ELK - Logstash exclude host
This is my first time using the ELK stack. I am trying to filter out some hosts with the Logstash (v7.11) drop function, but I am obviously doing something wrong, because although I have tried the variables ip, hostname and type, they all seem to be ignored anyway.

Currently the JSON looks like this:
{
  "_index": "syslog-2021.02",
  "_type": "_doc",
  "_id": "w83syncB6OFB5F4c_Fkq",
  "_version": 1,
  "_score": null,
  "_source": {
    "host": {
      "id": "2d716776-19df-4dfe-8022-497a1539bb58",
      "name": "DOM1.contoso.com",
      "hostname": "DOM1",
      "architecture": "x86_64",
      "ip": [
        "fe80::247b:aa07:b20:a19",
        "192.168.1.100"
      ],
      "mac": [
        "00:18:3a:4f:5d:4b"
      ],
      "os": {
        "kernel": "10.0.17763.1577 (WinBuild.160101.0800)",
        "name": "Windows Server 2019 Standard",
        "version": "10.0",
        "platform": "windows",
        "build": "17763.1577",
        "family": "windows"
      }
    },
    "log": {
      "level": "information"
    },
    "tags": [
      "beats_input_codec_plain_applied"
    ],
    "agent": {
      "version": "7.11.1",
      "id": "0cf7eacf-d605-46d4-a9cb-b0f7b5991c97",
      "hostname": "DOM1",
      "ephemeral_id": "f702e826-9c20-4140-8a0b-5ba6a5c46050",
      "name": "DOM1",
      "type": "winlogbeat"
    },
    "ecs": {
      "version": "1.7.0"
    },
    "winlog": {
      "record_id": 144825686,
      "keywords": [
        "Audit Success"
      ],
      "channel": "Security",
      "api": "wineventlog",
      "provider_name": "Microsoft-Windows-Security-Auditing",
      "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
      "opcode": "Info",
      "event_id": 4634,
      "computer_name": "DOM1.contoso.com",
      "task": "Logoff",
      "process": {
        "thread": {
          "id": 2664
        },
        "pid": 956
      },
      "event_data": {
        "LogonType": "3",
        "TargetUserName": "testuser",
        "TargetDomainName": "CONTOSO",
        "TargetLogonId": "0x5016a75e",
        "TargetUserSid": "S-1-5-21-1960408961-362288127-682003330-2659"
      }
    },
    "event": {
      "code": 4634,
      "action": "Logoff",
      "provider": "Microsoft-Windows-Security-Auditing",
      "created": "2021-02-22T18:07:41.305Z",
      "kind": "event",
      "outcome": "success"
    },
    "message": "An account was logged off.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-196040961-865488157-6821234550-3259\n\tAccount Name:\t\ttestuser\n\tAccount Domain:\t\tCONTOSO\n\tLogon ID:\t\t0x5016A75E\n\nLogon Type:\t\t\t3\n\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.",
    "@version": "1",
    "@timestamp": "2021-02-22T18:07:39.812Z"
  },
  "fields": {
    "@timestamp": [
      "2021-02-22T18:07:39.812Z"
    ],
    "event.created": [
      "2021-02-22T18:07:41.305Z"
    ]
  },
  "sort": [
    1614017259812
  ]
}
The config file looks like this:
input {
  tcp {
    port => 514
    type => syslog
  }
  udp {
    port => 514
    type => syslog
  }
}
filter {
  if [type] == "winlogbeat" {
    drop { }
  }
  if [hostname] == "DOM1" {
    drop { }
  }
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    date {
      match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}
output {
  elasticsearch {
    hosts => ["localhost:9200"]
    index => "syslog-%{+YYYY.MM}"
  }
  stdout {
    codec => rubydebug
  }
}
There is no field named type or hostname in your document, which is why your conditions are not working. You have a field named agent.hostname with the value DOM1, another field named host.hostname with the same value, and a field named agent.type with the value winlogbeat; you need to use one of these fields in your condition.

The following condition should work.
if [agent][hostname] == "DOM1" {
  drop {}
}
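As an added example, not code from the question or the answer: a small Python model of how Logstash resolves a field reference and evaluates an `if` condition, run over a trimmed copy of the document above plus a constructed syslog event. It shows why `[type]` and `[hostname]` never match the winlogbeat document (they only look at top-level keys), while `[agent][type]`, `[agent][hostname]` and the array test `"192.168.1.100" in [host][ip]` do. The syslog event, its `host` value and the helper names are assumptions for illustration.

```python
import re
from typing import Any, Optional

# Constructed sample events: a trimmed copy of the winlogbeat document from the
# question and a made-up syslog line as the tcp/udp inputs would deliver it.
WINLOGBEAT_EVENT = {
    "host": {
        "hostname": "DOM1",
        "name": "DOM1.contoso.com",
        "ip": ["fe80::247b:aa07:b20:a19", "192.168.1.100"],
    },
    "agent": {"hostname": "DOM1", "name": "DOM1", "type": "winlogbeat"},
    "winlog": {"channel": "Security", "event_id": 4634},
    "message": "An account was logged off.",
}
SYSLOG_EVENT = {
    "type": "syslog",        # added by `type => syslog` on the tcp/udp inputs
    "host": "192.168.1.50",  # assumption: the input stores the peer address as a string
    "message": "Feb 22 18:07:39 web01 sshd[1234]: Accepted publickey for alice",
}

FIELD_REF = re.compile(r"\[([^\[\]]+)\]")


def get_field(event: dict, ref: str) -> Optional[Any]:
    """Resolve a Logstash field reference such as "[agent][hostname]".

    "[hostname]" (or a bare "hostname") names a top-level key only; nested
    objects are never searched, so on a Beats document that carries the name
    under host.hostname / agent.hostname the lookup yields nothing.
    """
    parts = FIELD_REF.findall(ref) or [ref]
    cur: Any = event
    for part in parts:
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches(event: dict, ref: str, value: str, op: str = "==") -> bool:
    """Evaluate `if [ref] == "value"` or `if "value" in [ref]` the way a
    Logstash conditional does: a missing field simply makes the test false."""
    actual = get_field(event, ref)
    if actual is None:
        return False
    if op == "==":
        return actual == value
    if op == "in":  # membership in an array field, or substring of a string field
        return value in actual if isinstance(actual, (list, str)) else False
    raise ValueError(f"unsupported operator {op!r}")


def should_drop(event: dict, rules) -> bool:
    """True if any (ref, value, op) rule matches, i.e. a `drop {}` would fire."""
    return any(matches(event, ref, value, op) for ref, value, op in rules)


def run_filter(events, rules) -> list:
    """Return the events that survive the drop rules, in order."""
    return [e for e in events if not should_drop(e, rules)]


# The two conditions from the question's config: neither field exists at the
# top level of the winlogbeat document, so both are always false.
BROKEN_RULES = [
    ("[type]", "winlogbeat", "=="),
    ("[hostname]", "DOM1", "=="),
]
# Conditions written against fields the document actually has; the `in`
# form is how an array such as host.ip is tested.
FIXED_RULES = [
    ("[agent][type]", "winlogbeat", "=="),
    ("[agent][hostname]", "DOM1", "=="),
    ("[host][ip]", "192.168.1.100", "in"),
]

if __name__ == "__main__":
    events = [WINLOGBEAT_EVENT, SYSLOG_EVENT]
    for label, rules in (("broken", BROKEN_RULES), ("fixed", FIXED_RULES)):
        kept = run_filter(events, rules)
        print(f"{label:6s} rules keep {len(kept)} of {len(events)} events:",
              [e["message"][:30] for e in kept])
```

Two practical caveats. First, host.hostname and agent.hostname are whatever the agent reports, so a drop keyed on them removes every event that claims that name; use it to trim noise from a known sender, not as a security control. Second, the events being discarded in this thread are Security-channel audit records (event 4634 in the sample), which is usually the last data you want a pipeline to drop silently, so confirm with the rubydebug stdout output which events the condition removes before relying on it.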