GrayLog配置OSSEC

ossec server 输出格式设置 ossec.conf

#开启json格式输出
<ossec_config>  
  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
  </global>
</ossec_config>  

filebet配置output到graylog

filebeat:  
  prospectors:
  - encoding: plain
    fields:
      collector_node_id: name
      gl2_source_collector: b9eb664a-b2fe-44fb-a798-caafc6ef7b8d
      type: log
    ignore_older: 0
    paths:
    - /var/ossec/logs/alerts/alerts.json
    scan_frequency: 10s
    tail_files: true
    type: log
output:  
  logstash:
    hosts:
    - server:port
path:  
  data: /var/cache/graylog/collector-sidecar/filebeat/data
  logs: /var/log/graylog/collector-sidecar
tags:  
- linux
- ossec

graylog配置

输入inpurt

下辈子想做头猪的博客

json解析

下辈子想做头猪的博客

grafana展示

{
  "annotations": {
    "list": [
      {
        "builtIn": 1,
        "datasource": "-- Grafana --",
        "enable": true,
        "hide": true,
        "iconColor": "rgba(0, 211, 255, 1)",
        "name": "Annotations & Alerts",
        "type": "dashboard"
      }
    ]
  },
  "editable": true,
  "gnetId": null,
  "graphTooltip": 2,
  "hideControls": false,
  "id": 4,
  "links": [],
  "refresh": "1m",
  "rows": [
    {
      "collapse": false,
      "height": 240,
      "panels": [
        {
          "cacheTimeout": null,
          "colorBackground": false,
          "colorValue": false,
          "colors": [
            "#299c46",
            "rgba(237, 129, 40, 0.89)",
            "#d44a3a"
          ],
          "datasource": "OSSEC",
          "format": "none",
          "gauge": {
            "maxValue": 100,
            "minValue": 0,
            "show": false,
            "thresholdLabels": false,
            "thresholdMarkers": true
          },
          "id": 3,
          "interval": null,
          "links": [],
          "mappingType": 1,
          "mappingTypes": [
            {
              "name": "value to text",
              "value": 1
            },
            {
              "name": "range to text",
              "value": 2
            }
          ],
          "maxDataPoints": 100,
          "nullPointMode": "connected",
          "nullText": null,
          "postfix": "",
          "postfixFontSize": "50%",
          "prefix": "",
          "prefixFontSize": "50%",
          "rangeMaps": [
            {
              "from": "null",
              "text": "N/A",
              "to": "null"
            }
          ],
          "span": 3,
          "sparkline": {
            "fillColor": "rgba(31, 118, 189, 0.18)",
            "full": false,
            "lineColor": "rgb(31, 120, 193)",
            "show": false
          },
          "tableColumn": "",
          "targets": [
            {
              "bucketAggs": [
                {
                  "field": "timestamp",
                  "id": "2",
                  "settings": {
                    "interval": "1s",
                    "min_doc_count": 0,
                    "trimEdges": 0
                  },
                  "type": "date_histogram"
                }
              ],
              "dsType": "elasticsearch",
              "metrics": [
                {
                  "field": "select field",
                  "id": "1",
                  "type": "count"
                }
              ],
              "query": "rule_level:>=7",
              "refId": "A",
              "timeField": "timestamp"
            }
          ],
          "thresholds": "",
          "title": "告警数",
          "type": "singlestat",
          "valueFontSize": "80%",
          "valueMaps": [
            {
              "op": "=",
              "text": "N/A",
              "value": "null"
            }
          ],
          "valueName": "total"
        },
        {
          "aliasColors": {},
          "cacheTimeout": null,
          "combine": {
            "label": "Others",
            "threshold": 0
          },
          "datasource": "OSSEC",
          "fontSize": "80%",
          "format": "short",
          "id": 9,
          "interval": null,
          "legend": {
            "show": true,
            "values": true
          },
          "legendType": "Under graph",
          "links": [],
          "maxDataPoints": 3,
          "nullPointMode": "connected",
          "pieType": "pie",
          "span": 4,
          "strokeWidth": 1,
          "targets": [
            {
              "bucketAggs": [
                {
                  "fake": true,
                  "field": "rule_description",
                  "id": "3",
                  "settings": {
                    "min_doc_count": 1,
                    "order": "desc",
