#文件名称为flume-es.conf
#定义sources,channel和sinks的名称
agent.sources = tail
agent.sinks = elasticsearch
agent.channels = memoryChannel
#配置source的详情
agent.sources.tail.type = exec
agent.sources.tail.command = tail -F /var/log/secure
agent.sources.tail.interceptors=i1 i2 i3
agent.sources.tail.interceptors.i1.type=regex_extractor
agent.sources.tail.interceptors.i1.regex =(\\w+\\s+\\w+\\s+\\d+\\\:\\d+\\\:\\d+)\\s+(\\w+)\\s+(\\w+)
agent.sources.tail.interceptors.i1.serializers = s1 s2s3
agent.sources.tail.interceptors.i1.serializers.s1.name= time
agent.sources.tail.interceptors.i1.serializers.s2.name= hostname
agent.sources.tail.interceptors.i1.serializers.s3.name= service
agent.sources.tail.interceptors.i2.type=org.apache.flume.interceptor.TimestampInterceptor$Builder
agent.sources.tail.interceptors.i3.type=org.apache.flume.interceptor.HostInterceptor$Builder
agent.sources.tail.interceptors.i3.hostHeader = host
#配置channel的详情
agent.channels.memoryChannel.type = memory
agentes.channels.channel1.capacity = 1000000
agentes.channels.channel1.transactionCapacity = 5000
#agentes.channels.channel1.keep-alive = 10
#配置sink的详情
agent.sinks.elasticsearch.type=org.apache.flume.sink.elasticsearch.ElasticSearchSink
agent.sinks.elasticsearch.batchSize=100
agent.sinks.elasticsearch.hostNames=127.0.0.1:9300
agent.sinks.elasticsearch.indexName=linux_secure
agent.sinks.elasticsearch.indexType=message
agent.sinks.elasticsearch.clusterName=elasticsearch
agent.sinks.elasticsearch.serializer=org.apache.flume.sink.elasticsearch.ElasticSearchLogStashEventSerializer
#配置source、sink和channel的详情
agent.sources.tail.channels = memoryChannel
agent.sinks.elasticsearch.channel = memoryChannel
Feb 23 17:38:20 laiym sshd[1591]:pam_unix(sshd:session): session closed for user root
Feb 23 17:38:20 laiym sshd[1616]:pam_unix(sshd:session): session closed for user root
Feb 23 17:38:38 laiym sshd[1954]: reverse mappingchecking getaddrinfo for bogon [192.168.141.1] failed - POSSIBLE BREAK-INATTEMPT!
Feb 23 17:38:38 laiym sshd[1954]: Accepted passwordfor root from 192.168.141.1 port 61857 ssh2
Feb 23 17:38:38 laiym sshd[1954]:pam_unix(sshd:session): session opened for user root by (uid=0)
Feb 23 17:50:19 laiym sshd[2019]: reverse mappingchecking getaddrinfo for bogon [192.168.141.1] failed - POSSIBLE BREAK-INATTEMPT!
Feb 23 17:50:19 laiym sshd[2019]: Accepted passwordfor root from 192.168.141.1 port 50289 ssh2
Feb 23 17:50:20 laiym sshd[2019]:pam_unix(sshd:session): session opened for user root by (uid=0)
Feb 24 09:40:51 laiym sshd[1585]:pam_unix(sshd:session): session closed for user root