I am using Winlogbeat to forward messages from a Windows host to a Kafka cluster. I installed the Winlogbeat agent on the host and tried to forward the Security log to the Kafka broker, but I see that the message field is missing from the events. Winlogbeat configuration:
```yaml
# ======================= Winlogbeat specific options ==========================
winlogbeat.event_logs:
  - name: Security
    ignore_older: 72h
    forwarded: true

fields:
  log_topic: TEST
  extra_id: testId
fields_under_root: true

# ------------------------------- Kafka output ----------------------------------
output.kafka:
  # Boolean flag to enable or disable the output module.
  enabled: true
  # The list of Kafka broker addresses from where to fetch the cluster metadata.
  # The cluster metadata contain the actual Kafka brokers events are published
  # to.
output.kafka.hosts: ["localhost:9092","localhost:9093"]
output.kafka.topic: '%{[log_topic]}'
```
I am able to run Winlogbeat and see traffic flowing to Kafka, but the problem is that the message field is missing from the (redacted) output record below:
```json
"record_number": "20092012",
"event_data": {
  "TargetLogonId": "00000000",
  "LogonType": "3",
  "TargetUserName": "USER1",
  "TargetDomainName": "DOMAIN",
  "TargetUserSid": "1-1-1-1-1"
```
I was expecting to see something like the following sent by Winlogbeat:
```
message: An account was logged off.

Subject:
  Security ID:    S-000000000000000000000
  Account Name:   000000
  Account Domain: DOmain
  Logon ID:       0x1234

Logon Type: 7

This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
```
Is anything missing from the winlogbeat.yml configuration file?
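The following is an added example and is not part of the question or of Winlogbeat itself. It is a small Python checker for exactly this situation: it inspects the `winlogbeat.event_logs` section (represented as the dict a YAML loader would return, so no PyYAML dependency) and flags `forwarded: true` on a local channel, since the Winlogbeat documentation describes that option as marking a log that holds pre-rendered events collected by a Windows Event Collector, defaulting to true only for the ForwardedEvents channel; it then scans JSON records as read back from the Kafka topic and lists the ones whose `message` field is absent or empty. All sample config and records are constructed here.

```python
"""Sanity checks for a Winlogbeat -> Kafka pipeline when `message` is missing.

Added example, not code from the question. Runs offline on constructed data.
"""
import json

# Constructed: the event_logs section from the question, as the dict a plain
# YAML loader would produce for the dotted top-level key.
SAMPLE_CONFIG = {
    "winlogbeat.event_logs": [
        {"name": "Security", "ignore_older": "72h", "forwarded": True},
    ],
}

# Constructed: two records as they might be read back from the Kafka topic.
# Only the second one carries a rendered message.
SAMPLE_KAFKA_RECORDS = [
    json.dumps({
        "record_number": "20092012",
        "event_id": 4634,
        "event_data": {"TargetLogonId": "00000000", "LogonType": "3"},
    }),
    json.dumps({
        "record_number": "20092013",
        "event_id": 4634,
        "message": "An account was logged off.",
        "event_data": {"TargetLogonId": "00000001", "LogonType": "7"},
    }),
]


def check_event_log_config(config):
    """Return a warning per event_logs entry whose settings are documented to
    skip local message rendering.

    `forwarded: true` tells Winlogbeat the channel contains events already
    rendered by a Windows Event Collector, so the message is taken from the
    event's RenderingInfo instead of being rendered on this host. A local
    channel such as Security has no RenderingInfo, so `message` stays empty.
    """
    warnings = []
    for entry in config.get("winlogbeat.event_logs", []):
        name = entry.get("name", "<unnamed>")
        if entry.get("forwarded") and name != "ForwardedEvents":
            warnings.append(
                f"{name}: forwarded=true on a local channel; Winlogbeat will "
                "treat events as pre-rendered and leave `message` empty "
                "(the option defaults to true only for ForwardedEvents)"
            )
    return warnings


def find_records_missing_message(raw_records):
    """Parse JSON records and return the record_number of each one whose
    `message` field is absent or empty; unparseable input is reported too."""
    missing = []
    for raw in raw_records:
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            missing.append("<unparseable>")
            continue
        if not rec.get("message"):
            missing.append(str(rec.get("record_number", "<no record_number>")))
    return missing


if __name__ == "__main__":
    for warning in check_event_log_config(SAMPLE_CONFIG):
        print("config:", warning)
    print("records without message:",
          find_records_missing_message(SAMPLE_KAFKA_RECORDS))
```

Run it against the real `winlogbeat.yml` by loading the file with a YAML library into `check_event_log_config`, and against the Kafka topic by feeding consumed message values to `find_records_missing_message`; a non-empty result from the second function confirms the gap is present on the wire rather than only in a viewer.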
No answers yet.