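I have Kibana displaying the logs from apache. But what I want to do is parse the %T/%D fields into new fields in Kibana and be able to filter on this data.
I have gone through this document on how to format apache logs properly.
Thanks!
I have this Filebeat configuration on the apache server: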
filebeat:
  # Each list entry is one prospector: a set of files shipped with the same settings.
  prospectors:
    -
      paths:
        - /var/log/auth.log
        - /var/log/syslog
      input_type: log
      document_type: syslog
    -
      paths:
        - /var/log/apache2/access.log
        - /var/www/vhosts/example.com/logs/access.log
        - /var/www/vhosts/example.com/logs/error.log
      document_type: apache-access
  registry_file: /var/lib/filebeat/registry
output:
  logstash:
    hosts: ["example.com:5044"]
    bulk_max_size: 1024
    # The CA certificate used to verify the Logstash server
    tls:
      certificate_authorities: ["/etc/pki/tls/certs/logstash-forwarder.crt"]
shipper:
# Filebeat's own log output (a single logging section; YAML keys must be unique)
logging:
  level: warning
  to_files: true
  to_syslog: false
  files:
    path: /var/log/mybeat
    name: mybeat.log
    keepfiles: 7
    rotateeverybytes: 10485760 # = 10MB
I have attached the logstash configuration file, logstash.rb
require 'rubygems' if RUBY_VERSION < '1.9.0'
require 'sensu-handler'
require 'redis'
require 'json'
require 'socket'
require 'time'

# Sensu handler that forwards check events to Logstash over Redis or UDP.
class LogstashHandler < Sensu::Handler
  def event_name
    @event['client']['name'] + '/' + @event['check']['name']
  end

  def action_to_string
    @event['action'].eql?('resolve') ? 'RESOLVE' : 'ALERT'
  end

  # Map the numeric check status to a readable label.
  def event_status
    case @event['check']['status']
    when 0
      'OK'
    when 1
      'WARNING'
    when 2
      'CRITICAL'
    else
      'unknown'
    end
  end

  def handle
    time = Time.now.utc.iso8601
    logstash_msg = {
      :@timestamp => time,
      :@version => 1,
      :source => ::Socket.gethostname,
      :tags => ["sensu-#{action_to_string}"],
      :message => @event['check']['output'],
      :host => @event['client']['name'],
      :timestamp => @event['check']['issued'],
      :address => @event['client']['address'],
      :check_name => @event['check']['name'],
      :command => @event['check']['command'],
      :status => event_status,
      :flapping => @event['check']['flapping'],
      :occurrences => @event['occurrences'],
      :action => @event['action']
    }
    logstash_msg[:type] = settings['logstash']['type'] if settings['logstash'].key?('type')

    case settings['logstash']['output']
    when 'redis'
      redis = Redis.new(host: settings['logstash']['server'], port: settings['logstash']['port'])
      redis.lpush(settings['logstash']['list'], logstash_msg.to_json)
    when 'udp'
      socket = UDPSocket.new
      # Serialize the hash to JSON before sending; JSON.parse expects a string, not a hash.
      socket.send(logstash_msg.to_json, 0, settings['logstash']['server'], settings['logstash']['port'])
      socket.close
    end
  end
end
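
Added example, not part of the original post and not the poster's configuration: Ruby that splits a trailing `%T/%D` token off a combined-format access line into integer fields, the form a numeric filter in Kibana needs. The LogFormat (combined followed by `%T/%D`), the field names, the `_no_request_time` tag and the sample lines are assumptions constructed for illustration.

```ruby
# Assumes LogFormat = combined followed by "%T/%D"
# (%T = seconds, %D = microseconds). Sample lines are constructed.
SAMPLE_LINES = [
  '203.0.113.7 - - [10/Oct/2016:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "curl/7.47.0" 0/95491',
  '203.0.113.9 - alice [10/Oct/2016:13:55:40 +0000] "POST /login HTTP/1.1" 302 - "http://example.com/" "Mozilla/5.0" 2/2310044',
  '203.0.113.9 - - [10/Oct/2016:13:55:41 +0000] "GET /old HTTP/1.1" 404 512 "-" "Mozilla/5.0"'
].freeze

# Combined log format with an optional trailing seconds/microseconds token.
ACCESS_RE = %r{
  \A(?<clientip>\S+)\s+(?<ident>\S+)\s+(?<auth>\S+)\s+
  \[(?<timestamp>[^\]]+)\]\s+
  "(?<request>(?:[^"\\]|\\.)*)"\s+
  (?<response>\d{3})\s+(?<bytes>\d+|-)\s+
  "(?<referrer>(?:[^"\\]|\\.)*)"\s+"(?<agent>(?:[^"\\]|\\.)*)"
  (?:\s+(?<time_s>\d+)/(?<time_us>\d+))?\s*\z
}x

# Returns a hash of typed fields, or nil when the line is not an access line.
def parse_access_line(line)
  m = ACCESS_RE.match(line)
  return nil unless m

  event = {
    'clientip' => m[:clientip],
    'request'  => m[:request],
    'response' => m[:response].to_i,
    'bytes'    => m[:bytes] == '-' ? 0 : m[:bytes].to_i
  }
  if m[:time_us]
    # Store numbers, not strings, so range queries and sorting work.
    event['request_time_s']  = m[:time_s].to_i
    event['request_time_us'] = m[:time_us].to_i
    event['request_time_ms'] = (m[:time_us].to_i / 1000.0).round(3)
  else
    # Lines written before the LogFormat change carry no timing token.
    event['tags'] = ['_no_request_time']
  end
  event
end

# The kind of filter the timing fields make possible: requests slower than a threshold.
def slow_requests(lines, threshold_ms)
  lines.map { |l| parse_access_line(l) }.compact
       .select { |e| e.fetch('request_time_ms', 0) >= threshold_ms }
end
```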