[TOC] ## 一、开启审计日志功能 确保功能开启，并生成出审计日志，具体参考：[开发说明-审计日志](../develop/审计日志.md) ## 二、ELK部署 * 请看前面几篇 ## 三、定义es索引模板 执行下面的ssh脚本创建`审计日志`的索引模板，ip改为自己的服务器地址 ~~~ curl -XPUT http://192.168.28.130:9200/_template/template_audit_log -H 'Content-Type: application/json' -d ' { "index_patterns" : ["audit-log-*"], "order" : 0, "settings" : { "number_of_replicas" : 0 }, "mappings": { "doc": { "properties": { "operation": { "type": "text", "fields": { "keyword": { "type": "keyword", "ignore_above": 256 } }, "analyzer": "ik_max_word" } } } } }' ~~~ ## 四、Logstash配置 ### 4.1. 修改10-syslog.conf配置，在filter里增加以下内容 ~~~ if [fields][docType] == "audit-log" { grok { patterns_dir => ["/opt/logstash/patterns"] match => { "message" => "%{TIMESTAMP_ISO8601:logTime}\|%{MYAPPNAME:appName}\|%{MYTHREADNAME:className}\|%{WORD:methodName}\|%{MYAPPNAME:userId}\|%{MYAPPNAME:userName}\|%{MYAPPNAME:clientId}\|%{GREEDYDATA:operation}" } } date { match => ["logTime","yyyy-MM-dd HH:mm:ss.SSS Z"] } date { match => ["logTime","yyyy-MM-dd HH:mm:ss.SSS"] target => "timestamp" locale => "en" timezone => "+08:00" } mutate { remove_field => "message" remove_field => "logTime" remove_field => "@version" remove_field => "host" remove_field => "offset" } } ~~~ ### 4.2. 修改30-output.conf配置，增加以下内容 ~~~ if [fields][docType] == "audit-log" { elasticsearch { hosts => ["localhost"] manage_template => false index => "audit-log-%{+YYYY.MM.dd}" document_type => "%{[@metadata][type]}" } } ~~~ ## 五、Filebeat配置 修改配置文件`filebeat.yml`，在`filebeat.inputs`里添加以下内容，抓取日志内容 ~~~ - type: log enabled: true paths: - D:\workspaces\projects\logs\audit\*.log fields: docType: audit-log project: microservices-platform ~~~ ## 六、查看数据 配置好elk之后日志数据就能同步到es了并自动创建索引  通过页面展示数据