I use Elasticsearch + Logstash + Kibana for Windows event log analysis. I get the following log:
    {
      "_index": "logstash-2015.04.16",
      "_type": "logs",
      "_id": "Ov498b0cTqK8W4_IPzZKbg",
      "_score": null,
      "_source": {
        "EventTime": "2015-04-16 14:12:45",
        "EventType": "AUDIT_FAILURE",
        "EventID": "4656",
        "Message": "A handle to an object was requested.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-2832557239-2908104349-351431359-3166\r\n\tAccount Name:\t\ts.tekotin\r\n\tAccount Domain:\t\tIAS\r\n\tLogon ID:\t\t0x88991C8\r\n\r\nObject:\r\n\tObject Server:\t\tSecurity\r\n\tObject Type:\t\tFile\r\n\tObject Name:\t\tC:\\Folders\\Общая (HotSMS)\\Test_folder\\3\r\n\tHandle ID:\t\t0x0\r\n\tResource Attributes:\t-\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0x4\r\n\tProcess Name:\t\t\r\n\r\nAccess Request Information:\r\n\tTransaction ID:\t\t{00000000-0000-0000-0000-000000000000}\r\n\tAccesses:\t\tReadData (or ListDirectory)\r\n\t\t\t\tReadAttributes\r\n\t\t\t\t\r\n\tAccess Reasons:\t\tReadData (or ListDirectory):\tDenied by\tD:(D;OICI;CCDCLCSWRPWPLOCRSDRC;;;S-1-5-21-2832557239-2908104349-351431359-3166)\r\n\t\t\t\tReadAttributes:\tGranted by ACE on parent folder\tD:(A;OICI;0x1200a9;;;S-1-5-21-2832557239-2908104349-351431359-3166)\r\n\t\t\t\t\r\n\tAccess Mask:\t\t0x81\r\n\tPrivileges Used for Access Check:\t-\r\n\tRestricted SID Count:\t0",
        "ObjectServer": "Security",
        "ObjectName": "C:\\Folders\\Общая (HotSMS)\\Test_folder\\3",
        "HandleId": "0x0",
        "PrivilegeList": "-",
        "RestrictedSidCount": "0",
        "ResourceAttributes": "-",
        "@timestamp": "2015-04-16T11:12:45.802Z"
      },
      "sort": [
        1429182765802,
        1429182765802
      ]
    }
I receive many log messages with different EventIDs. When I receive a log entry with EventID 4656, I want to replace the value "4656" with the string "Access Failure". Is there any way to do this?

Answer 0 (score: 0)

You can do this at load time with logstash - just do the following:
    filter {
      # only touch events whose EventID field equals "4656"
      if [EventID] == "4656" {
        mutate {
          # overwrite the EventID field in place
          replace => [ "EventID", "Access Failure" ]
        }
      }
    }
Answer 1 (score: 0)

If you have a lot of values, take a look at translate{}:
    filter {
      translate {
        # lookup table: EventID value -> human-readable name
        dictionary => [
          "4656", "Access Failure",
          "1234", "Another Value"
        ]
        field => "EventID"
        # the looked-up name is written to a new field; EventID is left as-is
        destination => "EventName"
      }
    }
I don't think translate{} will let you replace the original field. You can, however, remove it in favor of the new field.

Answer 2 (score: 0)

Use the replace filter:

Replace a field with a new value. The new value can include %{foo} strings to help you build a new value from other parts of the event.

Example:
    filter {
      if [source] == "your code like 4656" {
        mutate {
          # %{source_host} is expanded from the event's own source_host field
          replace => { "message" => "%{source_host}: My new message" }
        }
      }
    }
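The three answers above describe two pieces of Logstash behaviour: a lookup that maps an EventID to a name (the conditional mutate/replace in answer 0 and the translate{} dictionary in answer 1, which keeps the original field and writes a new one) and the %{field} interpolation that mutate's replace performs in answer 2. The following is an added Python example that is not from the original thread or from Logstash itself; it reproduces both behaviours on a constructed event modelled on the question's 4656 entry so that you can check the mapping and the template expansion offline before committing a config. The source_host value and the "Unknown" fallback are assumptions for illustration.

```python
import re

# Constructed sample event modelled on the question's 4656 entry.
# Only the fields used below are included; source_host is an assumed field.
SAMPLE_EVENT = {
    "EventTime": "2015-04-16 14:12:45",
    "EventType": "AUDIT_FAILURE",
    "EventID": "4656",
    "ObjectName": "C:\\Folders\\Общая (HotSMS)\\Test_folder\\3",
    "source_host": "host-placeholder",  # hypothetical host field
}

# Lookup table in the spirit of the translate{} answer. Keys are strings
# because the EventID field in the question's document is a string.
EVENT_NAMES = {
    "4656": "Access Failure",
    "1234": "Another Value",
}


def translate_field(event, field, dictionary, destination, fallback=None):
    """Mirror of the translate filter: look up event[field] in dictionary and
    write the result to event[destination]. The source field is left intact,
    which is the behaviour answer 1 points out. Returns the event."""
    value = event.get(field)
    if value is None:
        return event
    if value in dictionary:
        event[destination] = dictionary[value]
    elif fallback is not None:
        # unknown IDs get a fixed marker so they stay visible in Kibana
        event[destination] = fallback
    return event


def conditional_replace(event, field, match_value, new_value):
    """Mirror of answer 0: `if [field] == "..." { mutate { replace => ... } }`,
    i.e. overwrite the field in place only when it equals match_value."""
    if event.get(field) == match_value:
        event[field] = new_value
    return event


_REF = re.compile(r"%\{([^}]+)\}")


def interpolate(template, event):
    """Expand %{name} references the way mutate's replace does in answer 2.
    A reference to a field missing from the event is left as literal text,
    which is also what Logstash does, so a typo in a field name shows up in
    the resulting message instead of silently disappearing."""
    def sub(match):
        key = match.group(1)
        return str(event[key]) if key in event else match.group(0)
    return _REF.sub(sub, template)


def enrich(event):
    """Apply the dictionary lookup and the template expansion to a copy of
    the event and return the enriched copy (the input is not modified)."""
    out = dict(event)
    translate_field(out, "EventID", EVENT_NAMES, "EventName", fallback="Unknown")
    out["message"] = interpolate(
        "%{source_host}: %{EventName} (%{EventID}) on %{ObjectName}", out
    )
    return out


if __name__ == "__main__":
    import json
    print(json.dumps(enrich(SAMPLE_EVENT), indent=2, ensure_ascii=False))
```

The enriched event keeps EventID as "4656" and adds EventName and message, so existing searches on the numeric ID keep working; if you really want the original field gone, drop it after the lookup, as answer 1 suggests, rather than overwriting it before the lookup has run.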