我有以下json輸入,我想轉儲到logstash(最終在elasticsearch/kibana中搜索/儀表板)。輸入json到logstash - config的問題?
{"vulnerabilities":[
{"ip":"10.1.1.1","dns":"z.acme.com","vid":"12345"},
{"ip":"10.1.1.2","dns":"y.acme.com","vid":"12345"},
{"ip":"10.1.1.3","dns":"x.acme.com","vid":"12345"}
]}
我使用
input {
file {
path => "/tmp/logdump/*"
type => "assets"
codec => "json"
}
}
output {
stdout { codec => rubydebug }
elasticsearch { host => localhost }
}
輸出
{
"message" => "{\"vulnerabilities\":[\r",
"@version" => "1",
"@timestamp" => "2014-10-30T23:41:19.788Z",
"type" => "assets",
"host" => "av12612sn00-pn9",
"path" => "/tmp/logdump/stack3.json"
}
{
"message" => "{\"ip\":\"10.1.1.30\",\"dns\":\"z.acme.com\",\"vid\":\"12345\"},\r",
"@version" => "1",
"@timestamp" => "2014-10-30T23:41:19.838Z",
"type" => "assets",
"host" => "av12612sn00-pn9",
"path" => "/tmp/logdump/stack3.json"
}
{
"message" => "{\"ip\":\"10.1.1.31\",\"dns\":\"y.acme.com\",\"vid\":\"12345\"},\r",
"@version" => "1",
"@timestamp" => "2014-10-30T23:41:19.870Z",
"type" => "shellshock",
"host" => "av1261wag2sn00-pn9",
"path" => "/tmp/logdump/stack3.json"
}
{
"ip" => "10.1.1.32",
"dns" => "x.acme.com",
"vid" => "12345",
"@version" => "1",
"@timestamp" => "2014-10-30T23:41:19.884Z",
"type" => "assets",
"host" => "av12612sn00-pn9",
"path" => "/tmp/logdump/stack3.json"
}
明顯logstash正在處理的每一行作爲一個事件和其認爲{"vulnerabilities":[
以下logstash配置是一個事件,我猜測2個後續節點上的尾隨逗號會搞亂解析,並且最後一個節點看起來是正確的。我如何告訴logstash解析漏洞數組內的事件並忽略行尾的逗號?
更新:2014-11-05 根據Magnus的建議,我添加了json過濾器,它的工作完美。但是,如果沒有在文件輸入塊中指定start_position => "beginning"
,它不會正確解析json的最後一行。任何想法爲什麼不呢?我知道它會默認解析自下而上,但是會預期mutate/gsub能夠順利處理這個問題嗎?
file {
path => "/tmp/logdump/*"
type => "assets"
start_position => "beginning"
}
}
filter {
if [message] =~ /^\[?{"ip":/ {
mutate {
gsub => [
"message", "^\[{", "{",
"message", "},?\]?$", "}"
]
}
json {
source => "message"
remove_field => ["message"]
}
}
}
output {
stdout { codec => rubydebug }
elasticsearch { host => localhost }
}