logstash使用prune{whitelist_names}无数据

想通过 logstash 中 prune{whitelist_names} 设置白名单提取相关字段，但设置后白名单中的字段获取不到。
不使用 prune 的 logstash.conf：

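input {
  beats {
    port => 5044
  }
}
filter {
  # Parse the JSON alert carried in "message" and drop the raw string once its
  # fields have been promoted to the top level of the event.
  json {
    source => "message"
    remove_field => "message"
  }
}
output {
  # Only events whose "filetype" field equals "wazuh_alert" are indexed. Events
  # that fail this test are discarded silently by this pipeline, so a missing or
  # renamed "filetype" field shows up as "no data" rather than as an error.
  # NOTE(review): the sample hits below carry "filetype": "sdtalerts666" and an
  # index named "sdtalerts111-*", which this condition would not route —
  # presumably the snippets were renamed before posting; confirm they match.
  if [filetype] == "wazuh_alert" {
    elasticsearch {
      hosts => ["127.0.0.1:9200"]
      # Daily index; the date part is taken from the event's @timestamp.
      index => "wazuhalert111-%{+YYYY.MM.dd}"
      # Credentials are disabled, so this writes to an unauthenticated
      # Elasticsearch on loopback. If they are enabled, keep the secret out of
      # the config file — a keystore/environment reference such as
      # "${ES_PASSWORD}" (placeholder) — instead of a literal password.
      #user => "elastic"
      #password => "changeme"
    }
  }
}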

查询得到的数据:

{
  "took" : 4,
  "timed_out" : false,
  "_shards" : {
    "total" : 1,
    "successful" : 1,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 2047,
      "relation" : "eq"
    },
    "max_score" : 1.0,
    "hits" : [
      {
        "_index" : "sdtalerts111-2021.12.14",
        "_type" : "_doc",
        "_id" : "Di3guH0BS36tsJnhov5-",
        "_score" : 1.0,
        "_source" : {
          "input" : {
            "type" : "log"
          },
          "rule" : {
            "level" : 3,
            "description" : "Ossec server started.",
            "id" : "502",
            "firedtimes" : 1,
            "pci_dss" : [
              "10.6.1"
            ],
            "gdpr" : [
              "IV_35.7.d"
            ],
            "tsc" : [
              "CC7.2",
              "CC7.3"
            ],
            "hipaa" : [
              "164.312.b"
            ],
            "nist_800_53" : [
              "AU.6"
            ],
            "groups" : [
              "ossec"
            ],
            "mail" : false,
            "gpg13" : [
              "10.1"
            ]
          },
          "id" : "1639484264.4555795",
          "fileset" : {
            "name" : "alerts"
          },
          "full_log" : "ossec: Ossec started.",
          "location" : "wazuh-monitord",
          "tags" : [
            "beats_input_codec_plain_applied"
          ],
          "host" : {
            "name" : "lbw-ThinkPad"
          },
          "log" : {
            "file" : {
              "path" : "/var/ossec/logs/alerts/alerts.json"
            },
            "offset" : 6903410
          },
          "agent" : {
            "name" : "lbw-ThinkPad",
            "id" : "000"
          },
          "decoder" : {
            "name" : "ossec"
          },
          "filetype" : "sdtalerts666",
          "manager" : {
            "name" : "lbw-ThinkPad"
          },
          "service" : {
            "type" : "wazuh"
          },
          "@timestamp" : "2021-12-14T12:17:45.653Z",
          "ecs" : {
            "version" : "1.11.0"
          },
          "timestamp" : "2021-12-14T20:17:44.530+0800",
          "event" : {
            "dataset" : "wazuh.alerts",
            "module" : "wazuh"
          },
          "@version" : "1"
        }
      },
      {
        "_index" : "sdtalerts111-2021.12.14",
        "_type" : "_doc",
        "_id" : "EC3guH0BS36tsJnhov6A",
        "_score" : 1.0,
        "_source" : {
          "input" : {
            "type" : "log"
          },
          "rule" : {
            "level" : 7,
            "description" : "Host-based anomaly detection event (rootcheck).",
            "id" : "510",
            "firedtimes" : 1,
            "groups" : [
              "ossec",
              "rootcheck"
            ],
            "gdpr" : [
              "IV_35.7.d"
            ],
            "mail" : false
          },
          "id" : "1639484266.4556047",
          "fileset" : {
            "name" : "alerts"
          },
          "full_log" : "File '/usr/local/zeek/spool/tmp/post-terminate-standalone-2021-07-14-19-01-55-25928-crash/.startup' is owned by root and has written permissions to anyone.",
          "location" : "rootcheck",
          "tags" : [
            "beats_input_codec_plain_applied"
          ],
          "host" : {
            "name" : "lbw-ThinkPad"
          },
          "agent" : {
            "name" : "lbw-ThinkPad",
            "id" : "000"
          },
          "log" : {
            "file" : {
              "path" : "/var/ossec/logs/alerts/alerts.json"
            },
            "offset" : 6903891
          },
          "decoder" : {
            "name" : "rootcheck"
          },
          "filetype" : "sdtalerts666",
          "data" : {
            "title" : "File is owned by root and has written permissions to anyone.",
            "file" : "/usr/local/zeek/spool/tmp/post-terminate-standalone-2021-07-14-19-01-55-25928-crash/.startup"
          },
          "manager" : {
            "name" : "lbw-ThinkPad"
          },
          "service" : {
            "type" : "wazuh"
          },
          "@timestamp" : "2021-12-14T12:17:46.653Z",
          "ecs" : {
            "version" : "1.11.0"
          },
          "timestamp" : "2021-12-14T20:17:46.536+0800",
          "event" : {
            "dataset" : "wazuh.alerts",
            "module" : "wazuh"
          },
          "@version" : "1"
        }
      },

kibana显示的字段:

img

使用 prune 后的 logstash.conf：


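input {
  beats {
    port => 5044
  }
}
filter {
  # Parse the JSON alert carried in "message" and drop the raw string once its
  # fields have been promoted to the top level of the event.
  json {
    source => "message"
    remove_field => "message"
  }
  # prune with whitelist_names removes every top-level field whose name does
  # not match one of the patterns. With "^agent" alone the "filetype" field is
  # removed too, so the condition in output below never matches and no event
  # reaches Elasticsearch. Keep the routing field; @timestamp is listed
  # explicitly so the daily index pattern always has a timestamp, whether or
  # not this prune version preserves it by default (TODO confirm).
  prune {
    whitelist_names => [ "^agent", "^filetype", "^@timestamp" ]
  }
}
output {
  # Events that fail this test are discarded silently; while debugging, an else
  # branch with a stdout output makes such drops visible instead of invisible.
  if [filetype] == "wazuh_alert" {
    elasticsearch {
      hosts => ["127.0.0.1:9200"]
      # Daily index; the date part is taken from the event's @timestamp.
      index => "wazuhalert111-%{+YYYY.MM.dd}"
      # Credentials are disabled, so this writes to an unauthenticated
      # Elasticsearch on loopback. If they are enabled, keep the secret out of
      # the config file — a keystore/environment reference such as
      # "${ES_PASSWORD}" (placeholder) — instead of a literal password.
      #user => "elastic"
      #password => "changeme"
    }
  }
}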

没有数据传送,显示结果没有数据:

img

这应该如何修改呢？

output 处少写了一个大括号


自己写一下回答：output 通过 if 判断 filetype 字段，然后将数据传送到 es 中，但 prune 白名单把这个字段过滤掉了，因此 if 条件永远不成立；将下方 if 语句删除即可（或者把 "^filetype" 也加进 whitelist_names，保留该字段供判断使用）。