Forwarding messages from a Windows host to a Kafka cluster with Winlogbeat. I installed the Winlogbeat agent on the host and tried to forward the Security log to a Kafka broker, but I see that the message field is missing from the events. Winlogbeat configuration:
I am able to run Winlogbeat and see traffic going to Kafka, but the problem is that the message field is missing from the redacted output record below.
#======================= Winlogbeat specific options ==========================
winlogbeat.event_logs:
  - name: Security
    ignore_older: 72h
    forwarded: true
    fields:
      log_topic: TEST
      extra_id: testId
    fields_under_root: true

#------------------------------- Kafka output ----------------------------------
output.kafka:
  # Boolean flag to enable or disable the output module.
  enabled: true
  # The list of Kafka broker addresses from where to fetch the cluster metadata.
  # The cluster metadata contain the actual Kafka brokers events are published
  # to.
output.kafka.hosts: ["localhost:9092","localhost:9093"]
output.kafka.topic: '%{[log_topic]}'
I expect to see a message like the following sent by Winlogbeat:
  "record_number": "20092012",
  "event_data": {
    "TargetLogonId": "00000000",
    "LogonType": "3",
    "TargetUserName": "USER1",
    "TargetDomainName": "DOMAIN",
    "TargetUserSid": "1-1-1-1-1"
Am I missing anything in the winlogbeat.yml configuration file?
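The same winlogbeat.yml as I would write it for a Security log read on the local host, added here as an example and not part of the original post. The one substantive change is dropping `forwarded: true`: Winlogbeat documents `forwarded` as a flag that the log holds only events collected by the Windows Event Collector that are already rendered, so it skips rendering them itself, and on a log that is not actually forwarded that is a likely reason for an empty `message` field. The broker addresses and topic name are the ones from the post; the compression and acknowledgement settings are my own choices.

```yaml
#======================= Winlogbeat specific options ==========================
winlogbeat.event_logs:
  - name: Security
    ignore_older: 72h
    # 'forwarded' is left at its default (false): this log is read locally and
    # has no pre-rendered message for Winlogbeat to pass through.
    fields:
      log_topic: TEST
      extra_id: testId
    # Put log_topic at the top level so '%{[log_topic]}' below resolves.
    fields_under_root: true

#------------------------------- Kafka output ----------------------------------
output.kafka:
  enabled: true
  # Nested keys instead of repeating the 'output.kafka.' prefix inside the block.
  hosts: ["localhost:9092", "localhost:9093"]
  topic: '%{[log_topic]}'
  # Wait for the partition leader to acknowledge each batch (my choice).
  required_acks: 1
  # Compress batches on the wire (my choice).
  compression: gzip
```

After restarting the service, a consumer on the TEST topic should show the rendered `message` text alongside `event_data`.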