Logstash timestamp issue - parsed value is an hour behind the log value

Time: 2015-05-04 17:45:09

Tags: timestamp logstash timezone-offset

I am using the following code to read McAfee logs (I chose the CSV filter because the grok filter results were messy):

input {
  stdin {}
}

filter {
  csv {
    # column list restored from the field names shown in the output below (truncated in the original post)
    columns => ["timestamp", "McAf_ThreatSeverity", "McAf_Event", "McAf_EventDescription", "McAf_EventCategory", "McAf_ThreatTargetIPv4Address", "McAf_ActionTaken", "McAf_ThreatType"]
    separator => "|"
  }

  date {
    locale => "en"
    match => ["timestamp", "dd/MM/YYYY:HH:mm:ss"]
    timezone => "Europe/London"
    add_tag => "McAfee_ThreatEventLog"
  }
}

output {
  elasticsearch {
    #action => "index"
    host => "localhost"
  }
  stdout {
    codec => rubydebug
  }
}

The input looks like this...

31/03/2015:12:59:07| SEVERITY_CRITICAL | 1093| Buffer Overflow detected and blocked| Host intrusion buffer overflow| 10.3.1.252| Blocked| buffer overflow

The output is fine except that the timestamp is an hour behind the log. That is,

Using milestone 2 filter plugin 'csv'. This plugin should be stable, but if you see strange behavior, please let us know! For more information on plugin milestones, see http://logstash.net/docs/1.4.2/plugin-milestones {:level=>:warn}
31/03/2015:12:59:07| SEVERITY_CRITICAL | 1093| Buffer Overflow detected and blocked| Host intrusion buffer overflow| 10.3.1.252| Blocked| buffer overflow
{
                         "message" => [
        [0] "31/03/2015:12:59:07| SEVERITY_CRITICAL | 1093| Buffer Overflow detected and blocked| Host intrusion buffer overflow| 10.3.1.252| Blocked| buffer overflow"
    ],
                        "@version" => "1",
                      "@timestamp" => "2015-03-31T11:59:07.000Z",
                            "host" => "UOD-220076",
                       "timestamp" => "31/03/2015:12:59:07",
             "McAf_ThreatSeverity" => " SEVERITY_CRITICAL ",
                      "McAf_Event" => " 1093",
           "McAf_EventDescription" => " Buffer Overflow detected and blocked",
              "McAf_EventCategory" => " Host intrusion buffer overflow",
    "McAf_ThreatTargetIPv4Address" => " 10.3.1.252",
                "McAf_ActionTaken" => " Blocked",
                 "McAf_ThreatType" => " buffer overflow",
                            "tags" => [
        [0] "McAfee_ThreatEventLog"
    ]
}

In the output above, the time in the log is 12:59:07 but the parsed value is 11:59:07.

Interestingly, yesterday I parsed a different log (a firewall log) using the following code:

input {
  stdin {}
}

filter {
  csv {
    # column list restored from the field names shown in the output below (truncated in the original post)
    columns => ["timestamp", "Interface", "Origin", "Type", "Action", "Service", "SourcePort", "SourceIP", "DestinationIP", "Protocol", "Rule", "RuleName", "CurrentRule", "Information", "Product"]
    separator => "|"
  }

  date {
    locale => "en"
    match => ["timestamp", "dd/MMM/YYYY:HH:mm:ss"]
    timezone => "Europe/London"
    add_tag => "checkpoint_fw"
  }
}

output {
  elasticsearch {
    host => "localhost"
  }
  stdout {
    # closing lines restored to match the first config; cut off in the original post
    codec => rubydebug
  }
}

With the following input...

18/MAR/2015:15:00:00| eth3-04| grog1| Log| Accept| http| 46718| 193.60.148.101| 23.194.230.180| tcp| 0| | | inzone: Local; outzone: External; service_id: http; message_info: Implied rule| Security Gateway/Management

it gave the correct timestamp output, as shown below:

    [0] "18/MAR/2015:15:00:00| eth3-04| grog1| Log| Accept| http| 46718| 193.60.148.101| 23.194.230.180| tcp| 0| | | inzone: Local; outzone: External; service_id: http; message_info: Implied rule| Security Gateway/Management"
],
     "@version" => "1",
   "@timestamp" => "2015-03-18T15:00:00.000Z",
         "host" => "UOD-220076",
    "timestamp" => "18/MAR/2015:15:00:00",
    "Interface" => " eth3-04",
       "Origin" => " grog1",
         "Type" => " Log",
       "Action" => " Accept",
      "Service" => " http",
   "SourcePort" => " 46718",
     "SourceIP" => " 193.60.148.101",
"DestinationIP" => " 23.194.230.180",
     "Protocol" => " tcp",
         "Rule" => " 0",
     "RuleName" => " ",
  "CurrentRule" => " ",
  "Information" => " inzone: Local; outzone: External; service_id: http; message_info: Implied rule",
      "Product" => " Security Gateway/Management",
         "tags" => [
    [0] "checkpoint_fw"

The only difference between the McAfee script and the firewall script (apart from the fields, obviously) is that the firewall script uses dd/MMM/YYYY while the McAfee script uses dd/MM/YYYY - I very much doubt that would make a significant difference.

Any ideas on how to get the McAfee timestamp to match the log exactly? (I have even tried changing the timezone, but all that did was increase the time difference) - is there a way to say "+1 hour" in logstash (not kibana)?

Thanks.

1 answer:

Answer 0: (score: 1)

The answer is simple. The Europe/London timezone has been BST (GMT+100) since 29 March. Your other entry is from the 18th, before the BST switch.
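A worked illustration of the answer, added here; it is not part of the original question or answer, nor Logstash's own code. It emulates what the date filter does with `timezone => "Europe/London"`: read the field as wall-clock time in that zone, subtract the zone's UTC offset for that instant, and store the result in @timestamp as UTC with a Z suffix. The Europe/London rule is modelled by hand (BST, UTC+1, from 01:00 UTC on the last Sunday of March to 01:00 UTC on the last Sunday of October, the rule in force since 1981) so the script needs no tz database; the Joda-to-strptime pattern table, the function names and the two extra boundary inputs are this example's own assumptions.

```python
"""Emulate Logstash's date filter with timezone => "Europe/London".

Added example, not code from the original post or from Logstash. The
Europe/London rules are modelled by hand (see london_utc_offset), and only
the two Joda patterns used in the post are mapped to strptime.
"""
from datetime import datetime, timedelta, timezone
import calendar

# Joda-Time patterns from the post -> strptime equivalents (assumption: only these two)
JODA_TO_STRPTIME = {
    "dd/MM/YYYY:HH:mm:ss": "%d/%m/%Y:%H:%M:%S",    # McAfee pattern (numeric month)
    "dd/MMM/YYYY:HH:mm:ss": "%d/%b/%Y:%H:%M:%S",   # Check Point pattern (abbreviated month)
}


def last_sunday(year, month):
    """Date of the last Sunday of the month, as a naive datetime at 00:00."""
    last_day = calendar.monthrange(year, month)[1]
    d = datetime(year, month, last_day)
    return d - timedelta(days=(d.weekday() + 1) % 7)  # weekday(): Mon=0 ... Sun=6


def london_utc_offset(local):
    """UTC offset for a naive Europe/London wall-clock time.

    Clocks go forward at 01:00 GMT (to 02:00 BST) on the last Sunday of March
    and back at 02:00 BST (to 01:00 GMT) on the last Sunday of October.
    The ambiguous 01:00-01:59 in October is treated as BST (first occurrence).
    """
    bst_start = last_sunday(local.year, 3) + timedelta(hours=1)
    bst_end = last_sunday(local.year, 10) + timedelta(hours=2)
    return timedelta(hours=1) if bst_start <= local < bst_end else timedelta(0)


def logstash_date(value, pattern, tz="Europe/London"):
    """Return the @timestamp string Logstash would store for `value`.

    The text is interpreted as wall-clock time in `tz`, converted to UTC and
    rendered with a Z suffix; that conversion is the whole "missing hour".
    Only Europe/London and UTC are modelled in this example.
    """
    local = datetime.strptime(value, JODA_TO_STRPTIME[pattern])
    if tz == "Europe/London":
        offset = london_utc_offset(local)
    elif tz == "UTC":
        offset = timedelta(0)
    else:
        raise ValueError("timezone not modelled in this example: " + tz)
    utc = (local - offset).replace(tzinfo=timezone.utc)
    return utc.strftime("%Y-%m-%dT%H:%M:%S.000Z")


if __name__ == "__main__":
    # Constructed inputs: the two timestamps from the post plus the 2015 BST boundary.
    cases = [
        ("31/03/2015:12:59:07", "dd/MM/YYYY:HH:mm:ss"),    # BST: stored one hour earlier
        ("18/MAR/2015:15:00:00", "dd/MMM/YYYY:HH:mm:ss"),  # GMT: stored unchanged
        ("29/03/2015:00:30:00", "dd/MM/YYYY:HH:mm:ss"),    # just before clocks go forward
        ("29/03/2015:02:30:00", "dd/MM/YYYY:HH:mm:ss"),    # just after
    ]
    for value, pattern in cases:
        print(f"{value:22} -> {logstash_date(value, pattern)}")
```

Running it prints 2015-03-31T11:59:07.000Z for the McAfee line and 2015-03-18T15:00:00.000Z for the Check Point line, with the two 29 March readings showing the offset changing within a single day. For incident timelines this is the behaviour you want: @timestamp is always UTC, so events from sources in different zones line up, while the original wall-clock value survives in the timestamp field. Adding "+1 hour" in Logstash would mislabel every event logged during BST, and Kibana converts @timestamp to the browser's local time for display anyway.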