
Filebeat is not sending data to Logstash

I'm trying to send alerts from Snort IDS to Elasticsearch, therefore I'm using 3 technologies:

My filebeat configuration file has this code inside:

input {
  beats {
    port => 5044
  }
}

filter {
  if [type] == "snort" {

    # parse the message into individual fields
    grok {
      match => { "message" => "(?<ts>.*\d{2}:\d{2}:\d{2})\s(?<host>.*?)\s.*?\s\[(?<generator_id>.*?)::(?<signature_id>.*?):.*?\]\s(?<signature>.*?)\s\[Classification:\s(?<classification>.*?)\]\s\[Priority:\s(?<priority>.*?)\].*?{(?<protocol>.*?)\}\s(?<source_ip>.*?):(?<source_port>.*?)\s-\>\s(?<destination_ip>.*?):(?<destination_port>.*)" }
    }

    # remove the original message if parsing was successful
    if !("_grokparsefailure" in [tags]) {
      mutate {
        remove_field => [ "message" ]
      }
    }

    # parse the timestamp and save in a new datetime field
    if [ts] {
      date {
        match => [ "ts", "MMM dd HH:mm:ss" ]
        target => "sys_timestamp"
      }

      # remove the original timestamp if date parsing was successful
      if !("_dateparsefailure" in [tags]) {
        mutate {
          remove_field => [ "ts" ]
        }
      }
    }
  }
}

output {
  # save events to Elasticsearch with the uuid as the document id
  elasticsearch {
    hosts => ["localhost:9200"]
    manage_template => false
    index => "teste-%{+YYYY-MM-dd}"
  }
}

I am expecting to see snort's alert logs when I check "http://localhost:9200/ola-*/_search?pretty", however the alerts are not retrieved. I'm struggling to fix this problem... I don't have any idea what the problem is.

Thanks in advance!

What is the version of your stack? Your filebeat configuration file has both filebeat.prospectors and filebeat.inputs; since version 6.3 you should use filebeat.inputs instead of filebeat.prospectors.

Also, the document_type configuration was removed in version 6.0, so your message probably does not have a field called type with a value of snort, which is your main filter in the logstash pipeline. It's better to filter your messages using tags.

Use this in your filebeat.yml instead.

filebeat.inputs:
- type: log
  paths:
    - /var/log/snort/*.log
  tags: ["snort"]

And change your logstash filter: just use if "snort" in [tags] instead of if [type] == "snort".

Your output is sending any message that you receive to an index called teste-%{+YYYY-MM-dd}, so why are you running a search against an index called ola-*? You should run a search against the teste-* index.

I recommend that you run your pipeline with the stdout output to see what is happening.

Just put this in your pipeline to see if you are getting any messages and what those messages look like.

output {
  stdout { }
}
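A quick way to check the grok pattern and the tag-based routing from this thread before touching the live pipeline is to re-run the same logic over a few sample lines offline. The script below is an added example written for this page; it is not code from the question, the answer, or the Elastic projects. It re-implements the filter block in plain Python: the question's grok pattern is translated from Oniguruma `(?<name>...)` groups to Python `(?P<name>...)` groups, the `date` filter's `MMM dd HH:mm:ss` becomes a `strptime` format, and the routing condition is the answer's `"snort" in [tags]` rather than the removed `type` field. The log lines and the event shape (a `message` string plus a `tags` list, as Filebeat would ship after adding `tags: ["snort"]`) are constructed for the example, not captured from a real sensor.

```python
"""Offline check of the Snort grok pattern and tag routing from the thread.

Added example, not code from the original post or from Logstash: it mirrors
the filter block in plain Python so the pattern can be exercised against
sample lines before the pipeline is deployed.  All sample events below are
constructed, not real Snort output.
"""
import copy
import re
from datetime import datetime

# The question's grok pattern translated to Python syntax: (?<name>...) becomes
# (?P<name>...), and the literal braces around the protocol are escaped on both
# sides (the original escapes only the closing one; the behaviour is the same).
SNORT_PATTERN = re.compile(
    r"(?P<ts>.*\d{2}:\d{2}:\d{2})\s(?P<host>.*?)\s.*?\s"
    r"\[(?P<generator_id>.*?)::(?P<signature_id>.*?):.*?\]\s"
    r"(?P<signature>.*?)\s\[Classification:\s(?P<classification>.*?)\]\s"
    r"\[Priority:\s(?P<priority>.*?)\].*?\{(?P<protocol>.*?)\}\s"
    r"(?P<source_ip>.*?):(?P<source_port>.*?)\s->\s"
    r"(?P<destination_ip>.*?):(?P<destination_port>.*)"
)

# strptime equivalent of the date filter's "MMM dd HH:mm:ss" (syslog style, no year).
TS_FORMAT = "%b %d %H:%M:%S"


def grok(event):
    """Mirror of the grok + mutate blocks: add named captures as fields and drop
    message on success, or tag the event with _grokparsefailure on no match."""
    match = SNORT_PATTERN.match(event["message"])
    if match is None:
        event.setdefault("tags", []).append("_grokparsefailure")
        return event
    event.update(match.groupdict())
    del event["message"]
    return event


def parse_date(event):
    """Mirror of the date + mutate blocks: ts -> sys_timestamp, drop ts on
    success, or tag the event with _dateparsefailure."""
    if "ts" not in event:
        return event
    try:
        # The syslog timestamp carries no year, so strptime defaults to 1900;
        # the Logstash date filter would assume the current year instead.
        event["sys_timestamp"] = datetime.strptime(event["ts"], TS_FORMAT)
        del event["ts"]
    except ValueError:
        event.setdefault("tags", []).append("_dateparsefailure")
    return event


def run_filter(event):
    """The filter section as the answer suggests it: route on the Filebeat tag
    ("snort" in [tags]) instead of the removed document_type / type field."""
    if "snort" in event.get("tags", []):
        grok(event)
        parse_date(event)
    return event


# Constructed sample events shaped like Filebeat output after tags: ["snort"].
SAMPLE_EVENTS = [
    {"message": ("Mar 19 14:05:22 sensor01 snort[1234]: [1::2100498:7] "
                 "GPL ATTACK_RESPONSE id check returned root "
                 "[Classification: Potentially Bad Traffic] [Priority: 2] "
                 "{TCP} 10.0.0.5:80 -> 192.168.1.10:51234"),
     "tags": ["snort"]},
    # A non-Snort line that arrives with the tag anyway: must not break, gets tagged.
    {"message": "Mar 19 14:05:23 sensor01 sshd[42]: Accepted publickey for alice",
     "tags": ["snort"]},
    # No snort tag: the filter leaves the event untouched.
    {"message": "unrelated", "tags": ["other"]},
]


def process_samples():
    """Run every constructed sample through the filter and return the results."""
    return [run_filter(copy.deepcopy(ev)) for ev in SAMPLE_EVENTS]


if __name__ == "__main__":
    for result in process_samples():
        print(result)
```

Running it prints the three processed events: the first is fully parsed (fields such as `signature_id`, `protocol`, `source_ip`, and a `sys_timestamp`, with `message` and `ts` removed), the second keeps its `message` and gains a `_grokparsefailure` tag, and the third is unchanged. If a real alert line from your sensor does not land in the first bucket, the grok pattern, not the Filebeat/Logstash plumbing, is what needs adjusting.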
