我想用ElasticSearch索引我的Exchange Server的SMTP接收日志。所以我创建了一个logstash配置文件,它工作得非常好,但我的所有字段都是字符串,而不是ip,例如源和目标服务器。所以我尝试更改logstash模板中的默认映射:
curl -XGET http://localhost:9200/_template/logstash?pretty > C:\temp\logstashTemplate.txt 编辑文本文件并添加我的'SourceIP'字段
{
"template": "logstash-*",
"settings": {
"index": {
"refresh_interval": "5s"
}
},
"mappings": {
"_default_": {
"dynamic_templates": [{
"message_field": {
"mapping": {
"fielddata": {
"format": "disabled"
},
"index": "analyzed",
"omit_norms": true,
"type": "string"
},
"match_mapping_type": "string",
"match": "message"
}
}, {
"string_fields": {
"mapping": {
"fielddata": {
"format": "disabled"
},
"index": "analyzed",
"omit_norms": true,
"type": "string",
"fields": {
"raw": {
"ignore_above": 256,
"index": "not_analyzed",
"type": "string"
}
}
},
"match_mapping_type": "string",
"match": "*"
}
}],
"_all": {
"omit_norms": true,
"enabled": true
},
"properties": {
"@timestamp": {
"type": "date"
},
"geoip": {
"dynamic": true,
"properties": {
"ip": {
"type": "ip"
},
"latitude": {
"type": "float"
},
"location": {
"type": "geo_point"
},
"longitude": {
"type": "float"
}
}
},
"@version": {
"index": "not_analyzed",
"type": "string"
},
"SourceIP": {
"type": "ip"
}
}
}
},
"aliases": {}
}
我使用命令curl -XPUT http://localhost:9200/_t
emplate/logstash -d@C:\temp\logstash.template
重新启动ElasticSearch服务器并删除/重新创建索引
'SourceIP'字段未更改为输入ip。我错了什么?你能给我一个提示吗?谢谢!