Filebeat 7.3.0 not parsing multi-line JSON

Tags: json, logging, elastic-stack, filebeat

I started using the SIEM feature with ELK 7.3.0. I now need to integrate Cloudflare logs in JSON format. I am fairly sure Filebeat can do this.

I have installed the filebeat rpm package on a CentOS 7 server.

What I have done so far:

Elastic port changed to: 1300
Logstash port changed to: 2300
Kibana port changed to: 3300

filebeat.yml looks like this:

filebeat.config.inputs:
   enabled: true
   path: configs/*.yml
   reload.enabled: true
   reload.period: 10s

setup.kibana: 
   host: "10.139.111.216:3300"

output.elasticsearch:
   hosts: ["10.139.111.216:1300"]
I have placed the config file at /etc/filebeat/modules.d/cloudflare-FW.conf because, as mentioned in filebeat.yml, any change to the config will be reloaded.

cloudflare-FW.conf

filebeat.inputs:
- type: log
  enabled: true
  paths:
  - /var/crons/logs/*.json
  multiline.pattern: '^{'
  multiline.negate: true
  multiline.match:  after

processors:
- decode_json_fields:
    fields: ['message']
    target: json

output.elasticsearch:
  hosts: ["10.136.111.216:1300"]
  index: "cloudflare-FW-%{+yyyy.MM.dd}"
  setup.template.enabled: true
  setup.template.name: "cloudflare-FW"
  setup.template.pattern: "cloudflare-FW-*"
This is the target JSON file I want to parse:

{
  "ray_id": "501dxxxxxxxx0ce1b",
  "kind": "firewall",
  "source": "bic",
  "action": "drop",
  "rule_id": "bic",
  "ip": "161.00.6.8",
  "ip_class": "noRecord",
  "country": "GB",
  "colo": "LHR",
  "host": "site.com",
  "method": "POST",
  "proto": "HTTP/1.1",
  "scheme": "https",
  "ua": "Jakarta Commons-HttpClient/3.1",
  "uri": "/nxxxxxxx/senxxxxxxxxail.php",
  "matches": [
    {
      "rule_id": "bic",
      "source": "bic",
      "action": "drop"
    }
  ],
  "occurred_at": "2019-08-06T03:28:57Z"
},
{
  "ray_id": "501dxxxxxxxxxx6ce27",
  "kind": "firewall",
  "source": "bic",
  "action": "drop",
  "rule_id": "bic",
  "ip": "161.61.6.8",
  "ip_class": "noRecord",
  "country": "GB",
  "colo": "LHR",
  "host": "site.com",
  "method": "POST",
  "proto": "HTTP/1.1",
  "scheme": "https",
  "ua": "Jakarta Commons-HttpClient/3.1",
  "uri": "/nxxxxxxx/senxxxxxxxxail.php",
  "matches": [
    {
      "rule_id": "bic",
      "source": "bic",
      "action": "drop"
    }
  ],
  "occurred_at": "2019-08-06T03:02:52Z"
}
When I run filebeat -e, it should create an index named cloudflare-FW-%{+yyyy.MM.dd} and ingest the data from the JSON file into that index. Finally, the JSON keys should be queryable fields.

But that is not what happens. Any help would be greatly appreciated. Please keep in mind that this is filebeat 7.3.0.

Thanks
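The sample file above is not a JSON array: it is two top-level objects separated by a comma. With multiline.pattern '^{', negate true and match after, the first object is collected as one event that ends in "}," and a strict JSON decode of it fails. The following Python is an added example (not from the question, the answer or Filebeat) that emulates that multiline aggregation and decode step over a constructed subset of the sample, so the failure point is visible before the data is shipped.

```python
import json
import re

# Constructed sample modelled on the question's file (subset of fields):
# two top-level objects separated by "}," and "{", not a JSON array.
SAMPLE_LOG = """{
  "ray_id": "501dxxxxxxxx0ce1b",
  "action": "drop",
  "ip": "161.00.6.8",
  "matches": [{"rule_id": "bic", "source": "bic", "action": "drop"}],
  "occurred_at": "2019-08-06T03:28:57Z"
},
{
  "ray_id": "501dxxxxxxxxxx6ce27",
  "action": "drop",
  "ip": "161.61.6.8",
  "matches": [{"rule_id": "bic", "source": "bic", "action": "drop"}],
  "occurred_at": "2019-08-06T03:02:52Z"
}
"""

def multiline_events(text, pattern=r"^{", negate=True):
    """Emulate the question's multiline settings (negate: true, match: after):
    a line matching the pattern starts a new event, every other line is
    appended to the previous event."""
    regex = re.compile(pattern)
    events = []
    for line in text.splitlines():
        matched = regex.match(line) is not None
        starts_new = matched if negate else not matched
        if starts_new or not events:
            events.append(line)
        else:
            events[-1] += "\n" + line
    return events

def decode_json_fields(event, strip_trailing_comma=False):
    """Strict decode of one event, as a JSON-decoding processor does.
    Returns the parsed dict, or None when the event is not valid JSON."""
    message = event.rstrip()
    if strip_trailing_comma and message.endswith(","):
        message = message[:-1]
    try:
        return json.loads(message)
    except json.JSONDecodeError:
        return None
```

Running multiline_events over the sample yields two events; the first decodes only after its trailing comma is removed, while the second decodes as-is.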

I have placed the config file at /etc/filebeat/modules.d/cloudflare-FW.conf

In filebeat.yml you specified a completely different path:

filebeat.config.inputs:
  enabled: true
  path: "configs/*.yml" <--
  reload.enabled: true
  reload.period: 10s
Did my answer work for you?

Sorry for taking so long to reply. I noticed the error you highlighted in the config file; thanks, but I solved my problem by using the Logstash http input plugin to read the logs from the HTTP response instead of from a file, and the split Logstash filter to split the JSON sub-keys; it works very well.