我有以下json输入,我想转储到logstash(最终在elasticsearch/kibana中搜索/仪表板)。输入json到logstash - config的问题?
{"vulnerabilities":[
{"ip":"10.1.1.1","dns":"z.acme.com","vid":"12345"},
{"ip":"10.1.1.2","dns":"y.acme.com","vid":"12345"},
{"ip":"10.1.1.3","dns":"x.acme.com","vid":"12345"}
]}
我使用
input {
file {
path => "/tmp/logdump/*"
type => "assets"
codec => "json"
}
}
output {
stdout { codec => rubydebug }
elasticsearch { host => localhost }
}
输出
{
"message" => "{\"vulnerabilities\":[\r",
"@version" => "1",
"@timestamp" => "2014-10-30T23:41:19.788Z",
"type" => "assets",
"host" => "av12612sn00-pn9",
"path" => "/tmp/logdump/stack3.json"
}
{
"message" => "{\"ip\":\"10.1.1.30\",\"dns\":\"z.acme.com\",\"vid\":\"12345\"},\r",
"@version" => "1",
"@timestamp" => "2014-10-30T23:41:19.838Z",
"type" => "assets",
"host" => "av12612sn00-pn9",
"path" => "/tmp/logdump/stack3.json"
}
{
"message" => "{\"ip\":\"10.1.1.31\",\"dns\":\"y.acme.com\",\"vid\":\"12345\"},\r",
"@version" => "1",
"@timestamp" => "2014-10-30T23:41:19.870Z",
"type" => "shellshock",
"host" => "av1261wag2sn00-pn9",
"path" => "/tmp/logdump/stack3.json"
}
{
"ip" => "10.1.1.32",
"dns" => "x.acme.com",
"vid" => "12345",
"@version" => "1",
"@timestamp" => "2014-10-30T23:41:19.884Z",
"type" => "assets",
"host" => "av12612sn00-pn9",
"path" => "/tmp/logdump/stack3.json"
}
明显logstash正在处理的每一行作为一个事件和其认为{"vulnerabilities":[
以下logstash配置是一个事件,我猜测2个后续节点上的尾随逗号会搞乱解析,并且最后一个节点看起来是正确的。我如何告诉logstash解析漏洞数组内的事件并忽略行尾的逗号?
更新:2014-11-05 根据Magnus的建议,我添加了json过滤器,它的工作完美。但是,如果没有在文件输入块中指定start_position => "beginning"
,它不会正确解析json的最后一行。任何想法为什么不呢?我知道它会默认解析自下而上,但是会预期mutate/gsub能够顺利处理这个问题吗?
file {
path => "/tmp/logdump/*"
type => "assets"
start_position => "beginning"
}
}
filter {
if [message] =~ /^\[?{"ip":/ {
mutate {
gsub => [
"message", "^\[{", "{",
"message", "},?\]?$", "}"
]
}
json {
source => "message"
remove_field => ["message"]
}
}
}
output {
stdout { codec => rubydebug }
elasticsearch { host => localhost }
}