How to route Logstash logs by IP subnet?
- By: Will
- Category: Elastic Stack
1 Preface
One problem, one article, one story.
I previously looked into integrating Logstash with switches (see the following document),
but it turned out that many switches in production cannot change the port they send logs to, so the logs have to be split according to the IP subnet the sending switch sits in, which is what this chapter covers.
If needed, first get familiar with the Elasticsearch and basic Logstash environment setup.
2 Best practice
2.1 Create the configuration
vim /etc/logstash/conf.d/network.cmdschool.org_514.conf
Add the following configuration:
# Syslog -> Logstash -> Elasticsearch pipeline, routed by the sender's subnet.
input {
  syslog {
    port => 514
    type => "514"
  }
}

filter {
  if [type] == "514" {
    # Each cidr filter adds its own tag when the client address falls in one
    # of its networks. The syslog input stores that address at [host][ip]
    # when ecs_compatibility is enabled (the default on Logstash 8); with it
    # disabled the address is the plain string field [host].
    cidr {
      add_tag => [ "dg-network" ]
      address => [ "%{[host][ip]}" ]
      network => [ "10.168.0.0/24", "10.168.1.0/24" ]
    }
    cidr {
      add_tag => [ "ca-network" ]
      address => [ "%{[host][ip]}" ]
      network => [ "10.168.2.0/24", "10.168.3.0/24" ]
    }
    cidr {
      add_tag => [ "hk-network" ]
      address => [ "%{[host][ip]}" ]
      network => [ "10.168.4.0/24" ]
    }
    # The first three branches re-add a tag the cidr filter has already set
    # (Logstash keeps tags unique, so they are no-ops). The else branch is
    # the one that matters: it tags events from unknown subnets so the
    # output still has a route for them.
    if "dg-network" in [tags] {
      mutate { add_tag => [ "dg-network" ] }
    } else if "ca-network" in [tags] {
      mutate { add_tag => [ "ca-network" ] }
    } else if "hk-network" in [tags] {
      mutate { add_tag => [ "hk-network" ] }
    } else {
      mutate { add_tag => [ "network" ] }
    }
  }
}

output {
  if [type] == "514" {
    # Branches are tested in order; the first matching tag decides the index.
    # The password is in clear text here and the hosts are plain http://; in
    # production keep it in the Logstash keystore and reference it as
    # password => "${ES_PWD}".
    if "dg-network" in [tags] {
      elasticsearch {
        hosts    => [ "http://azelasticsearch01:9200", "http://azelasticsearch02:9200", "http://azelasticsearch03:9200", "http://azelasticsearch04:9200", "http://azelasticsearch05:9200" ]
        index    => "dg-network-%{+YYYY.MM.dd}"
        user     => "elastic"
        password => "elasticpwd"
      }
    } else if "ca-network" in [tags] {
      elasticsearch {
        hosts    => [ "http://azelasticsearch01:9200", "http://azelasticsearch02:9200", "http://azelasticsearch03:9200", "http://azelasticsearch04:9200", "http://azelasticsearch05:9200" ]
        index    => "ca-network-%{+YYYY.MM.dd}"
        user     => "elastic"
        password => "elasticpwd"
      }
    } else if "hk-network" in [tags] {
      elasticsearch {
        hosts    => [ "http://azelasticsearch01:9200", "http://azelasticsearch02:9200", "http://azelasticsearch03:9200", "http://azelasticsearch04:9200", "http://azelasticsearch05:9200" ]
        index    => "hk-network-%{+YYYY.MM.dd}"
        user     => "elastic"
        password => "elasticpwd"
      }
    } else if "network" in [tags] {
      elasticsearch {
        hosts    => [ "http://azelasticsearch01:9200", "http://azelasticsearch02:9200", "http://azelasticsearch03:9200", "http://azelasticsearch04:9200", "http://azelasticsearch05:9200" ]
        index    => "network-%{+YYYY.MM.dd}"
        user     => "elastic"
        password => "elasticpwd"
      }
    }
  }
}
The processing logic of the configuration is as follows:
If the type field of an event received by Logstash is "514", each cidr filter tests whether host.ip belongs to its networks and, on a match, tags the event itself:
– dg subnets (10.168.0.0/24, 10.168.1.0/24): tag "dg-network".
– ca subnets (10.168.2.0/24, 10.168.3.0/24): tag "ca-network".
– hk subnet (10.168.4.0/24): tag "hk-network".
– no subnet matched: the else branch of the following if/else chain tags the event with the mutate filter "{ add_tag => ["network"] }". (The three earlier mutate branches re-add a tag that is already present; Logstash keeps tags unique, so they change nothing and could be dropped.)
Then, based on the value of [tags], the output routes the logs to different indices:
– if [tags] contains "dg-network", store in the "dg-network-%{+YYYY.MM.dd}" index.
– if [tags] contains "ca-network", store in the "ca-network-%{+YYYY.MM.dd}" index.
– if [tags] contains "hk-network", store in the "hk-network-%{+YYYY.MM.dd}" index.
– if [tags] contains "network", store in the "network-%{+YYYY.MM.dd}" index.
Three points worth checking before relying on this:
– [host][ip] is where the syslog input puts the client address when ecs_compatibility is enabled. On a pipeline with it disabled the address is the string field [host]; the unresolved reference is then passed to the cidr filter as the literal text "%{[host][ip]}", which is not a valid IP, so nothing matches and every event lands in network-*.
– The client address is the IP of the UDP or TCP peer. For UDP syslog it is unauthenticated and trivially spoofable, so this routing is an operational convenience, not a trust boundary: do not treat the index name as evidence of where a log came from.
– The Elasticsearch password sits in clear text in the pipeline file and is sent over http://. Store it in the Logstash keystore (logstash-keystore add ES_PWD, using the same path.settings as the pipeline), reference it as password => "${ES_PWD}", and use https:// endpoints where the cluster supports them.
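The same routing, re-implemented in Python as an added example (not part of the original post and not Logstash code): Python's ipaddress module stands in for the cidr filter, the subnets, tags and index pattern are copied from the config above, and the events are constructed samples. It shows the fallback for addresses outside every subnet, for an unparsable or missing address, and for the legacy string-valued [host] field, and why the order of the if/else chain matters.

```python
"""Offline model of the page's subnet routing (added example, not Logstash code).

Subnets, tags and the index pattern come from network.cmdschool.org_514.conf on
the page; Python's ipaddress module stands in for the cidr filter. The sample
events at the bottom are constructed, not real switch logs.
"""
from datetime import date
from ipaddress import ip_address, ip_network

# One entry per cidr{} block in the page's filter section, in config order.
ROUTES = [
    ("dg-network", ["10.168.0.0/24", "10.168.1.0/24"]),
    ("ca-network", ["10.168.2.0/24", "10.168.3.0/24"]),
    ("hk-network", ["10.168.4.0/24"]),
]
FALLBACK_TAG = "network"       # added by the else branch of the mutate chain
INDEX_SUFFIX = "%Y.%m.%d"      # strftime equivalent of %{+YYYY.MM.dd}
SAMPLE_DAY = date(2024, 5, 1)  # assumed event date for the demo below

# Parse the networks once. A malformed CIDR raises here, at load time,
# roughly where Logstash would refuse to start the pipeline.
_PARSED = [(tag, [ip_network(n) for n in nets]) for tag, nets in ROUTES]


def source_address(event: dict) -> str:
    """Return the syslog client address from a Logstash-shaped event.

    With ecs_compatibility enabled the syslog input stores it at [host][ip],
    which is what the page's config reads; with it disabled the address is
    the plain string field [host]. Both shapes are accepted here; a missing
    field yields "" so the event falls through to the fallback route.
    """
    host = event.get("host", "")
    if isinstance(host, dict):
        return str(host.get("ip", ""))
    return str(host)


def cidr_tags(addr: str) -> list[str]:
    """Tags the three cidr filters would add for this address, in order.

    An unparsable address matches no network, just as the cidr filter adds
    no tag (and logs a warning) when the address is not a valid IP. IPv6
    sources also match nothing against these IPv4 networks.
    """
    try:
        ip = ip_address(addr)
    except ValueError:
        return []
    return [tag for tag, nets in _PARSED if any(ip in net for net in nets)]


def index_name(tag: str, day: date) -> str:
    """Build "<tag>-YYYY.MM.dd" the way the output's index => setting does."""
    return f"{tag}-{day.strftime(INDEX_SUFFIX)}"


def route(event: dict, day: date) -> tuple[str, str]:
    """Return (winning tag, target index) for one event.

    Mirrors the output section's if/else-if chain: tags are tested in
    ROUTES order and the first one present wins. If two configured
    networks overlapped, an event would carry two tags and the earlier
    branch would still decide the index, so the order in ROUTES matters.
    """
    tags = cidr_tags(source_address(event))
    for tag, _ in _PARSED:
        if tag in tags:
            return tag, index_name(tag, day)
    return FALLBACK_TAG, index_name(FALLBACK_TAG, day)


if __name__ == "__main__":
    # Constructed sample events shaped like Logstash syslog events.
    samples = [
        {"type": "514", "host": {"ip": "10.168.1.77"}, "message": "link down"},
        {"type": "514", "host": {"ip": "10.168.3.2"}, "message": "login ok"},
        {"type": "514", "host": {"ip": "10.168.4.200"}, "message": "cfg saved"},
        {"type": "514", "host": {"ip": "192.0.2.10"}, "message": "unknown site"},
        {"type": "514", "host": "10.168.0.5", "message": "legacy [host] field"},
        {"type": "514", "message": "no host field at all"},
    ]
    for ev in samples:
        tag, idx = route(ev, SAMPLE_DAY)
        print(f"{source_address(ev) or '<none>':>14}  {tag:<10} -> {idx}")
```

Running the script prints one line per sample with the tag and index each event would reach. Keeping the subnets in one ordered table also makes the difference from the Logstash file visible: adding a site is one ROUTES entry here, against a cidr block, a mutate branch and an elasticsearch block in the pipeline.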
Once the configuration is created, test its syntax with the following command:
/usr/share/logstash/bin/logstash --config.test_and_exit --path.settings /etc/logstash -f /etc/logstash/conf.d/network.cmdschool.org_514.conf
2.2 Restart the service so the configuration takes effect
systemctl restart logstash
Note that the packaged service runs Logstash as the unprivileged logstash user, and binding port 514 (below 1024) requires CAP_NET_BIND_SERVICE. If journalctl -u logstash shows the syslog input failing with "Permission denied", either grant that capability to the Java binary Logstash runs with, or redirect port 514 to an unprivileged port with iptables/nftables and listen there instead.
Reference documents
==================
https://poe.com/s/myopb3dYAlFBKKBGqXut
Cidr filter plugin
------------------
https://www.elastic.co/guide/en/logstash/current/plugins-filters-cidr.html
Mutate filter plugin
--------------------
https://www.elastic.co/guide/en/logstash/current/plugins-filters-mutate.html
Filter plugins
--------------
https://www.elastic.co/guide/en/logstash/current/filter-plugins.html