Kibana 4 and Suricata JSON filtering not displaying correctly


I have an ELK stack running and have just added Suricata to it.

I think I have set it up correctly, because it is sending logs from the host to the ELK server.

In Kibana I can see the eve.json file and its data, but I can't seem to get it formatted correctly, because all the important information is stored in the message field. I thought I would be able to filter on it nicely in Kibana like the other fields.

Or am I missing something?

{
  "_index": "logstash-2015.04.09",
  "_type": "suricata",
  "_id": "",
  "_score": null,
  "_source": {
    "message": "{\"timestamp\":\"2015-04-09T14:33:43.585096\",\"event_type\":\"alert\",\"src_ip\":\"x.x.x.x\",\"src_port\":40238,\"dest_ip\":\"x.x.x.x\",\"dest_port\":443,\"proto\":\"TCP\",\"alert\":{\"action\":\"allowed\",\"gid\":1,\"signature_id\":2402000,\"rev\":3672,\"signature\":\"ET DROP Dshield Block Listed Source group 1\",\"category\":\"Misc Attack\",\"severity\":2}}",
    "@version": "1",
    "@timestamp": "2015-04-09T13:33:41.389Z",
    "type": "suricata",
    "file": "/var/log/suricata/eve.json",
    "host": "xx",
    "offset": "51171"
  },
  "fields": {
    "@timestamp": [
      1428586421389
    ]
  },
  "highlight": {
    "message": [
      "{\"timestamp\":\"2015-04-09T14:33:43.585096\",\"event_type\":\"@kibana-highlighted-field@alert@/kibana-highlighted-field@\",\"src_ip\":\"x.x.x.x\",\"src_port",
      "\":40238,\"dest_ip\":\"x.x.x.x\",\"dest_port\":443,\"proto\":\"TCP\",\"@kibana-highlighted-field@alert@/kibana-highlighted-field@\":{\"action\":\"allowed\",\"gid\":1"
    ]
  },
  "sort": [
    1428586421389
  ]
}
The logstash conf file is set up as follows:

filter {
  # The sample event above carries "type": "suricata", so the condition must
  # match that value; "SuricataIDPS" never matched and this block was skipped.
  if [type] == "suricata" {
    date {
      # Suricata's own "timestamp" field only exists once the JSON in
      # "message" has been decoded (json codec on the input or json filter).
      match => [ "timestamp", "ISO8601" ]
    }
    ruby {
      # Keep only the first part of the libmagic description for fileinfo events.
      code => "if event['event_type'] == 'fileinfo'; event['fileinfo']['type']=event['fileinfo']['magic'].to_s.split(',')[0]; end;"
    }
  }

  if [src_ip]  {
    geoip {
      source => "src_ip"
      target => "geoip"
      #database => "/opt/logstash/vendor/geoip/GeoLiteCity.dat"
      # Two add_field calls on the same name build the [lon, lat] array Kibana expects.
      add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
      add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}"  ]
    }
    mutate {
      convert => [ "[geoip][coordinates]", "float" ]
    }
    # Nested fields are referenced as [geoip][ip]; the dotted form [geoip.ip]
    # is not a valid field reference and would never be true.
    if ![geoip][ip] {
      if [dest_ip]  {
        geoip {
          source => "dest_ip"
          target => "geoip"
          #database => "/opt/logstash/vendor/geoip/GeoLiteCity.dat"
          add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
          add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}"  ]
        }
        mutate {
          convert => [ "[geoip][coordinates]", "float" ]
        }
      }
    }
  }
}

I think I solved this by adding codec => json to the main lumberjack input.
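As an added example (not code from the original post, nor from the Suricata or Logstash projects), this is what the pipeline looks like with the fix described above: a json codec on the lumberjack input decodes each eve.json line as it arrives, so src_ip, event_type and alert.signature become real fields that Kibana can filter on, and the filter conditionals start to match. The port, the certificate paths, and the fallback json filter are assumptions, as is the Logstash 1.x syntax.

```conf
# Added example: parse Suricata eve.json events at the input so that
# their keys become top-level fields instead of living inside "message".
input {
  lumberjack {
    port            => 5043                                 # assumed port
    ssl_certificate => "/etc/pki/tls/certs/logstash.crt"    # assumed path
    ssl_key         => "/etc/pki/tls/private/logstash.key"  # assumed path
    codec           => json   # decode every line shipped by logstash-forwarder
  }
}

filter {
  # Fallback (assumption): an event that still carries raw JSON in "message",
  # for example one received through an input without a codec, is parsed here.
  # A line the json codec could not decode keeps "message" and gets the
  # _jsonparsefailure tag, so it will also land in this branch.
  if [type] == "suricata" and [message] {
    json {
      source => "message"
    }
  }

  if [type] == "suricata" {
    # Use Suricata's own event time rather than the time Logstash received it.
    date {
      match => [ "timestamp", "ISO8601" ]
    }
  }

  # This condition is only ever true after the JSON has been decoded;
  # on the undecoded event in the question, src_ip does not exist.
  if [src_ip] {
    geoip {
      source => "src_ip"
      target => "geoip"
    }
  }
}
```

Two things to check when the fields still do not appear in Kibana: the value compared in the filter ("suricata" here) must equal the type the shipper assigns to eve.json, which in the sample event is "suricata", and an event that shows up with a _jsonparsefailure tag means the codec received something that was not a single JSON object per line.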