rsyslogd + graylog2 log management solution (3): blacklist

The blacklist in graylog2-web-interface is defined with regular expressions. Writing the regexes is not hard, but this graylog2 feature behaves strangely and does not always take effect. So I wrote a script that exports the graylog2 blacklist, writes it into an rsyslog configuration file, and lets rsyslog do the filtering instead.

graylog2-blacklist-2-rsyslog.rb

require 'rubygems'
require 'mongo'   # legacy mongo gem 1.x API (Mongo::Connection), as in the original

@conn = Mongo::Connection.new
@db = @conn['graylog2']
# Change these to your own graylog2 MongoDB credentials
@db.authenticate('grayloguser', 'grayloguser-mongo-passwd')
@coll = @db['blacklists']

@conf_file = '/etc/rsyslog_disgarding.conf'
# Current config; empty on the first run, when the file does not exist yet
@conf_content = File.exist?(@conf_file) ? File.read(@conf_file) : ''

# Build one rsyslog discard rule per blacklist term.
# Note: graylog2 stores the terms as regexes, but rsyslog's `contains`
# is a literal substring match.
@new_config = ''
@coll.find.each do |b|
  # blacklisted_terms is an embedded array, so iterate it directly;
  # `.find.each` on an Array stops after the first truthy block result,
  # which exported only the first term of each blacklist.
  b['blacklisted_terms'].each do |t|
    @new_config << ":msg, contains, \"#{t['term']}\" ~\n"
  end
end

# Only rewrite the file and restart rsyslog when something actually changed
if @conf_content != @new_config
  File.open(@conf_file, 'w') { |f| f.write(@new_config) }
  system '/etc/init.d/rsyslogforwarder restart'
end

Remember to change 'grayloguser' and 'grayloguser-mongo-passwd'.
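The part of the script worth testing without a MongoDB connection is the conversion of blacklist terms into rsyslog filter lines and the "only rewrite when changed" decision. The following is an added example written for this post, not the post's own script: it assumes the document shape the script reads (`'blacklisted_terms' => [{ 'term' => '...' }]`), runs against a constructed sample instead of the `blacklists` collection, and uses hypothetical function names (`term_to_filter`, `render_config`, `needs_update?`). It also handles two cases the one-liner in the script does not: a term containing a double quote, which would break the rsyslog config line, is skipped with a warning, and a term that contains regex metacharacters gets a warning that `contains` will match it literally.

```ruby
# Added example (not the post's script): render graylog2 blacklist documents
# into rsyslog property-filter lines and decide whether a rewrite is needed.
# Assumes the document shape the post's script reads:
#   { 'blacklisted_terms' => [ { 'term' => '...' }, ... ] }
# Runs offline against constructed sample documents; no MongoDB needed.

# Constructed sample standing in for what `@coll.find` returns.
SAMPLE_BLACKLISTS = [
  { 'blacklisted_terms' => [{ 'term' => 'pam_unix(cron:session)' }, { 'term' => 'CRON' }] },
  { 'blacklisted_terms' => [{ 'term' => 'say "hi"' }] },      # cannot be quoted safely
  { 'blacklisted_terms' => [{ 'term' => 'error.*timeout' }] }, # regex metacharacters
  { 'blacklisted_terms' => [] },
]

# Characters that mean something in a regex but nothing to rsyslog's `contains`.
REGEX_META = /[.*+?\[\]()|^$\\{}]/

# Turn one blacklist term into an rsyslog discard-filter line, or nil if it
# cannot be expressed safely. Returns [line, warning]; either may be nil.
def term_to_filter(term)
  return [nil, 'skipped empty term'] if term.nil? || term.strip.empty?
  # The legacy filter syntax quotes the value with double quotes; a term
  # containing one would break the line, so refuse rather than emit bad config.
  return [nil, "skipped term with double quote: #{term.inspect}"] if term.include?('"')
  warning = nil
  if term =~ REGEX_META
    warning = "term #{term.inspect} looks like a regex; rsyslog `contains` matches it literally"
  end
  [":msg, contains, \"#{term}\" ~\n", warning]
end

# Render all blacklists into the text the post writes to /etc/rsyslog_disgarding.conf.
# Returns [config_text, warnings].
def render_config(blacklists)
  lines = []
  warnings = []
  blacklists.each do |b|
    (b['blacklisted_terms'] || []).each do |t|
      line, warning = term_to_filter(t['term'])
      lines << line if line
      warnings << warning if warning
    end
  end
  [lines.join, warnings]
end

# Only rewrite (and restart rsyslog) when the rendered config actually changed,
# so the 5-minute cron job does not restart rsyslog needlessly.
def needs_update?(path, new_config)
  current = File.exist?(path) ? File.read(path) : ''
  current != new_config
end

if __FILE__ == $0
  config, warnings = render_config(SAMPLE_BLACKLISTS)
  warnings.each { |w| warn "warning: #{w}" }
  puts config
end
```

Run it directly to see the three rules that survive and the warnings printed on stderr; in the cron job the same functions would replace the inline loop and the `@conf_content != @new_config` check.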

Add the following line to /etc/rsyslogforwarder:

$IncludeConfig /etc/rsyslog_disgarding.conf

Restart rsyslog:

/etc/init.d/rsyslogforwarder restart

Add graylog2-blacklist-2-rsyslog.rb to cron:

crontab -e
*/5 * * * * /usr/local/rvm/bin/ruby-1.9.3-p0 /opt/graylog2-rsyslog-blacklist/graylog2-blacklist-2-rsyslog.rb
updated 2020-07-23