- elasticsearch/
elasticsearch 聚合日志将第一个时间戳设置为@timestamp
elasticsearch 聚合日志将第一个时间戳设置为@timestamp
我正在为“389目录服务器”日志编写一个过滤器,这些日志显示用户在服务器上的操作、连接、搜索、添加、修改等的历史记录。。。 我使用聚合筛选器将所有日志行合并到一个事件中 但是,我希望事件的最终@timestamp(在用户断开连接后)是第一个事件的@timestamp(在首次建立连接时) 我尝试过使用日期过滤器,虽然它确实更改了每个事件(每个日志行)的@timestamp,但聚合过滤器生成的最终映射仍然使用处理日志的时间 我可以将第一个@timestamp保存到映射中的另一个字段,但是如何用该字段替换@timestamp 由于过滤器很长,我将仅包括开始和结束:
filter {
grok {
match => { "message" => [
"^(\s)?\[%{HTTPDATE:timestamp}\] conn=%{NUMBER:connection_id} fd=%{NUMBER:file_descriptor} slot=%{NUMBER} %{WORD:connection_method} connection from %{IP:source} to %{IP:destination}$",
"^(\s)?\[%{HTTPDATE:timestamp}\] conn=%{NUMBER:connection_id} %{NOTSPACE:ssl_version} (?<encryption_method>%{NOTSPACE} %{NOTSPACE})$",
"^(\s)?\[%{HTTPDATE:timestamp}\] conn=%{NUMBER:connection_id} op=%{NUMBER:op_number} %{WORD:ldap_operation} dn=%{QUOTEDSTRING:user_dn} method=%{NOTSPACE:bind_method} version=%{NUMBER:ldap_version}($)?(mech=%{NOTSPACE:auth_mechanism}$)?",
"^(\s)?\[%{HTTPDATE:timestamp}\] conn=%{NUMBER:connection_id} op=%{NUMBER:op_number} %{WORD:ldap_operation} err=%{NUMBER:error_code} tag=%{NUMBER:tag_number} nentries=%{NUMBER:number_of_entries} etime=%{NUMBER:operation_time}($)?(dn=%{QUOTEDSTRING}$)?",
"^(\s)?\[%{HTTPDATE:timestamp}\] conn=%{NUMBER:connection_id} op=%{NUMBER:op_number} %{WORD:ldap_operation} base=%{QUOTEDSTRING:search_base} scope=%{NUMBER:search_scope} filter=%{QUOTEDSTRING:search_filter} attrs=%{QUOTEDSTRING:search_attributes}$",
"^(\s)?\[%{HTTPDATE:timestamp}\] conn=%{NUMBER:connection_id} op=%{NUMBER:op_number} %{WORD:ldap_operation}$",
"^(\s)?\[%{HTTPDATE:timestamp}\] conn=%{NUMBER:connection_id} op=%{NUMBER:op_number} fd=%{NUMBER:file_descriptor} %{WORD:connection_result} - %{WORD:connection_code}$"
]
}
}
if "" in [connection_method] {
aggregate {
task_id => "%{connection_id}"
code => "
map['timestamp'] = event['@timestamp']
map['tags'] ||= ['aggregated']
map['source'] = event['source']
map['destination'] = event['destination']
map['file_descriptor'] = event['file_descriptor']
map['connection_method'] = event['connection_method']
"
map_action => "create"
}
}
else if "" in [connection_code] {
mutate {
add_tag => [ "map_finished" ]
}
aggregate {
task_id => "%{connection_id}"
code => "
map['operations'][event['op_number']]['connection_code'] = event['connection_code']
map['operations'][event['op_number']]['connection_result'] = event['connection_result']
"
map_action => "update"
}
}
else {
aggregate {
task_id => "%{connection_id}"
code => "
map['@timestamp'] = map['timestamp']
"
timeout => 0
push_map_as_event_on_timeout => true
}
}
}
过滤器{
格罗克{
匹配=>{“消息”=>[
“^(\s)\[%{HTTPDATE:timestamp}\]conn=%{NUMBER:connection\u id}fd=%{NUMBER:file\u descriptor}slot=%{NUMBER}%{WORD:connection\u method}从%{IP:source}到%{IP:destination}的连接”,
“^(\s)?\[%{HTTPDATE:timestamp}\]conn=%{NUMBER:connection\u id}%{NOTSPACE:ssl\u version}(?%{NOTSPACE}%{NOTSPACE})$”,
