我正在尝试处理旧版'我的本地ELK堆栈(macOs)上的日志文件,但我无法让Logstash读取我的文件。
{"eventid": "cowrie.direct-tcpip.data", "timestamp": "2016-07-10T03:00:17.713013Z", "format": "direct-tcp forward to %(dst_ip)s:%(dst_port)s with data %(data)s", "sensor": "sensor", "system": "says message", "src_ip": "8.8.8.8", "session": "session", "dst_port": 25, "dst_ip": "0.0.0.0", "message": "message'", "data": "data", "isError": 0}
当我在STDIN上输入一行时,它工作正常。 (但有些线条太大而无法复制粘贴为STDIN)
input {
# this is the actual live log file to monitor
file {
path => "/Users/Auyer/ELK/ServerLogs/cowrie.json"
start_position => beginning
ignore_older => 0
sincedb_path => "/Users/Auyer/ELK/ServerLogs/cowrie.sincedb"
codec => json_lines
sincedb_write_interval => 15
discover_interval => 5
}
stdin{
codec =>json_lines
type => "cowrie"
}
}
filter {
if [type] == "cowrie" {
json {
source => message
}
date {
match => [ "timestamp", "ISO8601" ]
}
if [src_ip] {
dns {
reverse => [ "src_host", "src_ip" ]
action => "append"
}
geoip {
source => "src_ip"
target => "geoip"
database => "/Users/Auyer/ELK/logstash-2.3.3/vendor/geoip/GeoLiteCity.dat"
add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
}
geoip {
source => "src_ip"
database => "/Users/Auyer/ELK/logstash-2.3.3/vendor/geoip/GeoIPASNum.dat"
}
mutate {
convert => [ "[geoip][coordinates]", "float" ]
}
}
}
}
output {
if [type] == "cowrie" {
elasticsearch {
hosts => ["localhost:9200"]
}
file {
path => "/Users/Auyer/ELK/tmp/cowrie-logstash.log"
codec => json
}
stdout {
codec => rubydebug
}
}
}
我已尝试过所有内容,阅读每个Stack Overflow问题,似乎没有任何工作。
我还可以使用其他方法吗?
答案 0 :(得分:1)
试试这个:
file {
path => "/Users/Auyer/ELK/ServerLogs/cowrie.json"
start_position => beginning
sincedb_path => "/dev/null"
codec => json_lines
type => "cowrie"
}
几天前我遇到了类似的问题。将sincedb_path设置为/dev/null可解决问题。