logstash变异以替换输出中的字段值
我试图在我的logstash配置中将10.100.251.98替换为另一个IP 10.100.240.199,我尝试使用带函数的筛选器,但是,我无法获得语法wrtielogstash变异以替换输出中的字段值,logstash,logstash-grok,logstash-configuration,logstash-forwarder,Logstash,Logstash Grok,Logstash Configuration,Logstash Forwarder,我试图在我的logstash配置中将10.100.251.98替换为另一个IP 10.100.240.199,我尝试使用带函数的筛选器,但是,我无法获得语法wrtie Sep 25 15:50:57 10.100.251.98 mail_logs: Info: New SMTP DCID 13417989 interface 172.30.75.10 address 172.30.75.12 port 25 Sep 25 15:50:57 10.100.251.98 local_mail_log
Sep 25 15:50:57 10.100.251.98 mail_logs: Info: New SMTP DCID 13417989 interface 172.30.75.10 address 172.30.75.12 port 25
Sep 25 15:50:57 10.100.251.98 local_mail_logs: Info: New SMTP DCID 13417989 interface 172.30.75.10 address 172.30.75.12 port 25
Sep 25 15:51:04 10.100.251.98 cli_logs: Info: PID 35559: User smaduser login from 10.217.3.22 on 172.30.75.10
Sep 25 15:51:22 10.100.251.98 cli_logs: Info: PID 35596: User smaduser login from 10.217.3.22 on 172.30.75.10
input { file { path => "/data/collected" } }
filter {
if [type] == "syslog" {
mutate {
replace => [ "@source_host", "10.100.251.99" ]
}
}
}
output {
syslog {
facility => "kernel"
host => "10.100.250.199"
port => 514
}
}
我注意到关于你的配置的一些事情。首先,您没有任何日志解析。如果字段尚不存在,则无法替换该字段。为此,可以在输入块中使用或。我添加了一个简单的grok过滤器 如果[type]=“syslog”,您还可以检查
。您从未设置类型,因此检查将始终失败。如果要设置类型,可以在输入块input{file{path=>“/data/collected”type=>“syslog}}
下面是我用来测试grok模式和IP替换的示例配置
input { tcp { port => 5544 } }
filter {
grok { match => { "message" => "%{CISCOTIMESTAMP:log_time} %{IP:@source_host} %{DATA:log_type}: %{DATA:log_level}: %{GREEDYDATA:log_message}" } }
mutate {
replace => [ "@source_host", "10.100.251.199" ]
}
}
output {
stdout { codec => rubydebug }
}
哪个输出:
{
"message" => "Sep 25 15:50:57 10.100.251.98 mail_logs: Info: New SMTP DCID 13417989 interface 172.30.75.10 address 172.30.75.12 port 25",
"@version" => "1",
"@timestamp" => "2016-09-25T14:03:20.332Z",
"host" => "0:0:0:0:0:0:0:1",
"port" => 52175,
"log_time" => "Sep 25 15:50:57",
"@source_host" => "10.100.251.199",
"log_type" => "mail_logs",
"log_level" => "Info",
"log_message" => "New SMTP DCID 13417989 interface 172.30.75.10 address 172.30.75.12 port 25"
}
我注意到有关配置的一些事情。首先,您没有任何日志解析。如果字段尚不存在,您将无法替换该字段。为此,您可以在输入块中使用a或。我添加了一个简单的grok筛选器
如果[type]==“syslog”。您从未设置过类型,因此检查总是会失败。如果您想设置类型,可以在输入块input{file{path=>“/data/collected”type=>“syslog}}
下面是我用来测试grok模式和IP替换的示例配置
input { tcp { port => 5544 } }
filter {
grok { match => { "message" => "%{CISCOTIMESTAMP:log_time} %{IP:@source_host} %{DATA:log_type}: %{DATA:log_level}: %{GREEDYDATA:log_message}" } }
mutate {
replace => [ "@source_host", "10.100.251.199" ]
}
}
output {
stdout { codec => rubydebug }
}
哪个输出:
{
"message" => "Sep 25 15:50:57 10.100.251.98 mail_logs: Info: New SMTP DCID 13417989 interface 172.30.75.10 address 172.30.75.12 port 25",
"@version" => "1",
"@timestamp" => "2016-09-25T14:03:20.332Z",
"host" => "0:0:0:0:0:0:0:1",
"port" => 52175,
"log_time" => "Sep 25 15:50:57",
"@source_host" => "10.100.251.199",
"log_type" => "mail_logs",
"log_level" => "Info",
"log_message" => "New SMTP DCID 13417989 interface 172.30.75.10 address 172.30.75.12 port 25"
}