我知道ntopng可以直接使用elasticsearch但我的老板想要使用logtash作为图层来将日志传输到elasticsearch。
我尝试了很多次却失败了。
ntopng log like:
add_filter('frm_setup_new_fields_vars', 'remove_field_option', 30, 2);
add_filter('frm_setup_edit_fields_vars', 'remove_field_option', 30, 2);
function remove_field_option( $values, $field ) {
if ( $field->id == 242 ) {
$timestamp = time();
$options_to_remove = array( '2016-08-19', '2016-08-20' )
foreach ( $options_to_remove as $remove ) {
$option_key = array_search( $remove, $values['options'] );
if ( $option_key !== false ) {
unset( $values['options'][ $option_key ] );
}
}
}
return $values;
}
Logstash config:
{"index": {"_type": "ntopng", "_index": "ntopng-2016.08.23"}}
{ "@timestamp": "2016-08-23T01:49:41.0Z", "type": "ntopng", "IN_SRC_MAC": "04:2A:E2:0D:62:FB", "OUT_DST_MAC": "00:16:3E:8D:B7:E4", "IPV4_SRC_ADDR": "14.152.84.14", "IPV4_DST_ADDR": "xxx.xxx.xxx", "L4_SRC_PORT": 34599, "L4_DST_PORT": 53, "PROTOCOL": 17, "L7_PROTO": 5, "L7_PROTO_NAME": "DNS", "IN_PKTS": 15, "IN_BYTES": 1185, "OUT_PKTS": 15, "OUT_BYTES": 22710, "FIRST_SWITCHED": 1471916981, "LAST_SWITCHED": 1471916981, "SRC_IP_COUNTRY": "CN", "SRC_IP_LOCATION": [ 113.250000, 23.116699 ], "DST_IP_COUNTRY": "VN", "DST_IP_LOCATION": [ 105.849998, 21.033300 ], "NTOPNG_INSTANCE_NAME": "ubuntu", "INTERFACE": "ens192", "DNS_QUERY": "cpsc.gov", "PASS_VERDICT": true }
由于