I am using the ELK stack to collect syslog from an iptables firewall and am trying to visualise the data with the geoip filter. The Logstash conf looks like this:
filter {
  if [type] == "syslog" {
    mutate {
      gsub => [
        # replace all "= " with double quotes to truly indicate no value
        "message", "= ", '="" '
      ]
    }
    kv {
      id => "syslog_kv"
      source => "message"
      trim_key => " "
      trim_value => " "
      value_split => "="
      field_split => " "
    }
    # now check if source IP is a private IP, if so, tag it
    cidr {
      address => [ "%{src_ip}" ]
      add_tag => [ "src_internalIP" ]
      network => [ "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" ]
    }
    # don't run geoip if it's internalIP, otherwise find the GEOIP location
    if "src_internalIP" not in [tags] {
      geoip {
        add_tag => [ "src_geoip" ]
        source => "src_ip"
      }
    }
    else {
      # check DST IP now. If it is a private IP, tag it
      cidr {
        add_tag => [ "dst_internalIP" ]
        address => [ "%{dst_ip}" ]
        network => [ "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" ]
      }
      # don't run geoip if it's internalIP, otherwise find the GEOIP location
      if "dst_internalIP" not in [tags] {
        geoip {
          add_tag => [ "dst_geoip" ]
          source => "dst_ip"
          database => "/etc/logstash/GeoLite2-City.mmdb"
        }
      }
    }
  }
}
In Kibana I only see the _geoip_lookup_failure tag on every event. In the debug log:
[2019-03-22T20:21:18,135][DEBUG][logstash.filters.geoip ] IP was not found in the database {:event=>#<LogStash::Event:0x5f71a6be>}
[2019-03-22T20:21:18,136][WARN ][logstash.filters.cidr ] Invalid IP address, skipping {:address=>"%{src_ip}", :event=>#<LogStash::Event:0x79cf2cf0>}
Input data format:
<30>2019:03:22-20:16:49 hostname ulogd[13334]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="8" initf="eth2" outitf="eth0" srcmac="70:79:b3:ab:e0:e8" dstmac="00:1a:8c:f0:89:02" srcip="10.0.125.11" dstip="13.78.180.50" proto="6" length="52" tos="0x00" prec="0x00" ttl="126" srcport="53180" dstport="443" tcpflags="SYN"
Please help me fix this problem. I am trying to find a solution.
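Added example, not part of the question above: a small Python reproduction of the kv and cidr steps (the helpers kv_parse, sprintf and cidr_tag and the sample line are mine, constructed for this example) showing why the WARN line carries the literal "%{src_ip}". The kv filter emits keys exactly as they appear in the message (srcip, dstip), so "%{src_ip}" never resolves, the cidr filter skips it, and geoip is then asked to look up a field the event does not have.

```python
import ipaddress
import re

# Constructed sample in the question's ulogd format (not a real captured line).
SAMPLE = ('<30>2019:03:22-20:16:49 hostname ulogd[13334]: id="2002" severity="info" '
          'sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" '
          'fwrule="8" initf="eth2" outitf="eth0" srcip="10.0.125.11" dstip="13.78.180.50" '
          'proto="6" srcport="53180" dstport="443" tcpflags="SYN"')

# The RFC 1918 ranges used by the question's cidr filter.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# key=value pairs: the value is either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')


def kv_parse(message):
    """Stand-in for the kv filter: keys come out exactly as written (srcip, dstip)."""
    fields = {}
    for m in KV_RE.finditer(message):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def sprintf(template, fields):
    """Logstash-style %{name} expansion: a missing field is left as the literal text."""
    return re.sub(r"%\{(\w+)\}",
                  lambda m: str(fields.get(m.group(1), m.group(0))), template)


def cidr_tag(fields, address_template, tag):
    """Stand-in for the cidr filter. Returns None on success, or the skip reason."""
    addr = sprintf(address_template, fields)
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        # This is the path behind the WARN "Invalid IP address, skipping" in the log.
        return f"Invalid IP address, skipping {addr!r}"
    if any(ip in net for net in PRIVATE_NETS):
        fields.setdefault("tags", []).append(tag)
    return None


if __name__ == "__main__":
    event = kv_parse(SAMPLE)
    print(sorted(k for k in event if k.startswith(("src", "dst"))))
    print(cidr_tag(event, "%{src_ip}", "src_internalIP"))  # unresolved template, skipped
    print(cidr_tag(event, "%{srcip}", "src_internalIP"), event.get("tags"))
```

Renaming the fields in the config to the keys the kv filter actually produces (or renaming them with mutate before the cidr/geoip stages) is the check worth making before looking at the GeoIP database itself.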