I want to import AWS CloudTrail event times via Logstash. It runs fine, but I cannot get the event time.
My logstash.conf
input {
  s3 {
    bucket => "xxxxx"
    prefix => "xxxxx"
    sincedb_path => "/etc/logstash/sincedb/cloudtrail"
    temporary_directory => "/etc/logstash/tmp"
    region => "xxxxx"
    type => "cloudtrail"
    # The cloudtrail codec splits each object's Records array into one event per record
    codec => "cloudtrail"
  }
}
filter {
  if [type] == "cloudtrail" {
    # Strip the ".amazonaws.com" suffix so eventSource reads e.g. "elasticloadbalancing"
    mutate {
      gsub => [ "eventSource", "\.amazonaws\.com$", "" ]
    }
    # Nested fields are referenced as [outer][inner]; [userIdentity.userName] would look for
    # a top-level field literally named "userIdentity.userName" and never match
    if [eventSource] == "elasticloadbalancing" and [eventName] == "describeInstanceHealth" and [userIdentity][userName] == "secret_username" {
      drop {}
    }
  }
  date {
    match => ["eventTime", "ISO8601"]
  }
}
In Kibana I can see the other fields, but I cannot find eventTime.
1 answer
The cloudtrail codec removes eventTime from the event and assigns it to the event's @timestamp. See: https://github.com/logstash-plugins/logstash-codec-cloudtrail/blob/4486ce2f986bc4778562060bbaf9d6dfd99ab84e/lib/logstash/codecs/cloudtrail.rb#L22
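A consequence of that codec behaviour is that the `date { match => ["eventTime", "ISO8601"] }` filter in the question is a no-op: by the time the filter stage runs, eventTime no longer exists and @timestamp already holds the parsed CloudTrail time. If eventTime is wanted as its own searchable field (for a Kibana table, or a detection rule that keys on it), the simplest fix is to copy @timestamp back under that name. The filter block below is an added example written for this page, not code from the question or from the codec repository; it assumes the same `type => "cloudtrail"` tag set in the s3 input above, and the user name is the placeholder from the question.

```logstash
filter {
  if [type] == "cloudtrail" {
    # The cloudtrail codec has already moved eventTime into @timestamp (one event per
    # CloudTrail record). Copy it back so the original field name is searchable.
    mutate {
      copy => { "@timestamp" => "eventTime" }
    }

    # Strip the ".amazonaws.com" suffix from eventSource, as in the original config.
    mutate {
      gsub => [ "eventSource", "\.amazonaws\.com$", "" ]
    }

    # Nested fields use [outer][inner] syntax; "[userIdentity.userName]" would never match.
    # "secret_username" is the placeholder principal from the question.
    if [eventSource] == "elasticloadbalancing" and [eventName] == "describeInstanceHealth" and [userIdentity][userName] == "secret_username" {
      drop {}
    }
  }
}
```

Two things worth checking before relying on this in a pipeline: the string comparisons in the conditional are case-sensitive, so compare the literal `eventName` value against a real record rather than assuming its casing; and because @timestamp is now the time the API call happened rather than the time Logstash ingested the file, dashboards and alerts sorted by @timestamp reflect CloudTrail delivery lag, which is normally minutes but can be longer.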