我想通过logstash导入aws cloudtrail eventTime_Logstash_Elk_Amazon Cloudtrail

我想通过logstash导入aws cloudtrail eventTime

logstash

我想通过logstash导入aws cloudtrail eventTime,logstash,elk,amazon-cloudtrail,Logstash,Elk,Amazon Cloudtrail,我想通过logstash导入aws cloudtrail eventTime。工作正常，但无法获得eventTime my logstash.conf input { s3 { bucket => "xxxxx" prefix => "xxxxx" sincedb_path => "/etc/logstash/sincedb/cloudtrail" temporary_direct

我想通过logstash导入aws cloudtrail eventTime。工作正常，但无法获得eventTime

my logstash.conf

input {
  s3 {
    bucket => "xxxxx"
    prefix => "xxxxx"
    sincedb_path => "/etc/logstash/sincedb/cloudtrail"
    temporary_directory => "/etc/logstash/tmp"
    region => "xxxxx"
    type => "cloudtrail"
    codec => "cloudtrail"
  }
}

filter {
  if [type] == "cloudtrail" {
    mutate {
      gsub => [ "eventSource", "\.amazonaws\.com$", "" ]
    }

    if [eventSource] == "elasticloadbalancing" and [eventName] == "describeInstanceHealth" and [userIdentity.userName] == "secret_username" {
      drop {}
    }
  }

  date {
      match => ["eventTime", "ISO8601"]
  }
}

在Kibana中，可以检查其他表，但找不到eventTime。

当您更改内容时，索引模式是否已经存在？你刷新了吗？您是否尝试过不使用日期过滤器？默认情况下，

date

插件将使用解析的日期填充

@timestamp

字段。

@timestamp

字段是否包含摄取时间或解析的

eventTime

值？如果您想将其存储在其他地方，请使用该设置。我确实忘记了日期筛选器以@timestamp事件为目标，如果您想将值保存在那里，则确实需要以字段本身为目标