logstash geoip not working for IPv4
I am using logstash [version 2.2] to index syslogs into elasticsearch, and I am also using geoip to get the source and destination addresses, but on some logs geoip does not seem to work.
**config file:**

```
input {
  # TCP and UDP listeners on the same port, both tagged as syslog
  tcp {
    type => syslog
    port => 8001
  }
  udp {
    type => syslog
    port => 8001
  }
}
filter {
  if [type] == "syslog" {
    grok {
      match => {
        "message" => "\<%{NUMBER:number}\>%{timestamp:timestamp} %{WORD:logType}: %{NUMBER:ruleNumber},%{NUMBER:subRuleNumber}%{DATA}%{NUMBER:tracker},%{WORD:realinterface},%{WORD:reasonForTheLogEntry},%{WORD:actionTakenThatResultedInTheLogEntry},%{WORD:directionOfTheTraffic},%{NUMBER:IPversion},%{DATA:class},%{DATA:flowLabel},%{NUMBER:hopLimit},%{WORD:protocol},%{NUMBER:protocolID},%{NUMBER:length},%{IPV6:srcIP},%{IPV6:destIP},%{NUMBER:srcPort},%{NUMBER:destPort},%{NUMBER:dataLength}"
      }
      add_field => { "event" => "name" }
    }
  }
  # one geoip lookup per extracted address field
  geoip {
    source => "srcIP"
    target => "geoSrc"
  }
  geoip {
    source => "destIP"
    target => "geoDest"
  }
  geoip {
    source => "icmpDetinationIP"
    target => "icmpDest"
  }
}
output {
  csv {
    fields => "message"
    path => "/data/streamed-logs/%{[host]}-%{+YYYY-MM-dd}.log"
  }
  stdout {
    codec => "rubydebug"
  }
  elasticsearch {
    hosts => "address"
  }
}
```
**address having problem with geoIP:**
I cannot get geoIP for addresses in this format: e80::c0d3:531b:f0cf:f546

You need to use the IPV6 grok pattern instead of IPV4:
```
grok {
  match => {
    "message" => "...%{IPV6:srcIP},%{IPV6:destIP},%{IPV6:icmpDetinationIP}..."
                     ^              ^              ^
                     |              |              |
                    here           here        and here
  }
}
```
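As an added example (not part of the question or the answer), the following Python script models the two independent reasons geoip output goes missing for lines of this shape. With `%{IPV6:...}` for both endpoints, an IPv4 line never matches the grok pattern at all, so `srcIP`/`destIP` are never created and geoip has nothing to look up. And even when grok does match, addresses in the link-local (`fe80::/10`), unique-local/private, loopback or multicast ranges have no geolocation, so the lookup fails regardless of the pattern. The sample lines, the `firewall:` log type and the field layout are constructed for the example; they follow the comma-separated shape the question's pattern expects but are not taken from a real device.

```python
"""Added example: why geoip can be empty for the log shape in the question.
Two causes are modelled:
 1. the grok pattern only accepts IPv6 (%{IPV6:...}), so IPv4 lines never
    produce srcIP/destIP and geoip has nothing to look up;
 2. link-local, private, loopback and multicast addresses have no geolocation,
    so geoip fails on them even when grok matched.
All sample lines and addresses below are constructed."""
import ipaddress

# Constructed sample lines in the comma-separated shape the question's grok
# pattern expects; the "firewall" logType and field layout are assumptions.
SAMPLE_LINES = [
    "<134>Mar  1 10:00:00 firewall: 5,16777216,,1000000103,em0,match,block,in,6,0x00,0x00000,64,UDP,17,40,fe80::c0d3:531b:f0cf:f546,ff02::1,546,547,0",
    "<134>Mar  1 10:00:01 firewall: 5,16777216,,1000000103,em0,match,pass,in,4,0x00,0x00000,64,TCP,6,40,8.8.8.8,10.0.0.5,443,51000,0",
    "<134>Mar  1 10:00:02 firewall: 5,16777216,,1000000103,em0,match,pass,out,6,0x00,0x00000,64,TCP,6,40,2001:4860:4860::8888,fd00::10,443,51001,0",
]


def extract_addresses(line):
    """Return every comma-separated field that parses as an IP address, in order.
    This is family-agnostic, like grok's %{IP} (an alternation of IPV6 and IPV4)."""
    _, _, body = line.partition(": ")
    found = []
    for token in body.split(","):
        try:
            found.append(ipaddress.ip_address(token.strip()))
        except ValueError:
            continue  # numbers, hex flags, interface names, empty fields
    return found


def ipv6_only_grok_matches(line):
    """Model the question's pattern: it uses %{IPV6:srcIP},%{IPV6:destIP}, so the
    whole match fails (_grokparsefailure) unless both endpoints are IPv6."""
    addrs = extract_addresses(line)
    return len(addrs) == 2 and all(a.version == 6 for a in addrs)


def geoip_status(addr):
    """Classify an address the way a GeoIP lookup sees it: only globally routable
    addresses can resolve; every other range is a guaranteed lookup failure."""
    if addr.is_loopback:
        return "loopback"
    if addr.is_link_local:
        return "link_local"
    if addr.is_multicast:
        return "multicast"
    if addr.is_private:
        return "private"
    if addr.is_global:
        return "lookup_ok"
    return "reserved"


def diagnose(line):
    """For one line: would the question's grok match, and what would a geoip
    lookup on each endpoint do?"""
    return {
        "grok_ipv6_only_matches": ipv6_only_grok_matches(line),
        "geoip": [(str(a), geoip_status(a)) for a in extract_addresses(line)],
    }


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(diagnose(sample))
```

On the Logstash side the family-agnostic equivalent of `extract_addresses` is the built-in `%{IP}` pattern, which is defined as an alternation of `IPV6` and `IPV4`, so `%{IP:srcIP},%{IP:destIP}` accepts lines of either family where `%{IPV6:...}` accepts only one. The second failure mode cannot be fixed by any pattern: a link-local or private address simply has no entry in the GeoIP database, and newer versions of the geoip filter mark such events with a `_geoip_lookup_failure` tag, which is the first thing to check when geoip fields are missing only on some events.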