0c\u70b9\u51fb\u4e0b\u4e00\u6b65\u3002
\n\u8f93\u5165Syslog-*\u5e76\u70b9\u51fb\u4e0b\u4e00\u6b65\u3002
\n\u5728\u8f93\u5165Syslog-*\u540e\uff0c\u70b9\u51fb\u4e0b\u4e00\u6b65\u3002
\n\u8f93\u5165Syslog-*\u7136\u540e\u70b9\u51fb\u4e0b\u4e00\u6b65\u3002<\/p>\n
![\"kibana2.png\"](\"https:\/\/cdn.silicloud.com\/blog-img\/blog\/img\/657d464c37434c4406ca4b8d\/74-0.png\" "\\"\\"")
<\/div>\n\u9009\u62e9\u65f6\u95f4\u6233\u540e\uff0c\u70b9\u51fb”\u521b\u5efa\u7d22\u5f15\u6a21\u5f0f”\u3002<\/p>\n
![\"kibana3.png\"](\"https:\/\/cdn.silicloud.com\/blog-img\/blog\/img\/657d464c37434c4406ca4b8d\/76-0.png\" "\\"\\"")
<\/div>\nSyslog\u78ba\u8a8d<\/ul>\n\u70b9\u51fb\u201cDiscover\u201d\u6309\u94ae<\/p>\n
![\"kibana4.png\"](\"https:\/\/cdn.silicloud.com\/blog-img\/blog\/img\/657d464c37434c4406ca4b8d\/79-0.png\" "\\"\\"")
<\/div>\n\u786e\u8ba4\u662f\u5426\u663e\u793a\u4e86Syslog\u7684\u5185\u5bb9\u3002<\/p>\n
![\"ES3.png\"](\"https:\/\/cdn.silicloud.com\/blog-img\/blog\/img\/657d464c37434c4406ca4b8d\/81-0.png\" "\\"\\"")
<\/div>\n\u30b0\u30e9\u30d5\u4f5c\u6210<\/ul>\n\u9009\u62e9Visualize\u540e\uff0c\u521b\u5efa\u559c\u6b22\u7684\u56fe\u8868\u3002<\/p>\n
![\"kibana5.png\"](\"https:\/\/cdn.silicloud.com\/blog-img\/blog\/img\/657d464c37434c4406ca4b8d\/84-0.png\" "\\"\\"")
<\/div>\nAWS\u5074\u306e\u30ed\u30b0\u53d6\u8fbc\u307f\u306e\u624b\u9806\u3092\u69cb\u7bc9\u3059\u308b\u3002<\/h1>\nLogstash\u914d\u7f6e<\/h2>\nCloudWatch\u30d7\u30e9\u30b0\u30a4\u30f3\u306e\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb<\/ul>\n
\/usr\/share\/logstash\/bin\/logstash-plugin install <\/span>logstash-input-cloudwatch_logs\r\n<\/code><\/pre>\nFlowlogs\u306egrok\u30d1\u30bf\u30fc\u30f3\u4f5c\u6210<\/ul>\n
VPCFLOWLOG %{<\/span>NUMBER:version}<\/span> %{<\/span>NOTSPACE:account-id}<\/span> %{<\/span>NOTSPACE:interface-id}<\/span> %{<\/span>IP:srcaddr}<\/span> %{<\/span>IP:dstaddr}<\/span> %{<\/span>NOTSPACE:srcport}<\/span> %{<\/span>NOTSPACE:dstport}<\/span> %{<\/span>NOTSPACE:protocol}<\/span> %{<\/span>NUMBER:packets:float}<\/span> %{<\/span>NUMBER:bytes:float}<\/span> %{<\/span>NOTSPACE:start}<\/span> %{<\/span>NOTSPACE:end}<\/span> %{<\/span>NOTSPACE:action}<\/span> %{<\/span>NOTSPACE:log-status}<\/span>\r\n<\/code><\/pre>\nConf\u30d5\u30a1\u30a4\u30eb\u4f5c\u6210\uff08VPC Flowlogs\uff09<\/ul>\n
input {<\/span>\r\n cloudwatch_logs {<\/span>\r\n region =><\/span> \"ap-northeast-1\"<\/span>\r\n log_group =><\/span> [<\/span>
<\/div>\n\u73af\u5883\u548c\u524d\u63d0\u6761\u4ef6<\/h1>\n\n- \n
AlmaLinux release 8.5 (Arctic Sphynx)<\/ul>\n<\/li>\n<\/ul>\n <\/p>\n
\n- \n
\u4e0b\u8a18\u306e\u8a2d\u5b9a\u306f\u8a2d\u5b9a\u6e08\u307f<\/ul>\n<\/li>\n<\/ul>\n <\/p>\n
\n- \n
CloudTrail,VPCFlowlogs,CloudWatch\u306e\u8a2d\u5b9a<\/ul>\n<\/li>\n<\/ul>\n <\/p>\n
