elasticsearch - logstash geoip not working with IPv4

Tags: elasticsearch logstash

I am using logstash [version 2.2] to index syslog into elasticsearch, and I am also using geoip to resolve the source and destination addresses, but on some logs geoip does not seem to work.

**config file:** 

```
input {
        tcp {
                type => syslog
                port => 8001
        }
        udp {
                type => syslog
                port => 8001
        }
}

filter {
  if [type] == "syslog" {
     grok {
         match => {
            "message" => "\<%{NUMBER:number}\>%{timestamp:timestamp} %{WORD:logType}: %{NUMBER:ruleNumber},%{NUMBER:subRuleNumber}%{DATA}%{NUMBER:tracker},%{WORD:realinterface},%{WORD:reasonForTheLogEntry},%{WORD:actionTakenThatResultedInTheLogEntry},%{WORD:directionOfTheTraffic},%{NUMBER:IPversion},%{DATA:class},%{DATA:flowLabel},%{NUMBER:hopLimit},%{WORD:protocol},%{NUMBER:protocolID},%{NUMBER:length},%{IPV6:srcIP},%{IPV6:destIP},%{NUMBER:srcPort},%{NUMBER:destPort},%{NUMBER:dataLength}"
                }
       add_field => { "event" => "name" }
     }
  }
  # each geoip filter reads the address grok extracted and writes the lookup result under target
  geoip {
     source => "srcIP"
     target => "geoSrc"
  }
  geoip {
     source => "destIP"
     target => "geoDest"
  }
  geoip {
     source => "icmpDetinationIP"
     target => "icmpDest"
  }
}

output {
    csv {
        fields => "message"
        path => "/data/streamed-logs/%{[host]}-%{+YYYY-MM-dd}.log"
    }
    stdout {
        codec => "rubydebug"
    }
    elasticsearch {
        hosts => "address"
    }
}
```

**Address having problems with geoIP:**

I cannot get geoIP data for addresses in the following format: e80::c0d3:531b:f0cf:f546

Best answer

You need to use the IPV6 grok pattern instead of IPV4:

```
 grok {
     match => {
        "message" => "...%{IPV6:srcIP},%{IPV6:destIP},%{IPV6:icmpDetinationIP}..."
                              ^             ^              ^
                              |             |              |
                            here           here       and here
     }
 }
```
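The two failure modes behind the question, shown as an added Python illustration that is not part of the original question or answer: a grok pattern for the wrong address family extracts no srcIP/destIP at all, and even a correctly extracted link-local address such as fe80::... has no entry in a GeoIP database, so missing geoSrc/geoDest on such events is expected rather than a pipeline fault. The sample lines, the field layout and the function names are constructed for this example.

```python
import ipaddress

# Constructed sample lines (not from the original post) in the comma-separated
# layout the question's grok pattern expects: ...,length,srcIP,destIP,srcPort,destPort,dataLength
SAMPLE_LINES = [
    "<134>Feb 19 10:00:00 filterlog: 5,16777216,,1000000103,em0,match,block,in,"
    "6,0x00,0x00000,64,udp,17,48,fe80::c0d3:531b:f0cf:f546,ff02::1:2,546,547,40",
    "<134>Feb 19 10:00:01 filterlog: 5,16777216,,1000000103,em0,match,pass,in,"
    "4,0x0,,64,tcp,6,60,203.0.113.10,192.0.2.20,51515,443,0",
]

def extract_addresses(line, pattern):
    """Mimic a %{IPV4:srcIP},%{IPV4:destIP} (or IPV6) grok pair: a pattern for
    the wrong address family matches nothing, so geoip has no field to read."""
    want = 4 if pattern == "IPV4" else 6
    found = []
    for field in line.split(","):
        try:
            ip = ipaddress.ip_address(field)
        except ValueError:
            continue  # ports, counters, interface names: not addresses
        if ip.version == want:
            found.append(str(ip))
    return (found[0], found[1]) if len(found) >= 2 else None

def geoip_skip_reason(ip_text):
    """Why a GeoIP lookup yields nothing for this address, or None if it can.
    GeoIP data covers globally routed space only, so link-local (fe80::/10),
    multicast and private/reserved addresses give no geoSrc/geoDest even when
    grok extracted them. Link-local is tested first: is_private also covers it."""
    ip = ipaddress.ip_address(ip_text)
    if ip.is_link_local:
        return "link-local"
    if ip.is_multicast:
        return "multicast"
    if ip.is_private:
        return "private or reserved"
    return None

def simulate(lines, pattern):
    """grok extraction followed by the geoip expectation, one dict per line."""
    events = []
    for line in lines:
        pair = extract_addresses(line, pattern)
        if pair is None:
            events.append({"grok_matched": False})
        else:
            events.append({"grok_matched": True, "srcIP": pair[0], "destIP": pair[1],
                           "geoSrc_skip": geoip_skip_reason(pair[0]),
                           "geoDest_skip": geoip_skip_reason(pair[1])})
    return events
```

Running `simulate(SAMPLE_LINES, "IPV6")` matches only the first line and flags both of its addresses as non-resolvable, which is the combination the question describes.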

Regarding "elasticsearch - logstash geoip not working with IPv4", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/35497807/
