Logstash 过滤/var/log/messages中的文本并在日志存储中转发

Logstash 过滤/var/log/messages中的文本并在日志存储中转发,logstash,Logstash,我正在使用logstash,无法找出如何进行过滤。我想从/var/log/messages中筛选以下日志,并只转发其中包含[INFO]的行 mingus sshd[INFO]: Failed password for illegal user user from 219.117.251.250 port 44741 ssh2 mingus sshd[INFO]: Failed password for root from 219.117.251.250 port 44817 ssh2 min

我正在使用logstash,无法找出如何进行过滤。我想从/var/log/messages中筛选以下日志,并只转发其中包含[INFO]的行

mingus  sshd[INFO]: Failed password for illegal user user from 219.117.251.250 port 44741 ssh2
mingus  sshd[INFO]: Failed password for root from 219.117.251.250 port 44817 ssh2
mingus  sshd[2264]: Failed password for root from 219.117.251.250 port 44866 ssh2
mingus  sshd[INFO]: Failed password for root from 219.117.251.250 port 44918 ssh2
mingus  sshd[2268]: Illegal user test from 219.117.251.250
mingus  sshd[2268]: Failed password for illegal user test from 219.117.251.250 port 44997 ssh2

我想知道这是否可能。

是的,这是可能的!使用筛选器提取所需的信息。您可以使用它来获取一个包含sshd内部的字段[这里有一些字符串]。例如:

filter {
    grok {
        match => ["message", "mingus  sshd\[%{WORD:messagetype}\]: %{GREEDYDATA}"]
    }
}
output {
    if [messagetype] == "INFO" {
        stdout {
            codec => "rubydebug"
        }
    }
}
完成此操作后,可以在输出上使用条件语句,以便只传递包含信息的行。例如:

filter {
    grok {
        match => ["message", "mingus  sshd\[%{WORD:messagetype}\]: %{GREEDYDATA}"]
    }
}
output {
    if [messagetype] == "INFO" {
        stdout {
            codec => "rubydebug"
        }
    }
}
我希望这有帮助

编辑: 这是我的conf文件:

input {
    stdin {}
}
filter {
    grok {
        match => ["message", "mingus  sshd\[%{WORD:messagetype}\]: %{GREEDYDATA}"]
    }
}
output {
    if [messagetype] == "INFO" {
        stdout {
            codec => "rubydebug"
        }
    }
}
使用stdin和stdout的选择很简单,使调试变得容易。使用提供的日志行片段,我输入以下内容:

mingus  sshd[INFO]: Failed password for illegal user user from 219.117.251.250 port 44741   ssh2
mingus  sshd[INFO]: Failed password for root from 219.117.251.250 port 44817 ssh2
mingus  sshd[2264]: Failed password for root from 219.117.251.250 port 44866 ssh2
mingus  sshd[INFO]: Failed password for root from 219.117.251.250 port 44918 ssh2
mingus  sshd[2268]: Illegal user test from 219.117.251.250
mingus  sshd[2268]: Failed password for illegal user test from 219.117.251.250 port 44997 ssh2
并收到以下输出:

{
        "message" => "mingus  sshd[INFO]: Failed password for illegal user user from         219.117.251.250 port 44741 ssh2",
       "@version" => "1",
     "@timestamp" => "2014-07-31T13:59:34.376Z",
           "host" => "cmssrv221.fnal.gov",
    "messagetype" => "INFO"
}
{
        "message" => "mingus  sshd[INFO]: Failed password for root from 219.117.251.250 port 44817 ssh2",
       "@version" => "1",
     "@timestamp" => "2014-07-31T13:59:34.378Z",
           "host" => "cmssrv221.fnal.gov",
    "messagetype" => "INFO"
}
{
        "message" => "mingus  sshd[INFO]: Failed password for root from 219.117.251.250 port 44918 ssh2",
       "@version" => "1",
     "@timestamp" => "2014-07-31T13:59:34.387Z",
           "host" => "cmssrv221.fnal.gov",
    "messagetype" => "INFO"
}
根据你给我的信息,这似乎是你想要的。如果这不是你想要的,你必须更具体


顺便说一句,我使用的是logstash 1.4.1,以防您使用的是完全不同的版本。

非常感谢,我会试试这个。我试过了,但没有按照我的需要工作。我仍在获取所有日志,包括错误和警告。有什么想法吗?嗯,这对我来说很有效,至少看起来很有效,尽管也许你在寻找更具体的东西。。。请稍等。我想我做错了什么,你们可以参考链接,我的日志库配置也完全一样