Logstash\u304b\u3089CloudWatch\u306b\u30a2\u30af\u30bb\u30b9\u3059\u308bIAM\u30e6\u30fc\u30b6\u306e\u4f5c\u6210\u53ca\u3073IAM\u30ed\u30fc\u30eb\u306e\u8a2d\u5b9a<\/ul>\n\u8bf7\u63d0\u4f9b\u5177\u4f53\u7684\u53e5\u5b50\u6216\u5185\u5bb9\uff0c\u6211\u5c06\u4e3a\u60a8\u63d0\u4f9b\u4e2d\u6587\u7684\u540c\u4e49\u8f6c\u8ff0\u3002<\/h1>\n\n- \n
Logstash\u306efilter\u7b87\u6240\u306e\u8a18\u8f09\u65b9\u6cd5\uff08CloudTrail\u3001VPCFlowlogs\uff09\u306f\u4e0b\u8a18\u30b5\u30a4\u30c8\u3092\u53c2\u8003\u306b\u3055\u305b\u3066\u9802\u304d\u307e\u3057\u305f\u3002<\/ul>\n<\/li>\n<\/ul>\n <\/p>\n
\n- \n
VPC FlowLogs\u3092Logstash\u3067\u6b63\u898f\u5316\u3057\u3066\u307f\u305f<\/ul>\n<\/li>\n<\/ul>\n <\/p>\n
CloudTrail\u3092Elasticsearch\u306b\u53d6\u308a\u8fbc\u3093\u3067\u307f\u305f<\/ul>\n\u5efa\u7acb\u6b65\u9a5f\uff08On-premise\u7aef\u7684\u65e5\u8a8c\u6536\u96c6\uff09<\/h1>\n\u642d\u5efaElasticsearch\u670d\u52a1\u5668<\/h2>\nElasticsearch\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb<\/ul>\n
wget https:\/\/artifacts.elastic.co\/downloads\/elasticsearch\/elasticsearch-7.10.1-x86_64.rpm\r\nrpm --install<\/span> elasticsearch-7.10.1-x86_64.rpm\r\n<\/code><\/pre>\nElasticsearch\u8a2d\u5b9a<\/ul>\n
vim elasticsearch.yml\r\nnetwork.host: 0.0.0.0\r\nnode.name: node-1\r\ncluster.initial_master_nodes: [<\/span>\"node-1\"<\/span>]<\/span>\r\n<\/code><\/pre>\nvm.max_map_count\u30d1\u30e9\u30e1\u30fc\u30bf\u8a2d\u5b9a<\/ul>\n
vm.max_map_count=<\/span>262144\r\n<\/code><\/pre>\nsysctl -q<\/span> -w<\/span> vm.max_map_count=<\/span>262144\r\nsystemctl enable <\/span>elasticsearch\r\nsystemctl start elasticsearch\r\n<\/code><\/pre>\n\u5c06Kibana\u4e5f\u5b89\u88c5\u5728\u540c\u4e00\u53f0\u670d\u52a1\u5668\u4e0a\u3002<\/p>\n
Kibana\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb<\/ul>\n
wget https:\/\/artifacts.elastic.co\/downloads\/kibana\/kibana-7.10.1-x86_64.rpm\r\nrpm --install<\/span> kibana-7.10.1-x86_64.rpm\r\n\r\n<\/code><\/pre>\nKibana\u8a2d\u5b9a<\/ul>\n
server.host: \"0.0.0.0\"<\/span>\r\n<\/code><\/pre>\nKibana\u8d77\u52d5<\/ul>\n
systemctl enable <\/span>kibana\r\nsystemctl start kibana\r\n<\/code><\/pre>\nKibana\u52d5\u4f5c\u78ba\u8a8d<\/ul>\n\u8bbf\u95ee http:\/\/xx.xx.xx.xx:5601\/<\/p>\n
\u642d\u5efaLogstash\u670d\u52a1\u5668<\/h2>\nOpenJDK\u306e\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb<\/ul>\n
yum -y<\/span> install <\/span>java-1.8.0-openjdk\r\n<\/code><\/pre>\nLogstash\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb<\/ul>\n
