
3.5 Windows system logs

The Logstash community has a large number of Windows users, so this section separately covers collecting and processing system logs on the Windows platform. The earlier sections covered Linux system logs, i.e. syslog handling. The Windows platform in fact has a design similar to syslog, called the eventlog. This section describes how to handle the Windows eventlog.

3.5.1 Collector-side configuration

Because the author of Logstash comes from a Linux operations background, early versions had quite a few bugs specific to the Windows platform. So for logs on Windows it is currently recommended that, while trying Logstash, you also try the more stable nxlog. A more detailed introduction to nxlog is given in a later chapter of this book.

Here we first describe how Logstash and nxlog are configured to handle the Windows eventlog.

The Logstash configuration is as follows:

input {
    eventlog {
        # uncomment to collect all three standard channels instead of Security only
        #logfile => ["Application", "Security", "System"]
        logfile => ["Security"]
        type => "winevent"
        tags => [ "caen" ]
    }
}

The nxlog configuration has the following key points:

1) ROOT must be the actual installation path of nxlog.

2) On Windows 2003 and earlier versions, the input module is called im_mseventlog rather than im_msvistalog.

Below is a complete nxlog configuration example:

# ROOT must match the real nxlog installation directory (see point 1 above)
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log
<Extension json>
    Module  xm_json
</Extension>
<Input in>
    # on Windows 2003 and earlier use im_mseventlog instead (see point 2 above)
    Module  im_msvistalog
    # serialise every event record as one JSON object
    Exec    to_json();
</Input>
<Output out>
    # send the JSON lines over TCP to the central Logstash receiver
    Module  om_tcp
    Host    10.66.66.66
    Port    5140
</Output>
<Route 1>
    Path    in => out
</Route>

3.5.2 Receiver-side parsing configuration

On the central receiving side, Logstash is used throughout to parse the events and store them. If the collector is also Logstash, the main fields have already been generated and there is nothing special about the receiver configuration. If the collector is nxlog, we still need to convert some of the fields nxlog generates into the more generic field-naming style used by Logstash.

As explained in the earlier chapter on plugins, Elasticsearch searches in lowercase by default, so data should be lowercased wherever possible. Unfortunately, in nxlog not only the field contents but also the field names use mixed case, so the only option is to rename the field names to lowercase with the rename function of logstash-filter-mutate.

An example configuration follows:

input {
  tcp {
    # nxlog's om_tcp output sends one JSON object per event (see the to_json() call above)
    codec => "json"
    port => 5140
    tags => ["windows", "nxlog"]
    type => "nxlog-json"
  }
} # end input
filter {
  if [type] == "nxlog-json" {
    # nxlog's EventTime has no zone information, so the local zone of the source host is declared here
    date {
      match => ["[EventTime]", "YYYY-MM-dd HH:mm:ss"]
      timezone => "Europe/London"
    }
    # rename nxlog's mixed-case field names to lowercase Logstash-style names;
    # eventlog-specific fields are grouped under the [eventlog] object
    mutate {
      rename => [ "AccountName", "user" ]
      rename => [ "AccountType", "[eventlog][account_type]" ]
      rename => [ "ActivityId", "[eventlog][activity_id]" ]
      rename => [ "Address", "ip6" ]
      rename => [ "ApplicationPath", "[eventlog][application_path]" ]
      rename => [ "AuthenticationPackageName", "[eventlog][authentication_package_name]" ]
      rename => [ "Category", "[eventlog][category]" ]
      rename => [ "Channel", "[eventlog][channel]" ]
      rename => [ "Domain", "domain" ]
      rename => [ "EventID", "[eventlog][event_id]" ]
      rename => [ "EventType", "[eventlog][event_type]" ]
      rename => [ "File", "[eventlog][file_path]" ]
      rename => [ "Guid", "[eventlog][guid]" ]
      rename => [ "Hostname", "hostname" ]
      rename => [ "Interface", "[eventlog][interface]" ]
      rename => [ "InterfaceGuid", "[eventlog][interface_guid]" ]
      rename => [ "InterfaceName", "[eventlog][interface_name]" ]
      rename => [ "IpAddress", "ip" ]
      rename => [ "IpPort", "port" ]
      rename => [ "Key", "[eventlog][key]" ]
      rename => [ "LogonGuid", "[eventlog][logon_guid]" ]
      rename => [ "Message", "message" ]
      rename => [ "ModifyingUser", "[eventlog][modifying_user]" ]
      rename => [ "NewProfile", "[eventlog][new_profile]" ]
      rename => [ "OldProfile", "[eventlog][old_profile]" ]
      rename => [ "Port", "port" ]
      rename => [ "PrivilegeList", "[eventlog][privilege_list]" ]
      rename => [ "ProcessID", "pid" ]
      rename => [ "ProcessName", "[eventlog][process_name]" ]
      rename => [ "ProviderGuid", "[eventlog][provider_guid]" ]
      rename => [ "ReasonCode", "[eventlog][reason_code]" ]
      rename => [ "RecordNumber", "[eventlog][record_number]" ]
      rename => [ "ScenarioId", "[eventlog][scenario_id]" ]
      rename => [ "Severity", "level" ]
      rename => [ "SeverityValue", "[eventlog][severity_code]" ]
      rename => [ "SourceModuleName", "nxlog_input" ]
      rename => [ "SourceName", "[eventlog][program]" ]
      rename => [ "SubjectDomainName", "[eventlog][subject_domain_name]" ]
      rename => [ "SubjectLogonId", "[eventlog][subject_logonid]" ]
      rename => [ "SubjectUserName", "[eventlog][subject_user_name]" ]
      rename => [ "SubjectUserSid", "[eventlog][subject_user_sid]" ]
      rename => [ "System", "[eventlog][system]" ]
      rename => [ "TargetDomainName", "[eventlog][target_domain_name]" ]
      rename => [ "TargetLogonId", "[eventlog][target_logonid]" ]
      rename => [ "TargetUserName", "[eventlog][target_user_name]" ]
      rename => [ "TargetUserSid", "[eventlog][target_user_sid]" ]
      rename => [ "ThreadID", "thread" ]
    }
    # drop nxlog fields that are not kept in the common schema (EventTime has already been
    # consumed by the date filter above)
    mutate {
      remove_field => [
        "CurrentOrNextState", "Description", "EventReceivedTime", "EventTime",
        "EventTimeWritten", "IPVersion", "KeyLength", "Keywords", "LmPackageName",
        "LogonProcessName", "LogonType", "Name", "Opcode", "OpcodeValue",
        "PolicyProcessingMode", "Protocol", "ProtocolType", "SourceModuleType", "State",
        "Task", "TransmittedServices", "Type", "UserID", "Version"
      ]
    }
  }
}
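As an added reference check, not code from the book or from Logstash, the following Python reimplements the date, rename and remove_field steps of the filter above (for a subset of the field map) over a constructed nxlog JSON record, and reports which mixed-case nxlog fields the map does not yet cover. It assumes UTC for the unzoned EventTime where the configuration uses Europe/London; the sample record, the field subset and the `LogonType` left in it are constructed for illustration.

```python
from datetime import datetime, timezone

# Subset of the rename map from the mutate filter above, in Logstash field-reference syntax.
RENAMES = {
    "AccountName": "user", "Hostname": "hostname", "IpAddress": "ip", "Message": "message",
    "Severity": "level", "ProcessID": "pid", "EventID": "[eventlog][event_id]",
    "EventType": "[eventlog][event_type]", "SeverityValue": "[eventlog][severity_code]",
    "SourceName": "[eventlog][program]", "Channel": "[eventlog][channel]",
    "TargetUserName": "[eventlog][target_user_name]",
}
# Subset of the remove_field list above (LogonType is left out on purpose, see unmapped_fields).
REMOVE = {"EventReceivedTime", "EventTime", "Keywords", "OpcodeValue", "SourceModuleType",
          "Task", "Version"}

def field_path(ref):
    """'[eventlog][event_id]' -> ['eventlog', 'event_id'];  'user' -> ['user']."""
    return ref[1:-1].split("][") if ref.startswith("[") else [ref]

def set_path(doc, path, value):
    """Create nested dicts along path, as Logstash does for [a][b] field references."""
    for key in path[:-1]:
        doc = doc.setdefault(key, {})
    doc[path[-1]] = value

def normalize(raw, tz=timezone.utc):
    """Apply the date, mutate(rename) and mutate(remove_field) steps to one nxlog record."""
    event = dict(raw)
    # date filter: EventTime has no zone; it is read in the configured zone (Europe/London
    # in the config above, UTC assumed here) and becomes @timestamp
    ts = datetime.strptime(event["EventTime"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
    out = {"@timestamp": ts.isoformat()}
    for src, dst in RENAMES.items():
        if src in event:
            set_path(out, field_path(dst), event.pop(src))
    for key in REMOVE:
        event.pop(key, None)
    out.update(event)  # anything neither renamed nor removed passes through unchanged
    return out

def unmapped_fields(event):
    """Top-level keys still in nxlog's mixed case: candidates to add to RENAMES or REMOVE."""
    return sorted(k for k in event if k != k.lower())

# Constructed sample (decoded JSON) of what im_msvistalog + to_json() emits for a logon event.
SAMPLE = {
    "EventTime": "2016-01-01 12:00:00", "EventReceivedTime": "2016-01-01 12:00:01",
    "Hostname": "WIN-DC01", "Keywords": -9214364837600034816, "EventType": "AUDIT_SUCCESS",
    "SeverityValue": 2, "Severity": "INFO", "EventID": 4624, "Version": 1, "Task": 12544,
    "OpcodeValue": 0, "Channel": "Security", "SourceName": "Microsoft-Windows-Security-Auditing",
    "Message": "An account was successfully logged on.", "TargetUserName": "alice",
    "IpAddress": "10.0.0.5", "ProcessID": 620, "SourceModuleType": "im_msvistalog", "LogonType": 3,
}
```

Running `unmapped_fields(normalize(SAMPLE))` on real nxlog output is a quick way to find fields that still need a rename or remove entry before they reach Elasticsearch with mixed-case names.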