从AWS SQS和AWS S3中的批存储接收消息的Logstash替代方案
我需要能够将日志作为批存储在AWS S3中,作为针对JSON SerDe适当格式化的文本文件 一个批处理日志文件在S3上的外观示例,日期时间格式为从AWS SQS和AWS S3中的批存储接收消息的Logstash替代方案,logstash,amazon-sqs,audit-logging,audit-trail,Logstash,Amazon Sqs,Audit Logging,Audit Trail,我需要能够将日志作为批存储在AWS S3中,作为针对JSON SerDe适当格式化的文本文件 一个批处理日志文件在S3上的外观示例,日期时间格式为yyyy-MM-dd HH:MM:ss {"message":"Message number 1","datetime":"2020-12-01 14:37:00"} {"message":"Message number 2",&qu
yyyy-MM-dd HH:MM:ss{"message":"Message number 1","datetime":"2020-12-01 14:37:00"}
{"message":"Message number 2","datetime":"2020-12-01 14:38:00"}
{"message":"Message number 3","datetime":"2020-12-01 14:39:00"}
我几乎成功地使用了Logstash,并使用了下面的配置
input {
sqs {
endpoint => "AWS_SQS_ENDPOINT"
queue => "logs"
}
}
output {
s3 {
access_key_id => "AWS_ACCESS_KEY_ID"
secret_access_key => "AWS_SECRET_ACCESS_KEY"
region => "AWS_REGION"
bucket => "AWS_BUCKET"
prefix => "audit/year=%{+YYYY}/month=%{+MM}/day=%{+dd}/"
size_file => 128
time_file => 5
codec => "json_lines"
encoding => "gzip"
canned_acl => "private"
}
}
@timestamp由于[Badger]的原因,更新的配置正在使用Logstash[https://stackoverflow.com/users/11792977/badger]
input {
sqs {
endpoint => "http://AWS_SQS_ENDPOINT"
queue => "logs"
}
}
filter {
mutate {
add_field => {
"[@metadata][year]" => "%{+YYYY}"
"[@metadata][month]" => "%{+MM}"
"[@metadata][day]" => "%{+dd}"
}
remove_field => [ "@timestamp" ]
}
}
output {
s3 {
access_key_id => "AWS_ACCESS_KEY_ID"
secret_access_key => "AWS_SECRET_ACCESS_KEY"
region => "AWS_REGION"
bucket => "AWS_BUCKET"
prefix => "audit/year=%{[@metadata][year]}/month=%{[@metadata][month]}/day=%{[@metadata][day]}"
# 1 MB
size_file => 1024
# 1 Minute
time_file => 1
codec => "json_lines"
encoding => "gzip"
canned_acl => "private"
}
}
我在s3输出代码中看不到对@timestamp的任何依赖。您已经在
前缀=>“audit/year=%{+YYYY}/month=%{+MM}/day=%{+dd}/”