rpm --import<\/span> https:\/\/artifacts.elastic.co\/GPG-KEY-elasticsearch\r\n<\/code><\/pre>\n[<\/span>logstash-7.x]\r\nname<\/span>=<\/span>Elastic repository for <\/span>7.x packages\r\nbaseurl<\/span>=<\/span>https:\/\/artifacts.elastic.co\/packages\/7.x\/yum\r\ngpgcheck<\/span>=<\/span>1\r\ngpgkey<\/span>=<\/span>https:\/\/artifacts.elastic.co\/GPG-KEY-elasticsearch\r\nenabled<\/span>=<\/span>1\r\nautorefresh<\/span>=<\/span>1\r\ntype<\/span>=<\/span>rpm-md\r\n<\/code><\/pre>\nyum -y<\/span> install <\/span>logstash-7.10.1\r\n<\/code><\/pre>\nLogstash\u8d77\u52d5<\/ul>\n
systemctl enable <\/span>logstash\r\nsystemctl restart logstash\r\n<\/code><\/pre>\n\u5efa\u7acbSyslog\u670d\u52a1\u5668<\/h2>\nSyslog\u8a2d\u5b9a<\/ul>\n\u4f7f\u7528IP\u5730\u5740\u5c06\u65e5\u5fd7\u6587\u4ef6\u5206\u79bb\u7684\u8bbe\u7f6e<\/p>\n
module(<\/span>load<\/span>=<\/span>\"imudp\"<\/span>)<\/span> # needs to be done just once<\/span>\r\ninput(<\/span>type<\/span>=<\/span>\"imudp\"<\/span> port<\/span>=<\/span>\"514\"<\/span>)<\/span>\r\n\r\nmodule(<\/span>load<\/span>=<\/span>\"imtcp\"<\/span>)<\/span> # needs to be done just once<\/span>\r\ninput(<\/span>type<\/span>=<\/span>\"imtcp\"<\/span> port<\/span>=<\/span>\"514\"<\/span>)<\/span>\r\n\r\n#### RULES ####<\/span>\r\n:fromhost-ip, isequal, \"xxx.xxx.xxx.xxx\"<\/span> -\/var\/log\/server\/pst.log\r\n& ~\r\n:fromhost-ip, isequal, \"xxx.xxx.xxx.xxx\"<\/span> -\/var\/log\/server\/redmine.log\r\n& ~\r\n:fromhost-ip, isequal, \"xxx.xxx.xxx.xxx\"<\/span> -\/var\/log\/server\/ciscosw.log\r\n& ~\r\n<\/code><\/pre>\n\/var\/log\/server\/*<\/span>.log {<\/span>\r\nweekly\r\nrotate 54\r\ncompress\r\ncreate 0664 root root\r\npostrotate\r\n\/bin\/systemctl restart rsyslog\r\nendscript\r\n}<\/span>\r\n<\/code><\/pre>\nsystemctl restart rsyslog\r\n<\/code><\/pre>\nSyslog\u8f6c\u53d1\u7aef\u8bbe\u7f6e<\/h2>\n\u30b5\u30fc\u30d0\u8a2d\u5b9a<\/ul>\n
*<\/span>.*<\/span> @@xxx.xxx.xxx.xxx:514\r\n<\/code><\/pre>\nsystemctl restart rsyslog\r\n<\/code><\/pre>\n\u30b9\u30a4\u30c3\u30c1\u8a2d\u5b9a<\/ul>\n\u4e3a\u4e86\u6d4b\u8bd5\u76ee\u7684\uff0c\u5728\u8c03\u8bd5\u4e2d\u8bbe\u7f6e\u7ea7\u522b\u3002<\/p>\n
logging host xxx.xxx.xxx.xxx\r\nlogging trap <\/span>debugging\r\n<\/code><\/pre>\nNFS\u914d\u7f6e<\/h2>\n
\u4f7fLogstash\u670d\u52a1\u5668\u80fd\u591f\u770b\u5230Syslog\u670d\u52a1\u5668\u3002<\/p>\n
Syslog\u30b5\u30fc\u30d0\u5074\u8a2d\u5b9a<\/ul>\n
yum -y<\/span> install <\/span>nfs-utils\r\nsystemctl enable <\/span>nfs-server\r\nsystemctl start nfs-server\r\n<\/code><\/pre>\n\/var\/log xxx.xxx.xxx.xxx\/xx(<\/span>rw,no_root_squash)<\/span>\r\n<\/code><\/pre>\nLogstash\u30b5\u30fc\u30d0\u5074\u8a2d\u5b9a<\/ul>\n
yum -y<\/span> install <\/span>nfs-utils\r\nsystemctl enable <\/span>nfs-server\r\nsystemctl start nfs-server\r\nmount -t<\/span> nfs xxx.xxx.xxx.xxx:\/var\/log \/mnt\r\n<\/code><\/pre>\nxxx.xxx.xxx.xxx:\/var\/log \/mnt nfs defaults 0 0\r\n<\/code><\/pre>\nLogstash\u914d\u7f6e<\/h2>\n
\u53c2\u8003\u8d44\u6599\uff1alogstash\u6a21\u5f0f<\/p>\n
