Helpful logstash crap: a simple logstash-forwarder script to install LF on CentOS 6.0 and above boxes
# Grok patterns for the Apache error_log: the bracketed timestamp, then a full line
# with level, optional "[client ip]" and the free-text message.
APACHE_ERROR_TIME %{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR}
APACHE_ERROR_LOG \[%{APACHE_ERROR_TIME:timestamp}\] \[%{LOGLEVEL:loglevel}\] (?:\[client %{IPORHOST:clientip}\] ){0,1}%{GREEDYDATA:errormsg}
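#!/bin/bash
# Install logstash-forwarder 0.3.1 on CentOS 6+ and point it at a logstash server.
#
# Required environment:
#   LOGSTASH_HOST  host/IP of the logstash server (forwarder ships to port 5000)
# Optional environment:
#   CERT_SOURCE    scp source of the forwarder CA cert
#                  (default: user@$LOGSTASH_HOST:/etc/pki/tls/certs/logstash-forwarder.crt)
#
# Must run as root: it installs an RPM and writes under /etc and /etc/init.d.
set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

(( EUID == 0 )) || die "run as root (installs an RPM and writes to /etc)"

readonly logstash_host=${LOGSTASH_HOST:?set LOGSTASH_HOST to the logstash server host}
readonly cert_path=/etc/pki/tls/certs/logstash-forwarder.crt
readonly cert_source=${CERT_SOURCE:-user@${logstash_host}:${cert_path}}
readonly rpm_name=logstash-forwarder-0.3.1-1.x86_64.rpm
readonly rpm_url=http://packages.elasticsearch.org/logstashforwarder/centos/${rpm_name}
readonly init_url=http://logstashbook.com/code/4/logstash_forwarder_redhat_init
readonly config_path=/etc/logstash-forwarder

for tool in scp curl rpm chkconfig; do
  command -v "$tool" >/dev/null || die "missing required tool: $tool"
done

# Download into a private temp dir instead of ~ so a partial RPM never lingers.
tmpdir=$(mktemp -d) || die "mktemp failed"
cleanup() { rm -rf -- "${tmpdir:?}"; }
trap cleanup EXIT

# CA cert the forwarder uses to verify the logstash server's TLS endpoint.
scp "$cert_source" "$cert_path"

# NOTE(review): both downloads are plain HTTP with no checksum or signature check,
# and the RPM is installed as root. Verify the package signature (rpm -K) against
# the vendor key, or mirror these artifacts on a host you trust, before relying on
# this outside a lab. curl -f makes an HTTP error fail the script instead of
# installing an error page.
curl -f -o "${tmpdir}/${rpm_name}" "$rpm_url"
rpm -ivh "${tmpdir}/${rpm_name}"

curl -f -o /etc/init.d/logstash-forwarder "$init_url"
chmod +x /etc/init.d/logstash-forwarder

printf 'LOGSTASH_FORWARDER_OPTIONS="-config %s -spool-size 100"\n' "$config_path" \
  > /etc/sysconfig/logstash-forwarder

# Write (not append) the config: appending on a re-run would leave two
# concatenated JSON documents and an unparseable config.
cat > "$config_path" <<EOF
{
"network": {
"servers": [ "${logstash_host}:5000" ],
"timeout": 15,
"ssl ca": "${cert_path}"
},
"files": [
{
"paths": [
"/var/log/secure"
],
"fields": { "type": "syslog" }
}
]
}
EOF

# Register the SysV init script so the service starts on boot.
chkconfig --add logstash-forwarder

printf '\033[1;31m Please test install: /opt/logstash-forwarder/bin/logstash-forwarder -config %s \033[0m\n' "$config_path"
printf '\033[1;31m If all is good start the service: service logstash-forwarder start \033[0m\n'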
# Grok patterns for OpenSSH sshd lines in /var/log/secure; captured fields land under [sshd].
# NOTE(review): the "(:? : ..." groups in SSHD_ACCEPTED, SSHD_FAILED and SSHD_PAM_SESSION
# look like a typo for the non-capturing group "(?:" — the ":?" makes the colon optional
# instead. Confirm against a sample line before relying on keytype/pubkey/opened_by.
SSHD_ACCEPTED Accepted %{WORD:[sshd][authmethod]} for %{DATA:[sshd][user]} from %{IPORHOST:[sshd][clientip]} port %{INT:[sshd][clientport]} ssh%{INT:[sshd][protoversion]}(:? : %{WORD:[sshd][keytype]} %{GREEDYDATA:[sshd][pubkey]})?
SSHD_FAILED Failed %{WORD:[sshd][authmethod]} for %{DATA:[sshd][user]} from %{IPORHOST:[sshd][clientip]} port %{INT:[sshd][clientport]} ssh%{INT:[sshd][protoversion]}(:? : %{WORD:[sshd][keytype]} %{GREEDYDATA:[sshd][pubkey]})?
SSHD_CLOSED Connection closed by %{IPORHOST:[sshd][clientip]} \[%{DATA:[sshd][phase]}\]
SSHD_DISCON Received disconnect from %{IPORHOST:[sshd][clientip]}: %{NUMBER:[sshd][reason]}: %{GREEDYDATA:[sshd][message]} (\[%{WORD:[sshd][phase]}\])?
SSHD_SUBSYS subsystem request for %{WORD:[sshd][subsystem]} by user %{WORD:[sshd][user]}
SSHD_INVALID_USER Invalid user %{WORD:[sshd][user]} from %{IPORHOST:[sshd][clientip]}
SSHD_INVALID_USER_AUTH input_userauth_request: invalid user %{WORD:[sshd][user]} \[%{DATA:[sshd][phase]}\]
SSHD_SOCKET_ERR fatal: Read from socket failed: %{GREEDYDATA:[sshd][reason]} \[%{DATA:[sshd][phase]}\]
# The two mapping patterns catch the reverse-DNS mismatch warnings sshd logs; useful for
# detection of hosts whose forward/reverse DNS disagree.
SSHD_INVALID_MAPPING Address %{IP:[sshd][clientip]} maps to %{HOST:[sshd][hostname]}, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
SSHD_INVALID_REVERSE_MAPPING reverse mapping checking getaddrinfo for %{HOST:[sshd][hostname]} \[%{IP:[sshd][clientip]}\] failed - POSSIBLE BREAK-IN ATTEMPT!
# NOTE(review): the opened_by capture below is missing its closing "}" before "\)",
# so this pattern will not compile as written.
SSHD_PAM_SESSION pam_unix\(sshd:session\): session %{WORD:[sshd][session_state]} for user %{WORD:[sshd][user]}(:? by \(%{GREEDYDATA:[sshd][opened_by]\))?
# Runbook (manual steps, not a script to execute as-is): run the forwarder in the
# foreground first to check the config and cert before enabling the service.
/opt/logstash-forwarder/bin/logstash-forwarder -config /etc/logstash-forwarder
##COPY CRT TO REMOTE BOX
# Run on the logstash host: push the forwarder CA cert to the box being set up.
# SERVERIP is a placeholder for that box.
scp /etc/pki/tls/certs/logstash-forwarder.crt root@SERVERIP:/etc/pki/tls/certs/logstash-forwarder.crt
##INSTALL LOGSTASH_FORWARDER
# Run on the box being set up.
# NOTE(review): the three downloads below are plain HTTP with no checksum or
# signature check, and the RPM and init script are installed as root. Verify the
# package (rpm -K) or mirror the artifacts on a trusted host before doing this
# anywhere that matters.
cd ~; curl -O http://packages.elasticsearch.org/logstashforwarder/centos/logstash-forwarder-0.3.1-1.x86_64.rpm
sudo rpm -ivh ~/logstash-forwarder-0.3.1-1.x86_64.rpm
cd /etc/init.d/; sudo curl -o logstash-forwarder http://logstashbook.com/code/4/logstash_forwarder_redhat_init
sudo chmod +x logstash-forwarder
sudo curl -o /etc/sysconfig/logstash-forwarder http://logstashbook.com/code/4/logstash_forwarder_redhat_sysconfig
# Edit the sysconfig file so it contains the single line shown under "TO FILE".
vim /etc/sysconfig/logstash-forwarder
### TO FILE
LOGSTASH_FORWARDER_OPTIONS="-config /etc/logstash-forwarder -spool-size 100"
# Create the JSON config the -config option points at (network servers, ssl ca, files).
vim /etc/logstash-forwarder
# Register with SysV init and start the service.
chkconfig --add logstash-forwarder
service logstash-forwarder start