这是我尝试完成的任务,我尝试从路由器和交换机收集系统日志,这里是一个设备的示例
I 05/23/16 11:50:14 ports: port 14 is now off-line
I 05/23/16 11:49:38 ports: port 14 is now on-line
W 05/23/16 11:49:36 ports: port 14 PD Invalid Signature indication.
I 05/23/16 11:49:35 ports: port 14 is Blocked by STP
I 05/23/16 11:49:32 ports: port 14 is now off-line
I 05/23/16 11:49:26 ip: VLAN101: network enabled on 10.101.0.130
I 05/23/16 11:49:26 ip: VLAN101: changing IP address to 10.101.0.130
我现在要做的就是捕捉字符串,如“现在离线”,然后发送emial警报,第二部分将使用Kibana轻松浏览所有日志。我让Logstash,Elasticsearch和Kibana工作,我看到所有日志都会通过。
日志将来自多个设备,不同类型,所以我只需要捕获我需要的字符串,标记它并基于它做一些动作,例如发送电子邮件
我是否必须一块一块地制动每个系统日志? 是否有搜索日志的功能?
input {
udp {
type => "syslog"
port => 514
}
}
filter {
if [type] == "syslog" {
**check if the single sting( or strings from dictionary) exist in this message**
**if yes, mark it, tag it if not just send the raw event to elasticsearch**
}
}
output {
elasticsearch { **send all logs**
}
**if the event needs attention send alert** {
email {
from => "myemail@somewhere.com"
subject => "%{tagged_event}"
to => "you@example.com"
via => "mail"
body => "Alert something something: %{@message}"
}
}
}
答案 0 :(得分:0)
根据您匹配的复杂程度,有几种方法。
in运营商:
if [type] == "syslog" {
if "is now off-line" in [message] or "some other thing" in [message] {
mutate { add_tag => [ "alertNeeded" ] }
}
}
正则表达式=~运营商:
if [type] == "syslog" {
if [message] =~ /is now (off-line|on-line)/ {
mutate { add_tag => [ "alertNeeded" ] }
}
}
然后在输出部分
if "alertNeeded" in [tags] {
email { ... }
}