Conf\u30d5\u30a1\u30a4\u30eb\u4f5c\u6210<\/ul>\n
input {<\/span>\r\n file {<\/span>\r\n path =><\/span> \"\/mnt\/server\/redmine.log\"<\/span>\r\n path =><\/span> \"\/mnt\/server\/pst.log\"<\/span>\r\n path =><\/span> \"\/mnt\/server\/ciscosw.log\"<\/span>\r\n start_position =><\/span> \"beginning\"<\/span>\r\n }<\/span>\r\n}<\/span>\r\nfilter {<\/span>\r\n grok {<\/span>\r\n match =><\/span> {<\/span>\r\n \"message\"<\/span> =><\/span> \"%{SYSLOGBASE}%{SPACE}%{GREEDYDATA:SYSLOGMESSAGE}\"<\/span>\r\n }<\/span>\r\n }<\/span>\r\n}<\/span>\r\noutput {<\/span>\r\n elasticsearch {<\/span>\r\n hosts =><\/span> [<\/span>\"xxx.xxx.xxx.xxx:9200\"<\/span>]<\/span>\r\n index =><\/span> \"syslog-%{+YYYY-MM-dd}\"<\/span>\r\n }<\/span>\r\n}<\/span>\r\n<\/code><\/pre>\nLogstash\u518d\u8d77\u52d5<\/ul>\n
systemctl restart logstash\r\n<\/code><\/pre>\nKibana\u914d\u7f6e<\/h2>\nDevelper Tool\u306e\u753b\u9762\u306b\u30a2\u30af\u30bb\u30b9<\/ul>\n\u8bf7\u7528\u4e2d\u6587\u5c06\u4ee5\u4e0b\u5185\u5bb9\u8fdb\u884c\u6539\u8ff0\uff0c\u53ea\u9700\u63d0\u4f9b\u4e00\u79cd\u9009\u9879\uff1a
\nhttp:\/\/xx.xx.xx.xx:5601\/app\/dev_tools#\/console<\/p>\n
\u8fd9\u662f\u63a7\u5236\u53f0\u7684\u7f51\u5740\uff1ahttp:\/\/xx.xx.xx.xx:5601\/app\/dev_tools#\/console\u3002<\/p>\n
Index\u304c\u767b\u9332\u3055\u308c\u3066\u3044\u308b\u304b\u78ba\u8a8d<\/ul>\n
GET \/_cat\/indices?v\r\n\r\nhealth status index uuid pri rep docs.count docs.deleted store.size pri.store.size\r\nyellow open syslog-2022-02-21 KfyhDKVjRwGGVk2TWuGD1A 1 1 407 0 145.2kb 145.2kb\r\nyellow open syslog-2022-02-22 lmZFW50vTveDW2wriHFW_w 1 1 381\r\n<\/code><\/pre>\nDocument\u60c5\u5831\u78ba\u8a8d<\/ul>\n
GET \/syslog-2022-02-*<\/span> \/_search\r\n{<\/span>\r\n \"query\"<\/span>: {<\/span> \"match_all\"<\/span>: {}<\/span> }<\/span>\r\n}<\/span>\r\n<\/code><\/pre>\nIndex Patterns\u767b\u9332<\/ul>\n\u6309\u7167\u4ee5\u4e0b\u987a\u5e8f\u9009\u62e9\uff1aStack Management -> Index Patterns<\/p>\n
<\/div>\n\u8f93\u5165Syslog-*\u540e\uff0c\u70b9\u51fb\u4e0b\u4e00\u6b65\u3002
\n\u8f93\u5165Syslog-*\u540e\uff0c\u70b9\u51fb\u4e0b\u4e00\u6b65\u3002
\n\u8f93\u5165Syslog-*\u540e\uff0c\u70b9\u51fb\u4e0b\u4e00\u6b65\u3002
\n\u8f93\u5165Syslog-*\u5e76\u70b9\u51fb\u4e0b\u4e00\u6b65\u3002
\n\u5728\u8f93\u5165Syslog-*\u540e\uff0c\u70b9\u51fb\u4e0b\u4e00\u6b65\u3002
\n\u8f93\u5165Syslog-*\u7136\u540e\u70b9\u51fb\u4e0b\u4e00\u6b65\u3002<\/p>\n
<\/div>\n\u9009\u62e9\u65f6\u95f4\u6233\u540e\uff0c\u70b9\u51fb”\u521b\u5efa\u7d22\u5f15\u6a21\u5f0f”\u3002<\/p>\n
<\/div>\nSyslog\u78ba\u8a8d<\/ul>\n\u70b9\u51fb\u201cDiscover\u201d\u6309\u94ae<\/p>\n
<\/div>\n\u786e\u8ba4\u662f\u5426\u663e\u793a\u4e86Syslog\u7684\u5185\u5bb9\u3002<\/p>\n
<\/div>\n\u30b0\u30e9\u30d5\u4f5c\u6210<\/ul>\n\u9009\u62e9Visualize\u540e\uff0c\u521b\u5efa\u559c\u6b22\u7684\u56fe\u8868\u3002<\/p>\n
