Logstash 对数滤波_Logstash_Logstash Configuration_Logstash Forwarder

Logstash 对数滤波

logstash

Logstash 对数滤波,logstash,logstash-configuration,logstash-forwarder,Logstash,Logstash Configuration,Logstash Forwarder,我有一个python脚本，它将JSON对象（逐行）写入/var/log/myLog.JSON，格式如下： {"timestamp":"2016-07-21T01:20:04.392799-0400","in_iface":"docker0","event_type":"alert","src_ip":"172.17.0.2","dest_ip":"172.17.0.3","proto":"ICMP","icmp_type":0,"icmp_code":0,"alert":{"action":"a

我有一个python脚本，它将JSON对象（逐行）写入/var/log/myLog.JSON，格式如下：

{"timestamp":"2016-07-21T01:20:04.392799-0400","in_iface":"docker0","event_type":"alert","src_ip":"172.17.0.2","dest_ip":"172.17.0.3","proto":"ICMP","icmp_type":0,"icmp_code":0,"alert":{"action":"allowed","**gid**":2,"signature_id":2,"rev":0,"signature":"ICMP msg","category":"","severity":3},"payload":"hFuQVwAA","payload_printable":"kk"}

我想使用Logstash来：

从/var/log/myLog.json逐行读取json对象

解析gid并将其作为udp消息转发到另一台机器（给定一个特定的IP地址+端口）——例如：如果gid==2，则将此json对象转发到172.123.10.3:10001

此外，我希望能够动态更新Logstash配置文件过滤器（也称为，能够添加另一条规则，如：“如果gid==x，则将此json对象forware到另一个IP）

我怎样才能做到

Logstash conf文件应该是什么样子？插入/删除动态过滤器的命令是什么样子的

谢谢，各位。

您可以按照下面的配置运行日志存储。我已经测试了两个示例json数据

{"timestamp":"2016-07-21T01:20:04.392799-0400","in_iface":"docker0","event_type":"alert","src_ip":"172.17.0.2","dest_ip":"172.17.0.3","proto":"ICMP","icmp_type":0,"icmp_code":0,"alert":{"action":"allowed","gid":2,"signature_id":2,"rev":0,"signature":"ICMP msg","category":"","severity":3},"payload":"hFuQVwAA","payload_printable":"kk"}
{"timestamp":"2016-07-21T01:20:04.392799-0400","in_iface":"docker0","event_type":"alert","src_ip":"172.17.0.2","dest_ip":"172.17.0.3","proto":"ICMP","icmp_type":0,"icmp_code":0,"alert":{"action":"allowed","gid":3,"signature_id":2,"rev":0,"signature":"ICMP msg","category":"","severity":3},"payload":"hFuQVwAA","payload_printable":"kk"}



input {
  file {
        path => "/etc/logstash/jsonSample.log"
       start_position => "beginning"
       sincedb_path => "/dev/null"
   }
}

filter {
                json {
                        source => "message"
                        target => "doc"
                        add_field => {"alert.gid" => "%{[doc][alert][gid]}"}
                        add_tag => ["tagName_%{[doc][alert][gid]}"]
                }


}


output {
if "tagName_2" in [tags] {
 stdout {codec => rubydebug}
}else if "tagName_3" in [tags] {
}

}

然后你就可以看到结果了

{
       "message" => "{\"timestamp\":\"2016-07-21T01:20:04.392799-0400\",\"in_iface\":\"docker0\",\"event_type\":\"alert\",\"src_ip\":\"172.17.0.2\",\"dest_ip\":\"172.17.0.3\",\"proto\":\"ICMP\",\"icmp_type\":0,\"icmp_code\":0,\"alert\":{\"action\":\"allowed\",\"gid\":2,\"signature_id\":2,\"rev\":0,\"signature\":\"ICMP msg\",\"category\":\"\",\"severity\":3},\"payload\":\"hFuQVwAA\",\"payload_printable\":\"kk\"}",
      "@version" => "1",
    "@timestamp" => "2016-07-25T04:41:11.980Z",
          "path" => "/etc/logstash/jsonSample.log",
          "host" => "baklava",
           "doc" => {
                "timestamp" => "2016-07-21T01:20:04.392799-0400",
                 "in_iface" => "docker0",
               "event_type" => "alert",
                   "src_ip" => "172.17.0.2",
                  "dest_ip" => "172.17.0.3",
                    "proto" => "ICMP",
                "icmp_type" => 0,
                "icmp_code" => 0,
                    "alert" => {
                  "action" => "allowed",
                     "gid" => 2,
            "signature_id" => 2,
                     "rev" => 0,
               "signature" => "ICMP msg",
                "category" => "",
                "severity" => 3
        },
                  "payload" => "hFuQVwAA",
        "payload_printable" => "kk"
    },
     "alert.gid" => 2,
          "tags" => [
        [0] "tagName_2"
    ]
}

您还可以更改上面应用的配置

问候

您可以参考事件和json过滤器的配置

您好，谢谢您的帮助！我不知道如何将此对象转发到某个IP地址。您已经提到：在[tags]{stdout{codec=>rubydebug}中输出{if“tagName_2”}或者在[tags]{}中输出“tagName_3”}但是告诉Logstash将对象发送到另一个地址的部分在哪里？