The following is a winlogbeat input configuration. The `no_more_events: stop` option makes winlogbeat shut down on its own once the event log it is reading (here a saved .evtx file) has no more records to process. It is convenient, so I use it a lot for console tests.
winlogbeat.event_logs:
  - name: 'd:\5156.evtx'
    no_more_events: stop
    processors:
      - script:
          lang: javascript
          id: security
          file: ${path.home}/module/security/config/winlogbeat-security.js
2022-07-23T15:33:32.612+0900 INFO instance/beat.go:468 winlogbeat start running.
2022-07-23T15:33:32.612+0900 INFO [monitoring] log/log.go:117 Starting metrics logging every 30s
2022-07-23T15:33:33.624+0900 INFO beater/eventlogger.go:129 EventLog[d:\5156.evtx] Stop processing.
2022-07-23T15:33:33.624+0900 INFO [publisher] pipeline/retry.go:219 retryer: send unwait signal to consumer
2022-07-23T15:33:33.624+0900 INFO [publisher] pipeline/retry.go:223 done
2022-07-23T15:33:33.624+0900 INFO [publisher_pipeline_output] pipeline/output.go:143 Connecting to backoff(elasticsearch(http://localhost:9200))
2022-07-23T15:33:33.624+0900 INFO [monitoring] log/log.go:152 Total non-zero metrics {"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":156,"time":{"ms":156}},"total":{"ticks":218,"time":{"ms":218},"value":0},"user":{"ticks":62,"time":{"ms":62}}},"handles":{"open":211},"info":{"ephemeral_id":"d3c9a24d-a1e0-4804-86fe-fe7a0bb48578","uptime":{"ms":1106}},"memstats":{"gc_next":10962944,"memory_alloc":8837360,"memory_sys":19556944,"memory_total":16670872,"rss":41218048},"runtime":{"goroutines":17}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"active":0},"type":"elasticsearch"},"pipeline":{"clients":0,"events":{"active":1,"published":1,"total":1}}},"msg_file_cache":{"d:\\5156":{"evtxMisses":1,"evtxSize":1}},"system":{"cpu":{"cores":8}}}}}
2022-07-23T15:33:33.625+0900 INFO [monitoring] log/log.go:153 Uptime: 1.1077127s
2022-07-23T15:33:33.625+0900 INFO [monitoring] log/log.go:130 Stopping metrics logging.
2022-07-23T15:33:33.626+0900 INFO instance/beat.go:474 winlogbeat stopped.
Looking at the beat log, the message "send unwait signal to consumer" stands out. That line is an INFO message from the publisher pipeline's retryer, not an error; what matters is what is missing around it. The beat logs "Connecting to backoff(elasticsearch(http://localhost:9200))" and then "winlogbeat stopped" two milliseconds later, with no "Connection ... established" line and no "successfully published" line in between. The final metrics agree: pipeline.events shows published:1 but also active:1, and output.events has no acked count at all. The event was accepted into the queue but never delivered, because the beat exited before the output had even connected. To confirm, I removed the no_more_events option.
winlogbeat.event_logs:
  - name: 'd:\5156.evtx'
    processors:
      - script:
          lang: javascript
          id: security
          file: ${path.home}/module/security/config/winlogbeat-security.js
Now the index gets created. The log shows that after the unwait signal the beat connects to the node, loads the index template, and publishes the event; the same retryer message appears, so it was never the problem.
2022-07-23T16:52:13.110+0900 INFO instance/beat.go:468 winlogbeat start running.
2022-07-23T16:52:13.110+0900 INFO [monitoring] log/log.go:117 Starting metrics logging every 30s
2022-07-23T16:52:14.128+0900 INFO [publisher_pipeline_output] pipeline/output.go:143 Connecting to backoff(elasticsearch(http://localhost:9200))
2022-07-23T16:52:14.128+0900 INFO [publisher] pipeline/retry.go:219 retryer: send unwait signal to consumer
2022-07-23T16:52:14.128+0900 INFO [publisher] pipeline/retry.go:223 done
2022-07-23T16:52:14.142+0900 INFO [esclientleg] eslegclient/connection.go:314 Attempting to connect to Elasticsearch version 7.12.0
2022-07-23T16:52:14.156+0900 INFO [license] licenser/es_callback.go:51 Elasticsearch license: Basic
2022-07-23T16:52:14.158+0900 INFO [esclientleg] eslegclient/connection.go:314 Attempting to connect to Elasticsearch version 7.12.0
2022-07-23T16:52:14.220+0900 INFO template/load.go:117 Try loading template evttest to Elasticsearch
2022-07-23T16:52:14.383+0900 INFO template/load.go:109 template with name 'evttest' loaded.
2022-07-23T16:52:14.383+0900 INFO [index-management] idxmgmt/std.go:298 Loaded index template.
2022-07-23T16:52:14.384+0900 INFO [publisher_pipeline_output] pipeline/output.go:151 Connection to backoff(elasticsearch(http://localhost:9200)) established
2022-07-23T16:52:14.676+0900 INFO beater/eventlogger.go:88 EventLog[d:\5156.evtx] successfully published 1 events
If you do need `no_more_events: stop`, add the `shutdown_timeout` option alongside it. Its default is 0s, so winlogbeat exits the moment the event log is exhausted without waiting for the publisher queue to drain; giving it a value makes the beat wait up to that long for the remaining events to be acknowledged by the output before it stops.

winlogbeat.event_logs:
  - name: 'd:\5156.evtx'
    no_more_events: stop
    processors:
      - script:
          lang: javascript
          id: security
          file: ${path.home}/module/security/config/winlogbeat-security.js

winlogbeat.shutdown_timeout: 10s
The message "Shutdown will wait max 10s for the remaining 1 events to publish" now appears, the connection to the node is established, the event is published, and only then does the beat stop. The final metrics confirm it: output.events shows acked:1 and pipeline.events shows active:0, where the first run had no ack and one event still active.
2022-07-23T17:44:59.279+0900 INFO instance/beat.go:468 winlogbeat start running.
2022-07-23T17:44:59.279+0900 INFO [monitoring] log/log.go:117 Starting metrics logging every 30s
2022-07-23T17:45:00.299+0900 INFO beater/eventlogger.go:129 EventLog[d:\5156.evtx] Stop processing.
2022-07-23T17:45:00.299+0900 INFO [publisher] pipeline/retry.go:219 retryer: send unwait signal to consumer
2022-07-23T17:45:00.299+0900 INFO [publisher_pipeline_output] pipeline/output.go:143 Connecting to backoff(elasticsearch(http://localhost:9200))
2022-07-23T17:45:00.299+0900 INFO [publisher] pipeline/retry.go:223 done
2022-07-23T17:45:00.299+0900 INFO beater/winlogbeat.go:149 Shutdown will wait max 10s for the remaining 1 events to publish.
2022-07-23T17:45:00.304+0900 INFO [esclientleg] eslegclient/connection.go:314 Attempting to connect to Elasticsearch version 7.12.0
2022-07-23T17:45:00.319+0900 INFO [license] licenser/es_callback.go:51 Elasticsearch license: Basic
2022-07-23T17:45:00.320+0900 INFO [esclientleg] eslegclient/connection.go:314 Attempting to connect to Elasticsearch version 7.12.0
2022-07-23T17:45:00.335+0900 INFO [index-management] idxmgmt/std.go:261 Auto ILM enable success.
2022-07-23T17:45:00.335+0900 INFO [index-management.ilm] ilm/std.go:139 do not generate ilm policy: exists=true, overwrite=false
2022-07-23T17:45:00.335+0900 INFO [index-management] idxmgmt/std.go:274 ILM policy successfully loaded.
2022-07-23T17:45:00.335+0900 INFO [index-management] idxmgmt/std.go:407 Set setup.template.name to '{winlogbeat-7.12.0 {now/d}-000001}' as ILM is enabled.
2022-07-23T17:45:00.335+0900 INFO [index-management] idxmgmt/std.go:412 Set setup.template.pattern to 'winlogbeat-7.12.0-*' as ILM is enabled.
2022-07-23T17:45:00.335+0900 INFO [index-management] idxmgmt/std.go:446 Set settings.index.lifecycle.rollover_alias in template to {winlogbeat-7.12.0 {now/d}-000001} as ILM is enabled.
2022-07-23T17:45:00.335+0900 INFO [index-management] idxmgmt/std.go:450 Set settings.index.lifecycle.name in template to {winlogbeat {"policy":{"phases":{"hot":{"actions":{"rollover":{"max_age":"30d","max_size":"50gb"}}}}}}} as ILM is enabled.
2022-07-23T17:45:00.336+0900 INFO template/load.go:97 Template winlogbeat-7.12.0 already exists and will not be overwritten.
2022-07-23T17:45:00.336+0900 INFO [index-management] idxmgmt/std.go:298 Loaded index template.
2022-07-23T17:45:00.485+0900 INFO [index-management] idxmgmt/std.go:309 Write alias successfully generated.
2022-07-23T17:45:00.486+0900 INFO [publisher_pipeline_output] pipeline/output.go:151 Connection to backoff(elasticsearch(http://localhost:9200)) established
2022-07-23T17:45:00.617+0900 INFO beater/eventlogger.go:88 EventLog[d:\5156.evtx] successfully published 1 events
2022-07-23T17:45:00.622+0900 INFO [monitoring] log/log.go:152 Total non-zero metrics {"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":78,"time":{"ms":78}},"total":{"ticks":109,"time":{"ms":109},"value":109},"user":{"ticks":31,"time":{"ms":31}}},"handles":{"open":224},"info":{"ephemeral_id":"28462686-f680-4038-a2a3-3dbe12ef0af8","uptime":{"ms":1434}},"memstats":{"gc_next":11411168,"memory_alloc":9180824,"memory_sys":24410904,"memory_total":17282600,"rss":42369024},"runtime":{"goroutines":16}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"acked":1,"active":0,"batches":1,"total":1},"read":{"bytes":3586},"type":"elasticsearch","write":{"bytes":3651}},"pipeline":{"clients":0,"events":{"active":0,"published":1,"retry":1,"total":1},"queue":{"acked":1}}},"msg_file_cache":{"d:\\5156":{"evtxMisses":1,"evtxSize":1}},"published_events":{"d:\\5156":{"evtx":1},"total":1},"system":{"cpu":{"cores":8}}}}}
2022-07-23T17:45:00.622+0900 INFO [monitoring] log/log.go:153 Uptime: 1.4357842s
2022-07-23T17:45:00.622+0900 INFO [monitoring] log/log.go:130 Stopping metrics logging.
2022-07-23T17:45:00.623+0900 INFO instance/beat.go:474 winlogbeat stopped.
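When a one-shot .evtx ingest is part of a forensics or detection-testing workflow, it is worth checking mechanically that the beat did not drop the queue on exit, rather than eyeballing the log each time. The following is an added example of my own, not code from this post or from winlogbeat: it parses the final "Total non-zero metrics" line that libbeat writes at shutdown, compares the pipeline's `published` count with the output's `acked` count, and also counts the per-log "successfully published N events" confirmations. The two sample logs are constructed, trimmed down from the first and third runs above; the JSON field names (`libbeat.pipeline.events`, `libbeat.output.events`) are the ones visible in those runs.

```python
import json
import re
from typing import Any, Dict

# The libbeat shutdown summary line; everything after the marker is one JSON object.
METRICS_RE = re.compile(r"Total non-zero metrics (\{.*\})\s*$")
# Per-event-log confirmation that the output acknowledged a batch.
PUBLISHED_RE = re.compile(r"EventLog\[[^\]]+\] successfully published (\d+) events")
# The output actually reached Elasticsearch before the beat exited.
CONNECTED_RE = re.compile(r"Connection to backoff\(.*\) established")


def parse_metrics(log_text: str) -> Dict[str, Any]:
    """Return the 'metrics' object from the last 'Total non-zero metrics' line, or {} if none."""
    metrics: Dict[str, Any] = {}
    for line in log_text.splitlines():
        m = METRICS_RE.search(line)
        if m:
            metrics = json.loads(m.group(1))["monitoring"]["metrics"]
    return metrics


def check_shutdown_flush(log_text: str) -> Dict[str, Any]:
    """Compare what the pipeline accepted with what the output acknowledged before the beat stopped."""
    metrics = parse_metrics(log_text)
    libbeat = metrics.get("libbeat", {})
    pipeline_events = libbeat.get("pipeline", {}).get("events", {})
    output_events = libbeat.get("output", {}).get("events", {})

    published = int(pipeline_events.get("published", 0))  # accepted into the queue
    active = int(pipeline_events.get("active", 0))        # still sitting in the queue at exit
    acked = int(output_events.get("acked", 0))            # confirmed by Elasticsearch (absent => 0)
    confirmed = sum(int(n) for n in PUBLISHED_RE.findall(log_text))

    return {
        "published": published,
        "acked": acked,
        "active_at_stop": active,
        "confirmed_by_eventlog": confirmed,
        "output_connected": CONNECTED_RE.search(log_text) is not None,
        "lost": published - acked,
        # No metrics line at all is treated as a failed check, not a clean one.
        "ok": bool(metrics) and published == acked and active == 0,
    }


# Constructed sample: no_more_events: stop with the default shutdown_timeout (0s).
RUN_WITHOUT_TIMEOUT = r"""2022-07-23T15:33:32.612+0900 INFO instance/beat.go:468 winlogbeat start running.
2022-07-23T15:33:33.624+0900 INFO beater/eventlogger.go:129 EventLog[d:\5156.evtx] Stop processing.
2022-07-23T15:33:33.624+0900 INFO [publisher_pipeline_output] pipeline/output.go:143 Connecting to backoff(elasticsearch(http://localhost:9200))
2022-07-23T15:33:33.624+0900 INFO [monitoring] log/log.go:152 Total non-zero metrics {"monitoring":{"metrics":{"libbeat":{"output":{"events":{"active":0},"type":"elasticsearch"},"pipeline":{"clients":0,"events":{"active":1,"published":1,"total":1}}},"msg_file_cache":{"d:\\5156":{"evtxMisses":1,"evtxSize":1}}}}}
2022-07-23T15:33:33.626+0900 INFO instance/beat.go:474 winlogbeat stopped.
"""

# Constructed sample: the same config plus winlogbeat.shutdown_timeout: 10s.
RUN_WITH_TIMEOUT = r"""2022-07-23T17:44:59.279+0900 INFO instance/beat.go:468 winlogbeat start running.
2022-07-23T17:45:00.299+0900 INFO beater/eventlogger.go:129 EventLog[d:\5156.evtx] Stop processing.
2022-07-23T17:45:00.299+0900 INFO beater/winlogbeat.go:149 Shutdown will wait max 10s for the remaining 1 events to publish.
2022-07-23T17:45:00.486+0900 INFO [publisher_pipeline_output] pipeline/output.go:151 Connection to backoff(elasticsearch(http://localhost:9200)) established
2022-07-23T17:45:00.617+0900 INFO beater/eventlogger.go:88 EventLog[d:\5156.evtx] successfully published 1 events
2022-07-23T17:45:00.622+0900 INFO [monitoring] log/log.go:152 Total non-zero metrics {"monitoring":{"metrics":{"libbeat":{"output":{"events":{"acked":1,"active":0,"batches":1,"total":1},"type":"elasticsearch"},"pipeline":{"events":{"active":0,"published":1,"retry":1,"total":1},"queue":{"acked":1}}},"published_events":{"d:\\5156":{"evtx":1},"total":1}}}}
2022-07-23T17:45:00.623+0900 INFO instance/beat.go:474 winlogbeat stopped.
"""


if __name__ == "__main__":
    for label, text in (("without shutdown_timeout", RUN_WITHOUT_TIMEOUT), ("with shutdown_timeout", RUN_WITH_TIMEOUT)):
        print(label, check_shutdown_flush(text))
```

Run it against the real beat log (winlogbeat's `logs/winlogbeat` file or the console output) after an ingest; a non-zero `lost` or a missing `output_connected` means the run has to be repeated with a larger `shutdown_timeout`, and the "successfully published" count is a second, independent confirmation that the batch was acked rather than merely queued.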