来自 logstash-forwarder 的 Logstash 邮件事件

Logstash mail events from logstash-forwarder

我的任务是:当 cron 向 /var/log/cron.log 写入错误时,通过电子邮件发送通知。

我的logstash-forwarder.conf:

{
    "network": {
        "servers": [ "myserver.domain.com:5000" ],
        "timeout": 15,
        "ssl key": "/etc/logstash/logstash.key",
        "ssl certificate": "/etc/logstash/logstash.crt",
        "ssl ca": "/etc/logstash/ca.crt"
    },

    "files": [
{
        "paths": [
        "/var/log/syslog"
       ],
      "fields": { "type": "syslog" }
},
{
    "paths": [
        "/var/log/cron.log"
    ],
    "fields": { "type": "cron" }
}
    ]
}

logstash-input.conf:

# Lumberjack listener for logstash-forwarder. The forwarder config above points its
# "servers" entry at port 5000 of this host and verifies this listener's certificate
# against its "ssl ca".
input {
    lumberjack {
        port => 5000
        # NOTE(review): the forwarder already sets "type" per file ("syslog"/"cron"), and
        # Logstash inputs are documented as not overriding a type the shipper set, so
        # "logs" should only land on events that arrive untyped — confirm in the
        # rubydebug output, since the filters below branch on [type].
        type => "logs"
        # Server-side TLS identity presented to every connecting shipper.
        ssl_certificate => "/etc/ssl/private/logstash.crt"
        # Private key: restrict file permissions to the user Logstash runs as.
        # NOTE(review): nothing here is configured to verify the shipper's client
        # certificate (the forwarder's "ssl key"/"ssl certificate" are presented but not
        # checked by any option in this block), so any host that can reach port 5000 and
        # trusts the CA can inject events. Firewall the port to the known shippers.
        ssl_key => "/etc/ssl/private/logstash.key"
    }
}

logstash-filter.conf:

# Syslog parsing; only applied to events the forwarder tagged with type "syslog".
filter {
    if [type] == "syslog" {
        grok {
        # Standard syslog line layout: timestamp, host, program[pid]: message.
        match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
        # Record when Logstash received the event and which shipper sent it.
        add_field => [ "received_at", "%{@timestamp}" ]
        add_field => [ "received_from", "%{host}" ]
    }
    # NOTE(review): the grok pattern above extracts no "syslog_pri" field (lines read
    # from a file carry no PRI), so this filter has nothing to parse here — confirm it
    # is intended; it is useful for the network syslog input, where the PRI is on the wire.
    syslog_pri { }
    # Replace @timestamp (arrival time) with the time written in the log line.
    # NOTE(review): syslog timestamps carry no year or zone and no "timezone" option is
    # set, so the Logstash host's local zone is assumed — verify it matches the shippers.
    date {
        match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
        }
    }
}
# Intended to tag cron error lines so the email output below can pick them up.
filter {
    # NOTE(review): [message] is compared for exact equality against two different
    # strings, so this condition can never be true (one field cannot equal both "CRON"
    # and "error"); nothing reaches the throttle filter. A regex match on [message],
    # combined with the per-file [type] the forwarder sets, is what is needed here.
    if [message] == "CRON" and [message] == "error" {
    # NOTE(review): no before_count/after_count/period are set. Per the throttle plugin
    # docs an event is "throttled" (tagged) when its count is below before_count or
    # above after_count, and both default to -1 (IIRC), so every event that gets here
    # is tagged — this block does not rate-limit anything.
    throttle {
    # Keying on the full message gives every distinct log line its own counter.
    key => "%{message}"
    add_tag => "catched"
        }
    }
}

logstash-output.conf:

output {
    # Every event (syslog and cron) is indexed. NOTE(review): "host" is the older
    # option name; newer elasticsearch outputs use "hosts" (IIRC) — check your version.
    elasticsearch { host => localhost }
    # Debug aid: dumps every event, including the full log text, to Logstash's own
    # stdout/log. Remove in production so log content is not duplicated there.
    stdout { codec => rubydebug }
    # Mail only events carrying the tag added by the throttle filter.
    if "catched" in [tags] {
        email {
            from => "logstash@someserver.com"
            to => "user@someserver.com"
            # NOTE(review): logstash-forwarder ships the source filename as "file", not
            # "path" (IIRC), so %{path} would appear literally here — confirm with the
            # rubydebug output and use the field the event actually carries.
            subject => "Alert from  %{path}, from %{host}"
            # The raw log line is interpolated into the mail unmodified: whatever gets
            # written into cron.log is delivered to the recipient as-is, and without a
            # working throttle every matching line produces one mail.
            body => "Message is: \n'%{message}'. \nLog file:\n %{path}:\n\n%{message}.\n More information can be viewed in Kibana"
        }
    }
}

现在所有事件都被邮件发给了我。我怎样才能只收到来自 cron.log 的错误事件?它们是通过 add_tag 这一部分来过滤的吗?

我不确定您的 /var/log/cron.log 里是什么内容,但我认为问题出在条件判断上:`[message] == "CRON" and [message] == "error"` 要求同一个 message 字段同时等于两个不同的字符串,永远不会成立;而且 `==` 是精确比较,不是子串匹配。试试这个(用 forwarder 设置的 type 字段区分文件,用正则匹配 message):

# Replacement for the second filter block: select events by the per-file type the
# forwarder sets (fields => { "type" => "cron" }) and test the message with a regex
# instead of exact equality.
if [type] == "cron" and [message] =~ /error/ {
    # NOTE(review): this match is case-sensitive; if your cron also logs "ERROR", an
    # inline flag such as /(?i)error/ should work in Logstash conditionals — verify.
    throttle {
    # NOTE(review): with no before_count/after_count/period the throttle plugin tags
    # every matching event (docs: tagged when count < before_count or > after_count,
    # both defaulting to -1, IIRC), so this still sends one mail per error line. To cap
    # alerts, set after_count and period, key on something stable such as
    # "%{host}%{type}" rather than the whole message (which makes each line its own
    # counter), and — since the tag marks the events beyond the limit — have the
    # output mail events that are NOT tagged, which is the pattern the plugin docs show.
    key => "%{message}"
    add_tag => "catched"
        }
    }