堆栈内存溢出
  简体   繁体   English

使用FileBeat发送日志问题

[英]issue sending logs with FileBeat

 原文  2019-05-27 00:33:02       elasticsearch/ elastic-stack/ filebeat/ elasticsearch-aggregation

问题描述

I am able to get some of my logs sent from FileBeat to Logstash, but I seem to be having an issue with a 2 of them. 我可以将从FileBeat发送到Logstash的一些日志,但我似乎遇到了其中两个的问题。

Do you guys have any words of wisdom? 你们有任何智慧的话吗?

I see logs in the folders that FileBeat is suppose to read from, but I am getting no dice on getting them to be sent back. 我看到FileBeat想要读取的文件夹中的日志,但是我没有把它们发送回来的骰子。

Part of the Filebeat Yml Filebeat Yml的一部分 

# Mailoney
     -
        paths:
        - /data/mailoney/log/commands.log
        input_type: log
        document_type: Mailoney

        fields:
        fields_under_root: true
        json.keys_under_root: false
        json.add_error_key: true


# Conpot
     -
        paths:
        - /data/conpot/log/*.json"
        input_type: log
        document_type: Conpot

        fields:
        fields_under_root: true
        json.keys_under_root: false
        json.add_error_key: true


# Heralding
     -
        paths:
        - /data/heralding/log/auth.csv"
        document_type: Heralding

        fields:
        fields_under_root: true
        json.keys_under_root: false
        json.add_error_key: true

Logstash conf Logstash conf 

# Heralding
  if [type] == "Heralding" {
    csv {
      columns => ["timestamp","auth_id","session_id","src_ip","src_port","dest_ip","dest_port","proto","username","password"] separator => ","
    }
    date {
      match => [ "timestamp", "yyyy-MM-dd HH:mm:ss.SSSSSS" ]
      remove_field => ["timestamp"]
    }
  }



# Conpot
  if [type] == "Conpot" {
    date {
      match => [ "timestamp", "ISO8601" ]
    }
    mutate { 
      rename => { 
        "dst_port" => "dest_port" 
        "dst_ip" => "dest_ip" 
      } 
    } 
  }


# Mailoney
  if [type] == "Mailoney" {
    grok {
      match => [ "message", "\A%{NAGIOSTIME}\[%{IPV4:src_ip}:%{INT:src_port:integer}] %{GREEDYDATA:smtp_input}" ]
    }
    mutate {
      add_field => {
        "dest_port" => "25"
      }
    }
    date {
      match => [ "nagios_epoch", "UNIX" ]
      remove_field => ["nagios_epoch"]
    }
  }

1 个解决方案

解决方案1
 0  2019-05-28 12:00:26

我不知道这是不是因为复制粘贴这是一个错字,但你在filebeat.yml文件中只有#Conpot#Heralding只有结束引号。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 Filebeat未将日志发送到Logstash - Filebeat is not sending the logs to the logstash 即使收获成功,Filebeat 也不会将日志发送到 Logstash - Filebeat Is not Sending Logs to Logstash even Harvesting Successfull filebeat 在向 elasticsearch 发送日志时是否添加元数据? - Does filebeat add metadata while sending logs to elasticsearch? Filebeat 不使用自动发现收集日志 - Filebeat not harvesting logs with autodiscover 将带有 filebeat 的日志发送到 logstash - Send logs with filebeat to logstash Filebeat没有将日志推送到Elasticsearch - Filebeat not pushing logs to Elasticsearch Docker Filebeat Nginx 日志 - Docker Filebeat Nginx Logs Filebeat未将数据发送到Logstash - Filebeat is not sending data to Logstash Filebeat vs Rsyslog用于转发日志 - Filebeat vs Rsyslog for forwarding logs 将filebeat的日志发送到kibana时出错? - Error in send logs of filebeat to kibana?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM