[英]kibana4 and suricata json filtering not showing up correct
我已經運行了ELK堆棧,並在上面也放了一些suricata
我認為我已經正確設置了它,因為它將日志從主機發送到ELK服務器
在kibana中,我可以看到eve.json文件並看到數據,但是由於所有重要信息都存儲在message字段中,因此我似乎無法正確格式化它。 我以為我可以像其他領域一樣在kibana中過濾掉它?
還是我錯過了什么?
{
"_index": "logstash-2015.04.09",
"_type": "suricata",
"_id": "",
"_score": null,
"_source": {
"message": "{\"timestamp\":\"2015-04-09T14:33:43.585096\",\"event_type\":\"alert\",\"src_ip\":\"x.x.x.x\",\"src_port\":40238,\"dest_ip\":\"x.x.x.x\",\"dest_port\":443,\"proto\":\"TCP\",\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2402000,\"rev\":3672,\"signature\":\"ET DROP Dshield Block Listed Source group 1\",\"category\":\"Misc Attack\",\"severity\":2}}",
"@version": "1",
"@timestamp": "2015-04-09T13:33:41.389Z",
"type": "suricata",
"file": "/var/log/suricata/eve.json",
"host": "xx",
"offset": "51171"
},
"fields": {
"@timestamp": [
1428586421389
]
},
"highlight": {
"message": [
"{\"timestamp\":\"2015-04-09T14:33:43.585096\",\"event_type\":\"@kibana-highlighted-field@alert@/kibana-highlighted-field@\",\"src_ip\":\"x.x.x.x\",\"src_port",
"\":40238,\"dest_ip\":\"x.x.x.x\",\"dest_port\":443,\"proto\":\"TCP\",\"@kibana-highlighted-field@alert@/kibana-highlighted-field@\":{\"action\":\"allowed\",\"gid\":1"
]
},
"sort": [
1428586421389
]
}
像這樣設置了logstash conf文件
filter {
if [type] == "SuricataIDPS" {
date {
match => [ "timestamp", "ISO8601" ]
}
ruby {
code => "if event['event_type'] == 'fileinfo'; event['fileinfo']['type']=event['fileinfo']['magic'].to_s.split(',')[0]; end;"
}
}
if [src_ip] {
geoip {
source => "src_ip"
target => "geoip"
#database => "/opt/logstash/vendor/geoip/GeoLiteCity.dat"
add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
}
mutate {
convert => [ "[geoip][coordinates]", "float" ]
}
if ![geoip.ip] {
if [dest_ip] {
geoip {
source => "dest_ip"
target => "geoip"
#database => "/opt/logstash/vendor/geoip/GeoLiteCity.dat"
add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
}
mutate {
convert => [ "[geoip][coordinates]", "float" ]
}
}
}
}
}
我想我通過向伐木工人的主要輸入添加codec => json來解決此問題
使用 Winston 3.0 和 Nodejs 的 Json 格式日志未在 Kibana 中顯示
[英]Json format logs using Winston 3.0 and Nodejs not showing in Kibana
將JSON文件導入Logstash + Elasticsearch + Kibana
[英]Import JSON Files into Logstash + Elasticsearch + Kibana
Nginx json 日志在 Elasticsearch (+ Kibana) 中被 Fluentd 錯誤解析
[英]Nginx json logs are incorrectly parsed by Fluentd in Elasticsearch (+ Kibana)
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.