我尝试在我的openvpn服务器上实现logstash,但是我得到以下错误:
GeoIP Filter in ECS-Compatiblity mode requires a `target` when `source` is not an `ip` sub-field, eg. [client][ip]>我的logstash文件如下所示,这是我从这个要点https://gist.github.com/soulsearcher/68fa902298e59dc4d70696862244e778中提取的:
input {
beats {
port => 5044
}
}
filter {
grok {
match => {
"message" => "%{SYSLOGBASE} %{USER:user}/%{IP:source_ip}:%{POSINT:source_port} SENT CONTROL \[%{USER:user1}\]: \'%{DATA:msg}\' \(status=%{INT:status_code}\)"
}
remove_field => ["user1"]
match => {
"message" => "%{SYSLOGBASE} %{IP:source_ip}:%{POSINT:source_port} SENT CONTROL \[%{USER:user}\]: \'%{DATA:msg}\' \(status=%{INT:status_code}\)"
}
}
geoip {
source => "source_ip"xy
}
if [msg] =~ "PUSH_REPLY" {
mutate {
replace => { type => "openvpn_access" }
}
}
if [msg] =~ "AUTH_FAILED" {
mutate {
replace => { type => "openvpn_err" }
}
}
date {
match => ["timestamp", "MMM dd HH:mm:ss", "MMM d HH:mm:ss"]
target => "@timestamp"
}
if "_grokparsefailure" in [tags] {
drop { }
}
}
output {
# send to elasticsearch
elasticsearch {
cloud_id => "removed"
cloud_auth => "removed"
index => "openvpn-%{+YYYY.MM.dd}"
}
}我正在使用logstash8.5.1和elastic8.5.0。我希望能够将我的日志推送到elasticsearch,以保存更长的时间。
1条答案
按热度按时间tp5buhyn1#
Logstash 8.5默认在ECS兼容模式下运行。如果没有为geoip插件提供目标,并且ip地址位于source.ip,则geo数据将位于source.geo
您的geoip插件源不符合ECS标准,因此您必须自己提供目标
当您替换
与
geo数据应该放在source_geo。
另请参阅https://www.elastic.co/guide/en/logstash/current/plugins-filters-geoip.html