elasticsearch 如何在logstash中从TEXT和JSON混合格式中仅过滤JSON

mf98qq94  于 2022-11-02  发布在  ElasticSearch

我们的输入来自其中一个应用程序,格式为TEXT + JSON,如下所示:

<12>1 2022-10-18T10:48:40.163Z 7VLX5D8 ERAServer 14016 - - {"event_type":"FilteredWebsites_Event","ipv4":"192.168.0.1","hostname":"9krkvs1","source_uuid":"11160173-r3bc-46cd-9f4e-99f66fc0a4eb","occured":"18-Oct-2022 10:48:37","severity":"Warning","event":"An attempt to connect to URL","target_address":"172.66.43.217","target_address_type":"IPv4","scanner_id":"HTTP filter","action_taken":"Blocked","handled":true,"object_uri":"https://free4pc.org","hash":"0E9ACB02118FBF52B28C3570D47D82AFB82EB58C","username":"CKFCVS1\\some.name","processname":"C:\\Users\\some.name\\AppData\\Local\\Programs\\Opera\\opera.exe","rule_id":"Blocked by internal blacklist"}

即TEXT部分为 <12>1 2022-10-18T10:48:40.163Z 7VLX5D8 ERAServer 14016 - - ,其余值均在JSON部分中。

文本部分相似,只是日期和时间不同,因此即使我们删除所有文本部分也没关系。
JSON部分是随机的,但它包含有用的信息。

目前在Kibana上,整行日志都显示在message字段中;由于整行并不是合法的JSON,各个字段没有被单独解析出来。因此我们现在的做法是手动把所需的JSON部分复制到文件中、只推送这部分JSON,以便在Kibana中得到期望的输出。
因此,我们的问题是如何通过logstash过滤器/grok实现这一点。
更新:
@Val -我们已经有以下配置

input {
  # Receives the application's log lines via the syslog input on port 5044.
  syslog {
    port => 5044
    # NOTE(review): the json codec is applied to the whole line, but each line
    # begins with a plain-text syslog header, so the line as a whole is not
    # valid JSON — this matches the symptom in the question (message kept as
    # one string, no per-field parsing).
    codec => json
  }
}

但Kibana上的输出显示为(此处原为截图)
我们希望它像这样:


zazmityj 1#

尽管syslog看起来是一种很有吸引力的数据传输方式,但它在标准化方面相当混乱,各家发送数据的方式都不尽相同。Logstash的syslog输入只支持RFC3164,而您的日志格式并不符合该标准。
您仍然可以通过提供自己的grok模式来绕过正常的RFC3164解析,如下所示:

input {
  syslog {
    port => 5044
    # Replaces the input's default RFC3164 parsing with a custom pattern: the
    # header (<pri>version timestamp hostname appname procid, then two literal
    # dashes) is captured field by field, and everything after it is kept
    # verbatim in [event][original] for the json filter below.
    # NOTE(review): the priority is captured as priority_key rather than
    # priority; that appears to be why the sample output shows priority 0,
    # facility_label "kernel" and severity_label "Emergency" instead of values
    # derived from <12> — confirm against the syslog input's priority handling.
    grok_pattern => "<%{POSINT:priority_key}>%{POSINT:version} %{TIMESTAMP_ISO8601:timestamp} %{HOSTNAME:[observer][hostname]} %{WORD:[observer][name]} %{WORD:[process][id]} - - %{GREEDYDATA:[event][original]}"
  }
}
filter {
  # Parses the JSON body captured above. With no target => set, every key from
  # the body is placed at the event root, next to the fields Logstash itself
  # produced (see the sample output: the body's "severity":"Warning" sits
  # beside the input-derived severity_label).
  # NOTE(review): because the body comes from the log producer, root-level
  # merging lets payload keys collide with or overwrite pipeline fields.
  # Consider a namespace such as target => "[event][parsed]" so payload keys
  # stay separate from pipeline-owned fields; unparsable bodies are tagged
  # _jsonparsefailure by default and should be handled rather than dropped.
  json {
    source => "[event][original]"
  }
}
output {
   stdout { codec => json }
}

使用上述配置运行Logstash,示例日志行将被解析为:

{
    "@timestamp": "2022-10-18T10:48:40.163Z",
    "@version": "1",
    "action_taken": "Blocked",
    "event": "An attempt to connect to URL",
    "event_type": "FilteredWebsites_Event",
    "facility": 0,
    "facility_label": "kernel",
    "handled": true,
    "hash": "0E9ACB02118FBF52B28C3570D47D82AFB82EB58C",
    "host": "0:0:0:0:0:0:0:1",
    "hostname": "9krkvs1",
    "ipv4": "192.168.0.1",
    "message": "<12>1 2022-10-18T10:48:40.163Z 7VLX5D8 ERAServer 14016 - - {\"event_type\":\"FilteredWebsites_Event\",\"ipv4\":\"192.168.0.1\",\"hostname\":\"9krkvs1\",\"source_uuid\":\"11160173-r3bc-46cd-9f4e-99f66fc0a4eb\",\"occured\":\"18-Oct-2022 10:48:37\",\"severity\":\"Warning\",\"event\":\"An attempt to connect to URL\",\"target_address\":\"172.66.43.217\",\"target_address_type\":\"IPv4\",\"scanner_id\":\"HTTP filter\",\"action_taken\":\"Blocked\",\"handled\":true,\"object_uri\":\"https://free4pc.org\",\"hash\":\"0E9ACB02118FBF52B28C3570D47D82AFB82EB58C\",\"username\":\"CKFCVS1\\\\some.name\",\"processname\":\"C:\\\\Users\\\\some.name\\\\AppData\\\\Local\\\\Programs\\\\Opera\\\\opera.exe\",\"rule_id\":\"Blocked by internal blacklist\"}\n",
    "object_uri": "https://free4pc.org",
    "observer": {
        "hostname": "7VLX5D8",
        "name": "ERAServer"
    },
    "occured": "18-Oct-2022 10:48:37",
    "priority": 0,
    "priority_key": "12",
    "process": {
        "id": "14016"
    },
    "processname": "C:\\Users\\some.name\\AppData\\Local\\Programs\\Opera\\opera.exe",
    "rule_id": "Blocked by internal blacklist",
    "scanner_id": "HTTP filter",
    "severity": "Warning",
    "severity_label": "Emergency",
    "source_uuid": "11160173-r3bc-46cd-9f4e-99f66fc0a4eb",
    "target_address": "172.66.43.217",
    "target_address_type": "IPv4",
    "timestamp": "2022-10-18T10:48:40.163Z",
    "username": "CKFCVS1\\some.name",
    "version": "1"
}
