Exception while parsing KV: Invalid FieldReference, Logstash 7.6.1

kjthegm6, posted 12 months ago in Logstash

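I am trying to use Logstash 7.6.1 to log my F5 WAF/ASM. When I try to collect some logs from my F5 remote logging, I run logstash -f f5.config from my ELK server. It prints this line and loops:
[[main]> worker 1] ERROR - Exception while parsing KV {:exception=>"Invalid FieldReference:`info tmm 2 [16492]:Rule /Common/myrule:source logreq:/mywebsitepath/"}
So what is the problem here, and how do I fix it?
This is my f5.config: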

input {
  syslog {
    port => 5144
  }
}
filter {
  kv {
    field_split => ","
  }
  mutate {
    split => { "attack_type" => "," }
    split => { "sig_ids" => "," }
    split => { "sig_names" => "," }
    split => { "sig_cves" => "," }
    split => { "staged_sig_ids" => "," }
    split => { "staged_sig_names" => "," }
    split => { "staged_sig_cves" => "," }
    split => { "threat_campaign_names" => "," }
    split => { "staged_threat_campaign_names" => "," }
    split => { "violations" => "," }
    split => { "sub_violations" => "," }
  }
  geoip {
    source => "ip_client"
  }
}
output {
  elasticsearch {
    hosts => ['myip:9200']
    index => "waf-logs-%{+YYY.MM.dd}"
  }
}

This is the Kibana I use to visualize Logstash: Project
Thanks in advance.

8e2ybdfx1#

By default, the KV parser treats the special characters [] as keys.

[a][0]=1 is valid and would set a.0 = 1 in Elastic
[a=1 is not

You can set

remove_char_key => "\[\]"


to work around this problem.

yhxst69z2#

This should work for v4.7.0:

kv {
    remove_char_value => "<>\[\],"
  }
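
To see how the kv filter ends up with a key like the one in the error, the following added example (not part of either answer, and not Logstash code) approximates kv's splitting with the question's field_split and checks each key against the bracket rule from the first answer. The helper names, the simplified validity rule and the sample line are assumptions made for illustration.

```python
import re

# Assumption (simplified from the first answer's examples): a usable key is
# either a plain name with no square brackets, or consists entirely of
# [segment] groups such as [a][0]. Logstash's real parser has more rules.
_BRACKET_PATH = re.compile(r"(?:\[[^\[\]]+\])+")


def is_valid_field_reference(key):
    if "[" not in key and "]" not in key:
        return bool(key)
    return _BRACKET_PATH.fullmatch(key) is not None


def kv_pairs(message, field_split=",", value_split="="):
    """Rough stand-in for kv: cut on field_split, then on the first value_split."""
    for chunk in message.split(field_split):
        key, sep, value = chunk.partition(value_split)
        if sep and key.strip():
            yield key.strip(), value.strip()


def audit_keys(message, remove_char_key=""):
    """Return the keys that would be rejected as field references.

    remove_char_key lists characters deleted from each key first, mirroring
    the kv option of the same name (given here unescaped).
    """
    strip = str.maketrans("", "", remove_char_key)
    rejected = []
    for key, _value in kv_pairs(message):
        cleaned = key.translate(strip)
        if not is_valid_field_reference(cleaned):
            rejected.append(cleaned)
    return rejected


# Constructed sample: the syslog prefix from the error message above, followed
# by made-up key=value pairs in the style of the question's mutate block.
SAMPLE = (
    "info tmm 2 [16492]:Rule /Common/myrule:source logreq:/mywebsitepath/?id=7,"
    "attack_type=Parameter Tampering,ip_client=203.0.113.7,violations=Illegal parameter"
)

if __name__ == "__main__":
    print("default kv settings   :", audit_keys(SAMPLE))
    print('remove_char_key "[]"  :', audit_keys(SAMPLE, remove_char_key="[]"))
```

The first call reports the whole syslog prefix up to the first "=" as one rejected key; the second reports none, because the brackets are removed before the key is used.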
