1.elasticsearch.yml
apiVersion: apps/v1
kind: Deployment
metadata:
name: elasticsearch-deployment
labels:
app: elasticsearch
env: prod
spec:
replicas: 1
selector:
matchLabels:
app: elasticsearch
template:
metadata:
name: elasticsearch-deployment
labels:
app: elasticsearch
spec:
containers:
- name: elasticsearch
image: elasticsearch:7.8.0
imagePullPolicy: IfNotPresent
resources:
requests:
memory: "1024Mi"
cpu: "200m"
limits:
memory: "2048Mi"
cpu: "500m"
env:
- name: discovery.type
value: single-node
volumeMounts:
- name: elasticsearch-nfs
mountPath: /usr/share/elasticsearch/data
ports:
- name: tcp-port
containerPort: 9200
volumes:
- name: elasticsearch-nfs
nfs:
server: 192.168.0.184
path: "/opt/nfs1/elasticsearch"
---
apiVersion: v1
kind: Service
metadata:
name: elasticsearch-service
labels:
app: elasticsearch
env: prod
spec:
selector:
app: elasticsearch
type: NodePort
ports:
- name: elasticsearch
port: 9200
targetPort: 9200
nodePort: 30061
2.kibana.yml
apiVersion: apps/v1
kind: Deployment
metadata:
name: kibana-deployment
labels:
app: kibana
env: prod
spec:
replicas: 1
selector:
matchLabels:
app: kibana
template:
metadata:
name: kibana-deployment
labels:
app: kibana
spec:
containers:
- name: kibana
image: kibana:7.8.0
imagePullPolicy: IfNotPresent
resources:
requests:
memory: "512Mi"
cpu: "200m"
limits:
memory: "1024Mi"
cpu: "400m"
env:
- name: ELASTICSEARCH_HOSTS
value: http://elasticsearch-service:9200
volumeMounts:
- name: kibana-nfs
mountPath: /usr/share/kibana/data
ports:
- name: tcp-port
containerPort: 5601
volumes:
- name: kibana-nfs
nfs:
server: 192.168.0.184
path: "/opt/nfs1/kibana"
---
apiVersion: v1
kind: Service
metadata:
name: kibana-service
labels:
app: kibana
env: prod
spec:
selector:
app: kibana
type: NodePort
ports:
- name: kibana
port: 5601
targetPort: 5601
nodePort: 300633.logstash.yml
apiVersion: apps/v1
kind: Deployment
metadata:
name: logstash-deployment
labels:
app: logstash
env: prod
spec:
replicas: 1
selector:
matchLabels:
app: logstash
template:
metadata:
name: logstash-deployment
labels:
app: logstash
spec:
containers:
- name: logstash
image: logstash:7.8.0
imagePullPolicy: IfNotPresent
resources:
requests:
memory: "512Mi"
cpu: "200m"
limits:
memory: "1024Mi"
cpu: "200m"
env:
- name: xpack.monitoring.elasticsearch.hosts
value: http://elasticsearch-service:9200
volumeMounts:
- name: logstash-nfs
mountPath: /usr/share/logstash/pipeline
ports:
- name: tcp-port
containerPort: 5044
nodeSelector:
node: lp-knode-02
volumes:
- name: logstash-nfs
nfs:
server: 192.168.0.184
path: "/opt/nfs1/logstash/pipeline"
---
apiVersion: v1
kind: Service
metadata:
name: logstash-service
labels:
app: logstash
env: prod
spec:
selector:
app: logstash
type: NodePort
ports:
- name: logstash
port: 5044
targetPort: 5044
nodePort: 30062- logstash pipeline config file for input and output and filter
02-beats-input.conf
input {
beats {
port => 5044
}
}30-elasticsearch-output.conf
output {
elasticsearch {
hosts => ["http://elasticsearch-service:9200"]
manage_template => false
index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
}
}10-syslog-filter.conf
filter {
if [fileset][module] == "system" {
if [fileset][name] == "auth" {
grok {
match => { "message" => ["%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]} sshd(?:\[%{POSINT:[system][auth][pid]}\])?: %{DATA:[system][auth][ssh][event]} %{DATA:[system][auth][ssh][method]} for (invalid user )?%{DATA:[system][auth][user]} from %{IPORHOST:[system][auth][ssh][ip]} port %{NUMBER:[system][auth][ssh][port]} ssh2(: %{GREEDYDATA:[system][auth][ssh][signature]})?",
"%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]} sshd(?:\[%{POSINT:[system][auth][pid]}\])?: %{DATA:[system][auth][ssh][event]} user %{DATA:[system][auth][user]} from %{IPORHOST:[system][auth][ssh][ip]}",
"%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]} sshd(?:\[%{POSINT:[system][auth][pid]}\])?: Did not receive identification string from %{IPORHOST:[system][auth][ssh][dropped_ip]}",
"%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]} sudo(?:\[%{POSINT:[system][auth][pid]}\])?: \s*%{DATA:[system][auth][user]} :( %{DATA:[system][auth][sudo][error]} ;)? TTY=%{DATA:[system][auth][sudo][tty]} ; PWD=%{DATA:[system][auth][sudo][pwd]} ; USER=%{DATA:[system][auth][sudo][user]} ; COMMAND=%{GREEDYDATA:[system][auth][sudo][command]}",
"%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]} groupadd(?:\[%{POSINT:[system][auth][pid]}\])?: new group: name=%{DATA:system.auth.groupadd.name}, GID=%{NUMBER:system.auth.groupadd.gid}",
"%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]} useradd(?:\[%{POSINT:[system][auth][pid]}\])?: new user: name=%{DATA:[system][auth][user][add][name]}, UID=%{NUMBER:[system][auth][user][add][uid]}, GID=%{NUMBER:[system][auth][user][add][gid]}, home=%{DATA:[system][auth][user][add][home]}, shell=%{DATA:[system][auth][user][add][shell]}$",
"%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]} %{DATA:[system][auth][program]}(?:\[%{POSINT:[system][auth][pid]}\])?: %{GREEDYMULTILINE:[system][auth][message]}"] }
pattern_definitions => {
"GREEDYMULTILINE"=> "(.|\n)*"
}
remove_field => "message"
}
date {
match => [ "[system][auth][timestamp]", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
}
geoip {
source => "[system][auth][ssh][ip]"
target => "[system][auth][ssh][geoip]"
}
}
else if [fileset][name] == "syslog" {
grok {
match => { "message" => ["%{SYSLOGTIMESTAMP:[system][syslog][timestamp]} %{SYSLOGHOST:[system][syslog][hostname]} %{DATA:[system][syslog][program]}(?:\[%{POSINT:[system][syslog][pid]}\])?: %{GREEDYMULTILINE:[system][syslog][message]}"] }
pattern_definitions => { "GREEDYMULTILINE" => "(.|\n)*" }
remove_field => "message"
}
date {
match => [ "[system][syslog][timestamp]", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
}
}
}
}
