Logstash 过滤/var/log/messages中的文本并在日志存储中转发
我正在使用logstash,无法找出如何进行过滤。我想从/var/log/messages中筛选以下日志,并只转发其中包含[INFO]的行Logstash 过滤/var/log/messages中的文本并在日志存储中转发,logstash,Logstash,我正在使用logstash,无法找出如何进行过滤。我想从/var/log/messages中筛选以下日志,并只转发其中包含[INFO]的行 mingus sshd[INFO]: Failed password for illegal user user from 219.117.251.250 port 44741 ssh2 mingus sshd[INFO]: Failed password for root from 219.117.251.250 port 44817 ssh2 min
mingus sshd[INFO]: Failed password for illegal user user from 219.117.251.250 port 44741 ssh2
mingus sshd[INFO]: Failed password for root from 219.117.251.250 port 44817 ssh2
mingus sshd[2264]: Failed password for root from 219.117.251.250 port 44866 ssh2
mingus sshd[INFO]: Failed password for root from 219.117.251.250 port 44918 ssh2
mingus sshd[2268]: Illegal user test from 219.117.251.250
mingus sshd[2268]: Failed password for illegal user test from 219.117.251.250 port 44997 ssh2
我想知道这是否可能。是的,这是可能的!使用筛选器提取所需的信息。您可以使用它来获取一个包含sshd内部的字段[这里有一些字符串]。例如:
filter {
grok {
match => ["message", "mingus sshd\[%{WORD:messagetype}\]: %{GREEDYDATA}"]
}
}
output {
if [messagetype] == "INFO" {
stdout {
codec => "rubydebug"
}
}
}
完成此操作后,可以在输出上使用条件语句,以便只传递包含信息的行。例如:
filter {
grok {
match => ["message", "mingus sshd\[%{WORD:messagetype}\]: %{GREEDYDATA}"]
}
}
output {
if [messagetype] == "INFO" {
stdout {
codec => "rubydebug"
}
}
}
我希望这有帮助
编辑:
这是我的conf文件:
input {
stdin {}
}
filter {
grok {
match => ["message", "mingus sshd\[%{WORD:messagetype}\]: %{GREEDYDATA}"]
}
}
output {
if [messagetype] == "INFO" {
stdout {
codec => "rubydebug"
}
}
}
使用stdin和stdout的选择很简单,使调试变得容易。使用提供的日志行片段,我输入以下内容:
mingus sshd[INFO]: Failed password for illegal user user from 219.117.251.250 port 44741 ssh2
mingus sshd[INFO]: Failed password for root from 219.117.251.250 port 44817 ssh2
mingus sshd[2264]: Failed password for root from 219.117.251.250 port 44866 ssh2
mingus sshd[INFO]: Failed password for root from 219.117.251.250 port 44918 ssh2
mingus sshd[2268]: Illegal user test from 219.117.251.250
mingus sshd[2268]: Failed password for illegal user test from 219.117.251.250 port 44997 ssh2
并收到以下输出:
{
"message" => "mingus sshd[INFO]: Failed password for illegal user user from 219.117.251.250 port 44741 ssh2",
"@version" => "1",
"@timestamp" => "2014-07-31T13:59:34.376Z",
"host" => "cmssrv221.fnal.gov",
"messagetype" => "INFO"
}
{
"message" => "mingus sshd[INFO]: Failed password for root from 219.117.251.250 port 44817 ssh2",
"@version" => "1",
"@timestamp" => "2014-07-31T13:59:34.378Z",
"host" => "cmssrv221.fnal.gov",
"messagetype" => "INFO"
}
{
"message" => "mingus sshd[INFO]: Failed password for root from 219.117.251.250 port 44918 ssh2",
"@version" => "1",
"@timestamp" => "2014-07-31T13:59:34.387Z",
"host" => "cmssrv221.fnal.gov",
"messagetype" => "INFO"
}
根据你给我的信息,这似乎是你想要的。如果这不是你想要的,你必须更具体
顺便说一句,我使用的是logstash 1.4.1,以防您使用的是完全不同的版本。非常感谢,我会试试这个。我试过了,但没有按照我的需要工作。我仍在获取所有日志,包括错误和警告。有什么想法吗?嗯,这对我来说很有效,至少看起来很有效,尽管也许你在寻找更具体的东西。。。请稍等。我想我做错了什么,你们可以参考链接,我的日志库配置也完全一样