![](/img/trans.png)
[英]remove sub-field on demand from _source field during ingestion in elasticsearch 7.15
[英]ECS-Compatiblity mode requires a `target` when `source` is not an `ip` sub-field, eg. [client][ip]
我试图在我的 openvpn 服务器上实施 logstash,但出现以下错误:
GeoIP Filter in ECS-Compatiblity mode requires a `target` when `source` is not an `ip` sub-field, eg. [client][ip]>
我的 logstash 文件如下所示,这是我从这个要点https://gist.github.com/soulsearcher/68fa902298e59dc4d70696862244e778 中获取的:
input {
beats {
port => 5044
}
}
filter {
grok {
match => {
"message" => "%{SYSLOGBASE} %{USER:user}/%{IP:source_ip}:%{POSINT:source_port} SENT CONTROL \[%{USER:user1}\]: \'%{DATA:msg}\' \(status=%{INT:status_code}\)"
}
remove_field => ["user1"]
match => {
"message" => "%{SYSLOGBASE} %{IP:source_ip}:%{POSINT:source_port} SENT CONTROL \[%{USER:user}\]: \'%{DATA:msg}\' \(status=%{INT:status_code}\)"
}
}
geoip {
source => "source_ip"xy
}
if [msg] =~ "PUSH_REPLY" {
mutate {
replace => { type => "openvpn_access" }
}
}
if [msg] =~ "AUTH_FAILED" {
mutate {
replace => { type => "openvpn_err" }
}
}
date {
match => ["timestamp", "MMM dd HH:mm:ss", "MMM d HH:mm:ss"]
target => "@timestamp"
}
if "_grokparsefailure" in [tags] {
drop { }
}
}
output {
# send to elasticsearch
elasticsearch {
cloud_id => "removed"
cloud_auth => "removed"
index => "openvpn-%{+YYYY.MM.dd}"
}
}
我正在使用 logstash 8.5.1 和 elastic 8.5.0。 我希望能够将我的日志推送到 elasticsearch,以便将它们保存更长的时间。
Logstash 8.5 默认在 ECS 兼容模式下运行。 当没有为 geoip 插件提供目标且 ip 地址位于 source.ip 时,地理数据将放置在 source.geo
您的 geoip 插件来源不符合 ECS 标准,因此您必须自己提供目标
当你更换
geoip {
source => "source_ip"xy
}
和
geoip {
source => "source_ip"
target => "source_geo"
}
地理数据应放在 source_geo 中。
另见https://www.elastic.co/guide/en/logstash/current/plugins-filters-geoip.html
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.