audit.log 연동.
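filter {
  # Drop Logstash's own bookkeeping fields so the debug output shows only what
  # came out of audit.log. @timestamp is removed here as well, so after this
  # filter the event carries no event time at all unless something re-sets it.
  mutate { remove_field => ["@timestamp", "@version", "path", "host"] }

  # audit.log lines end in CRLF. Without this the last key=value pair keeps
  # the CR ("entries" => "0\r", "key" => "(null)\r"), and apparently for the
  # same reason kv no longer strips the brackets from "(null)" the way it does
  # for tty=(none) -> "none". The gsub pattern is a regex, so Ruby interprets
  # \r as a carriage return even when config.support_escapes is off.
  mutate { gsub => ["message", "\r", ""] }

  # Split the "key=value" pairs of the audit record into fields.
  kv {}

  # msg looks like "audit(1745768855.720:63):"; keep the epoch part as
  # "timestamp" and skip the rest. The ":63" serial (shared by every record
  # belonging to the same audit event, e.g. the NETFILTER_CFG and SYSCALL
  # records above) is thrown away by the trailing %{} skip.
  dissect { mapping => {"msg" => "%{}(%{timestamp}:%{}"} }
}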
{ "family" => "10", "message" => "type=NETFILTER_CFG msg=audit(1745768855.720:63): table=filter family=10 entries=0\r", "type" => "NETFILTER_CFG", "entries" => "0\r", "timestamp" => "1745768855.720", "table" => "filter", "msg" => "audit(1745768855.720:63):"}{ "gid" => "0", "a2" => "41a2d8", "a0" => "1e2da20", "ppid" => "1335", "key" => "(null)\r", "timestamp" => "1745768855.720", "a1" => "1d75", "fsgid" => "0", "tty" => "none", "message" => "type=SYSCALL msg=audit(1745768855.720:63): arch=c000003e syscall=175 success=yes exit=0 a0=1e2da20 a1=1d75 a2=41a2d8 a3=1e2a500 items=0 ppid=1335 pid=1336 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"modprobe\" exe=\"/usr/bin/kmod\" subj=system_u:system_r:insmod_t:s0 key=(null)\r", "items" => "0", "suid" => "0", "auid" => "4294967295", "sgid" => "0", "pid" => "1336", "egid" => "0", "exe" => "/usr/bin/kmod", "uid" => "0", "ses" => "4294967295", "a3" => "1e2a500", "euid" => "0", "fsuid" => "0", "comm" => "modprobe", "exit" => "0", "success" => "yes", "msg" => "audit(1745768855.720:63):", "arch" => "c000003e", "subj" => "system_u:system_r:insmod_t:s0", "syscall" => "175", "type" => "SYSCALL"}
그런데 시간 정보가 unix time 포맷이다. stackoverflow 형님들이 가르쳐준대로 date 포맷으로 변경.
filter { mutate { remove_field => ["@timestamp", "@version", "path", "host"] }
# Split the "key=value" pairs of the audit record into fields.
kv {}
# Pull the epoch part of "audit(1745768855.720:63):" out into "timestamp".
dissect { mapping => {"msg" => "%{}(%{timestamp}:%{}"} }
# Does NOT work as written: event.set('@timestamp', ...) rejects the DateTime
# ("wrong argument type DateTime (expected LogStash::Timestamp)"). @timestamp
# has to be a LogStash::Timestamp, not a plain Ruby DateTime/Time.
ruby { code => "event.set('@timestamp', DateTime.strptime(event.get('timestamp'), '%s'))" }}
[2025-04-28T17:52:41,760][ERROR][logstash.filters.ruby ][main][7cefa12dcafdc101f42a5bda6812294cab6405d0864ef044fe35a2cc66392ce4] Ruby exception occurred: wrong argument type DateTime (expected LogStash::Timestamp)
안 된다. 제미나이한테 물어봄.
[2025-04-28T17:57:02,837][ERROR][logstash.filters.ruby ][main][d35de4494869054b8277f75d5c334da579e561ff0060cc7554ec4beb7dd79661] Ruby exception occurred: wrong argument type DateTime (expected Time)
안 되잖아(..)
아무래도 로그스태시 구문이 따로 있는 것 같은데 ruby 구문을 계속 그대로 사용하는 게 이상하다. gpt는 다를까?
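filter {
  # Drop Logstash's bookkeeping fields; @timestamp is re-created below from
  # the audit record's own time instead of the ingest time.
  mutate { remove_field => ["@timestamp", "@version", "path", "host"] }

  # audit.log lines end in CRLF; strip the CR before kv so the last pair does
  # not come out as "entries" => "0\r" / "key" => "(null)\r". The pattern is a
  # regex, so \r is understood even when config.support_escapes is off.
  mutate { gsub => ["message", "\r", ""] }

  # Split the "key=value" pairs of the audit record into fields.
  kv {}

  # msg looks like "audit(1745768855.720:63):"; keep the epoch part as
  # "timestamp". The ":63" serial that groups records of one audit event is
  # discarded by the trailing %{} skip.
  dissect { mapping => {"msg" => "%{}(%{timestamp}:%{}"} }

  # event.set('@timestamp', ...) only accepts a LogStash::Timestamp, hence the
  # wrapping of Time.at.
  # - to_f instead of to_i: to_i truncated "1745768855.720" to whole seconds,
  #   which is why the output showed ...:35.000Z; the audit log's millisecond
  #   part is kept this way.
  # - If dissect did not produce "timestamp" (a line that is not an audit
  #   record), nil.to_i would silently yield epoch 0 (1970-01-01). Tag the
  #   event instead so the missing time is visible downstream.
  ruby {
    code => "
      ts = event.get('timestamp')
      if ts
        event.set('@timestamp', LogStash::Timestamp.new(Time.at(ts.to_f)))
      else
        event.tag('_timestamp_missing')
      end
    "
  }
}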
{ "family" => "10", "message" => "type=NETFILTER_CFG msg=audit(1745768855.720:63): table=filter family=10 entries=0\r", "type" => "NETFILTER_CFG", "entries" => "0\r", "timestamp" => "1745768855.720", "@timestamp" => 2025-04-27T15:47:35.000Z, "table" => "filter", "msg" => "audit(1745768855.720:63):"}{ "gid" => "0", "a2" => "41a2d8", "a0" => "1e2da20", "ppid" => "1335", "key" => "(null)\r", "timestamp" => "1745768855.720", "a1" => "1d75", "fsgid" => "0", "tty" => "none", "message" => "type=SYSCALL msg=audit(1745768855.720:63): arch=c000003e syscall=175 success=yes exit=0 a0=1e2da20 a1=1d75 a2=41a2d8 a3=1e2a500 items=0 ppid=1335 pid=1336 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"modprobe\" exe=\"/usr/bin/kmod\" subj=system_u:system_r:insmod_t:s0 key=(null)\r", "items" => "0", "suid" => "0", "auid" => "4294967295", "sgid" => "0", "pid" => "1336", "egid" => "0", "exe" => "/usr/bin/kmod", "uid" => "0", "ses" => "4294967295", "a3" => "1e2a500", "euid" => "0", "fsuid" => "0", "comm" => "modprobe", "@timestamp" => 2025-04-27T15:47:35.000Z, "exit" => "0", "success" => "yes", "msg" => "audit(1745768855.720:63):", "arch" => "c000003e", "subj" => "system_u:system_r:insmod_t:s0", "syscall" => "175", "type" => "SYSCALL"}
아이고 구글(..)