elasticsearch 将json输入logstash-config问题?
我想将以下json输入转储到logstash,并最终在elasticsearch/kibana中搜索/dashboardelasticsearch 将json输入logstash-config问题?,elasticsearch,logstash,elasticsearch,Logstash,我想将以下json输入转储到logstash,并最终在elasticsearch/kibana中搜索/dashboard {"vulnerabilities":[ {"ip":"10.1.1.1","dns":"z.acme.com","vid":"12345"}, {"ip":"10.1.1.2","dns":"y.acme.com","vid":"12345"}, {"ip":"10.1.1.3","dns":"x.acme.com","vid":"12345"} ]
{"vulnerabilities":[
{"ip":"10.1.1.1","dns":"z.acme.com","vid":"12345"},
{"ip":"10.1.1.2","dns":"y.acme.com","vid":"12345"},
{"ip":"10.1.1.3","dns":"x.acme.com","vid":"12345"}
]}
我正在使用以下日志存储配置
input {
file {
path => "/tmp/logdump/*"
type => "assets"
codec => "json"
}
}
output {
stdout { codec => rubydebug }
elasticsearch { host => localhost }
}
输出
{
"message" => "{\"vulnerabilities\":[\r",
"@version" => "1",
"@timestamp" => "2014-10-30T23:41:19.788Z",
"type" => "assets",
"host" => "av12612sn00-pn9",
"path" => "/tmp/logdump/stack3.json"
}
{
"message" => "{\"ip\":\"10.1.1.30\",\"dns\":\"z.acme.com\",\"vid\":\"12345\"},\r",
"@version" => "1",
"@timestamp" => "2014-10-30T23:41:19.838Z",
"type" => "assets",
"host" => "av12612sn00-pn9",
"path" => "/tmp/logdump/stack3.json"
}
{
"message" => "{\"ip\":\"10.1.1.31\",\"dns\":\"y.acme.com\",\"vid\":\"12345\"},\r",
"@version" => "1",
"@timestamp" => "2014-10-30T23:41:19.870Z",
"type" => "shellshock",
"host" => "av1261wag2sn00-pn9",
"path" => "/tmp/logdump/stack3.json"
}
{
"ip" => "10.1.1.32",
"dns" => "x.acme.com",
"vid" => "12345",
"@version" => "1",
"@timestamp" => "2014-10-30T23:41:19.884Z",
"type" => "assets",
"host" => "av12612sn00-pn9",
"path" => "/tmp/logdump/stack3.json"
}
显然,logstash将每一行视为一个事件,它认为{漏洞:[是一个事件,我猜后面两个节点上的尾随逗号会扰乱解析,最后一个节点看起来是正确的。我如何告诉logstash解析漏洞数组中的事件,并忽略行末尾的逗号
更新日期:2014-11-05
按照Magnus的建议,我添加了json过滤器,它工作得很好。但是,如果不在文件输入块中指定start_position=>start,它将无法正确解析json的最后一行。有什么想法吗?我知道它默认自底向上解析,但预计mutate/gsub会顺利处理这个问题
file {
path => "/tmp/logdump/*"
type => "assets"
start_position => "beginning"
}
}
filter {
if [message] =~ /^\[?{"ip":/ {
mutate {
gsub => [
"message", "^\[{", "{",
"message", "},?\]?$", "}"
]
}
json {
source => "message"
remove_field => ["message"]
}
}
}
output {
stdout { codec => rubydebug }
elasticsearch { host => localhost }
}
您可以跳过json编解码器,并使用多行筛选器将消息加入到单个字符串中,然后将其馈送到json filter.filter{
filter {
multiline {
pattern => '^{"vulnerabilities":\['
negate => true
what => "previous"
}
json {
source => "message"
}
}
但是,这会产生以下不必要的结果:
{
"message" => "<omitted for brevity>",
"@version" => "1",
"@timestamp" => "2014-10-31T06:48:15.589Z",
"host" => "name-of-your-host",
"tags" => [
[0] "multiline"
],
"vulnerabilities" => [
[0] {
"ip" => "10.1.1.1",
"dns" => "z.acme.com",
"vid" => "12345"
},
[1] {
"ip" => "10.1.1.2",
"dns" => "y.acme.com",
"vid" => "12345"
},
[2] {
"ip" => "10.1.1.3",
"dns" => "x.acme.com",
"vid" => "12345"
}
]
}
您可以跳过json编解码器,并使用多行筛选器将消息加入到单个字符串中,然后将其馈送到json filter.filter{
filter {
multiline {
pattern => '^{"vulnerabilities":\['
negate => true
what => "previous"
}
json {
source => "message"
}
}
但是,这会产生以下不必要的结果:
{
"message" => "<omitted for brevity>",
"@version" => "1",
"@timestamp" => "2014-10-31T06:48:15.589Z",
"host" => "name-of-your-host",
"tags" => [
[0] "multiline"
],
"vulnerabilities" => [
[0] {
"ip" => "10.1.1.1",
"dns" => "z.acme.com",
"vid" => "12345"
},
[1] {
"ip" => "10.1.1.2",
"dns" => "y.acme.com",
"vid" => "12345"
},
[2] {
"ip" => "10.1.1.3",
"dns" => "x.acme.com",
"vid" => "12345"
}
]
}