堆栈内存溢出
  简体   繁体   English

如何使用logstash解析ECS(弹性通用架构)之后的纯文本日志?

[英]How can I parse plain text log following ECS (elastic common schema) with logstash?

 原文  2020-09-03 10:47:04       elasticsearch/ logstash/ logstash-grok/ rsyslog/ elastic-common-schema

问题描述

I am using rsyslog to send plain text log to logstash.我正在使用 rsyslog 将纯文本日志发送到 logstash。 But I cannot assign data to host.name or host.ip fields by grok.但是我无法通过 grok 将数据分配给 host.name 或 host.ip 字段。 The system through following error:系统通过以下错误:

Could not index event to Elasticsearch.无法将事件索引到 Elasticsearch。 {:status=>400, :action=>["index", {:_id=>nil, :_index=>"logstash-syslog-2020.09.03", :routing=>nil, :_type=>"_doc"}, #LogStash::Event:0x3273b8c], :response=>{"index"=>{"_index"=>"logstash-syslog-2020.09.03", "_type"=>"_doc", "_id"=>"i2hRU3QBeWqyaoMf1lgh", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"Could not dynamically add mapping for field [host.ip]. Existing mapping for [host] must be of type object but found [text]."}}}} {:status=>400, :action=>["index", {:_id=>nil, :_index=>"logstash-syslog-2020.09.03", :routing=>nil, :_type=>"_doc" }, #LogStash::Event:0x3273b8c], :response=>{"index"=>{"_index"=>"logstash-syslog-2020.09.03", "_type"=>"_doc", "_id"= >"i2hRU3QBeWqyaoMf1lgh", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"无法为字段 [host.ip] 动态添加映射。现有映射为 [ host] 必须是 object 类型,但找到了 [text]。"}}}}

I tried with [host][name] but had an error message:我尝试使用 [host][name] 但有一条错误消息:

Grok regexp threw exception {:exception=>"Could not set field 'name' on object '' to value ''.This is probably due to trying to set a field like [foo][bar] = someValuewhen [foo] is not either a map or a string" ... Grok regexp 抛出异常 {:exception=>"Could not set field 'name' on object '' to value ''。这可能是由于尝试设置一个字段,如 [foo][bar] = someValuewhen [foo] is not地图或字符串”...

Here is grok configuration:这是 grok 配置:

grok {
  match => { "message" => "<%{INT:log.syslog.priority}>%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGHOST:host.name} %{DATA:process.name}(?:\[%{POSINT:process.pid}\])?: %{GREEDYDATA:syslog_message}" }
}

My purpose is to parsing log messages according to ECS standard so that SIEM app can analyze these logs.我的目的是根据 ECS 标准解析日志消息,以便 SIEM 应用程序可以分析这些日志。

1 个解决方案

解决方案1
 0 已采纳  2020-09-03 11:03:49

I think that rsyslog already sends along with the message field another field called host which is a simple string.我认为 rsyslog 已经与message字段一起发送了另一个名为host字段,它是一个简单的字符串。 Then, when you try to assign something to [host][ip] it fails, because [host] is not an object but a string.然后,当您尝试将某些内容分配给[host][ip]它会失败,因为[host]不是对象而是字符串。

What you can try to do is to rename the original host field to something else and it should work:您可以尝试做的是将原始host字段重命名为其他名称,它应该可以工作:

Add this just before your grok filter:在您的grok过滤器之前添加以下内容:

mutate {
    rename => {
        "[host]" => "[source][address]"
    }
}

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如何使用logstash(grok)解析以下字符串? - How can I parse the following string using logstash (grok)? 如何检查弹性日志中的哪个字段解析错误 - How Can I check which field parse error from elastic log 如何使用Grok在Logstash中解析日志字符串? - How to parse a log string in Logstash using Grok? 使用logstash和弹性搜索进行自定义解析 - custom parse with logstash and elastic search logstash iptables日志解析 - logstash iptables log parse 如何解析包含带有Logstash的JSON的CSV - How can I parse a csv that contains JSON with logstash logstash 如何禁用 logstash-plain.log 中的“解剖器映射,找不到模式”错误 - logstash how to disable "Dissector mapping, pattern not found" error in logstash-plain.log 如何通过AWS VPC使用Elastic Cloud的Logstash从MySQL(AWS RDS)导入数据? - How can I import data from MySQL(AWS RDS) using Logstash of Elastic Cloud via AWS VPC? 使用 logstash 过滤和解析非结构化日志 - filter and parse unstructured log with logstash 使用logstash解析日志时如何添加序列ID - How to add sequence id when using logstash to parse log
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM