Filebeat 7.3.0 not parsing multiline json
I started using the SIEM features with ELK 7.3.0. I now need to integrate Cloudflare logs in JSON format. I am fairly sure filebeat can do this.
I have installed the filebeat rpm package on my CentOS 7 server.
What I have done so far...
Elastic port changed to: 1300
Logstash port changed to: 2300
Kibana port changed to: 3300
filebeat.yml is as follows
filebeat.config.inputs:
  enabled: true
  path: configs/*.yml
  reload.enabled: true
  reload.period: 10s
setup.kibana:
  host: "10.139.111.216:3300"
output.elasticsearch:
  hosts: ["10.139.111.216:1300"]
I have placed my config in the /etc/filebeat/modules.d/cloudflare-FW.conf directory, because, as I set up in filebeat.yml, any configuration change should then be reloaded.
cloudflare-FW.conf
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/crons/logs/*.json
  multiline.pattern: '^{'
  multiline.negate: true
  multiline.match: after
  processors:
  - decode_json_fields:
      fields: ['message']
      target: json
output.elasticsearch:
  hosts: ["10.136.111.216:1300"]
  index: "cloudflare-FW-%{+yyyy.MM.dd}"
setup.template.enabled: true
setup.template.name: "cloudflare-FW"
setup.template.pattern: "cloudflare-FW-*"
Here is the target json file I want to parse
{
  "ray_id": "501dxxxxxxxx0ce1b",
  "kind": "firewall",
  "source": "bic",
  "action": "drop",
  "rule_id": "bic",
  "ip": "161.00.6.8",
  "ip_class": "noRecord",
  "country": "GB",
  "colo": "LHR",
  "host": "site.com",
  "method": "POST",
  "proto": "HTTP/1.1",
  "scheme": "https",
  "ua": "Jakarta Commons-HttpClient/3.1",
  "uri": "/nxxxxxxx/senxxxxxxxxail.php",
  "matches": [
    {
      "rule_id": "bic",
      "source": "bic",
      "action": "drop"
    }
  ],
  "occurred_at": "2019-08-06T03:28:57Z"
},
{
  "ray_id": "501dxxxxxxxxxx6ce27",
  "kind": "firewall",
  "source": "bic",
  "action": "drop",
  "rule_id": "bic",
  "ip": "161.61.6.8",
  "ip_class": "noRecord",
  "country": "GB",
  "colo": "LHR",
  "host": "site.com",
  "method": "POST",
  "proto": "HTTP/1.1",
  "scheme": "https",
  "ua": "Jakarta Commons-HttpClient/3.1",
  "uri": "/nxxxxxxx/senxxxxxxxxail.php",
  "matches": [
    {
      "rule_id": "bic",
      "source": "bic",
      "action": "drop"
    }
  ],
  "occurred_at": "2019-08-06T03:02:52Z"
}
When I run filebeat -e it should create an index named cloudflare-FW-%{+yyyy.MM.dd} and should ingest the data from the json file into that index. In the end the JSON keys should be queryable fields.
But this is not happening. Any help is greatly appreciated. Please keep in mind this is filebeat 7.3.0.
Thanks
I have placed my config in /etc/filebeat/modules.d/cloudflare-FW.conf directory
In your filebeat.yml you specified a completely different path:
filebeat.config.inputs:
  enabled: true
  path: "configs/*.yml" <--
  reload.enabled: true
  reload.period: 10s
It looks to me like your config is not even being loaded, because it is in the wrong place.
Also note the file extension you specified (*.yml).
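The following is an added example, not code from the question, the answer, or Filebeat itself. It checks the two points the answer raises (the reload glob in filebeat.config.inputs.path versus where the file actually sits, and its extension) and then emulates what the poster's multiline settings and decode_json_fields would do to the sample file. Assumptions, labelled in the code: a relative reload glob is resolved against the Filebeat configuration directory, which for the rpm package is /etc/filebeat; the multiline grouping is a simplified re-implementation of the documented pattern/negate/match=after semantics, not Filebeat's own reader; the sample log is a trimmed copy of the poster's two objects.

```python
import fnmatch
import json
import re
from pathlib import PurePosixPath

# Assumption: the rpm package's configuration directory (path.config).
FILEBEAT_CONFIG_DIR = "/etc/filebeat"

# Constructed sample: a trimmed copy of the poster's file, kept pretty-printed so
# the nested "{" of "matches" is indented and the top-level "{" is not.
SAMPLE_LOG = """\
{
  "ray_id": "501dxxxxxxxx0ce1b",
  "kind": "firewall",
  "action": "drop",
  "ip": "161.00.6.8",
  "matches": [
    {
      "rule_id": "bic",
      "action": "drop"
    }
  ],
  "occurred_at": "2019-08-06T03:28:57Z"
},
{
  "ray_id": "501dxxxxxxxxxx6ce27",
  "kind": "firewall",
  "action": "drop",
  "ip": "161.61.6.8",
  "matches": [
    {
      "rule_id": "bic",
      "action": "drop"
    }
  ],
  "occurred_at": "2019-08-06T03:02:52Z"
}
"""


def reload_glob_check(glob_pattern, candidate, config_dir=FILEBEAT_CONFIG_DIR):
    """Report whether `candidate` would be picked up by the reload glob.

    Assumption: a relative glob in filebeat.config.inputs.path is resolved
    against the configuration directory. Returns (ok, list_of_reasons).
    """
    pattern = PurePosixPath(glob_pattern)
    if not pattern.is_absolute():
        pattern = PurePosixPath(config_dir) / pattern
    cand = PurePosixPath(candidate)
    reasons = []
    if cand.parent != pattern.parent:
        reasons.append(f"directory: glob looks in {pattern.parent}, file is in {cand.parent}")
    if not fnmatch.fnmatchcase(cand.name, pattern.name):
        reasons.append(f"name: glob wants {pattern.name}, file is {cand.name}")
    return (not reasons), reasons


def multiline_group(lines, pattern, negate, match="after"):
    """Simplified emulation of multiline with match=after.

    negate=false: lines matching `pattern` are appended to the previous event.
    negate=true:  lines NOT matching `pattern` are appended to the previous event.
    """
    if match != "after":
        raise ValueError("only match=after is emulated here")
    rx = re.compile(pattern)
    events, current = [], []
    for line in lines:
        continuation = bool(rx.search(line)) != negate  # negate flips the test
        if continuation and current:
            current.append(line)
        else:
            if current:
                events.append("\n".join(current))
            current = [line]
    if current:
        events.append("\n".join(current))
    return events


def decode_json_field(text):
    """Strict decode of one event's message, the way decode_json_fields needs it.

    Returns (True, object) or (False, error description)."""
    try:
        return True, json.loads(text)
    except json.JSONDecodeError as exc:
        return False, f"{exc.msg} at line {exc.lineno}"


def leading_object_and_rest(text):
    """Lenient view: the first JSON value in the text and whatever trails it."""
    obj, end = json.JSONDecoder().raw_decode(text)
    return obj, text[end:]


def analyse_sample():
    """Apply the poster's multiline settings, then decode each event."""
    events = multiline_group(SAMPLE_LOG.splitlines(), r"^{", negate=True)
    return [decode_json_field(event) for event in events]


if __name__ == "__main__":
    print(reload_glob_check("configs/*.yml", "/etc/filebeat/modules.d/cloudflare-FW.conf"))
    for ok, payload in analyse_sample():
        print("decoded" if ok else "failed", payload if not ok else payload["ray_id"])
```

Running the path check on the poster's values reports both a directory mismatch (configs versus modules.d) and a name mismatch (*.yml versus .conf), which is the answer's point. The emulation then shows a second, separate problem that the answer does not cover: with `^{` as the start-of-event pattern, the first event ends with `},` because the objects in the file are comma-separated without an enclosing array, so a strict JSON decode of that event fails while the last object decodes fine. One object per line (newline-delimited JSON) avoids both the multiline configuration and the trailing-comma issue.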