                    "orderBy": "_term",
                    "size": "10"
                  },
                  "type": "terms"
                },
                {
                  "field": "timestamp",
                  "id": "2",
                  "settings": {
                    "interval": "auto",
                    "min_doc_count": 0,
                    "trimEdges": 0
                  },
                  "type": "date_histogram"
                }
              ],
              "dsType": "elasticsearch",
              "metrics": [
                {
                  "field": "select field",
                  "id": "1",
                  "type": "count"
                }
              ],
              "refId": "A",
              "timeField": "timestamp"
            }
          ],
          "title": "告警事件比",
          "type": "grafana-piechart-panel",
          "valueName": "total"
        },
        {
          "aliasColors": {},
          "bars": false,
          "dashLength": 10,
          "dashes": false,
          "datasource": "OSSEC",
          "fill": 1,
          "id": 1,
          "interval": "",
          "legend": {
            "avg": false,
            "current": false,
            "max": false,
            "min": false,
            "show": true,
            "total": false,
            "values": false
          },
          "lines": true,
          "linewidth": 1,
          "links": [],
          "nullPointMode": "null",
          "percentage": false,
          "pointradius": 5,
          "points": false,
          "renderer": "flot",
          "seriesOverrides": [],
          "spaceLength": 10,
          "span": 5,
          "stack": false,
          "steppedLine": false,
          "targets": [
            {
              "bucketAggs": [
                {
                  "fake": true,
                  "field": "rule_level",
                  "id": "3",
                  "settings": {
                    "min_doc_count": 1,
                    "order": "desc",
                    "orderBy": "_count",
                    "size": "10"
                  },
                  "type": "terms"
                },
                {
                  "field": "timestamp",
                  "id": "2",
                  "settings": {
                    "interval": "1m",
                    "min_doc_count": 0,
                    "trimEdges": 0
                  },
                  "type": "date_histogram"
                }
              ],
              "dsType": "elasticsearch",
              "metrics": [
                {
                  "field": "select field",
                  "id": "1",
                  "type": "count"
                }
              ],
              "query": "rule_level:>=7",
              "refId": "A",
              "timeField": "timestamp"
            }
          ],
          "thresholds": [],
          "timeFrom": null,
          "timeShift": null,
          "title": "实时告警数(告警等级)",
          "tooltip": {
            "shared": true,
            "sort": 0,
            "value_type": "individual"
          },
          "type": "graph",
          "xaxis": {
            "buckets": null,
            "mode": "time",
            "name": null,
            "show": true,
            "values": []
          },
          "yaxes": [
            {
              "format": "short",
              "label": null,
              "logBase": 1,
              "max": null,
              "min": null,
              "show": true
            },
            {
              "format": "short",
              "label": null,
              "logBase": 1,
              "max": null,
              "min": null,
              "show": false
            }
          ]
        }
      ],
      "repeat": null,
      "repeatIteration": null,
      "repeatRowId": null,
      "showTitle": false,
      "title": "Dashboard Row",
      "titleSize": "h6"
    },
    {
      "collapse": false,
      "height": 273,
      "panels": [
        {
          "aliasColors": {},
          "cacheTimeout": null,
          "combine": {
            "label": "Others",
            "threshold": 0
          },
          "datasource": "OSSEC",
          "fontSize": "80%",
          "format": "short",
          "id": 4,
          "interval": null,
          "legend": {
            "percentage": true,
            "percentageDecimals": null,
            "show": true,
            "sortDesc": true,
            "values": true
          },
          "legendType": "Right side",
          "links": [],
          "maxDataPoints": 3,
          "nullPointMode": "connected",
