[英]how can i extract source hostnames from JSON logs on logstash
i am collecting logs using OSSEC and forwarding JSON logs to logstash using logstash-forwarder. 我正在使用OSSEC收集日志,并使用logstash-forwarder将JSON日志转发到logstash。 this is my logstash configuration. 这是我的logstash配置。
input {
lumberjack {
port => 10516
type => "lumberjack"
ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
codec => json
}
}
filter {
json {
source => "message"
}
}
output {
elasticsearch {
host => localhost
}
}
i would like to extract the host indicated on "location" field inside the parenthesis and create a dedicated tag because logstash only sees OSSEC as the source host because it forwards the logs. 我想提取括号中“位置”字段上指示的主机并创建专用标签,因为Logstash仅将OSSEC视为源主机,因为它转发了日志。 below is the sample output of logstash. 以下是logstash的示例输出。
{
"_index": "logstash-2015.09.23",
"_type": "ossec-alerts",
"_id": "AU_4Q1Hc5OjGfEBnRiWa",
"_score": null,
"_source": {
"rule": {
"level": 3,
"comment": "Nginx error message.",
"sidid": 31301
},
"srcip": "192.168.192.10",
"location": "(logstash) 192.168.212.104->/var/log/nginx/error.log",
"full_log": "2015/09/23 11:33:24 [error] 1057#0: *562 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.192.10, server: _, request: \"POST /elasticsearch/.kibana/__kibanaQueryValidator/_validate/query?explain=true&ignore_unavailable=true HTTP/1.1\", upstream: \"http://[::1]:5601/elasticsearch/.kibana/__kibanaQueryValidator/_validate/query?explain=true&ignore_unavailable=true\", host: \"192.168.212.104\", referrer: \"http://192.168.212.104/\"",
"@version": "1",
"@timestamp": "2015-09-23T03:33:25.588Z",
"type": "ossec-alerts",
"file": "/var/ossec/logs/alerts/alerts.json",
"host": "ossec",
"offset": "51048"
},
"fields": {
"@timestamp": [
1442979205588
]
},
"sort": [
1442979205588
]
}
Once you apply the json{} filter, you're left with a bunch of fields. 一旦应用了json {}过滤器,您将获得一堆字段。 You can now apply more filters to those fields, including grok{} for making more fields! 现在,您可以将更多过滤器应用于这些字段,包括用于创建更多字段的grok {}!
What you need is the grok filter . 您需要的是grok过滤器 。 You can use the grok debugger to find the best patterns for you. 您可以使用grok调试器为您找到最佳模式。 The following pattern should work for your location
field: 以下模式适用于您的location
字段:
\(%{HOST:host}\) %{IP:srcip}->%{PATH:path}
In logstash filter section : 在logstash过滤器部分 :
grok {
match => { "location" => "\(%{HOST:host}\) %{IP:srcip}->%{PATH:path}" }
overwrite => [ "host", "srcip" ]
}
overwrite
is necessary because you already have fields host
and srcip
. 必须进行overwrite
,因为您已经具有host
和srcip
字段。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.