
Logstash 解析防火墙日志

Logstash | Author: shaonianliang | Published 2021-09-24 | Views: 1924

Can any expert help me look at why this happens? Parsing firewall logs.
 
Log content:
 
"ngtos" "V3.2242.22099_NGFW.1" "2020-08-07 13:41:43" "TopsecOS" "6" "ac" "ac" "1050"  "0" vsys_name="root_vsys" policyid="24683" policyname="fw701103521" protoname="TCP" src="10.60.201.46" sport="1605" dst="10.60.193.150" dport="80" action="拒绝" appname="unknown" user="unknown" 
 
Rule:
"%{DATA:dev1}" "%{DATA:dev2}" "%{DATA:dev3}" "%{DATA:dev4}" "%{DATA:dev5}" "%{DATA:dev6}" "%{DATA:dev7}" "%{DATA:dev8}" "%{DATA:dev9}" vsys_name="%{DATA:vsys_name}" policyid="%{DATA:policyid}" policyname="%{DATA:policyname}" protoname="%{DATA:protoname}" src="%{DATA:src}" sport="%{DATA:sport}" dst="%{DATA:dst}" dport="%{DATA:dport}" action="%{DATA:action}" appname="%{DATA:appname}" user="%{DATA:user}" 
 
Parsed content:
 
{
  "dst": "10.60.193.150",
  "src": "10.60.201.117",
  "dev9": "0",
  "dev7": "ac",
  "dev8": "1050",
  "dev5": "6",
  "dev6": "ac",
  "dev3": "2020-08-07 13:41:43",
  "dport": "80",
  "dev4": "TopsecOS",
  "dev1": "ngtos",
  "dev2": "V3.2242.22099_NGFW.1",
  "policyid": "24683",
  "appname": "unknown",
  "action": "允许",
  "policyname": "fw701103521",
  "vsys_name": "root_vsys",
  "sport": "53551",
  "user": "unknown",
  "protoname": "TCP"
}
 
But when Logstash writes to the index, it does not parse it the way shown above:
{
      "policyid" => "24683",
          "user" => "unknown",
          "type" => "topsecfirewall",
     "vsys_name" => "root_vsys",
      "@version" => "1",
          "tags" => [
        [0] "_grokparsefailure"
    ],
     "protoname" => "TCP",
    "@timestamp" => 2021-09-25T02:59:01.176Z,
           "src" => "10.60.203.27",
        "action" => "允许",
         "sport" => "57676",
    "policyname" => "fw701103521",
       "appname" => "unknown",
         "dport" => "80",
       "message" => "\"ngtos\" \"V3.2242.22099_NGFW.1\" \"2020-08-07 13:42:34\" \"TopsecOS\" \"6\" \"ac\" \"ac\" \"1050\"  \"0\" vsys_name=\"root_vsys\" policyid=\"24683\" policyname=\"fw701103521\" protoname=\"TCP\" src=\"10.60.203.27\" sport=\"57676\" dst=\"10.60.193.150\" dport=\"80\" action=\"允许\" appname=\"unknown\" user=\"unknown\" ",
           "dst" => "10.60.193.150"
}

mcliang1000


"1050"  "0" has 2 spaces in between
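The point of the answer, worked through as an added example that is not part of the original thread: a Python translation of the question's grok rule (grok's `%{DATA:name}` compiles to a lazy `(?<name>.*?)`), applied to the raw line from the question. With one literal space between the quoted header fields, as in the rule posted above, the match fails on the two spaces between `"1050"` and `"0"`, which is exactly what makes Logstash attach the `_grokparsefailure` tag. Building the same pattern with `\s+` between tokens (in grok, `%{SPACE}` or a literal `\s+`) lets the same line parse. The sample line and field names are the question's; `build_pattern` and `parse` are names chosen here.

```python
import re

# Constructed sample: the raw line from the question, including the two spaces
# between "1050" and "0" that the answer points out.
SAMPLE_LINE = (
    '"ngtos" "V3.2242.22099_NGFW.1" "2020-08-07 13:41:43" "TopsecOS" "6" "ac" "ac" "1050"  "0" '
    'vsys_name="root_vsys" policyid="24683" policyname="fw701103521" protoname="TCP" '
    'src="10.60.201.46" sport="1605" dst="10.60.193.150" dport="80" action="拒绝" '
    'appname="unknown" user="unknown" '
)

# Field names from the question's grok rule, in order.
HEADER_FIELDS = [f"dev{i}" for i in range(1, 10)]
KV_FIELDS = ["vsys_name", "policyid", "policyname", "protoname", "src",
             "sport", "dst", "dport", "action", "appname", "user"]


def build_pattern(separator: str) -> re.Pattern:
    r"""Regex equivalent of the question's grok rule.

    grok's %{DATA:name} is a lazy (?<name>.*?). `separator` is what the pattern
    expects between tokens: a single literal space reproduces the original rule,
    r"\s+" reproduces the fix (grok's %{SPACE} is \s*, which behaves the same
    here because every token in this log format is whitespace-separated).
    """
    header = separator.join(f'"(?P<{name}>.*?)"' for name in HEADER_FIELDS)
    kv = separator.join(f'{name}="(?P<{name}>.*?)"' for name in KV_FIELDS)
    return re.compile(header + separator + kv)


STRICT = build_pattern(" ")       # the rule as posted: exactly one space
TOLERANT = build_pattern(r"\s+")  # the fix: any run of whitespace


def parse(line: str, tolerant: bool = True):
    """Return the extracted fields, or None where grok would tag _grokparsefailure."""
    match = (TOLERANT if tolerant else STRICT).search(line)
    return match.groupdict() if match else None


if __name__ == "__main__":
    print("strict  :", parse(SAMPLE_LINE, tolerant=False))  # None: the double space breaks it
    print("tolerant:", parse(SAMPLE_LINE))                  # full 20-field dict
```

In the Logstash filter this corresponds to writing `"%{DATA:dev8}"%{SPACE}"%{DATA:dev9}"` (or `\s+`) in place of the single space in the rule above. Events that fail the match still reach the index carrying the `_grokparsefailure` tag, so a dashboard that counts denied connections by `action` quietly loses every line whose header did not parse; counting that tag over time is the cheapest way to notice when a firmware update or a stray space changes the format.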
