A few days ago I set up my first ELK server to monitor the traffic on my firewall. Logstash is collecting all the logs and I can see them all in Kibana under the Discover tab. But I noticed that not all of the important information is listed. How can I split the message string? I would like to have variables such as sourceip pointing to 10.0.100.26 and destination IP pointing to 100.17.xxx.x.
Any idea how I can do this?
The JSON of my last log:
{
  "_index": "logstash-2016.06.13",
  "_type": "syslog",
  "_id": "AVVI5yh_EZJEbJp591pq",
  "_score": null,
  "_source": {
    "message": "RT_FLOW_SESSION_CREATE: session created 10.0.100.26/48107->100.17.xxx.x/41427 None xxx.xx.xx.x/20167->100.17.xxx.x/41427 wifi-to-internet-r1 None 17 wifi-to-internet wifi internet 146586 N/A(N/A) ge-0/0/4.0 UNKNOWN UNKNOWN UNKNOWN",
    "@version": "1",
    "@timestamp": "2016-06-13T08:35:56.042Z",
    "type": "syslog",
    "host": "10.0.2.1",
    "syslog_severity_code": 5,
    "syslog_facility_code": 1,
    "syslog_facility": "user-level",
    "syslog_severity": "notice",
    "priority": "14",
    "timestamp": "Jun 13 09:26:50",
    "logsource": "srx",
    "program": "RT_FLOW"
  },
  "fields": {
    "@timestamp": [
      1465806956042
    ]
  },
  "sort": [
    1465806956042
  ]
}
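Added example, not part of the question above: a Python parser that does to this message what a Logstash grok filter would do, so the extraction can be checked offline before it goes into the pipeline. The field names are my own choice. The field order is what I understand the unstructured Junos RT_FLOW_SESSION_CREATE message to use (source/port->destination/port, service, NAT source/port->NAT destination/port, source-NAT rule, destination-NAT rule, protocol number, policy, source zone, destination zone, session id, user(roles), incoming interface, application, nested application, encrypted), so verify it against the system log reference for your SRX release. The sample line is the one from the question, with its masked addresses left intact, which is also why addresses are matched loosely rather than with an IP pattern.

```python
import re

# Message taken verbatim from the question (addresses masked by the poster).
SAMPLE_MESSAGE = (
    "RT_FLOW_SESSION_CREATE: session created 10.0.100.26/48107->100.17.xxx.x/41427 "
    "None xxx.xx.xx.x/20167->100.17.xxx.x/41427 wifi-to-internet-r1 None 17 "
    "wifi-to-internet wifi internet 146586 N/A(N/A) ge-0/0/4.0 UNKNOWN UNKNOWN UNKNOWN"
)

# Assumed field order of the unstructured RT_FLOW_SESSION_CREATE message; check it
# against the Junos system log reference for your release.
# Addresses use [^\s/]+ instead of an IP pattern so that masked lines such as the
# one in the question still parse; tighten to %{IP:...} on real, unmasked logs.
_ADDR = r"[^\s/]+"
_TOK = r"\S+"
MESSAGE_RE = re.compile(
    r"RT_FLOW_SESSION_CREATE: session created "
    rf"(?P<source_ip>{_ADDR})/(?P<source_port>\d+)->"
    rf"(?P<destination_ip>{_ADDR})/(?P<destination_port>\d+) "
    rf"(?P<service>{_TOK}) "
    rf"(?P<nat_source_ip>{_ADDR})/(?P<nat_source_port>\d+)->"
    rf"(?P<nat_destination_ip>{_ADDR})/(?P<nat_destination_port>\d+) "
    rf"(?P<src_nat_rule>{_TOK}) (?P<dst_nat_rule>{_TOK}) (?P<protocol_id>\d+) "
    rf"(?P<policy_name>{_TOK}) (?P<source_zone>{_TOK}) (?P<destination_zone>{_TOK}) "
    rf"(?P<session_id>\d+) (?P<username>[^\s(]+)\((?P<roles>[^)]*)\) "
    rf"(?P<in_interface>{_TOK}) (?P<application>{_TOK}) "
    rf"(?P<nested_application>{_TOK}) (?P<encrypted>{_TOK})\s*$"
)

# Fields that should become numbers in Elasticsearch (the grok equivalent is
# %{INT:name:int}); everything else stays a keyword string.
_INT_FIELDS = (
    "source_port", "destination_port", "nat_source_port",
    "nat_destination_port", "protocol_id", "session_id",
)

# Small IANA protocol-number map, enough for firewall flow logs.
_PROTOCOLS = {1: "icmp", 6: "tcp", 17: "udp", 47: "gre", 50: "esp", 58: "icmpv6"}


def parse_session_create(message):
    """Split one RT_FLOW_SESSION_CREATE message into named fields.

    Returns a dict, or None when the line is not a session-create message
    (e.g. RT_FLOW_SESSION_CLOSE, which has a different layout and needs its
    own pattern).
    """
    m = MESSAGE_RE.match(message)
    if m is None:
        return None
    fields = m.groupdict()
    for name in _INT_FIELDS:
        fields[name] = int(fields[name])
    # Derived field, like a Logstash translate filter would add.
    fields["protocol"] = _PROTOCOLS.get(fields["protocol_id"], str(fields["protocol_id"]))
    return fields


def grok_pattern():
    """The same regex in grok form.

    Grok accepts Oniguruma named captures written as (?<name>...), so the only
    change from the Python pattern is the group syntax.
    """
    return MESSAGE_RE.pattern.replace("(?P<", "(?<")


if __name__ == "__main__":
    for key, value in parse_session_create(SAMPLE_MESSAGE).items():
        print(f"{key:24} {value}")
    print()
    print("grok pattern:")
    print(grok_pattern())
```

The string returned by grok_pattern() is what goes into the match of a grok filter on the message field; guard it with a conditional on the existing program field being RT_FLOW so the pattern is not tried against every syslog line, and paste the sample message plus the pattern into Kibana's Grok Debugger first, since a single wrong token will tag the event with _grokparsefailure rather than give a partial result.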