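I'm trying to use Logstash 7.6.1 to log my F5 WAF/ASM. When I try to collect some logs from my F5 remote logging, I run logstash -f f5.config from my ELK server. It prints this message and loops:
[[main]> worker 1] ERROR - Exception while parsing KV {:exception=>"Invalid FieldReference: `info tmm 2 [16492]:Rule /Common/myrule:source logreq:/mywebsitepath/"}
So what is the problem here, and how do I fix it?
Here is my f5.config: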
input {
  syslog {
    port => 5144
  }
}
filter {
  kv {
    field_split => ","
  }
  mutate {
    split => { "attack_type" => "," }
    split => { "sig_ids" => "," }
    split => { "sig_names" => "," }
    split => { "sig_cves" => "," }
    split => { "staged_sig_ids" => "," }
    split => { "staged_sig_names" => "," }
    split => { "staged_sig_cves" => "," }
    split => { "threat_campaign_names" => "," }
    split => { "staged_threat_campaign_names" => "," }
    split => { "violations" => "," }
    split => { "sub_violations" => "," }
  }
  geoip {
    source => "ip_client"
  }
}
output {
  elasticsearch {
    hosts => ['myip:9200']
    index => "waf-logs-%{+YYY.MM.dd}"
  }
}
This is the Kibana I use to visualize Logstash: Project
Thanks in advance.
2 Answers
8e2ybdfx1#
By default, the KV parser treats the special characters [] as keys.
You can set
to work around this problem.
yhxst69z2#
This should work with v4.7.0:
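An added example, not taken from the question or from either answer: one way to keep non-ASM lines (such as the iRule line in the error) away from the kv filter and to strip square brackets from parsed keys, using the kv filter's documented `source` and `remove_char_key` options. The `attack_type=` guard pattern and the `f5_non_asm` tag name are assumptions chosen for illustration.

```logstash
filter {
  # Assumed guard: only pass events to kv when they look like ASM key=value
  # records. attack_type is one of the fields this pipeline already expects;
  # use a key that your ASM logging profile always sends.
  if [message] =~ /attack_type=/ {
    kv {
      source      => "message"
      field_split => ","
      # Square brackets are field-reference syntax in Logstash, so a parsed
      # key that contains them cannot be set on the event. remove_char_key
      # takes a regex character class, hence the escaped [ and ].
      remove_char_key => "\[\]"
    }
  } else {
    # tmm / iRule lines such as "Rule /Common/myrule ..." stay as plain text.
    # The tag name is hypothetical; it lets these events be routed or counted
    # separately instead of failing in kv on every event.
    mutate {
      add_tag => ["f5_non_asm"]
    }
  }
}
```

Counting events that carry the tag in Kibana shows how much non-ASM traffic reaches port 5144, which helps confirm that WAF records are not being lost to parse failures.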