- elasticsearch/
elasticsearch Logstash-如何在一条消息中使用多个geoip筛选器
elasticsearch Logstash-如何在一条消息中使用多个geoip筛选器
我想包括两个geoip过滤器,用于一条日志存储消息——比方说:一条带有dst字段(防火墙位置)和src字段(访问源)的防火墙消息 日志条目可能如下所示:
<190>2015 Mar 23 02:21:30 fw1 <50000> Dropped Inbound packet (Stateless ICMP) Src:87.245.196.38 Dst:154.54.27.169 Type:11 Code:0 IPP:1 Rule:-1 Interface:WAN (Internet)
2015年3月23日02:21:30 fw1丢弃入站数据包(无状态ICMP)Src:87.245.196.38 Dst:154.54.27.169类型:11代码:0 IPP:1规则:-1接口:WAN(互联网)
if [message] =~ "packet" {
grok {
match => [
"message", "<%{POSINT:syslog_pri}>%{YEAR} %{SYSLOGTIMESTAMP:syslog_timestamp} %{DATA:device} <%{POSINT:status}> %{WORD:activity} %{DATA:inout} \(%{DATA:msg}\) Src:%{IPV4:src} SPort:%{INT:sport} Dst:%{IPV4:dst} DPort:%{INT:dport} IPP:%{INT:ipp} Rule:%{INT:rule} Interface:%{WORD:iface}",
"message", "<%{POSINT:syslog_pri}>%{YEAR} %{SYSLOGTIMESTAMP:syslog_timestamp} %{DATA:device} <%{POSINT:status}> %{WORD:activity} %{DATA:inout} \(%{DATA:msg}\) Src:%{IPV4:src} Dst:%{IPV4:dst} Type:%{POSINT:type} Code:%{INT:code} IPP:%{INT:ipp} Rule:%{INT:rule} Interface:%{WORD:iface}"
]
}
geoip { source => "src" }
geoip { source => "dst" }
}
如果[消息]=“数据包”{
格罗克{
匹配=>[
“消息”、“%{YEAR}%{SYSLOGTIMESTAMP:syslog_timestamp}%{DATA:device}%{WORD:activity}%{DATA:inout}\({DATA:msg}\)Src:%%{IPV4:Src}SPort:%%{INT:SPort}Dst:%%{IPP:%%{INT:DPort}规则:%%{INT:Rule}接口:{WORD iface}”,
“消息”、“{YEAR}%{SYSLOGTIMESTAMP:syslog_timestamp}%{DATA:device}%{WORD:activity}%{DATA:inout}\({DATA:msg}\)Src:%%{IPV4:Src}Dst:%%{IPV4:Dst}类型:%%{POSINT:Type}代码:%%{INT:Code}IPP:%%{INT:IPP}规则:%%{INT:Rule}接口:%%{WORD iface}”
]
}
geoip{source=>“src”}
geoip{source=>“dst”}
}
filter {
geoip {
source => "src"
target => "src_geoip"
}
geoip {
source => "dst"
target => "dst_geoip"
}
}
filter {
geoip {
source => "src"
target => "src_geoip"
}
geoip {
source => "dst"
target => "dst_geoip"
}
}
filter {
geoip {
source => "src"
target => "src_geoip"
}
geoip {
source => "dst"
target => "dst_geoip"
}
}
filter {
geoip {
source => "src"
target => "src_geoip"
}
geoip {
source => "dst"
target => "dst_geoip"
}
}