这是一个事件消息的例子:
{
"timestamp":"2016-03-29T22:35:44.770750-0400",
"flow_id":45385792,
"in_iface":"eth1",
"event_type":"alert",
"src_ip":"3.3.3.8",
"src_port":21,
"dest_ip":"2.2.2.2",
"dest_port":52934,
"proto":"TCP",
"alert":{
"action":"allowed",
"gid":1,
"signature_id":4027,
"rev":0,
"signature":"FTP Successful Login",
"category":"",
"severity":3
},
"payload":"MjU3ICIvaG9tZS9uZXd1c2VyIg0K",
"payload_printable":"257 newuser",
"stream":0,
"packet":"AFBWo0NoAFBWoxZWCABFAABJKDpAAEAGCGcDAwMIAgICAgAVzsbd4MhqOBOjfoAYAOMYcwAAAQEIChHN4EQHnwugMjU3ICIvaG9tZS9uZXd1c2VyIg0K"
}
我希望能够识别字符串"newuser"(始终在数字"257"之后)并创建另一个名为user的字段,并添加"newuser"字符串进入它。
我的Logstash配置文件如下:
input
beats
port => 5044
codec => json
type => "SuricataIDPS"
output
elasticsearch
hosts => ["localhost:9200"]
sniffing => true
manage_template => false
index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
#document_type => "%{[@metadata][type]}"
如何提取"newuser"字符串并添加具有该值的新字段?
答案 0 :(得分:0)
您必须使用filter过滤器在配置中定义grok节,请参阅以下内容:
input {
beats {
port => 5044
codec => json
type => "SuricataIDPS"
}
}
filter {
grok {
match => ["payload_printable", "257 (?<user>.+)"]
tag_on_failure => []
}
}
output {
elasticsearch {
hosts => ["localhost:9200"]
sniffing => true
manage_template => false
index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
#document_type => "%{[@metadata][type]}"
}
}