Apple System Log to ELK

Anyone know how to export the ASL log of Mac OS X into a SIEM like ELK? Is there a configuration on filebeat to transform them first into a text format?

I know we can read them via syslog -T utc -F raw

You should be able to export everything via the log command. I sometimes like to analyze the logs my personal laptop produces through logstash and elasticsearch. To get the logs into logstash I run the following in a tmux window:

sudo log stream --info --debug |sudo -E socat -dddd STDIN TCP4:logstash.docker:6661,interval=4,reuseaddr,forever

I hacked together a couple of groks in logstash to parse the macOS system logs and they work most of the time. Feel free to use them for your own logs. If you manage to improve them please send them (or a link to the gist) my way.

filter {
  # First pass: pull the timestamp pieces out of the line and rebuild them
  # as a single log_timestamp field.
  grok {
    match => { "message" => "%{YEAR:year}-%{MONTHNUM:month}-%{MONTHDAY:day}\s+%{HOUR:hour}:%{MINUTE:minute}:%{SECOND:second}%{ISO8601_TIMEZONE:tz}%{GREEDYDATA}" }
    add_field => { "[log_timestamp]" => "%{year}-%{month}-%{day} %{hour}:%{minute}:%{second}%{tz}" }
    tag_on_failure => ["datefail_string"]
  }
  # Second pass: three alternatives, most specific first; grok stops at the
  # first one that matches. They differ only in whether the "(library)" and
  # "[package]" parts are present after the program name.
  grok {
    match => { "message" => [
      "%{YEAR:year}-%{MONTHNUM:month}-%{MONTHDAY:day}\s+%{HOUR:hour}:%{MINUTE:minute}:%{SECOND:second}%{ISO8601_TIMEZONE:tz}\s+%{BASE16NUM:thread_id}\s+%{LOGLEVEL:log_type}\s+%{BASE16NUM:activity}\s+%{NUMBER:pid}\s+%{DATA:program}:\s+\(%{DATA:library}\)\s+\[%{DATA:package}\]\s+%{GREEDYDATA:msg}",
      "%{YEAR:year}-%{MONTHNUM:month}-%{MONTHDAY:day}\s+%{HOUR:hour}:%{MINUTE:minute}:%{SECOND:second}%{ISO8601_TIMEZONE:tz}\s+%{BASE16NUM:thread_id}\s+%{LOGLEVEL:log_type}\s+%{BASE16NUM:activity}\s+%{NUMBER:pid}\s+%{DATA:program}:\s+\[%{DATA:package}\]\s+%{GREEDYDATA:msg}",
      "%{YEAR:year}-%{MONTHNUM:month}-%{MONTHDAY:day}\s+%{HOUR:hour}:%{MINUTE:minute}:%{SECOND:second}%{ISO8601_TIMEZONE:tz}\s+%{BASE16NUM:thread_id}\s+%{LOGLEVEL:log_type}\s+%{BASE16NUM:activity}\s+%{NUMBER:pid}\s+%{DATA:program}:%{GREEDYDATA:msg}"
    ] }
    tag_on_failure => ["logfail1"]
    remove_field => ["message"]
  }

  # Drop the intermediate timestamp parts now that log_timestamp is built.
  mutate {
    remove_field => ["month","day","year","minute","hour","second","tz"]
  }
}
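To check what the three grok alternatives above actually extract before wiring them into Logstash, here is an added example (not the answerer's code) that translates them into Python regexes and runs them over constructed sample lines in the same column layout; the sample lines, the SAMPLE_LINES name and the parse_line/parse_lines helpers are assumptions of this example, and log_type is matched against the unified log's own level names (Default, Info, Debug, Error, Fault) instead of grok's syslog-oriented LOGLEVEL set.

```python
import re

# Python translation of the three grok alternatives in the filter above,
# written for this example (not the original poster's code). The sample
# lines at the bottom are constructed to match the column layout the grok
# expects; they were not captured from a real machine.
TS = (r"(?P<log_timestamp>\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2}(?:\.\d+)?"
      r"(?:Z|[+-]\d{2}:?\d{2}))")
HEAD = (TS + r"\s+(?P<thread_id>(?:0x)?[0-9a-fA-F]+)"
        # unified-log level names rather than grok's syslog-oriented LOGLEVEL
        r"\s+(?P<log_type>Default|Info|Debug|Error|Fault)"
        r"\s+(?P<activity>(?:0x)?[0-9a-fA-F]+)"
        r"\s+(?P<pid>\d+)\s+(?P<program>.*?):")
# Same order as the grok array: most specific first, first match wins.
PATTERNS = [
    re.compile(HEAD + r"\s+\((?P<library>[^)]*)\)\s+\[(?P<package>[^\]]*)\]\s+(?P<msg>.*)$"),
    re.compile(HEAD + r"\s+\[(?P<package>[^\]]*)\]\s+(?P<msg>.*)$"),
    re.compile(HEAD + r"(?P<msg>.*)$"),
]

def parse_line(line):
    """Return the event fields, or {'tags': ['logfail1']} as the filter does."""
    for pat in PATTERNS:
        m = pat.match(line.rstrip("\n"))
        if m:
            ev = {k: v for k, v in m.groupdict().items() if v is not None}
            # mirror add_field: a single space between date and time
            ev["log_timestamp"] = re.sub(r"\s+", " ", ev["log_timestamp"])
            ev["pid"] = int(ev["pid"])
            ev["msg"] = ev["msg"].strip()
            return ev
    return {"tags": ["logfail1"]}

def parse_lines(lines):
    return [parse_line(l) for l in lines]

# Constructed sample input: one line per grok alternative plus one that matches none.
SAMPLE_LINES = [
    "2020-05-12 10:23:45.123456+0200 0x1a2b Default 0x0 345 loginwindow: (Security) [com.apple.securityd:keychain] unlock attempt",
    "2020-05-12 10:23:46.000001+0200 0x1a2c Error 0x0 346 kernel: [com.apple.kernel:sandbox] Sandbox: deny file-read-data /private/etc/hosts",
    "2020-05-12 10:23:47.500000+0200 0x1a2d Info 0x0 347 sshd: Accepted publickey for alice from 10.0.0.5 port 52212",
    "not a log line at all",
]

if __name__ == "__main__":
    for ev in parse_lines(SAMPLE_LINES):
        print(ev)
```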

You can use a log collector agent like NXLog EE to send logs directly to Elasticsearch, or forward collected logs to Logstash, and macOS is a supported platform. Kernel logs, local Syslog, Apple System Logs, process accounting logs, and other log files can be collected. EE is not free but there is a trial available.

There are also modules to parse Apple System Log (*.asl) files.


Guangdong ICP filing no. 18138465  © 2020-2024 STACKOOM.COM