          "pieType": "pie",
          "span": 4,
          "strokeWidth": 1,
          "targets": [
            {
              "bucketAggs": [
                {
                  "fake": true,
                  "field": "rule_level",
                  "id": "3",
                  "settings": {
                    "min_doc_count": 1,
                    "order": "desc",
                    "orderBy": "_count",
                    "size": "10"
                  },
                  "type": "terms"
                },
                {
                  "field": "timestamp",
                  "id": "2",
                  "settings": {
                    "interval": "auto",
                    "min_doc_count": 0,
                    "trimEdges": 0
                  },
                  "type": "date_histogram"
                }
              ],
              "dsType": "elasticsearch",
              "metrics": [
                {
                  "field": "select field",
                  "id": "1",
                  "type": "count"
                }
              ],
              "query": "rule_level:>=7",
              "refId": "A",
              "timeField": "timestamp"
            }
          ],
          "title": "告警等级比",
          "type": "grafana-piechart-panel",
          "valueName": "total"
        },
        {
          "aliasColors": {},
          "cacheTimeout": null,
          "combine": {
            "label": "Others",
            "threshold": 0
          },
          "datasource": "OSSEC",
          "fontSize": "80%",
          "format": "short",
          "id": 7,
          "interval": null,
          "legend": {
            "percentage": true,
            "percentageDecimals": null,
            "show": true,
            "sortDesc": true,
            "values": true
          },
          "legendType": "Right side",
          "links": [],
          "maxDataPoints": 3,
          "nullPointMode": "connected",
          "pieType": "pie",
          "span": 4,
          "strokeWidth": 1,
          "targets": [
            {
              "bucketAggs": [
                {
                  "fake": true,
                  "field": "srcip",
                  "id": "3",
                  "settings": {
                    "min_doc_count": 1,
                    "order": "desc",
                    "orderBy": "_count",
                    "size": "10"
                  },
                  "type": "terms"
                },
                {
                  "field": "timestamp",
                  "id": "2",
                  "settings": {
                    "interval": "auto",
                    "min_doc_count": 0,
                    "trimEdges": 0
                  },
                  "type": "date_histogram"
                }
              ],
              "dsType": "elasticsearch",
              "metrics": [
                {
                  "field": "select field",
                  "id": "1",
                  "type": "count"
                }
              ],
              "query": "rule_level:>=7",
              "refId": "A",
              "timeField": "timestamp"
            }
          ],
          "title": "攻击ip TOP10",
          "type": "grafana-piechart-panel",
          "valueName": "total"
        },
        {
          "aliasColors": {},
          "cacheTimeout": null,
          "combine": {
            "label": "Others",
            "threshold": 0
          },
          "datasource": "OSSEC",
          "decimals": null,
          "fontSize": "80%",
          "format": "short",
          "hideTimeOverride": false,
          "id": 6,
          "interval": null,
          "legend": {
            "percentage": true,
            "show": true,
            "values": true
          },
          "legendType": "Right side",
          "links": [],
          "maxDataPoints": 3,
          "nullPointMode": "connected",
          "pieType": "pie",
          "span": 4,
          "strokeWidth": 1,
          "targets": [
            {
              "bucketAggs": [
                {
                  "fake": true,
                  "field": "agent_ip",
                  "id": "3",
                  "settings": {
                    "min_doc_count": 1,
                    "order": "desc",
                    "orderBy": "_count",
                    "size": "10"
                  },
                  "type": "terms"
                },
                {
                  "field": "timestamp",
                  "id": "2",
                  "settings": {
                    "interval": "auto",
                    "min_doc_count": 0,
