Winlogbeat: WeChat alerts for Windows logs
Architecture overview
The existing architecture for collecting Active Directory (AD) logs sends them from Winlogbeat to Elasticsearch.
My approach is to have Winlogbeat send a second copy of the logs to Logstash and use the exec plugin in Logstash's output stage to run a Python script that sends the account-lockout event to the affected user and walks them through unlocking the account.
Environment setup
Install Winlogbeat
- Download the Winlogbeat zip file from the downloads page.
- Extract the contents into C:\Program Files.
- Rename the winlogbeat-<version> directory to Winlogbeat.
- Open a PowerShell prompt as an Administrator (right-click on the PowerShell icon and select Run As Administrator). If you are running Windows XP, you may need to download and install PowerShell.
- Run the following commands to install the service.
PS C:\Users\Administrator> cd 'C:\Program Files\Winlogbeat'
PS C:\Program Files\Winlogbeat> .\install-service-winlogbeat.ps1
Note: if the script above will not run in PowerShell, see the following note from the Winlogbeat docs.
If script execution is disabled on your system, you need to set the execution policy for the current session to allow the script to run. For example: PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-winlogbeat.ps1.
Configure Winlogbeat
To configure Winlogbeat, edit winlogbeat.yml.
Configure the output to Elasticsearch
output.elasticsearch:
  hosts: ["10.10.10.10:9200"]
  template.name: "winlogbeat"
  template.path: "winlogbeat.template.json"
  template.overwrite: false
Configure the output to Logstash
output.logstash:
  # The Logstash hosts
  hosts: ["10.10.10.10:5044"]
Keep in mind that newer Beats releases (6.0 onward) accept only one enabled output at a time; on those versions, send everything to Logstash and let Logstash forward a copy to Elasticsearch with its own elasticsearch output instead of enabling both outputs in winlogbeat.yml.
Check the configuration syntax
.\winlogbeat.exe -c .\winlogbeat.yml -configtest -e
Configure Logstash
Note
The exec output plugin is not installed by default.
This plugin does not ship with Logstash by default, but it is easy to install by running
logstash-plugin install logstash-output-exec
For the test environment I picked an event ID that tracks service state changes: 7036 (Service Control Manager, "The X service entered the Y state").
vi /etc/logstash/conf.d/winlogbeat.conf
input {
  beats {
    port => 5044
  }
}
filter {
  mutate {
    # Winlogbeat ships event_id as an integer; convert it to a string so the
    # string comparison in the output conditional below can match.
    convert => ["event_id", "string"]
  }
}
output {
  if [event_id] == "7036" {
    exec {
      # Runs one shell command per matching event. %{message} is substituted
      # verbatim, so whatever is in the event text reaches /bin/sh unescaped.
      command => "python3 /etc/logstash/conf.d/sendwechat.py \"%{message}\""
    }
  }
}
Caveat: because exec builds a shell command line out of event data, a message containing a double quote or a $(...) sequence breaks out of the quoted argument and runs as the logstash user. Only interpolate fields that cannot carry attacker-chosen text (a numeric event_id, a record number), or hand the whole event to the script over stdin instead of on the command line.
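The post does not show sendwechat.py, so here is an added example of what that script could look like; it is not the original author's code. It accepts the message on argv[1] exactly as the exec output above calls it, but also reads one JSON event per line from stdin so it can be driven by Logstash's pipe output (`pipe { command => "python3 /etc/logstash/conf.d/sendwechat.py" }`), which never passes event data through a shell. The two small helpers page_exec_command_line and argv_seen_by_shell reproduce the command line the exec config builds and show how a hostile message breaks the argument boundary. Assumptions: the WeChat Work (企业微信) group-robot webhook URL and JSON shape are placeholders you must replace; the event field names (event_id, computer_name, event_data.TargetUserName) follow the pre-ECS Winlogbeat layout the page's 5.x-style config implies; the sample events are constructed, not captured from a real domain controller.

```python
#!/usr/bin/env python3
"""sendwechat.py: an added example script, not the one from the original post.

Logstash can hand an event to this script in two ways:
  * exec output, as configured on this page:
        command => "python3 sendwechat.py \"%{message}\""
    %{message} is spliced verbatim into a shell command line, so event text
    containing a double quote breaks out of the argument and the remainder
    is parsed by /bin/sh (see page_exec_command_line / argv_seen_by_shell).
  * pipe output (assumed hardened form):
        pipe { command => "python3 sendwechat.py" }
    Logstash writes each event to the long-running script's stdin as one JSON
    line, so no event data is ever parsed by a shell.
main() accepts both: argv[1] for exec, JSON lines on stdin for pipe.

The WeChat Work group-robot webhook URL is an assumption; replace the key.
"""
import json
import shlex
import sys
import urllib.request

WEBHOOK_URL = "https://qyapi.weixin.qq.com/cgi-bin/webhook/send?key=REPLACE_ME"  # assumption
MAX_TEXT = 1000  # keep alerts short; truncate instead of failing on a long message


def page_exec_command_line(message):
    """Rebuild the command string the page's exec output produces for one event."""
    return 'python3 /etc/logstash/conf.d/sendwechat.py "%s"' % message


def argv_seen_by_shell(command_line):
    """Split like a POSIX shell; the intended shape is ['python3', script, message]."""
    return shlex.split(command_line)


def format_alert(event):
    """Turn a Winlogbeat event dict into alert text.

    Covers the page's test event (7036, service state change) and the lockout
    event the post is aiming at (4740); any other ID falls back to the raw message.
    """
    event_id = str(event.get("event_id", ""))
    host = event.get("computer_name", "unknown-host")
    message = str(event.get("message", "")).strip()
    if event_id == "4740":
        user = event.get("event_data", {}).get("TargetUserName", "?")
        text = ("Account locked out: %s on %s\n"
                "Wait for the lockout window to expire, or ask the helpdesk to "
                "unlock the account, then sign in again." % (user, host))
    elif event_id == "7036":
        text = "Service state change on %s: %s" % (host, message)
    else:
        text = "Windows event %s on %s: %s" % (event_id, host, message)
    return text[:MAX_TEXT]


def build_payload(text):
    """JSON body for the WeChat Work text-message webhook (assumed API shape)."""
    return {"msgtype": "text", "text": {"content": text}}


def parse_pipe_line(line):
    """One JSON event per line, as the pipe output writes it; None on a blank line."""
    line = line.strip()
    return json.loads(line) if line else None


def send(payload, url=WEBHOOK_URL):
    """POST the payload to the webhook and return the HTTP status (network call)."""
    req = urllib.request.Request(url, data=json.dumps(payload).encode("utf-8"),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


# Constructed sample events for offline testing; not captured from a real DC.
SAMPLE_7036 = {"event_id": 7036, "computer_name": "DC01.corp.local",
               "message": "The Print Spooler service entered the running state."}
SAMPLE_4740 = {"event_id": 4740, "computer_name": "DC01.corp.local",
               "event_data": {"TargetUserName": "alice"},
               "message": "A user account was locked out."}
HOSTILE_MESSAGE = 'x"; id > /tmp/pwned; echo "y'  # constructed: escapes the quoted argument


def main():
    if len(sys.argv) > 1:                      # exec output: one raw message in argv[1]
        send(build_payload(format_alert({"message": sys.argv[1]})))
        return
    for line in sys.stdin:                     # pipe output: one JSON event per line
        event = parse_pipe_line(line)
        if event is not None:
            send(build_payload(format_alert(event)))


if __name__ == "__main__":
    main()
```

With the pipe output, the Logstash conditional stays the same and only the output block changes: `pipe { command => "python3 /etc/logstash/conf.d/sendwechat.py" }`, which by default writes each event's JSON as a single line to the script's stdin. The script then decides what to do with the text, and a message like HOSTILE_MESSAGE arrives as data rather than as shell syntax.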