McAfee log data collection
McAfee ePO encrypts its log data with SSL/TLS and then sends it over syslog to the log collection endpoint.
1. Log collector configuration
Logstash is used as the collector.
1.1. Install openssl and generate an SSL certificate
- Install the openssl package (CentOS installs it by default).
yum install openssl
- Generate a self-signed SSL certificate and key
[secure@p0-secure-log-logstash02 .ssh]$ openssl req -newkey rsa:2048 -nodes -keyout /home/secure/.ssh/syslogselfsigned.key -x509 -days 365 -out /home/secure/.ssh/syslogselfsigned.crt
Generating a 2048 bit RSA private key
...+++
.............................................................................................+++
writing new private key to '/home/secure/.ssh/syslogselfsigned.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:
[secure@p0-secure-log-logstash02 .ssh]$
1.2. Configure the Logstash pipeline file
[secure@p0-secure-log-logstash02 config]$ pwd
/u01/logstash-5.2.2/config
[secure@p0-secure-log-logstash02 config]$ vim logstash.conf
The full configuration file is as follows (note that `ssl_verify => false` means Logstash does not verify the sending ePO server's certificate: the channel is encrypted, but the sender is not authenticated):
input
{
  tcp
  {
    port => 514
    ssl_cert => "/home/secure/.ssh/syslogselfsigned.crt"
    ssl_key => "/home/secure/.ssh/syslogselfsigned.key"
    ssl_enable => true
    ssl_verify => false
  }
  stdin {}
}
output
{
  stdout { codec => rubydebug }
  file
  {
    path => "/u01/logstash-5.2.2/logs/logstash.%{+YYYY.MM.dd}.log"
    codec => rubydebug
  }
}
2. Log sender (ePO) configuration
In the ePO console: "Registered Servers" -> "Syslog Server" -> "Actions" -> "Edit" -> "Next" -> "Test Connection" -> "Save"
3. Log output from a successful test
[2017-09-04T14:51:40,274][INFO ][logstash.pipeline ] Pipeline main started
The stdin plugin is now waiting for input:
[2017-09-04T14:51:40,359][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600}
{
"@timestamp" => 2017-09-04T06:54:24.935Z,
"port" => 63532,
"@version" => "1",
"host" => "10.129.160.41",
"message" => "<29>1 2017-09-04T06:54:24.0Z TKEPO-APP EPOEvents - EventFwd [agentInfo@3401 tenantId=\"1\"] ?If you can see this, ePO has successfully tested the connection to your syslog receiver.\r"
}
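As an added example (not part of the original notes), a small Python parser for the RFC 5424 syslog line that ePO sends, as seen in the `message` field above: it splits the header, the structured-data element and the body, decodes the PRI value into facility and severity, and flags the connection-test message so a detection pipeline can separate it from real events. The sample line is constructed from the one shown above (the leading `?` in the body is the UTF-8 BOM that RFC 5424 allows before MSG, as displayed by Logstash).

```python
import re

# Constructed sample: the ePO connection-test message from the Logstash output above.
SAMPLE = ('<29>1 2017-09-04T06:54:24.0Z TKEPO-APP EPOEvents - EventFwd '
          '[agentInfo@3401 tenantId="1"] ?If you can see this, ePO has successfully '
          'tested the connection to your syslog receiver.\r')

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then SD and MSG.
HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<version>\d) (?P<ts>\S+) (?P<host>\S+) '
    r'(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$', re.S)
# One SD-ELEMENT: [SD-ID PARAM-NAME="PARAM-VALUE" ...]; values may contain escaped quotes.
SD_ELEMENT_RE = re.compile(r'\[(?P<id>[^\s\]]+)(?P<params>(?: [^=\s\]]+="(?:[^"\\]|\\.)*")*)\]')
SD_PARAM_RE = re.compile(r'([^=\s\]]+)="((?:[^"\\]|\\.)*)"')


def parse_rfc5424(line):
    """Parse one RFC 5424 line into a dict; raises ValueError on malformed input."""
    m = HEADER_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not an RFC 5424 syslog line")
    pri = int(m["pri"])
    rest = m["rest"]
    sd = {}
    if rest.startswith("-"):          # NILVALUE: no structured data
        rest = rest[1:]
    else:
        while rest.startswith("["):
            el = SD_ELEMENT_RE.match(rest)
            if not el:
                raise ValueError("malformed structured data")
            sd[el["id"]] = dict(SD_PARAM_RE.findall(el["params"]))
            rest = rest[el.end():]
    msg = rest.lstrip(" ")
    if msg.startswith("\ufeff") or msg.startswith("?"):   # optional BOM before MSG
        msg = msg[1:]
    return {"facility": pri >> 3, "severity": SEVERITIES[pri & 7],
            "timestamp": m["ts"], "host": m["host"], "app": m["app"],
            "msgid": m["msgid"], "sd": sd, "msg": msg}


def is_epo_connection_test(event):
    """True for the synthetic message ePO emits when you click 'Test Connection'."""
    return (event["app"] == "EPOEvents"
            and event["msg"].startswith("If you can see this, ePO has successfully tested"))
```

Real ePO events carry the same header and `agentInfo@3401` element but a different body, so `is_epo_connection_test` lets the pipeline drop or tag test messages without losing genuine alerts.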