How do I parse captured data with logstash?
Problem description:
I have an ELK stack used with Cyberoam, and I want to parse this message with logstash. Could you please help me: how do I parse the captured data with logstash?
"<30>date=2017-02-19 time=21:59:15 timezone=\"IST\" device_name=\"CR200iNG\" device_id=C20313272882-BQ2EUG log_id=010302602002 log_type=\"Firewall\" log_component=\"Appliance Access\" log_subtype=\"Denied\" status=\"Deny\" priority=Information duration=0 fw_rule_id=0 user_name=\"\" user_gp=\"\" iap=0 ips_policy_id=0 appfilter_policy_id=0 application=\"\" application_risk=0 application_technology=\"\" application_category=\"\" in_interface=\"PortF\" out_interface=\"\" src_mac=dd:dd:dd:02:1c:e4 src_ip=192.168.200.9 src_country_code= dst_ip=255.255.255.255 dst_country_code= protocol=\"UDP\" src_port=32771 dst_port=7423 sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype=\"\" srczone=\"\" dstzonetype=\"\" dstzone=\"\" dir_disp=\"\" connid=\"\" vconnid=\"\"",
To be explicit:
date=2017-02-19
time=21:59:15
timezone=\"IST\"
device_name=\"CR200iNG\"
device_id=C20313272882-BQ2EUG
log_id=010302602002
log_type=\"Firewall\"
log_component=\"Appliance Access\"
log_subtype=\"Denied\"
status=\"Deny\" priority=Information duration=0
fw_rule_id=0
user_name=\"\"
user_gp=\"\"
iap=0
ips_policy_id=0
appfilter_policy_id=0
application=\"\"
application_risk=0
application_technology=\"\"
application_category=\"\"
in_interface=\"PortF\"
out_interface=\"\"
src_mac=c4:04:15:02:1c:e4
src_ip=192.168.200.9
src_country_code=
dst_ip=255.255.255.255
dst_country_code=
protocol=\"UDP\"
src_port=32771
dst_port=7423
sent_pkts=0
recv_pkts=0
sent_bytes=0
recv_bytes=0
tran_src_ip=
tran_src_port=0
tran_dst_ip=
tran_dst_port=0
srczonetype=\"\"
srczone=\"\"
dstzonetype=\"\"
dstzone=\"\"
dir_disp=\"\"
connid=\"\"
vconnid=\"\""
And could you also tell me how to parse captured packets with logstash, because Cyberoam is able to capture packets on the network and send that data to logstash, but logstash is not displaying it in Kibana.
Regards
Answer
Looking at the format of the data here, it looks like the kv filter is the best fit.
    filter {
      kv {
        source => "message"
        add_tag => [ 'cyberoam' ]
      }
    }
The kv filter will separate out key1=value key2=value sets in a string and turn them into fields. This looks like a good fit for you. Keys you know you don't want included can be left out with exclude_keys => [ 'key1', 'key2' ]
I use the following: kv { source => "syslog_message" } mutate { replace => [ "type", "%{syslog_program}" ] remove_field => [ "syslog_message", "syslog_timestamp" ] gsub => ['message','=','=''''] } – user136591
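As an added illustration (not code from the question, the answer or the Logstash project), here is a small Python parser that splits the question's Cyberoam line into fields the way the answer describes the kv filter doing it with its default space and = separators: quoted values stay whole (so log_component keeps "Appliance Access"), empty values such as src_country_code= become empty fields, the <30> syslog priority prefix is skipped because it is not a key=value pair, and an exclude_keys list drops unwanted keys. The regex, the convert_ints helper and its INT_FIELDS list are assumptions of this example, chosen to mirror a mutate { convert } step; the sample line is the one quoted in the question.

```python
import re
from typing import Dict, Iterable

# Sample input: the Cyberoam syslog line from the question, copied verbatim.
SAMPLE = (
    '<30>date=2017-02-19 time=21:59:15 timezone="IST" device_name="CR200iNG" '
    'device_id=C20313272882-BQ2EUG log_id=010302602002 log_type="Firewall" '
    'log_component="Appliance Access" log_subtype="Denied" status="Deny" '
    'priority=Information duration=0 fw_rule_id=0 user_name="" user_gp="" '
    'iap=0 ips_policy_id=0 appfilter_policy_id=0 application="" '
    'application_risk=0 application_technology="" application_category="" '
    'in_interface="PortF" out_interface="" src_mac=dd:dd:dd:02:1c:e4 '
    'src_ip=192.168.200.9 src_country_code= dst_ip=255.255.255.255 '
    'dst_country_code= protocol="UDP" src_port=32771 dst_port=7423 '
    'sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= '
    'tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="" srczone="" '
    'dstzonetype="" dstzone="" dir_disp="" connid="" vconnid=""'
)

# One key=value pair (assumed approximation of the kv filter's defaults):
# the value is either a double-quoted string, which may contain spaces or be
# empty, or a run of non-space characters, which may also be empty as in
# src_country_code=. Anything that is not key=value, such as the <30>
# priority prefix, is skipped.
PAIR_RE = re.compile(
    r'(?P<key>[A-Za-z_][A-Za-z0-9_]*)=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S*))'
)


def kv_parse(message: str, exclude_keys: Iterable[str] = ()) -> Dict[str, str]:
    """Split key=value pairs out of a message into a dict of fields, keeping
    quoted values whole and dropping any key listed in exclude_keys."""
    excluded = set(exclude_keys)
    fields: Dict[str, str] = {}
    for m in PAIR_RE.finditer(message):
        key = m.group("key")
        if key in excluded:
            continue
        quoted = m.group("quoted")
        fields[key] = quoted if quoted is not None else m.group("bare")
    return fields


# Hypothetical choice of fields to store as numbers rather than strings,
# the equivalent of a mutate { convert => { ... } } step in Logstash.
INT_FIELDS = ("src_port", "dst_port", "sent_pkts", "recv_pkts",
              "sent_bytes", "recv_bytes", "duration", "fw_rule_id")


def convert_ints(fields: Dict[str, str]) -> Dict[str, object]:
    """Cast port and counter fields to int so they can be sorted and
    range-queried numerically; non-numeric values are left untouched."""
    out: Dict[str, object] = dict(fields)
    for name in INT_FIELDS:
        value = fields.get(name)
        if value is not None and value.isdigit():
            out[name] = int(value)
    return out


if __name__ == "__main__":
    event = convert_ints(kv_parse(SAMPLE, exclude_keys=["dir_disp", "connid", "vconnid"]))
    for name, value in event.items():
        print(f"{name} = {value!r}")
```

Running the block prints each extracted field on its own line; the integer conversion matters because ports and byte counters indexed as strings compare lexicographically, so a Kibana range query on them gives wrong results until they are typed as numbers.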