                    "trimEdges": 0
                  },
                  "type": "date_histogram"
                }
              ],
              "dsType": "elasticsearch",
              "metrics": [
                {
                  "field": "select field",
                  "id": "1",
                  "type": "count"
                }
              ],
              "query": "rule_level:>=7",
              "refId": "A",
              "timeField": "timestamp"
            }
          ],
          "title": "告警ip比",
          "type": "grafana-piechart-panel",
          "valueName": "total"
        }
      ],
      "repeat": null,
      "repeatIteration": null,
      "repeatRowId": null,
      "showTitle": false,
      "title": "Dashboard Row",
      "titleSize": "h6"
    },
    {
      "collapse": false,
      "height": 599,
      "panels": [
        {
          "columns": [
            {
              "text": "timestamp",
              "value": "timestamp"
            },
            {
              "text": "agent_ip",
              "value": "agent_ip"
            },
            {
              "text": "rule_description",
              "value": "rule_description"
            },
            {
              "text": "full_log",
              "value": "full_log"
            }
          ],
          "datasource": "OSSEC",
          "fontSize": "80%",
          "id": 5,
          "links": [],
          "pageSize": null,
          "scroll": true,
          "showHeader": true,
          "sort": {
            "col": null,
            "desc": false
          },
          "span": 12,
          "styles": [
            {
              "alias": "",
              "colorMode": null,
              "colors": [
                "rgba(245, 54, 54, 0.9)",
                "rgba(237, 129, 40, 0.89)",
                "rgba(50, 172, 45, 0.97)"
              ],
              "dateFormat": "YYYY-MM-DD HH:mm:ss",
              "decimals": 2,
              "pattern": "timestamp",
              "thresholds": [],
              "type": "date",
              "unit": "short"
            }
          ],
          "targets": [
            {
              "bucketAggs": [],
              "dsType": "elasticsearch",
              "metrics": [
                {
                  "field": "select field",
                  "id": "1",
                  "meta": {},
                  "settings": {
                    "size": 500
                  },
                  "type": "raw_document"
                }
              ],
              "query": "rule_level:>=7",
              "refId": "A",
              "timeField": "timestamp"
            }
          ],
          "title": "告警原始日志",
          "transform": "json",
          "type": "table"
        }
      ],
      "repeat": null,
      "repeatIteration": null,
      "repeatRowId": null,
      "showTitle": false,
      "title": "Dashboard Row",
      "titleSize": "h6"
    }
  ],
  "schemaVersion": 14,
  "style": "dark",
  "tags": [],
  "templating": {
    "list": [
      {
        "allValue": null,
        "current": {
          "tags": [],
          "text": "All",
          "value": [
            "$__all"
          ]
        },
        "datasource": "OSSEC",
        "hide": 0,
        "includeAll": true,
        "label": "主机",
        "multi": true,
        "name": "agent",
        "options": [
          {
            "selected": true,
            "text": "All",
            "value": "$__all"
          },
          {
            "selected": false,
            "text": "10.133.22.10",
            "value": "10.133.22.10"
          },
          {
            "selected": false,
            "text": "10.133.22.11",
            "value": "10.133.22.11"
          }
        ],
        "query": "{\"find\": \"terms\", \"field\": \"agent_ip\"}",
        "refresh": 0,
        "regex": "",
        "sort": 0,
        "tagValuesQuery": "",
        "tags": [],
        "tagsQuery": "",
        "type": "query",
        "useTags": false
      },
      {
        "datasource": "OSSEC",
        "filters": [],
        "hide": 0,
        "label": "过滤",
        "name": "filter",
        "type": "adhoc"
      }
    ]
  },
  "time": {
    "from": "now-6h",
    "to": "now"
  },
  "timepicker": {
    "refresh_intervals": [
      "5s",
      "10s",
      "30s",
      "1m",
      "5m",
      "15m",
      "30m",
      "1h",
      "2h",
      "1d"
    ],
    "time_options": [
      "5m",
      "15m",
      "1h",
      "6h",
      "12h",
      "24h",
      "2d",
      "7d",
      "30d"
    ]
  },
  "timezone": "",
  "title": "OSSEC告警",
  "version": 19
}

下辈子想做头猪的博客

zhutougg

继续阅读此作者的更多文章