<\/div>\nAWS\u5074\u306e\u30ed\u30b0\u53d6\u8fbc\u307f\u306e\u624b\u9806\u3092\u69cb\u7bc9\u3059\u308b\u3002<\/h1>\nLogstash\u914d\u7f6e<\/h2>\nCloudWatch\u30d7\u30e9\u30b0\u30a4\u30f3\u306e\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb<\/ul>\n
\/usr\/share\/logstash\/bin\/logstash-plugin install <\/span>logstash-input-cloudwatch_logs\r\n<\/code><\/pre>\nFlowlogs\u306egrok\u30d1\u30bf\u30fc\u30f3\u4f5c\u6210<\/ul>\n
VPCFLOWLOG %{<\/span>NUMBER:version}<\/span> %{<\/span>NOTSPACE:account-id}<\/span> %{<\/span>NOTSPACE:interface-id}<\/span> %{<\/span>IP:srcaddr}<\/span> %{<\/span>IP:dstaddr}<\/span> %{<\/span>NOTSPACE:srcport}<\/span> %{<\/span>NOTSPACE:dstport}<\/span> %{<\/span>NOTSPACE:protocol}<\/span> %{<\/span>NUMBER:packets:float}<\/span> %{<\/span>NUMBER:bytes:float}<\/span> %{<\/span>NOTSPACE:start}<\/span> %{<\/span>NOTSPACE:end}<\/span> %{<\/span>NOTSPACE:action}<\/span> %{<\/span>NOTSPACE:log-status}<\/span>\r\n<\/code><\/pre>\nConf\u30d5\u30a1\u30a4\u30eb\u4f5c\u6210\uff08VPC Flowlogs\uff09<\/ul>\n
input {<\/span>\r\n cloudwatch_logs {<\/span>\r\n region =><\/span> \"ap-northeast-1\"<\/span>\r\n log_group =><\/span> [<\/span>
- AlmaLinux release 8.5 (Arctic Sphynx)<\/ul>\n<\/li>\n<\/ul>\n
- \n
- \u4e0b\u8a18\u306e\u8a2d\u5b9a\u306f\u8a2d\u5b9a\u6e08\u307f<\/ul>\n<\/li>\n<\/ul>\n
- \n
- CloudTrail,VPCFlowlogs,CloudWatch\u306e\u8a2d\u5b9a<\/ul>\n<\/li>\n<\/ul>\n
- \n
- Logstash\u306efilter\u7b87\u6240\u306e\u8a18\u8f09\u65b9\u6cd5\uff08CloudTrail\u3001VPCFlowlogs\uff09\u306f\u4e0b\u8a18\u30b5\u30a4\u30c8\u3092\u53c2\u8003\u306b\u3055\u305b\u3066\u9802\u304d\u307e\u3057\u305f\u3002<\/ul>\n<\/li>\n<\/ul>\n
- \n
- VPC FlowLogs\u3092Logstash\u3067\u6b63\u898f\u5316\u3057\u3066\u307f\u305f<\/ul>\n<\/li>\n<\/ul>\n
<\/p>\n
- CloudTrail\u3092Elasticsearch\u306b\u53d6\u308a\u8fbc\u3093\u3067\u307f\u305f<\/ul>\n
\u5efa\u7acb\u6b65\u9a5f\uff08On-premise\u7aef\u7684\u65e5\u8a8c\u6536\u96c6\uff09<\/h1>\n
\u642d\u5efaElasticsearch\u670d\u52a1\u5668<\/h2>\n
- Elasticsearch\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb<\/ul>\n
wget https:\/\/artifacts.elastic.co\/downloads\/elasticsearch\/elasticsearch-7.10.1-x86_64.rpm\r\nrpm --install<\/span> elasticsearch-7.10.1-x86_64.rpm\r\n<\/code><\/pre>\n- Elasticsearch\u8a2d\u5b9a<\/ul>\n
vim elasticsearch.yml\r\nnetwork.host: 0.0.0.0\r\nnode.name: node-1\r\ncluster.initial_master_nodes: [<\/span>\"node-1\"<\/span>]<\/span>\r\n<\/code><\/pre>\n- vm.max_map_count\u30d1\u30e9\u30e1\u30fc\u30bf\u8a2d\u5b9a<\/ul>\n
vm.max_map_count=<\/span>262144\r\n<\/code><\/pre>\nsysctl -q<\/span> -w<\/span> vm.max_map_count=<\/span>262144\r\nsystemctl enable <\/span>elasticsearch\r\nsystemctl start elasticsearch\r\n<\/code><\/pre>\n\u5c06Kibana\u4e5f\u5b89\u88c5\u5728\u540c\u4e00\u53f0\u670d\u52a1\u5668\u4e0a\u3002<\/p>\n
