
How can I extract source hostnames from JSON logs on Logstash

I am collecting logs using OSSEC and forwarding JSON logs to Logstash using logstash-forwarder. This is my Logstash configuration.

input {
  lumberjack {
    port => 10516
    type => "lumberjack"
    ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
    ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
    codec => json
  }
}

filter {
  json {
    source => "message"
  }
}
output {
  elasticsearch {
    host => localhost
  }
}

I would like to extract the host indicated in the "location" field inside the parentheses and create a dedicated tag, because Logstash only sees OSSEC as the source host since it is the one forwarding the logs. Below is the sample output of Logstash.

{
  "_index": "logstash-2015.09.23",
  "_type": "ossec-alerts",
  "_id": "AU_4Q1Hc5OjGfEBnRiWa",
  "_score": null,
  "_source": {
    "rule": {
      "level": 3,
      "comment": "Nginx error message.",
      "sidid": 31301
    },
    "srcip": "192.168.192.10",
    "location": "(logstash) 192.168.212.104->/var/log/nginx/error.log",
    "full_log": "2015/09/23 11:33:24 [error] 1057#0: *562 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.192.10, server: _, request: \"POST /elasticsearch/.kibana/__kibanaQueryValidator/_validate/query?explain=true&ignore_unavailable=true HTTP/1.1\", upstream: \"http://[::1]:5601/elasticsearch/.kibana/__kibanaQueryValidator/_validate/query?explain=true&ignore_unavailable=true\", host: \"192.168.212.104\", referrer: \"http://192.168.212.104/\"",
    "@version": "1",
    "@timestamp": "2015-09-23T03:33:25.588Z",
    "type": "ossec-alerts",
    "file": "/var/ossec/logs/alerts/alerts.json",
    "host": "ossec",
    "offset": "51048"
  },
  "fields": {
    "@timestamp": [
      1442979205588
    ]
  },
  "sort": [
    1442979205588
  ]
}

Once you apply the json{} filter, you're left with a bunch of fields. You can now apply more filters to those fields, including grok{} for making more fields!

What you need is the grok filter. You can use the grok debugger to find the best patterns for you. The following pattern should work for your location field:

\(%{HOST:host}\) %{IP:srcip}->%{PATH:path}

In the logstash filter section:

grok {
    match => { "location" => "\(%{HOST:host}\) %{IP:srcip}->%{PATH:path}" }
    overwrite => [ "host", "srcip" ]
}

overwrite is necessary because you already have the fields host and srcip.
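To see what the grok filter above actually does to an event, here is an added Python emulation (not part of the answer, and not Logstash's own code) that runs an equivalent regex over the sample event from the question, reproduces grok's behaviour of appending to an existing field when overwrite is not set, and tags the event with _grokparsefailure when the pattern does not match. The HOST, IP and PATH regexes are constructed approximations of the grok patterns, and the sample event is reduced to the three relevant fields.

```python
import re

# Constructed approximations of the grok patterns HOST, IP and PATH used in
# the answer; they are not Logstash's own pattern definitions.
HOST = (r"(?P<host>[A-Za-z0-9](?:[A-Za-z0-9-]{0,62}[A-Za-z0-9])?"
        r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,62}[A-Za-z0-9])?)*)")
IP = r"(?P<srcip>(?:\d{1,3}\.){3}\d{1,3})"
PATH = r"(?P<path>(?:/[^/\s]*)+)"
# Equivalent of:  \(%{HOST:host}\) %{IP:srcip}->%{PATH:path}
LOCATION_RE = re.compile(r"^\(" + HOST + r"\) " + IP + r"->" + PATH + r"$")

# Constructed from the question's sample output, reduced to the fields that matter.
SAMPLE_EVENT = {
    "srcip": "192.168.192.10",
    "location": "(logstash) 192.168.212.104->/var/log/nginx/error.log",
    "host": "ossec",
}


def grok_location(event, overwrite=()):
    """Emulate grok { match => { "location" => ... } overwrite => [...] }.

    Returns the (mutated) event dict so the effect of overwrite is visible.
    """
    m = LOCATION_RE.match(event.get("location", ""))
    if not m:
        # grok does not touch the fields on a miss; it only tags the event.
        event.setdefault("tags", []).append("_grokparsefailure")
        return event
    for name, value in m.groupdict().items():
        if name in event and name not in overwrite:
            # Without overwrite, grok appends to an existing field, which
            # turns "host": "ossec" into "host": ["ossec", "logstash"].
            existing = event[name]
            existing = existing if isinstance(existing, list) else [existing]
            event[name] = existing + [value]
        else:
            event[name] = value
    return event


if __name__ == "__main__":
    print(grok_location(dict(SAMPLE_EVENT)))
    print(grok_location(dict(SAMPLE_EVENT), overwrite=("host", "srcip")))
    print(grok_location({"location": "no parentheses here", "host": "ossec"}))
```

Note that in the sample event srcip (192.168.192.10, the nginx client) differs from the IP inside location (192.168.212.104, the agent host), so overwriting srcip discards the client address; capturing the agent address under a different field name keeps both.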
