![](/img/trans.png)
[英]remove sub-field on demand from _source field during ingestion in elasticsearch 7.15
[英]ECS-Compatiblity mode requires a `target` when `source` is not an `ip` sub-field, eg. [client][ip]
我試圖在我的 openvpn 服務器上實施 logstash,但出現以下錯誤:
GeoIP Filter in ECS-Compatiblity mode requires a `target` when `source` is not an `ip` sub-field, eg. [client][ip]>
我的 logstash 文件如下所示,這是我從這個要點https://gist.github.com/soulsearcher/68fa902298e59dc4d70696862244e778 中獲取的:
input {
beats {
port => 5044
}
}
filter {
grok {
match => {
"message" => "%{SYSLOGBASE} %{USER:user}/%{IP:source_ip}:%{POSINT:source_port} SENT CONTROL \[%{USER:user1}\]: \'%{DATA:msg}\' \(status=%{INT:status_code}\)"
}
remove_field => ["user1"]
match => {
"message" => "%{SYSLOGBASE} %{IP:source_ip}:%{POSINT:source_port} SENT CONTROL \[%{USER:user}\]: \'%{DATA:msg}\' \(status=%{INT:status_code}\)"
}
}
geoip {
source => "source_ip"xy
}
if [msg] =~ "PUSH_REPLY" {
mutate {
replace => { type => "openvpn_access" }
}
}
if [msg] =~ "AUTH_FAILED" {
mutate {
replace => { type => "openvpn_err" }
}
}
date {
match => ["timestamp", "MMM dd HH:mm:ss", "MMM d HH:mm:ss"]
target => "@timestamp"
}
if "_grokparsefailure" in [tags] {
drop { }
}
}
output {
# send to elasticsearch
elasticsearch {
cloud_id => "removed"
cloud_auth => "removed"
index => "openvpn-%{+YYYY.MM.dd}"
}
}
我正在使用 logstash 8.5.1 和 elastic 8.5.0。 我希望能夠將我的日志推送到 elasticsearch,以便將它們保存更長的時間。
Logstash 8.5 默認在 ECS 兼容模式下運行。 當沒有為 geoip 插件提供目標且 ip 地址位於 source.ip 時,地理數據將放置在 source.geo
您的 geoip 插件來源不符合 ECS 標准,因此您必須自己提供目標
當你更換
geoip {
source => "source_ip"xy
}
和
geoip {
source => "source_ip"
target => "source_geo"
}
地理數據應放在 source_geo 中。
另見https://www.elastic.co/guide/en/logstash/current/plugins-filters-geoip.html
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.