- Kibana\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb<\/ul>\n
wget https:\/\/artifacts.elastic.co\/downloads\/kibana\/kibana-7.10.1-x86_64.rpm\r\nrpm --install<\/span> kibana-7.10.1-x86_64.rpm\r\n\r\n<\/code><\/pre>\n- Kibana\u8a2d\u5b9a<\/ul>\n
server.host: \"0.0.0.0\"<\/span>\r\n<\/code><\/pre>\n- Kibana\u8d77\u52d5<\/ul>\n
systemctl enable <\/span>kibana\r\nsystemctl start kibana\r\n<\/code><\/pre>\n- Kibana\u52d5\u4f5c\u78ba\u8a8d<\/ul>\n
\u8bbf\u95ee http:\/\/xx.xx.xx.xx:5601\/<\/p>\n
\u642d\u5efaLogstash\u670d\u52a1\u5668<\/h2>\n
- OpenJDK\u306e\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb<\/ul>\n
yum -y<\/span> install <\/span>java-1.8.0-openjdk\r\n<\/code><\/pre>\n- Logstash\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb<\/ul>\n
rpm --import<\/span> https:\/\/artifacts.elastic.co\/GPG-KEY-elasticsearch\r\n<\/code><\/pre>\n[<\/span>logstash-7.x]\r\nname<\/span>=<\/span>Elastic repository for <\/span>7.x packages\r\nbaseurl<\/span>=<\/span>https:\/\/artifacts.elastic.co\/packages\/7.x\/yum\r\ngpgcheck<\/span>=<\/span>1\r\ngpgkey<\/span>=<\/span>https:\/\/artifacts.elastic.co\/GPG-KEY-elasticsearch\r\nenabled<\/span>=<\/span>1\r\nautorefresh<\/span>=<\/span>1\r\ntype<\/span>=<\/span>rpm-md\r\n<\/code><\/pre>\nyum -y<\/span> install <\/span>logstash-7.10.1\r\n<\/code><\/pre>\n- Logstash\u8d77\u52d5<\/ul>\n
systemctl enable <\/span>logstash\r\nsystemctl restart logstash\r\n<\/code><\/pre>\n\u5efa\u7acbSyslog\u670d\u52a1\u5668<\/h2>\n
- Syslog\u8a2d\u5b9a<\/ul>\n
\u4f7f\u7528IP\u5730\u5740\u5c06\u65e5\u5fd7\u6587\u4ef6\u5206\u79bb\u7684\u8bbe\u7f6e<\/p>\n
module(<\/span>load<\/span>=<\/span>\"imudp\"<\/span>)<\/span> # needs to be done just once<\/span>\r\ninput(<\/span>type<\/span>=<\/span>\"imudp\"<\/span> port<\/span>=<\/span>\"514\"<\/span>)<\/span>\r\n\r\nmodule(<\/span>load<\/span>=<\/span>\"imtcp\"<\/span>)<\/span> # needs to be done just once<\/span>\r\ninput(<\/span>type<\/span>=<\/span>\"imtcp\"<\/span> port<\/span>=<\/span>\"514\"<\/span>)<\/span>\r\n\r\n#### RULES ####<\/span>\r\n:fromhost-ip, isequal, \"xxx.xxx.xxx.xxx\"<\/span> -\/var\/log\/server\/pst.log\r\n& ~\r\n:fromhost-ip, isequal, \"xxx.xxx.xxx.xxx\"<\/span> -\/var\/log\/server\/redmine.log\r\n& ~\r\n:fromhost-ip, isequal, \"xxx.xxx.xxx.xxx\"<\/span> -\/var\/log\/server\/ciscosw.log\r\n& ~\r\n<\/code><\/pre>\n\/var\/log\/server\/*<\/span>.log {<\/span>\r\nweekly\r\nrotate 54\r\ncompress\r\ncreate 0664 root root\r\npostrotate\r\n\/bin\/systemctl restart rsyslog\r\nendscript\r\n}<\/span>\r\n<\/code><\/pre>\nsystemctl restart rsyslog\r\n<\/code><\/pre>\nSyslog\u8f6c\u53d1\u7aef\u8bbe\u7f6e<\/h2>\n
- \u30b5\u30fc\u30d0\u8a2d\u5b9a<\/ul>\n