“^(\s)\[%{HTTPDATE:timestamp}\]conn=%{NUMBER:connection\u id}op=%{NUMBER:op\u NUMBER}%{WORD:ldap\u operation}dn=%{QUOTEDSTRING:user\u dn}方法=%{NOTSPACE:bind\u方法}版本=%{NUMBER:ldap\u版本}($)?(mech=%{NOTSPACE auth\u机制}$)?”,
“^(\s)\[%{HTTPDATE:timestamp}\]conn=%{NUMBER:connection\u id}op=%{NUMBER:op\u NUMBER}%{WORD:ldap\u operation}err=%{NUMBER:error\u code}tag=%{NUMBER:tag NUMBER}元素=%{NUMBER:NUMBER\u条目数}时间=%{NUMBER:operation\u time}($)?(dn=%{QUOTEDSTRING$)?”,
“^(\s)\[%{HTTPDATE:timestamp}\]conn=%{NUMBER:connection\u id}op=%{NUMBER:op\u NUMBER}%{WORD:ldap\u operation}base=%{QUOTEDSTRING:search\u base}scope=%{NUMBER:search\u scope}filter=%{QUOTEDSTRING:search\u filter}attrs=%{QUOTEDSTRING:search\u attributes}$,
“^(\s)\[%{HTTPDATE:timestamp}\]conn=%{NUMBER:connection\u id}op=%{NUMBER:op\u NUMBER}%{WORD:ldap\u operation}$”,
“^(\s)\[%{HTTPDATE:timestamp}\]conn=%{NUMBER:connection\u id}op=%{NUMBER:op\u NUMBER}fd=%{NUMBER:file\u descriptor}%{WORD:connection\u result}-%{WORD:connection\u code}”
]
}
}
如果[连接方法]中的“”为{
聚合{
任务\u id=>“%{connection\u id}”
代码=>”
映射['timestamp']=事件['@timestamp']
映射['tags']| |=['aggregated']
映射['source']=事件['source']
映射['destination']=事件['destination']
映射['file\u descriptor']=事件['file\u descriptor']
映射['connection\u method']=事件['connection\u method']
"
映射_操作=>“创建”
}
}
如果在[连接代码]中为“”,则为else{
变异{
添加标签=>[“映射完成”]
}
聚合{
任务\u id=>“%{connection\u id}”
代码=>”
映射['operations'][事件['op\u number']['connection\u code']=事件['connection\u code']
映射['operations'][事件['op\u number']['connection\u result']=事件['connection\u result']
"
映射\操作=>“更新”
}
}
否则{
聚合{
任务\u id=>“%{connection\u id}”
代码=>”
map['@timestamp']=map['timestamp']
"
超时=>0
推送映射为事件超时=>true
}
}
}
ISO8601表示您的日期类型
date {
# timezone => "America/Asuncion"
match => ["timestamp", "ISO8601"]
target => "@timestamp"
}
ISO8601表示您的日期类型
date {
# timezone => "America/Asuncion"
match => ["timestamp", "ISO8601"]
target => "@timestamp"
}
我发现,我没有意识到/理解的是,当我到达最后一个事件并推出映射时,它(映射)将由logstash作为一个新事件处理(如文件中的新日志行),logstash将尝试将该事件与其中一个过滤器匹配,并失败,因为最终贴图不包含与任何过滤器匹配的按摩字段 创建一个新的过滤器修复了这个问题
filter {
if "aggregated" in [tags] {
date {
match => [ "timestamp", "dd/MMM/YYYY:HH:mm:ss Z" ]
target => "@timestamp"
add_tag => [ "tmatch" ]
}
}
}
我发现,我没有意识到/理解的是,当我到达最后一个事件并推出映射时,它(映射)将由logstash作为一个新事件处理(如文件中的新日志行),logstash将尝试将该事件与其中一个过滤器匹配,并失败,因为最终贴图不包含与任何过滤器匹配的按摩字段 创建一个新的过滤器修复了这个问题
filter {
if "aggregated" in [tags] {
date {
match => [ "timestamp", "dd/MMM/YYYY:HH:mm:ss Z" ]
target => "@timestamp"
add_tag => [ "tmatch" ]
}
}
}
您还可以使用下面的代码行根据特定事件时间戳更新聚合事件时间戳。但是,如果您使用日志文件时间戳作为事件时间戳,那么请确保在聚合操作之前应用日期过滤器
map['@timestamp'] ||= event.get('@timestamp');
您还可以使用下面的代码行根据特定事件时间戳更新聚合事件时间戳。但是,如果您使用日志文件时间戳作为事件时间戳,那么请确保在聚合操作之前应用日期过滤器
map['@timestamp'] ||= event.get('@timestamp');
你试过map['@timestamp']=event['@timestamp']吗?IIRC,你不能在logstash 5中使用event['foo']-你需要说event.get()和event.set()。我试过
map['@timestamp']=event['@timestamp']映射['@timestamp']=event['@timestamp']