Shipping Cisco logs to Elasticsearch with the Filebeat client

1. Install the matching version of Filebeat

wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.5.2-x86_64.rpm
rpm -ivh filebeat-7.5.2-x86_64.rpm

2. The Cisco-side configuration was handed off to a colleague (manual smirk)

3. Configuration files

# 1. Edit the main Filebeat configuration
vim /etc/filebeat/filebeat.yml

output.elasticsearch:
  hosts: ["<es_url>"]
  # Custom indices, selected per fileset
  indices:
    - index: "netsec_asa_%{+yyyy.MM.dd}"
      when.equals:
        fileset.name: "asa"
    - index: "netsec_ios_%{+yyyy.MM.dd}"
      when.equals:
        fileset.name: "ios"
  # Elasticsearch login username and password
  username: "elastic"
  password: "<password>"
setup.kibana:
  host: "<kibana_url>"

# 2. Enable the cisco module and edit the module's configuration
filebeat modules enable cisco

vim /etc/filebeat/modules.d/cisco.yml
# Module: cisco
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.5/filebeat-module-cisco.html

- module: cisco
  asa:
    enabled: true

    # Set which input to use between syslog (default) or file.
    var.input: syslog
    # The interface to listen to UDP based syslog traffic. Defaults to
    # localhost. Set to 0.0.0.0 to bind to all available interfaces.
    var.syslog_host: 0.0.0.0

    # The UDP port to listen for syslog traffic. Defaults to 9001.
    var.syslog_port: 9001

    # Set the log level from 1 (alerts only) to 7 (include all messages).
    # Messages with a log level higher than the specified will be dropped.
    # See https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs-sev-level.html
    var.log_level: 7

  ftd:
    enabled: true

    # Set which input to use between syslog (default) or file.
    #var.input: syslog

    # The interface to listen to UDP based syslog traffic. Defaults to
    # localhost. Set to 0.0.0.0 to bind to all available interfaces.
    #var.syslog_host: localhost

    # The UDP port to listen for syslog traffic. Defaults to 9003.
    #var.syslog_port: 9003

    # Set the log level from 1 (alerts only) to 7 (include all messages).
    # Messages with a log level higher than the specified will be dropped.
    # See https://www.cisco.com/c/en/us/td/docs/security/firepower/Syslogs/b_fptd_syslog_guide/syslogs-sev-level.html
    #var.log_level: 7

  ios:
    enabled: true

    # Set which input to use between syslog (default) or file.
    #var.input: syslog

    # The interface to listen to UDP based syslog traffic. Defaults to
    # localhost. Set to 0.0.0.0 to bind to all available interfaces.
    var.syslog_host: 0.0.0.0

    # The UDP port to listen for syslog traffic. Defaults to 9002.
    var.syslog_port: 9002

    # Set custom paths for the log files when using file input. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths

# 3. Start Filebeat
systemctl start filebeat
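The two pieces of logic the configuration above depends on are the index routing in output.elasticsearch.indices and the asa fileset's var.log_level filter. The script below is an added example, written for this page and not code from the original post or from the Filebeat project: it re-implements both as a simplified model so you can check where a given event lands before pointing real devices at the collector. The routing rules, the 7.5.2 version and the date pattern are copied from the post; the fallback index name is Filebeat 7.x's documented default (filebeat-<agent.version>-<date>), which is where the ftd fileset's events go because the post's indices list has no rule for it; the syslog lines and events are constructed samples.

```python
"""Added example (not from the original post or the Filebeat project).

Models, as a simplified re-implementation rather than Filebeat's own code:

1. output.elasticsearch.indices routing: the first `when.equals` rule whose
   fields all match the event wins; an event matching no rule falls back
   to the default index (Filebeat 7.x: filebeat-%{[agent.version]}-%{+yyyy.MM.dd}).
2. The cisco asa fileset's var.log_level: the severity digit of the
   %ASA-<sev>-<id> tag is compared with the configured level and messages
   with a higher (less severe) number are dropped.

All events and syslog lines here are constructed for illustration.
"""
import re
from datetime import date

# Routing rules as written in the post's filebeat.yml.
INDICES = [
    {"index": "netsec_asa_%{+yyyy.MM.dd}", "when.equals": {"fileset.name": "asa"}},
    {"index": "netsec_ios_%{+yyyy.MM.dd}", "when.equals": {"fileset.name": "ios"}},
]
DEFAULT_INDEX = "filebeat-%{[agent.version]}-%{+yyyy.MM.dd}"
AGENT_VERSION = "7.5.2"  # the RPM installed in step 1


def lookup(event, dotted):
    """Resolve a dotted field name such as 'fileset.name' in a nested event dict."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def render_index(pattern, event, when):
    """Expand the %{+yyyy.MM.dd} date and %{[agent.version]} placeholders."""
    out = pattern.replace("%{+yyyy.MM.dd}", when.strftime("%Y.%m.%d"))
    version = lookup(event, "agent.version") or AGENT_VERSION
    return out.replace("%{[agent.version]}", version)


def route_index(event, when):
    """Return the index name an event is written to under INDICES (first match wins)."""
    for rule in INDICES:
        cond = rule["when.equals"]
        if all(lookup(event, field) == value for field, value in cond.items()):
            return render_index(rule["index"], event, when)
    return render_index(DEFAULT_INDEX, event, when)


# ASA message tag: %ASA-<severity 0-7>-<six-digit message id>
ASA_TAG = re.compile(r"%ASA-(?P<sev>[0-7])-(?P<msgid>\d{6})")


def asa_severity(line):
    """Severity 0-7 parsed from the %ASA-<sev>-<id> tag, or None if no tag is present."""
    m = ASA_TAG.search(line)
    return int(m.group("sev")) if m else None


def keep_by_log_level(line, log_level):
    """True if the line survives var.log_level; lines above the level are dropped.

    Model choice (not Filebeat's): a line with no recognisable tag cannot be
    classified, so it is kept rather than silently lost.
    """
    sev = asa_severity(line)
    return sev is None or sev <= log_level


# Constructed sample ASA syslog lines (not real captures).
SAMPLE_LINES = [
    "<163>Nov 27 10:54:01 asa01 %ASA-3-710003: TCP access denied by ACL from 203.0.113.5/41022 to outside:198.51.100.10/22",
    "<166>Nov 27 10:54:02 asa01 %ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.7/51000 to inside:192.0.2.20/443",
    "<167>Nov 27 10:54:03 asa01 %ASA-7-609001: Built local-host inside:192.0.2.20",
]


def demo(today=date(2020, 11, 27)):
    """Route one event per enabled fileset and filter the sample lines at level 6."""
    events = [
        {"fileset": {"name": name}, "agent": {"version": AGENT_VERSION}}
        for name in ("asa", "ios", "ftd")  # ftd has no indices rule -> default index
    ]
    routed = {lookup(e, "fileset.name"): route_index(e, today) for e in events}
    kept = [l for l in SAMPLE_LINES if keep_by_log_level(l, 6)]
    return routed, kept


if __name__ == "__main__":
    routed, kept = demo()
    for fileset, index in routed.items():
        print(f"{fileset:>4} -> {index}")
    print(f"{len(kept)} of {len(SAMPLE_LINES)} sample lines kept at var.log_level: 6")
```

Running it shows asa and ios events landing in the netsec_asa_/netsec_ios_ indices of the day while ftd events fall through to filebeat-7.5.2-<date>; if ftd logs should sit beside the others, add a third indices rule for fileset.name "ftd". The level-6 filter keeps the severity 3 and 6 lines and drops the severity 7 debug line, which is the trade-off behind the post's var.log_level: 7 (keep everything) on asa.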
Posted 2020-11-27 10:54 by 带着泥土