Suricata to Filebeat to Kafka, routing to topics by event-type

I discovered Filebeat a few days ago. If I hard-code the topic name in filebeat.yml, I can send data straight to Kafka. But I can't seem to figure out how to compute the topic name dynamically from the Suricata event type. I have enabled the Filebeat suricata module and tried many things in the filebeat.yml topic value, such as:

topic: 'suricata-%{[fields.suricata.eve.event_type]}'

But I always get this error in the log:

2020-01-14T23:44:49.550Z        INFO    kafka/log.go:53 kafka message: Initializing new client
2020-01-14T23:44:49.551Z        INFO    kafka/log.go:53 kafka message: Successfully initialized new client
2020-01-14T23:44:49.551Z        INFO    pipeline/output.go:105  Connection to kafka(somehost:9092) established
2020-01-14T23:44:49.551Z        ERROR   kafka/client.go:144     Dropping event: no topic could be selected
2020-01-14T23:44:49.551Z        ERROR   kafka/client.go:144     Dropping event: no topic could be selected
2020-01-14T23:44:49.551Z        ERROR   kafka/client.go:144     Dropping event: no topic could be selected

How have you done this? Any example filebeat.yml file that routes to different topics based on the Suricata event type?

In case anyone else on earth is interested in this, I found a working answer here:

https://discuss.elastic.co/t/suricata-logs-to-filebeat-to-kafka-topics-by-event-type/215179

topic: 'suricata-%{[suricata.eve.event_type]}'
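A fuller output.kafka section built around the format string from the self-answer, as an added example that is not from the thread: the Suricata module writes its fields at the document root (suricata.eve.*), not under the "fields." prefix used in the question, and a default topic plus a has_fields rule keeps events that lack event_type from being dropped with "no topic could be selected". The broker address and TLS file paths are placeholders.

```yaml
# Added example: output.kafka section of filebeat.yml (not from the thread).
# Assumes the suricata module is enabled (filebeat modules enable suricata);
# broker address and certificate paths below are placeholders.
output.kafka:
  hosts: ["kafka-broker.example.internal:9093"]

  # Fallback topic, used only when no rule under "topics" matches, so an
  # event without suricata.eve.event_type is kept instead of being dropped.
  topic: "suricata-unrouted"

  topics:
    # Module fields live at the document root (suricata.eve.*), not under
    # "fields.", which is why the question's format string never resolved.
    - topic: "suricata-%{[suricata.eve.event_type]}"
      when.has_fields: ["suricata.eve.event_type"]

  partition.round_robin:
    reachable_only: true

  required_acks: 1
  compression: gzip
  max_message_bytes: 1000000

  # Encrypt and authenticate the producer connection to the broker
  # (mutual TLS; placeholder paths).
  ssl.certificate_authorities: ["/etc/filebeat/certs/ca.crt"]
  ssl.certificate: "/etc/filebeat/certs/filebeat.crt"
  ssl.key: "/etc/filebeat/certs/filebeat.key"
```

Watching the size of the suricata-unrouted topic is a cheap health check: a sudden growth there means events are arriving without event_type, for example because the module pipeline or EVE output format changed.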