[Posted]: 2019-05-27 00:33:02
[Question]:
I am able to send some of my logs from FileBeat to Logstash, but two of them seem to be a problem.
Do you have any words of wisdom?
I can see the logs in the folder that FileBeat should be reading from, but I cannot get them sent across.
Part of the Filebeat yml
# Mailoney
-
  paths:
    - /data/mailoney/log/commands.log
  input_type: log
  document_type: Mailoney
  fields:
  fields_under_root: true
  json.keys_under_root: false
  json.add_error_key: true
# Conpot
-
  paths:
    - "/data/conpot/log/*.json"
  input_type: log
  document_type: Conpot
  fields:
  fields_under_root: true
  json.keys_under_root: false
  json.add_error_key: true
# Heralding
-
  paths:
    - "/data/heralding/log/auth.csv"
  document_type: Heralding
  fields:
  fields_under_root: true
  json.keys_under_root: false
  json.add_error_key: true
Logstash config
# Heralding
if [type] == "Heralding" {
  csv {
    columns => ["timestamp","auth_id","session_id","src_ip","src_port","dest_ip","dest_port","proto","username","password"]
    separator => ","
  }
  date {
    match => [ "timestamp", "yyyy-MM-dd HH:mm:ss.SSSSSS" ]
    remove_field => ["timestamp"]
  }
}
# Conpot
if [type] == "Conpot" {
  date {
    match => [ "timestamp", "ISO8601" ]
  }
  mutate {
    rename => {
      "dst_port" => "dest_port"
      "dst_ip" => "dest_ip"
    }
  }
}
# Mailoney
if [type] == "Mailoney" {
  grok {
    match => [ "message", "\A%{NAGIOSTIME}\[%{IPV4:src_ip}:%{INT:src_port:integer}] %{GREEDYDATA:smtp_input}" ]
  }
  mutate {
    add_field => {
      "dest_port" => "25"
    }
  }
  date {
    match => [ "nagios_epoch", "UNIX" ]
    remove_field => ["nagios_epoch"]
  }
}
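As an added example (editorial, not code from the question or from the Elastic or honeypot projects): a stdlib-only Python checker that applies, to one constructed sample line per document_type, the same CSV, JSON and grok-equivalent parsing and date handling as the three Logstash branches above, so a line that Logstash would tag as a parse failure can be spotted before it is shipped. The sample lines, the regex standing in for the grok pattern and the field values are assumptions; note that with json.keys_under_root: false Filebeat delivers the decoded Conpot object nested under a json key, whereas the checker feeds it the object directly.

```python
import csv, json, re
from datetime import datetime, timezone
# Stand-in for the grok line above: NAGIOSTIME is "[epoch]", then "[ip:port] smtp input".
MAILONEY_RE = re.compile(
    r"\A\[(?P<nagios_epoch>\d+)\]\[(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<src_port>\d+)\] (?P<smtp_input>.*)")
HERALDING_COLS = ["timestamp", "auth_id", "session_id", "src_ip", "src_port",
                  "dest_ip", "dest_port", "proto", "username", "password"]
# Constructed sample lines (hypothetical, not real honeypot output), one per document_type.
SAMPLES = {
    "Heralding": "2019-05-27 00:33:02.123456,1,abc123,203.0.113.7,51234,10.0.0.2,22,ssh,root,hunter2",
    "Conpot": '{"timestamp": "2019-05-27T00:33:02", "dst_ip": "10.0.0.3", "dst_port": 502, "event_type": "NEW_CONNECTION"}',
    "Mailoney": "[1558915200][203.0.113.7:51234] EHLO example.com",
}

def parse_event(doc_type, line):
    """Apply the matching Logstash branch's filters; raise ValueError where Logstash would tag a failure."""
    if doc_type == "Heralding":
        row = next(csv.reader([line]))  # csv { columns => [...] separator => "," }
        if len(row) != len(HERALDING_COLS):
            raise ValueError("expected %d csv columns, got %d" % (len(HERALDING_COLS), len(row)))
        event = dict(zip(HERALDING_COLS, row))
        ts = datetime.strptime(event.pop("timestamp"), "%Y-%m-%d %H:%M:%S.%f")  # date + remove_field
    elif doc_type == "Conpot":
        event = json.loads(line)
        ts = datetime.fromisoformat(event["timestamp"])  # date ISO8601; the field is kept
        for old, new in (("dst_port", "dest_port"), ("dst_ip", "dest_ip")):  # mutate rename
            if old in event:
                event[new] = event.pop(old)
    elif doc_type == "Mailoney":
        m = MAILONEY_RE.match(line)
        if m is None:
            raise ValueError("grok pattern did not match: %r" % line)
        event = m.groupdict()
        event["src_port"] = int(event["src_port"])  # %{INT:src_port:integer}
        event["dest_port"] = "25"  # mutate add_field
        ts = datetime.fromtimestamp(int(event.pop("nagios_epoch")), tz=timezone.utc)  # date UNIX + remove_field
    else:
        raise ValueError("no Logstash branch for type %r" % doc_type)
    event["@timestamp"] = ts.isoformat()
    return event

def check_all(samples=SAMPLES):
    """Return {type: parsed event} for lines that parse, {type: 'FAILED: ...'} otherwise."""
    results = {}
    for doc_type, line in samples.items():
        try:
            results[doc_type] = parse_event(doc_type, line)
        except (ValueError, KeyError) as exc:
            results[doc_type] = "FAILED: %s" % exc
    return results
```

Run check_all() against a few real lines from each log file to confirm the column count, timestamp format and grok layout actually match what the honeypots write.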
[Discussion]:
Tags: elasticsearch elastic-stack filebeat elasticsearch-aggregation