*<\/span>.*<\/span> @@xxx.xxx.xxx.xxx:514\r\n<\/code><\/pre>\nsystemctl restart rsyslog\r\n<\/code><\/pre>\n- \u30b9\u30a4\u30c3\u30c1\u8a2d\u5b9a<\/ul>\n
\u4e3a\u4e86\u6d4b\u8bd5\u76ee\u7684\uff0c\u5728\u8c03\u8bd5\u4e2d\u8bbe\u7f6e\u7ea7\u522b\u3002<\/p>\n
logging host xxx.xxx.xxx.xxx\r\nlogging trap <\/span>debugging\r\n<\/code><\/pre>\nNFS\u914d\u7f6e<\/h2>\n
\u4f7fLogstash\u670d\u52a1\u5668\u80fd\u591f\u770b\u5230Syslog\u670d\u52a1\u5668\u3002<\/p>\n
- Syslog\u30b5\u30fc\u30d0\u5074\u8a2d\u5b9a<\/ul>\n
yum -y<\/span> install <\/span>nfs-utils\r\nsystemctl enable <\/span>nfs-server\r\nsystemctl start nfs-server\r\n<\/code><\/pre>\n\/var\/log xxx.xxx.xxx.xxx\/xx(<\/span>rw,no_root_squash)<\/span>\r\n<\/code><\/pre>\n- Logstash\u30b5\u30fc\u30d0\u5074\u8a2d\u5b9a<\/ul>\n
yum -y<\/span> install <\/span>nfs-utils\r\nsystemctl enable <\/span>nfs-server\r\nsystemctl start nfs-server\r\nmount -t<\/span> nfs xxx.xxx.xxx.xxx:\/var\/log \/mnt\r\n<\/code><\/pre>\nxxx.xxx.xxx.xxx:\/var\/log \/mnt nfs defaults 0 0\r\n<\/code><\/pre>\nLogstash\u914d\u7f6e<\/h2>\n
\u53c2\u8003\u8d44\u6599\uff1alogstash\u6a21\u5f0f<\/p>\n
- Conf\u30d5\u30a1\u30a4\u30eb\u4f5c\u6210<\/ul>\n
input {<\/span>\r\n file {<\/span>\r\n path =><\/span> \"\/mnt\/server\/redmine.log\"<\/span>\r\n path =><\/span> \"\/mnt\/server\/pst.log\"<\/span>\r\n path =><\/span> \"\/mnt\/server\/ciscosw.log\"<\/span>\r\n start_position =><\/span> \"beginning\"<\/span>\r\n }<\/span>\r\n}<\/span>\r\nfilter {<\/span>\r\n grok {<\/span>\r\n match =><\/span> {<\/span>\r\n \"message\"<\/span> =><\/span> \"%{SYSLOGBASE}%{SPACE}%{GREEDYDATA:SYSLOGMESSAGE}\"<\/span>\r\n }<\/span>\r\n }<\/span>\r\n}<\/span>\r\noutput {<\/span>\r\n elasticsearch {<\/span>\r\n hosts =><\/span> [<\/span>\"xxx.xxx.xxx.xxx:9200\"<\/span>]<\/span>\r\n index =><\/span> \"syslog-%{+YYYY-MM-dd}\"<\/span>\r\n }<\/span>\r\n}<\/span>\r\n<\/code><\/pre>\n- Logstash\u518d\u8d77\u52d5<\/ul>\n
systemctl restart logstash\r\n<\/code><\/pre>\nKibana\u914d\u7f6e<\/h2>\n
- Develper Tool\u306e\u753b\u9762\u306b\u30a2\u30af\u30bb\u30b9<\/ul>\n
\u8bf7\u7528\u4e2d\u6587\u5c06\u4ee5\u4e0b\u5185\u5bb9\u8fdb\u884c\u6539\u8ff0\uff0c\u53ea\u9700\u63d0\u4f9b\u4e00\u79cd\u9009\u9879\uff1a
\nhttp:\/\/xx.xx.xx.xx:5601\/app\/dev_tools#\/console<\/p>\n\u8fd9\u662f\u63a7\u5236\u53f0\u7684\u7f51\u5740\uff1ahttp:\/\/xx.xx.xx.xx:5601\/app\/dev_tools#\/console\u3002<\/p>\n
- Index\u304c\u767b\u9332\u3055\u308c\u3066\u3044\u308b\u304b\u78ba\u8a8d<\/ul>\n
GET \/_cat\/indices?v\r\n\r\nhealth status index uuid pri rep docs.count docs.deleted store.size pri.store.size\r\nyellow open syslog-2022-02-21 KfyhDKVjRwGGVk2TWuGD1A 1 1 407 0 145.2kb 145.2kb\r\nyellow open syslog-2022-02-22 lmZFW50vTveDW2wriHFW_w 1 1 381\r\n<\/code><\/pre>\n- Document\u60c5\u5831\u78ba\u8a8d<\/ul>\n
