As the title says: when I use Logstash to parse NetFlow (from cisco_f7) and ingest the flow data into Elasticsearch, I find that the data in ES is missing the OUT_BYTES field. I searched for a long time; some people have the same problem, but I don't know how to solve it.
Here is a NetFlow document in ES:
    {
      "_index": "netflow-%{year}-%{month}-%{day}",
      "_type": "doc",
      "_id": "QnjmS2EBwY8ORgd4n7yl",
      "_version": 1,
      "_score": null,
      "_source": {
        "netflow": {
          "in_pkts": 13,
          "version": 5,
          "src_tos": 0,
          "engine_type": 1,
          "ipv4_next_hop": "120.127.163.193",
          "dst_as": 0,
          "dst_mask": 0,
          "sampling_algorithm": 0,
          "src_mask": 0,
          "flow_records": 24,
          "output_snmp": 0,
          "last_switched": "2018-01-31T10:58:40.971Z",
          "first_switched": "2018-01-31T10:58:40.971Z",
          "ipv4_dst_addr": "120.127.163.193",
          "tcp_flags": 0,
          "ipv4_src_addr": "216.58.200.234",
          "protocol": 6,
          "src_as": 0,
          "input_snmp": 191,
          "l4_dst_port": 10029,
          "sampling_interval": 0,
          "l4_src_port": 443,
          "in_bytes": 5548,
          "flow_seq_num": 1259678413,
          "engine_id": 2
        },
        "@timestamp": "2018-01-31T10:58:44.972Z",
        "host": "120.127.163.4",
        "@version": "1"
      },
      "fields": {
        "netflow.first_switched": [
          "2018-01-31T10:58:40.971Z"
        ],
        "@timestamp": [
          "2018-01-31T10:58:44.972Z"
        ],
        "netflow.last_switched": [
          "2018-01-31T10:58:40.971Z"
        ]
      }
    }
Logstash config:
    input {
      udp {
        host => "120.127.XXX.XX"
        port => 5556
        codec => netflow
      }
    }
    output {
      elasticsearch {
        hosts => ["120.127.XXX.XX:9200"]
        index => "netflow-%{year}-%{month}-%{day}"
      }
      stdout { codec => rubydebug }
    }
Can anyone help me? Thanks in advance!
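The document above reports "version": 5, and the NetFlow v5 record format carries only ingress counters (dPkts/dOctets, which the Logstash codec names in_pkts/in_bytes); OUT_BYTES is a NetFlow v9/IPFIX field. The parser below is an added example, not code from the original post, that decodes a constructed v5 packet mirroring the record above so the complete set of fields a v5 record can carry is visible.

```python
import struct
from ipaddress import IPv4Address

# NetFlow v5 wire format (big-endian): a 24-byte header followed by 48-byte records.
HEADER = struct.Struct("!HHIIIIBBH")
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
HEADER_FIELDS = ("version", "count", "sys_uptime", "unix_secs", "unix_nsecs",
                 "flow_seq_num", "engine_type", "engine_id", "sampling_interval")
RECORD_FIELDS = ("ipv4_src_addr", "ipv4_dst_addr", "ipv4_next_hop", "input_snmp",
                 "output_snmp", "in_pkts", "in_bytes", "first", "last",
                 "l4_src_port", "l4_dst_port", "pad1", "tcp_flags", "protocol",
                 "src_tos", "src_as", "dst_as", "src_mask", "dst_mask", "pad2")

def parse_netflow_v5(packet: bytes) -> dict:
    """Decode one v5 export packet into its header fields and a list of flow records."""
    if len(packet) < HEADER.size:
        raise ValueError("packet shorter than a NetFlow v5 header")
    header = dict(zip(HEADER_FIELDS, HEADER.unpack_from(packet, 0)))
    if header["version"] != 5:
        raise ValueError(f"not NetFlow v5: version={header['version']}")
    if len(packet) != HEADER.size + header["count"] * RECORD.size:
        raise ValueError("record count in header does not match packet length")
    records = []
    for i in range(header["count"]):
        raw = RECORD.unpack_from(packet, HEADER.size + i * RECORD.size)
        rec = dict(zip(RECORD_FIELDS, raw))
        for key in ("ipv4_src_addr", "ipv4_dst_addr", "ipv4_next_hop"):
            rec[key] = str(IPv4Address(rec[key]))  # 4 packed bytes -> dotted quad
        del rec["pad1"], rec["pad2"]  # padding carries no data
        records.append(rec)
    return {"header": header, "records": records}

def build_sample_packet() -> bytes:
    """Constructed sample: one v5 record with the values shown in the question's document."""
    header = HEADER.pack(5, 1, 1000, 1517396320, 0, 1259678413, 1, 2, 0)
    record = RECORD.pack(
        IPv4Address("216.58.200.234").packed, IPv4Address("120.127.163.193").packed,
        IPv4Address("120.127.163.193").packed, 191, 0, 13, 5548, 900, 1000,
        443, 10029, 0, 0, 6, 0, 0, 0, 0, 0, 0)
    return header + record

if __name__ == "__main__":
    parsed = parse_netflow_v5(build_sample_packet())
    print(parsed["header"])
    for rec in parsed["records"]:
        print(sorted(rec))  # no out_bytes / out_pkts: v5 has no egress counters
```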