ELK LDAP日志过滤-Java 学习之路

两件事：我们的日志看起来像这样 -
May 11 06:51:31 ldap slapd[6694]: conn=1574001 op=1 SRCH base="cn=s_02,ou=users,o=meta" scope=0 deref=0 filter="(...)"

我需要1）拿出时间戳并将其设置在Kibana的左栏"time" 's discover panel and 2) take the number after connection and make it a field so as to be able to order them by number. I'花了一整天研究和日期和变异似乎很有希望，但我无法正确实施它们 .

配置文件如下所示：

input {
   file {
      path => "/Desktop/logs/*.log"
      type => "log"
      sincedb_path => "/dev/null"
   }
}

output {

  elasticsearch {
    hosts => "127.0.0.1"
    index => "logstash-%{type}-%{+YYYY.MM.dd}"
  }

  file {
    path => "/home/logsOut/%{type}.%{+yyyy.MM.dd.HH.mm}"
  }
}

1 回答

如果你只需要这两个作为单独的字段：

filter {
    grok {
        match => { 
            "message" => [ "%{SYSLOGBASE} conn=%{INT:conn}" ]
        }
    }

    date {
        match => [ "timestamp", "MMM dd HH:mm:ss" ]
        target => "time"
    }

    mutate {
        convert => { "conn" => "integer" }
    }
}

回复于 2024-05-05T02:17:32+08:00

ELK LDAP日志过滤

1 回答

相关问题