GET \/syslog-2022-02-*<\/span> \/_search\r\n{<\/span>\r\n \"query\"<\/span>: {<\/span> \"match_all\"<\/span>: {}<\/span> }<\/span>\r\n}<\/span>\r\n<\/code><\/pre>\n- Index Patterns\u767b\u9332<\/ul>\n
\u6309\u7167\u4ee5\u4e0b\u987a\u5e8f\u9009\u62e9\uff1aStack Management -> Index Patterns<\/p>\n
<\/div>\n\u8f93\u5165Syslog-*\u540e\uff0c\u70b9\u51fb\u4e0b\u4e00\u6b65\u3002
\n\u8f93\u5165Syslog-*\u540e\uff0c\u70b9\u51fb\u4e0b\u4e00\u6b65\u3002
\n\u8f93\u5165Syslog-*\u540e\uff0c\u70b9\u51fb\u4e0b\u4e00\u6b65\u3002
\n\u8f93\u5165Syslog-*\u5e76\u70b9\u51fb\u4e0b\u4e00\u6b65\u3002
\n\u5728\u8f93\u5165Syslog-*\u540e\uff0c\u70b9\u51fb\u4e0b\u4e00\u6b65\u3002
\n\u8f93\u5165Syslog-*\u7136\u540e\u70b9\u51fb\u4e0b\u4e00\u6b65\u3002<\/p>\n<\/div>\n\u9009\u62e9\u65f6\u95f4\u6233\u540e\uff0c\u70b9\u51fb”\u521b\u5efa\u7d22\u5f15\u6a21\u5f0f”\u3002<\/p>\n
<\/div>\n- Syslog\u78ba\u8a8d<\/ul>\n
\u70b9\u51fb\u201cDiscover\u201d\u6309\u94ae<\/p>\n
<\/div>\n\u786e\u8ba4\u662f\u5426\u663e\u793a\u4e86Syslog\u7684\u5185\u5bb9\u3002<\/p>\n
<\/div>\n- \u30b0\u30e9\u30d5\u4f5c\u6210<\/ul>\n
\u9009\u62e9Visualize\u540e\uff0c\u521b\u5efa\u559c\u6b22\u7684\u56fe\u8868\u3002<\/p>\n
<\/div>\nAWS\u5074\u306e\u30ed\u30b0\u53d6\u8fbc\u307f\u306e\u624b\u9806\u3092\u69cb\u7bc9\u3059\u308b\u3002<\/h1>\n
Logstash\u914d\u7f6e<\/h2>\n
- CloudWatch\u30d7\u30e9\u30b0\u30a4\u30f3\u306e\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb<\/ul>\n
\/usr\/share\/logstash\/bin\/logstash-plugin install <\/span>logstash-input-cloudwatch_logs\r\n<\/code><\/pre>\n- Flowlogs\u306egrok\u30d1\u30bf\u30fc\u30f3\u4f5c\u6210<\/ul>\n
VPCFLOWLOG %{<\/span>NUMBER:version}<\/span> %{<\/span>NOTSPACE:account-id}<\/span> %{<\/span>NOTSPACE:interface-id}<\/span> %{<\/span>IP:srcaddr}<\/span> %{<\/span>IP:dstaddr}<\/span> %{<\/span>NOTSPACE:srcport}<\/span> %{<\/span>NOTSPACE:dstport}<\/span> %{<\/span>NOTSPACE:protocol}<\/span> %{<\/span>NUMBER:packets:float}<\/span> %{<\/span>NUMBER:bytes:float}<\/span> %{<\/span>NOTSPACE:start}<\/span> %{<\/span>NOTSPACE:end}<\/span> %{<\/span>NOTSPACE:action}<\/span> %{<\/span>NOTSPACE:log-status}<\/span>\r\n<\/code><\/pre>\n- Conf\u30d5\u30a1\u30a4\u30eb\u4f5c\u6210\uff08VPC Flowlogs\uff09<\/ul>\n
input {<\/span>\r\n cloudwatch_logs {<\/span>\r\n region =><\/span> \"ap-northeast-1\"<\/span>\r\n log_group =><\/span> [<\/span>
<\/p>\n
- \n
- \n
<\/p>\n
- Logstash\u304b\u3089CloudWatch\u306b\u30a2\u30af\u30bb\u30b9\u3059\u308bIAM\u30e6\u30fc\u30b6\u306e\u4f5c\u6210\u53ca\u3073IAM\u30ed\u30fc\u30eb\u306e\u8a2d\u5b9a<\/ul>\n
\u8bf7\u63d0\u4f9b\u5177\u4f53\u7684\u53e5\u5b50\u6216\u5185\u5bb9\uff0c\u6211\u5c06\u4e3a\u60a8\u63d0\u4f9b\u4e2d\u6587\u7684\u540c\u4e49\u8f6c\u8ff0\u3002<\/h1>\n
- \n
- \n
<\/p>\n
- \n
- \n
<\/p>\n
- \n