The log file I am monitoring records entries in the following format:
Oct 23 16:06:44 server smbd_audit: user01|192.168.0.23|project|opendir|ok|.
Oct 23 16:06:44 server smbd_audit: user01|192.168.0.23|project|closedir|ok|
Oct 23 16:06:44 server smbd_audit: user01|192.168.0.23|project|open|ok|r|file.txt
Oct 23 16:06:44 server smbd_audit: user01|192.168.0.23|project|pread|ok|file.txt
Oct 23 16:06:44 server smbd_audit: user01|192.168.0.23|project|close|ok|file.txt
How can I format this data before sending it to Elasticsearch with Filebeat?
I would like my documents to look like the following (excluding the Elasticsearch metadata fields):
{
  "timestamp": "Oct 23 16:06:44",
  "machine-name": "server",
  "type": "smbd_audit",
  "username": "user01",
  "machine-ip": "192.168.0.23",
  "directory": "project",
  "operation": "opendir",
  "success": "ok",
  "file": "file.txt"
}
Answer 0 (score: 1)
I assume you don't want to use Logstash, so you could use an ingest pipeline with Grok.
PUT _ingest/pipeline/my-pipeline
{
  "description": "My Ingest Pipeline",
  "processors": [
    {
      "grok": {
        "field": "message",
        "patterns": [
          "%{SYSLOGTIMESTAMP:log_date} %{HOSTNAME:machine-name} %{WORD:type}: %{USERNAME:username}\\|%{IP:machine-ip}\\|%{DATA:directory}\\|%{WORD:operation}\\|%{WORD:success}\\|(?:[rw]\\|)?%{GREEDYDATA:file}"
        ]
      }
    },
    {
      "date": {
        "field": "log_date",
        "formats": ["MMM d HH:mm:ss", "MMM dd HH:mm:ss", "MMM  d HH:mm:ss"]
      }
    }
  ]
}
Completely untested, but it should at least give you something.
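As an added example that is not part of the question or the answer above: a plain-Python equivalent of the grok pattern, run over the sample lines from the question, so the field split (escaped pipes, the optional `r|` access mode that `open` emits, the empty file field on `closedir`) can be checked offline before the pipeline is loaded into Elasticsearch. The regex and the field mapping are this example's own; the sample lines are copied from the question.

```python
import json
import re

# Sample lines in the smbd_audit format, copied from the question.
SAMPLE_LINES = """\
Oct 23 16:06:44 server smbd_audit: user01|192.168.0.23|project|opendir|ok|.
Oct 23 16:06:44 server smbd_audit: user01|192.168.0.23|project|closedir|ok|
Oct 23 16:06:44 server smbd_audit: user01|192.168.0.23|project|open|ok|r|file.txt
Oct 23 16:06:44 server smbd_audit: user01|192.168.0.23|project|pread|ok|file.txt
Oct 23 16:06:44 server smbd_audit: user01|192.168.0.23|project|close|ok|file.txt
""".splitlines()

# Plain-regex counterpart of the grok pattern. Grok compiles to named groups,
# so the same structure can be validated locally. Notes:
#  - "|" is the regex alternation operator and must be escaped as a separator;
#  - "open" lines carry an extra access-mode token ("r" or "w") that is
#    consumed but not stored, since the desired document has no such field;
#  - the file field may be empty ("closedir") or just "." ("opendir").
LINE_RE = re.compile(
    r"^(?P<timestamp>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<machine_name>\S+) (?P<type>\w+): "
    r"(?P<username>[^|]+)\|(?P<machine_ip>\d{1,3}(?:\.\d{1,3}){3})\|"
    r"(?P<directory>[^|]+)\|(?P<operation>\w+)\|(?P<success>\w+)\|"
    r"(?:[rw]\|)?(?P<file>.*)$"
)

def parse_smbd_audit(line):
    """Return a dict using the field names from the question, or None when the
    line does not match (unexpected input is surfaced, not silently dropped)."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    d = m.groupdict()
    return {
        "timestamp": d["timestamp"], "machine-name": d["machine_name"],
        "type": d["type"], "username": d["username"],
        "machine-ip": d["machine_ip"], "directory": d["directory"],
        "operation": d["operation"], "success": d["success"], "file": d["file"],
    }

def parse_all(lines):
    """Parse every line; entries that fail to match stay as None."""
    return [parse_smbd_audit(line) for line in lines]

if __name__ == "__main__":
    for doc in parse_all(SAMPLE_LINES):
        print(json.dumps(doc))
```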