我们可以向特定的电子邮件地址发送电子邮件通知,但我想根据日志中的某些模式向不同的邮寄地址发送电子邮件。
例如说我有三个用户使用电子邮件地址
使用的Logstash版本是1.3.3 任何帮助,如果这可以在logstash或任何解决方法,以达到这样的目的。
这是我的配置,虽然“安全”和“安全”都是和' Portal'匹配,但电子邮件只发送给一个。
当我只保留一种日志时说安全日志或门户日志它可以工作,但是当我保留两个日志时它只向其中一个发送电子邮件。
output {
if [module] == "Security"{
email {
to => "userOne@somemail.com"
from => "dummy2161@somemail.com"
match =>["%{message}","severity,ERROR"]
subject => "Error Occured"
body => "%{message}"
via => "smtp"
options => {
starttls => "true"
smtpIporHost => "smtp.gmail.com"
port => "587"
userName => "dummy2161@somemail.com"
password => "*******"
authenticationType => "plain"
}
}
}
if [module] == "Portal"{
email {
to => "userTwo@somemail.com"
from => "dummy2161@gmail.com"
match =>["%{message}","severity,ERROR"]
subject => "Error Occured"
body => "%{message}"
via => "smtp"
options => {
starttls => "true"
smtpIporHost => "smtp.gmail.com"
port => "587"
userName => "dummy2161@somemail
password => "*****"
authenticationType => "plain"
}
}
}
}
谢谢
答案 0 :(得分:0)
您可以将收件人电子邮件地址存储在字段中(使用条件或grok过滤器来分配值)并在电子邮件输出的to参数中引用该字段,或者您可以在条件中包装多个电子邮件输出
使用字段存储地址:
filter {
# If the module name is the same as the recipient address's local part
mutate {
add_field => { "recipient" => "%{modulename}@example.com" }
}
# Otherwise you might have to use conditionals.
if [modulename] == "something" {
mutate {
add_field => { "recipient" => "someuser@example.com" }
}
} else {
mutate {
add_field => { "recipient" => "otheruser@example.com" }
}
}
}
output {
email {
to => "%{recipient}"
...
}
}
在条件中包装输出:
output {
if [modulename] == "something" {
email {
to => "someuser@example.com"
...
}
} else {
email {
to => "otheruser@example.com"
...
}
}
}