The following logstash configuration accepts Windows event logs as JSON over a TCP connection and, after some filtering, sends the results to Elasticsearch (source: https://gist.github.com/robinsmidsrod/4215337):
    input {
      tcp {
        type => "syslog"
        host => "127.0.0.1"
        port => 3514
      }
      tcp {
        type => "eventlog"
        host => "10.1.1.2"
        port => 3515
        format => 'json'
      }
    }
    # Details at http://cookbook.logstash.net/recipes/syslog-pri/
    filter {
      # Incoming data from rsyslog
      grok {
        type => "syslog"
        pattern => [ "<%{POSINT:syslog_pri}>(?:%{SYSLOGTIMESTAMP:syslog_timestamp}|%{TIMESTAMP_ISO8601:syslog_timestamp8601}) %{SYSLOGHOST:syslog_hostname} %{PROG:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" ]
        add_field => [ "received_at", "%{@timestamp}" ]
        add_field => [ "received_from", "%{@source_host}" ]
      }
      syslog_pri {
        type => "syslog"
      }
      date {
        type => "syslog"
        syslog_timestamp8601 => "ISO8601" # RSYSLOG_ForwardFormat
        syslog_timestamp => [ "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
      }
      mutate {
        type => "syslog"
        exclude_tags => "_grokparsefailure"
        replace => [ "@source_host", "%{syslog_hostname}" ]
        replace => [ "@message", "%{syslog_message}" ]
      }
      mutate {
        type => "syslog"
        remove => [ "syslog_hostname", "syslog_message", "syslog_timestamp", "syslog_timestamp8601" ]
      }
      # Incoming Windows Event logs from nxlog
      # The EventReceivedTime field must contain only digits, or it is an invalid message
      grep {
        type => "eventlog"
        EventReceivedTime => "\d+"
      }
      mutate {
        # Lowercase some values that are always in uppercase
        type => "eventlog"
        lowercase => [ "EventType", "FileName", "Hostname", "Severity" ]
      }
      mutate {
        # Set source to what the message says
        type => "eventlog"
        rename => [ "Hostname", "@source_host" ]
      }
      date {
        # Convert timestamp from integer in UTC
        type => "eventlog"
        EventReceivedTime => "UNIX"
      }
      mutate {
        # Rename some fields into something more useful
        type => "eventlog"
        rename => [ "Message", "@message" ]
        rename => [ "Severity", "eventlog_severity" ]
        rename => [ "SeverityValue", "eventlog_severity_code" ]
        rename => [ "Channel", "eventlog_channel" ]
        rename => [ "SourceName", "eventlog_program" ]
        rename => [ "SourceModuleName", "nxlog_input" ]
        rename => [ "Category", "eventlog_category" ]
        rename => [ "EventID", "eventlog_id" ]
        rename => [ "RecordNumber", "eventlog_record_number" ]
        rename => [ "ProcessID", "eventlog_pid" ]
      }
      mutate {
        # Remove redundant fields
        type => "eventlog"
        remove => [ "SourceModuleType", "EventTimeWritten", "EventTime", "EventReceivedTime", "EventType" ]
      }
    }
    output {
      elasticsearch {
        embedded => true
      }
      graphite {
        # Ping the graphite server every time a syslog message is received
        type => "syslog"
        port => 2023 # carbon-aggregator
        metrics => [ "syslog.received.%{@source_host}.count", "1" ]
      }
      graphite {
        # Ping the graphite server every time an eventlog message is received
        type => "eventlog"
        port => 2023 # carbon-aggregator
        metrics => [ "eventlog.received.%{@source_host}.count", "1" ]
      }
    }
What is the meaning of the @ prefix on some of the field names at lines 58 and 68, that is, @source_host and @message in these mutate filters:
    mutate {
      # Set source to what the message says
      type => "eventlog"
      rename => [ "Hostname", "@source_host" ]
    }
and
    mutate {
      # Rename some fields into something more useful
      type => "eventlog"
      rename => [ "Message", "@message" ]
      rename => [ "Severity", "eventlog_severity" ]
      rename => [ "SeverityValue", "eventlog_severity_code" ]
      rename => [ "Channel", "eventlog_channel" ]
      rename => [ "SourceName", "eventlog_program" ]
      rename => [ "SourceModuleName", "nxlog_input" ]
      rename => [ "Category", "eventlog_category" ]
      rename => [ "EventID", "eventlog_id" ]
      rename => [ "RecordNumber", "eventlog_record_number" ]
      rename => [ "ProcessID", "eventlog_pid" ]
    }
I think it was a namespacing decision to avoid collisions.
This has mostly been removed in newer versions of logstash. Only @timestamp and @version remain. You should consider upgrading logstash and your shippers.
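As an added illustration (not part of the question, the answer, or Logstash's own code), the Python below emulates the `type => "eventlog"` filter chain from the configuration above on a constructed nxlog-style JSON event, and then maps the 1.1-era `@source_host` / `@message` fields onto the later schema in which only `@timestamp` and `@version` are reserved. The sample event, the `INVALID_EVENT` constant, the helper names and the `@source_host -> host`, `@message -> message` mapping are assumptions made for this example. One caveat it makes explicit: the comment in the config says `EventReceivedTime` must contain only digits, but the grep pattern `\d+` is unanchored and would also accept a value that merely contains a digit, so the emulation anchors the check to match the stated intent.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample event (not from the page): roughly what nxlog's to_json()
# emits for a Security-log record, as it would arrive on the TCP 3515 input.
SAMPLE_EVENT = json.dumps({
    "EventTime": "2012-12-05 10:42:11",
    "Hostname": "WINHOST01",
    "EventType": "AUDIT_SUCCESS",
    "SeverityValue": 2,
    "Severity": "INFO",
    "EventID": 4624,
    "SourceName": "Microsoft-Windows-Security-Auditing",
    "Channel": "Security",
    "Category": "Logon",
    "RecordNumber": 12345,
    "ProcessID": 600,
    "Message": "An account was successfully logged on.",
    "EventReceivedTime": 1354700531,
    "SourceModuleName": "eventlog_in",
    "SourceModuleType": "im_msvistalog",
})

# Constructed invalid event: the timestamp field contains digits but is not
# purely numeric, so the grep stage should drop it.
INVALID_EVENT = json.dumps({"EventReceivedTime": "2012-12-05 10:42:11"})

# Field names taken from the mutate filters in the question, in config order.
LOWERCASE = ("EventType", "FileName", "Hostname", "Severity")
RENAMES = [
    ("Message", "@message"),
    ("Severity", "eventlog_severity"),
    ("SeverityValue", "eventlog_severity_code"),
    ("Channel", "eventlog_channel"),
    ("SourceName", "eventlog_program"),
    ("SourceModuleName", "nxlog_input"),
    ("Category", "eventlog_category"),
    ("EventID", "eventlog_id"),
    ("RecordNumber", "eventlog_record_number"),
    ("ProcessID", "eventlog_pid"),
]
REMOVE = ("SourceModuleType", "EventTimeWritten", "EventTime",
          "EventReceivedTime", "EventType")


def apply_eventlog_filters(raw_json):
    """Emulate the type => "eventlog" filter chain. Returns the event dict,
    or None when the grep stage would have dropped the message."""
    event = json.loads(raw_json)

    # grep: anchored check so that only an all-digit value passes
    # (the page's "\d+" pattern is unanchored).
    if not re.fullmatch(r"\d+", str(event.get("EventReceivedTime", ""))):
        return None

    # mutate lowercase
    for field in LOWERCASE:
        if isinstance(event.get(field), str):
            event[field] = event[field].lower()

    # mutate rename: Hostname -> @source_host (1.1-era reserved field name)
    if "Hostname" in event:
        event["@source_host"] = event.pop("Hostname")

    # date: EventReceivedTime is UNIX seconds in UTC -> @timestamp
    ts = datetime.fromtimestamp(int(event["EventReceivedTime"]), tz=timezone.utc)
    event["@timestamp"] = ts.strftime("%Y-%m-%dT%H:%M:%S.000Z")

    # mutate rename: the bulk renames into eventlog_* names
    for old, new in RENAMES:
        if old in event:
            event[new] = event.pop(old)

    # mutate remove: redundant fields
    for field in REMOVE:
        event.pop(field, None)
    return event


def to_current_schema(event):
    """Hypothetical helper: map the 1.1-era @-prefixed fields onto the later
    schema where only @timestamp and @version are reserved."""
    out = dict(event)
    out.setdefault("@version", "1")
    if "@source_host" in out:
        out["host"] = out.pop("@source_host")
    if "@message" in out:
        out["message"] = out.pop("@message")
    return out


if __name__ == "__main__":
    filtered = apply_eventlog_filters(SAMPLE_EVENT)
    print(json.dumps(to_current_schema(filtered), indent=2, sort_keys=True))
    print("invalid event dropped:", apply_eventlog_filters(INVALID_EVENT) is None)
```

Running it prints the filtered event with `host`, `message`, `@timestamp` and the `eventlog_*` fields, and confirms that the non-numeric timestamp is dropped rather than silently passed to the date stage.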