I am able to send some of my logs from Filebeat to Logstash, but two of them seem to have a problem.
Do you have any words of wisdom?
I can see the logs in the folder that Filebeat should be reading from, but on the sending side I get nothing at all.
Part of the filebeat.yml
# Mailoney
-
  paths:
    - /data/mailoney/log/commands.log
  input_type: log
  document_type: Mailoney
  fields:
  fields_under_root: true
  json.keys_under_root: false
  json.add_error_key: true
# Conpot
-
  paths:
    - /data/conpot/log/*.json"
  input_type: log
  document_type: Conpot
  fields:
  fields_under_root: true
  json.keys_under_root: false
  json.add_error_key: true
# Heralding
-
  paths:
    - /data/heralding/log/auth.csv"
  document_type: Heralding
  fields:
  fields_under_root: true
  json.keys_under_root: false
  json.add_error_key: true
Logstash conf
# Heralding
if [type] == "Heralding" {
  csv {
    columns => ["timestamp","auth_id","session_id","src_ip","src_port","dest_ip","dest_port","proto","username","password"]
    separator => ","
  }
  date {
    match => [ "timestamp", "yyyy-MM-dd HH:mm:ss.SSSSSS" ]
    remove_field => ["timestamp"]
  }
}
# Conpot
if [type] == "Conpot" {
  date {
    match => [ "timestamp", "ISO8601" ]
  }
  mutate {
    rename => {
      "dst_port" => "dest_port"
      "dst_ip" => "dest_ip"
    }
  }
}
# Mailoney
if [type] == "Mailoney" {
  grok {
    match => [ "message", "\A%{NAGIOSTIME}\[%{IPV4:src_ip}:%{INT:src_port:integer}] %{GREEDYDATA:smtp_input}" ]
  }
  mutate {
    add_field => {
      "dest_port" => "25"
    }
  }
  date {
    match => [ "nagios_epoch", "UNIX" ]
    remove_field => ["nagios_epoch"]
  }
}
Answer 0 (score: 0)
I don't know whether this is a typo from the copy and paste, but in the filebeat.yml file only the #Conpot and #Heralding entries carry a quotation mark.
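The answer points at a trailing `"` on two of the path items. A plain YAML scalar such as `/data/conpot/log/*.json"` is valid YAML, so Filebeat does not complain; it simply globs for a file name that literally ends in a quote, matches nothing, and ships nothing. The following script is an added example (not code from the question, the answer, Filebeat or Logstash) that scans a filebeat.yml snippet for exactly this class of mistake before the config is deployed. It assumes the `paths:` / `- item` layout used in the question; the helper names `extract_paths`, `path_findings`, `lint_paths` and `suggested_fix` are hypothetical, and the embedded configuration is a constructed sample copied from the question with the stray quotes left in on purpose.

```python
import re

# Constructed sample input: the three Filebeat prospectors from the question,
# with the stray trailing quotes on the Conpot and Heralding paths left in.
FILEBEAT_YML = """\
# Mailoney
-
  paths:
    - /data/mailoney/log/commands.log
  input_type: log
  document_type: Mailoney
# Conpot
-
  paths:
    - /data/conpot/log/*.json"
  input_type: log
  document_type: Conpot
# Heralding
-
  paths:
    - /data/heralding/log/auth.csv"
  document_type: Heralding
"""

# A `- item` list entry; a bare "-" (start of a new prospector) does not match.
LIST_ITEM = re.compile(r"^\s*-\s+(?P<raw>\S.*?)\s*$")


def extract_paths(yml_text):
    """Collect the list items that follow each `paths:` key, in document order.

    This is a deliberately small line-based scan, not a YAML parser: it only
    understands a `paths:` key followed by `- item` lines, which is all the
    question's snippet uses (hypothetical helper, added here for illustration).
    """
    paths = []
    in_paths = False
    for line in yml_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped == "paths:":
            in_paths = True
            continue
        item = LIST_ITEM.match(line)
        if in_paths and item:
            paths.append(item.group("raw"))
        else:
            in_paths = False
    return paths


def unquote(raw):
    """Strip a matching pair of surrounding quotes, if present."""
    if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "\"'":
        return raw[1:-1]
    return raw


def path_findings(raw):
    """Return the problems found with one path item (empty list means it is fine)."""
    findings = []
    for quote in ('"', "'"):
        if raw.count(quote) % 2 == 1:
            # YAML keeps a lone quote inside a plain scalar as literal text, so
            # Filebeat would look for a file whose name actually ends in the quote.
            findings.append(f"unbalanced {quote} quote; Filebeat will glob for {raw!r} literally")
    if not unquote(raw).startswith("/"):
        findings.append("relative path; Filebeat resolves it against its working directory")
    return findings


def lint_paths(yml_text):
    """Map every path item in the snippet to its findings."""
    return {raw: path_findings(raw) for raw in extract_paths(yml_text)}


def suggested_fix(raw):
    """Drop a lone trailing quote; any other item is returned unchanged."""
    if len(raw) > 1 and raw[-1] in "\"'" and raw.count(raw[-1]) % 2 == 1:
        return raw[:-1]
    return raw


if __name__ == "__main__":
    for raw, findings in lint_paths(FILEBEAT_YML).items():
        print(f"{raw}: {'ok' if not findings else '; '.join(findings)}")
        if findings:
            print(f"  suggested: {suggested_fix(raw)}")
```

Running the script on the sample reports the Mailoney path as fine and flags the Conpot and Heralding paths with the unbalanced quote; because Filebeat treats a non-matching glob as "nothing to harvest yet" rather than as an error, a check like this (or `ls` against each configured glob on the host) is the quickest way to tell a silent path typo apart from a genuine shipping problem between Filebeat and Logstash.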