Logstash 过滤

Question

我有一个 python 脚本，它使用以下格式将 JSON 对象（逐行）写入 /var/log/myLog.json：

{"timestamp":"2016-07-21T01:20:04.392799-0400","in_iface":"docker0","event_type":"alert","src_ip":"172.17.0.2","dest_ip":"172.17.0.3","proto":"ICMP","icmp_type":0,"icmp_code":0,"alert":{"action":"allowed","**gid**":2,"signature_id":2,"rev":0,"signature":"ICMP msg","category":"","severity":3},"payload":"hFuQVwAA","payload_printable":"kk"}

我想使用 Logstash 来：

1. 从 /var/log/myLog.json 中逐行读取 json 对象

2. 解析 gid 并作为 udp msg 转发到另一台机器（给定特定的 IP 地址+端口）——例如：如果 gid==2 则将此 json 对象转发到 172.123.10.3:10001

此外，我希望能够动态更新 Logstash 配置文件过滤器（也就是能够添加另一个规则，例如：“如果 gid==x 则将此 json 对象转发到另一个 IP）。

我该怎么做？

Logstash conf 文件应该是什么样子？ 以及插入/删除动态过滤器的命令是什么样的？

谢谢各位。

Answer 1

您可以按照以下配置运行 logstash。 我已经测试了两个示例 json 数据。

{"timestamp":"2016-07-21T01:20:04.392799-0400","in_iface":"docker0","event_type":"alert","src_ip":"172.17.0.2","dest_ip":"172.17.0.3","proto":"ICMP","icmp_type":0,"icmp_code":0,"alert":{"action":"allowed","gid":2,"signature_id":2,"rev":0,"signature":"ICMP msg","category":"","severity":3},"payload":"hFuQVwAA","payload_printable":"kk"}
{"timestamp":"2016-07-21T01:20:04.392799-0400","in_iface":"docker0","event_type":"alert","src_ip":"172.17.0.2","dest_ip":"172.17.0.3","proto":"ICMP","icmp_type":0,"icmp_code":0,"alert":{"action":"allowed","gid":3,"signature_id":2,"rev":0,"signature":"ICMP msg","category":"","severity":3},"payload":"hFuQVwAA","payload_printable":"kk"}



input {
  file {
        path => "/etc/logstash/jsonSample.log"
       start_position => "beginning"
       sincedb_path => "/dev/null"
   }
}

filter {
                json {
                        source => "message"
                        target => "doc"
                        add_field => {"alert.gid" => "%{[doc][alert][gid]}"}
                        add_tag => ["tagName_%{[doc][alert][gid]}"]
                }


}


output {
if "tagName_2" in [tags] {
 stdout {codec => rubydebug}
}else if "tagName_3" in [tags] {
}

}

然后就可以看到结果了

{
       "message" => "{\"timestamp\":\"2016-07-21T01:20:04.392799-0400\",\"in_iface\":\"docker0\",\"event_type\":\"alert\",\"src_ip\":\"172.17.0.2\",\"dest_ip\":\"172.17.0.3\",\"proto\":\"ICMP\",\"icmp_type\":0,\"icmp_code\":0,\"alert\":{\"action\":\"allowed\",\"gid\":2,\"signature_id\":2,\"rev\":0,\"signature\":\"ICMP msg\",\"category\":\"\",\"severity\":3},\"payload\":\"hFuQVwAA\",\"payload_printable\":\"kk\"}",
      "@version" => "1",
    "@timestamp" => "2016-07-25T04:41:11.980Z",
          "path" => "/etc/logstash/jsonSample.log",
          "host" => "baklava",
           "doc" => {
                "timestamp" => "2016-07-21T01:20:04.392799-0400",
                 "in_iface" => "docker0",
               "event_type" => "alert",
                   "src_ip" => "172.17.0.2",
                  "dest_ip" => "172.17.0.3",
                    "proto" => "ICMP",
                "icmp_type" => 0,
                "icmp_code" => 0,
                    "alert" => {
                  "action" => "allowed",
                     "gid" => 2,
            "signature_id" => 2,
                     "rev" => 0,
               "signature" => "ICMP msg",
                "category" => "",
                "severity" => 3
        },
                  "payload" => "hFuQVwAA",
        "payload_printable" => "kk"
    },
     "alert.gid" => 2,
          "tags" => [
        [0] "tagName_2"
    ]
}

你也可以改变上面应用的配置。

问候。

可以参考event和json filter的配置 https://www.elastic.co/guide/en/logstash/current/event-dependent-configuration.html

https://www.elastic.co/guide/en/logstash/current/plugins-filters-json.html