fluentd filter regexp with json data
I am trying to filter (keep) only OAuth-authenticated audit logs, but it's not working. When I set the pattern to /.*/ everything appears in Kibana. If I set /oauth/ or /.*oauth.*/ nothing appears. What am I doing wrong?
Line in the log file I want to filter:
{"kind":"Event","apiVersion":"audit.k8s.io/v1beta1","metadata":{"creationTimestamp":"2020-07-17T20:06:49Z"},"level":"Metadata","timestamp":"2020-07-17T20:06:49Z","auditID":"cf56d61e-30b3-486c-a513-6bd9e96fb592","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/openshift-logging/pods?limit=500","verb":"list","user":{"username":"user","uid":"388e0232-c5bb-11ea-904d-7a59592b634f","groups":["system:authenticated:oauth","system:authenticated"],"extra":{"scopes.authorization.openshift.io":["user:full"]}},"sourceIPs":["10.0.72.20"],"objectRef":{"resource":"pods","namespace":"openshift-logging","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":200},"requestReceivedTimestamp":"2020-07-17T20:06:49.918391Z","stageTimestamp":"2020-07-17T20:06:49.921475Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"registry-controller\" of ClusterRole \"cluster-admin\" to User \"user\""}}
fluentd config:
<source>
@type tail
@id in_tail_audit_logs
multiline_flush_interval 5s
path "/var/lib/origin/audit-ocp.log"
tag "ocp-audit"
<parse>
@type "json"
time_format "%Y-%m-%dT%T.%L%Z"
time_type string
</parse>
</source>
<filter ocp-audit>
@type grep
<regexp>
key user.groups
pattern /oauth/
</regexp>
</filter>
Try this configuration for grep:
<regexp>
key user
pattern /.*groups.*oauth/
</regexp>
Alternatively, you can install and configure fluent-plugin-json like this:
<filter ocp-audit>
@type json
@id json_filter
<check>
pointer /user/groups/0 # point to 0th index of groups array
pattern /.*:oauth/
</check>
</filter>
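To see why the two suggested configurations match the record while the original one does not, here is a small Ruby simulation of both matching strategies run against the audit line from the question. This is an added example, not fluentd's code, not fluent-plugin-json's code, and not part of the answer above. It assumes that the grep filter's <regexp> reads the configured key as a flat top-level key and stringifies whatever it finds before matching (so a Hash is matched in its Ruby inspect form), and that the json filter's "pointer" is an RFC 6901 JSON Pointer; json_pointer and grep_keep? are hypothetical stand-ins written for this illustration.

```ruby
require 'json'

# Constructed sample: the audit record from the question, trimmed to the
# fields the filters look at.
SAMPLE_RECORD = JSON.parse(<<~'JSON')
  {"kind":"Event","verb":"list",
   "user":{"username":"user",
           "groups":["system:authenticated:oauth","system:authenticated"]}}
JSON

# Constructed sample of a non-OAuth request that both filters should drop.
SAMPLE_NO_OAUTH = JSON.parse(<<~'JSON')
  {"kind":"Event","verb":"get",
   "user":{"username":"system:serviceaccount:default:builder",
           "groups":["system:serviceaccounts","system:authenticated"]}}
JSON

# Assumption (stand-in for filter_grep's <regexp>): look up a flat top-level
# key, convert the value with to_s and test the pattern. A missing key gives
# nil, whose to_s is "", so only a pattern like /.*/ can match it.
def grep_keep?(record, key, pattern)
  pattern.match?(record[key].to_s)
end

# Minimal RFC 6901 JSON Pointer resolver (stand-in for the json filter's
# "pointer" lookup): "/user/groups/0" walks Hash keys and Array indexes.
def json_pointer(record, pointer)
  return record if pointer.empty?
  pointer.sub(%r{\A/}, '').split('/', -1).reduce(record) do |node, token|
    token = token.gsub('~1', '/').gsub('~0', '~')
    case node
    when Hash  then node[token]
    when Array then token.match?(/\A\d+\z/) ? node[token.to_i] : nil
    end
  end
end

# Stand-in for the json filter's <check>: keep only when the pointed value
# exists and matches the pattern.
def json_check_keep?(record, pointer, pattern)
  value = json_pointer(record, pointer)
  !value.nil? && pattern.match?(value.to_s)
end

# The questioner's config: "user.groups" is not a top-level key, so the
# value is nil and /.*/ matches the empty string while /oauth/ does not.
def question_config_results(record)
  { any:   grep_keep?(record, 'user.groups', /.*/),
    oauth: grep_keep?(record, 'user.groups', /oauth/) }
end

# The answer's grep suggestion: key "user" exists, its Hash is stringified,
# and the string contains "groups" followed by "oauth".
def answer_grep_keep?(record)
  grep_keep?(record, 'user', /.*groups.*oauth/)
end

# The answer's json-filter suggestion: point at the first group entry.
def answer_json_keep?(record)
  json_check_keep?(record, '/user/groups/0', /.*:oauth/)
end

if __FILE__ == $PROGRAM_NAME
  puts "question config : #{question_config_results(SAMPLE_RECORD)}"
  puts "answer grep     : keep=#{answer_grep_keep?(SAMPLE_RECORD)}, " \
       "drop-noauth=#{!answer_grep_keep?(SAMPLE_NO_OAUTH)}"
  puts "answer json     : keep=#{answer_json_keep?(SAMPLE_RECORD)}, " \
       "drop-noauth=#{!answer_json_keep?(SAMPLE_NO_OAUTH)}"
end
```

Note that the grep variant depends on "groups" appearing before the OAuth group name inside the stringified user hash, and that the pointer variant only inspects the first element of the groups array; if the OAuth group is not listed first, that check would drop the record.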