Filebeat 7.3.0 not parsing multiline JSON
I started using the SIEM feature with ELK 7.3.0. I now need to integrate Cloudflare logs in JSON format. I am quite sure filebeat can do this. I have installed the filebeat rpm package on a CentOS 7 server. What I have done so far: the Elasticsearch port is changed to 1300, the Logstash port is changed to 2300, and the Kibana port is changed to 3300. filebeat.yml looks like this:
filebeat.config.inputs:
  enabled: true
  path: configs/*.yml
  reload.enabled: true
  reload.period: 10s
setup.kibana:
  host: "10.139.111.216:3300"
output.elasticsearch:
  hosts: ["10.139.111.216:1300"]
I have placed the config file in the /etc/filebeat/modules.d/cloudflare-FW.conf directory, because, as I mentioned in filebeat.yml, this will reload if any change is made to the config.
cloudflare-FW.conf
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/crons/logs/*.json
  multiline.pattern: '^{'
  multiline.negate: true
  multiline.match: after
  processors:
    - decode_json_fields:
        fields: ['message']
        target: json
output.elasticsearch:
  hosts: ["10.136.111.216:1300"]
  index: "cloudflare-FW-%{+yyyy.MM.dd}"
setup.template.enabled: true
setup.template.name: "cloudflare-FW"
setup.template.pattern: "cloudflare-FW-*"
This is the target JSON file I want to parse:
{
  "ray_id": "501dxxxxxxxx0ce1b",
  "kind": "firewall",
  "source": "bic",
  "action": "drop",
  "rule_id": "bic",
  "ip": "161.00.6.8",
  "ip_class": "noRecord",
  "country": "GB",
  "colo": "LHR",
  "host": "site.com",
  "method": "POST",
  "proto": "HTTP/1.1",
  "scheme": "https",
  "ua": "Jakarta Commons-HttpClient/3.1",
  "uri": "/nxxxxxxx/senxxxxxxxxail.php",
  "matches": [
    {
      "rule_id": "bic",
      "source": "bic",
      "action": "drop"
    }
  ],
  "occurred_at": "2019-08-06T03:28:57Z"
},
{
  "ray_id": "501dxxxxxxxxxx6ce27",
  "kind": "firewall",
  "source": "bic",
  "action": "drop",
  "rule_id": "bic",
  "ip": "161.61.6.8",
  "ip_class": "noRecord",
  "country": "GB",
  "colo": "LHR",
  "host": "site.com",
  "method": "POST",
  "proto": "HTTP/1.1",
  "scheme": "https",
  "ua": "Jakarta Commons-HttpClient/3.1",
  "uri": "/nxxxxxxx/senxxxxxxxxail.php",
  "matches": [
    {
      "rule_id": "bic",
      "source": "bic",
      "action": "drop"
    }
  ],
  "occurred_at": "2019-08-06T03:02:52Z"
}
When I run filebeat -e, it should create an index named cloudflare-FW-%{+yyyy.MM.dd} and ingest the data from the JSON file into that index. Finally, the JSON keys should be queryable fields.
But that is not what happens. Any help is greatly appreciated. Please keep in mind that this is filebeat 7.3.0.
Thanks
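To see why the input configuration in the question does not produce one document per Cloudflare event, here is an added Python example (it is not code from the question, the answer, or Filebeat itself). It models the grouping that multiline.pattern: '^{' with multiline.negate: true and multiline.match: after performs, hands each aggregated event to a strict JSON parser the way decode_json_fields would for the message field, and then shows the same file rewritten as newline-delimited JSON. The sample text is constructed to mirror the posted file (two pretty-printed objects separated by a comma, with no enclosing array); the function names are assumptions of this example.

```python
import json
import re

# Constructed sample that mimics the file in the question: two pretty-printed
# objects separated by a comma, with no enclosing array (so it is not NDJSON).
SAMPLE = """{
  "ray_id": "501dxxxxxxxx0ce1b",
  "kind": "firewall",
  "action": "drop",
  "ip": "161.00.6.8",
  "matches": [
    {
      "rule_id": "bic",
      "source": "bic",
      "action": "drop"
    }
  ],
  "occurred_at": "2019-08-06T03:28:57Z"
},
{
  "ray_id": "501dxxxxxxxxxx6ce27",
  "kind": "firewall",
  "action": "drop",
  "ip": "161.61.6.8",
  "matches": [
    {
      "rule_id": "bic",
      "source": "bic",
      "action": "drop"
    }
  ],
  "occurred_at": "2019-08-06T03:02:52Z"
}
"""


def multiline_after(lines, pattern, negate):
    """Model of multiline.pattern / multiline.negate / multiline.match: after.

    With negate: true, every line that does NOT match the pattern is appended
    to the most recent line that did; a matching line starts a new event.
    With negate: false the roles are swapped.
    """
    regex = re.compile(pattern)
    events, current = [], []
    for line in lines:
        matched = regex.search(line) is not None
        continuation = matched != negate  # negate flips what a "match" means
        if current and continuation:
            current.append(line)
        else:
            if current:
                events.append("\n".join(current))
            current = [line]
    if current:
        events.append("\n".join(current))
    return events


def decode_events(events):
    """Decode each aggregated event as one JSON document, the way
    decode_json_fields treats the 'message' field. Returns (status, payload)."""
    results = []
    for event in events:
        try:
            results.append(("ok", json.loads(event)))
        except json.JSONDecodeError as exc:
            results.append(("error", exc.msg))
    return results


def to_ndjson(text):
    """Rewrite comma-separated top-level objects as newline-delimited JSON:
    one compact object per line, which a per-line JSON reader can consume
    without any multiline configuration."""
    docs = json.loads("[" + text + "]")
    return "\n".join(json.dumps(doc, separators=(",", ":")) for doc in docs)


def demo():
    events = multiline_after(SAMPLE.splitlines(), r"^{", negate=True)
    decoded = decode_events(events)
    ndjson_docs = [json.loads(line) for line in to_ndjson(SAMPLE).splitlines()]
    return events, decoded, ndjson_docs


if __name__ == "__main__":
    events, decoded, ndjson_docs = demo()
    for event, (status, payload) in zip(events, decoded):
        print(status, "-> last line:", event.splitlines()[-1], "|", payload)
    print(len(ndjson_docs), "documents after NDJSON conversion")
```

Running it shows the two failure modes a practitioner should check for. The first aggregated event ends with the separator line `},`, so a strict parser rejects it as extra data after the object; only the last object in the file decodes cleanly. And because the pattern is anchored at column zero, the grouping depends on indentation: if the inner `{` of the matches array were flush left, it too would start a new event and the record would be split further. Converting the source to one object per line (as to_ndjson does) avoids both problems and removes the need for multiline handling altogether.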
> I have placed the config file in the /etc/filebeat/modules.d/cloudflare-FW.conf directory
In filebeat.yml you specified a completely different path:
filebeat.config.inputs:
  enabled: true
  path: "configs/*.yml" <--
  reload.enabled: true
  reload.period: 10s
Did my answer work for you?
Sorry for taking so long to reply. I noticed the error you highlighted in the config file; thanks, but I solved my problem by using the logstash http input plugin to read the logs from the HTTP response instead of from a file, and by using the split logstash filter to split the JSON sub-keys; it works well.