Can any expert help me figure out why? Parsing firewall logs.
Log content:
"ngtos" "V3.2242.22099_NGFW.1" "2020-08-07 13:41:43" "TopsecOS" "6" "ac" "ac" "1050" "0" vsys_name="root_vsys" policyid="24683" policyname="fw701103521" protoname="TCP" src="10.60.201.46" sport="1605" dst="10.60.193.150" dport="80" action="拒绝" appname="unknown" user="unknown"
Rule:
"%{DATA:dev1}" "%{DATA:dev2}" "%{DATA:dev3}" "%{DATA:dev4}" "%{DATA:dev5}" "%{DATA:dev6}" "%{DATA:dev7}" "%{DATA:dev8}" "%{DATA:dev9}" vsys_name="%{DATA:vsys_name}" policyid="%{DATA:policyid}" policyname="%{DATA:policyname}" protoname="%{DATA:protoname}" src="%{DATA:src}" sport="%{DATA:sport}" dst="%{DATA:dst}" dport="%{DATA:dport}" action="%{DATA:action}" appname="%{DATA:appname}" user="%{DATA:user}"
Parsed result:
{
"dst": "10.60.193.150",
"src": "10.60.201.117",
"dev9": "0",
"dev7": "ac",
"dev8": "1050",
"dev5": "6",
"dev6": "ac",
"dev3": "2020-08-07 13:41:43",
"dport": "80",
"dev4": "TopsecOS",
"dev1": "ngtos",
"dev2": "V3.2242.22099_NGFW.1",
"policyid": "24683",
"appname": "unknown",
"action": "允许",
"policyname": "fw701103521",
"vsys_name": "root_vsys",
"sport": "53551",
"user": "unknown",
"protoname": "TCP"
}
But when Logstash writes it to the store, it is not stored parsed as above:
{
"policyid" => "24683",
"user" => "unknown",
"type" => "topsecfirewall",
"vsys_name" => "root_vsys",
"@version" => "1",
"tags" => [
[0] "_grokparsefailure"
],
"protoname" => "TCP",
"@timestamp" => 2021-09-25T02:59:01.176Z,
"src" => "10.60.203.27",
"action" => "允许",
"sport" => "57676",
"policyname" => "fw701103521",
"appname" => "unknown",
"dport" => "80",
"message" => "\"ngtos\" \"V3.2242.22099_NGFW.1\" \"2020-08-07 13:42:34\" \"TopsecOS\" \"6\" \"ac\" \"ac\" \"1050\" \"0\" vsys_name=\"root_vsys\" policyid=\"24683\" policyname=\"fw701103521\" protoname=\"TCP\" src=\"10.60.203.27\" sport=\"57676\" dst=\"10.60.193.150\" dport=\"80\" action=\"允许\" appname=\"unknown\" user=\"unknown\" ",
"dst" => "10.60.193.150"
}
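As an added example (not code from the original post), the grok rule from the post translated into a Python regex so it can be tested offline against the posted log line and against the Logstash `message` field, which ends in a trailing space. `DATA` maps to `.*?` exactly as in grok's built-in definitions; the helper names, the sample strings and the `parse_kv` fallback are my own constructions.

```python
import re

# Constructed from the post: the raw firewall log line, and the Logstash
# `message` field, which carries a trailing space after user="unknown".
LOG_LINE = (
    '"ngtos" "V3.2242.22099_NGFW.1" "2020-08-07 13:41:43" "TopsecOS" "6" "ac" "ac" '
    '"1050" "0" vsys_name="root_vsys" policyid="24683" policyname="fw701103521" '
    'protoname="TCP" src="10.60.201.46" sport="1605" dst="10.60.193.150" dport="80" '
    'action="拒绝" appname="unknown" user="unknown"'
)
LOGSTASH_MESSAGE = LOG_LINE.replace('action="拒绝"', 'action="允许"') + " "

# The grok rule from the post: nine quoted positional fields, then key="value" pairs.
DEV_FIELDS = [f"dev{i}" for i in range(1, 10)]
KV_FIELDS = ["vsys_name", "policyid", "policyname", "protoname", "src",
             "sport", "dst", "dport", "action", "appname", "user"]
GROK_RULE = (" ".join(f'"%{{DATA:{f}}}"' for f in DEV_FIELDS) + " "
             + " ".join(f'{f}="%{{DATA:{f}}}"' for f in KV_FIELDS))

# Built-in grok definitions: DATA is .*? (lazy), GREEDYDATA is .* (greedy).
GROK_BASE = {"DATA": r".*?", "GREEDYDATA": r".*"}

def grok_to_regex(rule: str, anchored: bool = False) -> str:
    """Turn a grok rule that uses only DATA/GREEDYDATA into a Python regex.
    Literal text between %{...} tokens is escaped so quotes and '=' match verbatim."""
    parts, pos = [], 0
    for m in re.finditer(r"%\{(\w+)(?::(\w+))?\}", rule):
        parts.append(re.escape(rule[pos:m.start()]))
        base, name = m.group(1), m.group(2)
        parts.append(f"(?P<{name}>{GROK_BASE[base]})" if name else f"(?:{GROK_BASE[base]})")
        pos = m.end()
    parts.append(re.escape(rule[pos:]))
    body = "".join(parts)
    return f"^{body}$" if anchored else body

def grok_match(rule: str, line: str, anchored: bool = False):
    """Return the captured fields as a dict, or None (grok would tag _grokparsefailure)."""
    m = re.search(grok_to_regex(rule, anchored), line)
    return m.groupdict() if m else None

def parse_kv(line: str) -> dict:
    """Plain key="value" extraction: yields only the named pairs, never dev1..dev9."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))

if __name__ == "__main__":
    print(grok_match(GROK_RULE, LOG_LINE))                         # all 20 fields
    print(grok_match(GROK_RULE, LOGSTASH_MESSAGE))                 # still matches: grok is unanchored by default
    print(grok_match(GROK_RULE, LOGSTASH_MESSAGE, anchored=True))  # None: the trailing space breaks an anchored rule
    print(parse_kv(LOGSTASH_MESSAGE))                              # the 11 key="value" fields only
```

Note that the field set in the posted Logstash event (no dev1..dev9) is exactly what `parse_kv` yields, while a successful grok match yields all twenty fields; comparing the two against your own pipeline output shows which filter actually populated the event.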
1 reply
mcliang1000