zabbix实现暴力破解登录密码告警

# logstash安装zabbix模块
```
logstash-plugin install logstash-output-zabbix
```
# logstash配置
```
# 输入
input {
   file {
      # 监听的文本路径
      path => ["/var/log/secure"]
      # 检查时间戳
      start_position => "beginning"
   }
}
# 日志过虑
filter {
   # 通过正则表达式分割secure日志内容
   grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:message_timestamp} %{SYSLOGHOST:hostname} %{DATA:message_program}(?:\[%{POSINT:messag
e_pid}\])?: %{GREEDYDATA:message_content}" }
   }
   # 添加zabbix标签
   mutate {
      add_field => [ "[zabbix_key]" , "securelog" ]
      add_field => [ "[zabbix_host]" , "%{host}" ]
   }
   # 删除无用标签
   mutate {
      remove_field => "@version"
      remove_field => "message"
      remove_field => "type"
      remove_field => "path"
      remove_field => "host"
      remove_field => "hostname"
   }
}
# 输出到zabbix
output {
   # 判断是否为错误日志
   if [message_content] =~ /(ERR|error|ERROR|Failed)/ {
      # 输出到控制台测试使用
      # stdout { codec =>rubydebug }
      zabbix {
         # 使用上面的标签
         zabbix_host => "[zabbix_host]"
         zabbix_key => "[zabbix_key]"
         # zabbix 主机配置
         zabbix_server_host => "192.168.100.101"
         zabbix_server_port => "10051"
         # 输出的值
         zabbix_value => "message_content"
      }
   }
}

```
# zabbix触发器表达式
```
{zabbix logstash:securelog.strlen()} > 5
```