ELK-Stack:使用Logstash仅解析Syslog中的IP / MAC
[英]ELK-Stack: Parse only IP/MAC from Syslog with Logstash
问题描述
I'm searching for a way to parse IP addresses and MACs from a syslog entry with Logstash. 
我正在寻找一种使用Logstash从系统日志条目中解析IP地址和MAC的方法。 Currently I try to fetch it with GROK, but the problem is, that I might have to match the entire line, instead of just a part of the message itself. 目前,我尝试使用GROK来获取它,但是问题是,我可能必须匹配整行,而不仅仅是消息本身的一部分。
For example I have to following line: 例如,我必须执行以下操作:
Apr 9 12:41:01 cn1Label=Host ID dvchost=exch01 TrendMicroDsTenant=Primary TrendMicroDsTenantId=0 dstMAC=55:C0:A8:55:FF:41 srcMAC=CA:36:42:B1:78:3D TrendMicroDsFrameType=IP src=10.0.251.84 dst=56.19.41.128 out=166 cs3= cs3Label=Fragmentation Bits proto=ICMP srcPort=0 dstPort=0 cnt=1 act=IDS:Reset cn3=0 cn3Label=DPI Packet Position cs5=0 cs5Label=DPI Stream Position cs6=0 cs6Label=DPI Flags
I wanna fetch the "src" and "dst" IPs and the "srcMAC" and "dstMAC" as well. 我想获取“ src”和“ dst” IP以及“ srcMAC”和“ dstMAC”。 I would try it like that in Logstash: 我会在Logstash中尝试这样:
grok{
match => { "message" => "src=%{IPV4:src_ip}" }
match => { "message" => "dst=%{IPV4:dst_ip}" }
match => { "message" => "srcMAC=%{MAC:src_mac}" }
match => { "message" => "dstMAC=%{MAC:dst_mac}" }
}
But it does not work, because it does not match the whole line. 但这不起作用,因为它与整行不匹配。 I tried with .* and other matching techniques as well, without success. 我尝试使用.*和其他匹配技术也没有成功。
Is there a way to just parse the IPs like shown without parsing the full line? 有没有一种方法可以只解析显示的IP而不解析整行?
I would try to parse other parts of the message, such as protocol as well. 我会尝试解析消息的其他部分,例如协议。 The reason why I do not match the full line is, that the some messages are different and need then also another way to extract its values. 我之所以不匹配实线,是因为某些消息不同,因此还需要另一种提取其值的方法。
Thank you! 谢谢!
3 个解决方案
解决方案1
2 2019-04-11 10:11:30
You can use the kv filter to deal with key-value pairs like like those you have in your log. 您可以使用kv过滤器来处理键值对,例如日志中的键值对。 To only keep the relevant pairs, use the include_keys option. 要仅保留相关对,请使用include_keys选项。
In your case, it would look like this: 在您的情况下,它看起来像这样:
kv{
include_keys => [ "src", "dst", "srcMAC", "dstMAC" ]
}
Which would result in: 这将导致:
{
"dst": "56.19.41.128",
"host": "frsred-0077",
"srcMAC": "CA:36:42:B1:78:3D",
"dstMAC": "55:C0:A8:55:FF:41"
}
One benefit of the kv filter is that you're not dependent on the order of the pairs staying the same, unlike with the grok filter. kv过滤器的一个好处是,与grok过滤器不同,您不必依赖成对的顺序保持不变。
解决方案2
0 2019-04-11 02:37:49
The grok filter needs to match the whole message, to fetch only a couple of fields you still need to match everything, the following pattern will match your example. grok过滤器需要匹配整个消息,只获取您仍然需要匹配所有内容的几个字段,以下模式将与您的示例匹配。
%{GREEDYDATA}%{SPACE}dstMAC=%{MAC:dst_mac}%{SPACE}srcMAC=%{MAC:src_mac}%{SPACE}%{GREEDYDATA}%{SPACE}src=%{IP:src_ip}%{SPACE}dst=%{IP:dst_ip}%{SPACE}%{GREEDYDATA}
The result will be: 结果将是:
{
"src_ip": "10.0.251.84",
"src_mac": "CA:36:42:B1:78:3D",
"dst_mac": "55:C0:A8:55:FF:41",
"dst_ip": "56.19.41.128"
}
This pattern will also match any message with the following format: 此模式还将匹配具有以下格式的任何消息:
ANYTHING dstMAC=MACADDRESS srcMAC=MACADDRESS ANYTHING src=IPADDRESS dst=IPADRESS ANYTHING
解决方案3
0 已采纳 2019-04-11 15:47:14
I just found the solution. 我刚刚找到了解决方案。 I did something very wrong. 我做错了什么 You have to do a matching filter for each matching separately. 您必须分别为每个匹配项做一个匹配过滤器。 If I do so, then I can extract also the content within the message field, for example like: 如果这样做,那么我还可以提取消息字段中的内容,例如:
grok{match => {"message" => "SRC=%{IPV4:ip}"}}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.