Logging

Graylog stream getting events, but is empty

  • March 27, 2017

I've started sending Palo Alto logs to Graylog, and a stream rule picks them out by matching "Palo Alto" in the "tags" field (that's how all of my stream rules work; a front-end Logstash instance tags the events before shipping them to Graylog).

I know the Graylog node is receiving these events on the network interface:

[screenshot: tcpdump of the incoming events]

And the stream shows that it is receiving events (note the "22 messages/second"):

[screenshot: stream overview showing that it currently receives 22 messages per second]

However, when I click on the stream (or search for tags:"Palo Alto"), no events are found.

[screenshot: empty stream]

The only common issue I've seen online is a time zone setting putting these events in the future, but the time on our Palo Alto Panorama sender is correct (PST), and trying an absolute-time search one day into the future returns nothing.

Version info:

Graylog 2.2.2+691b4b7, codename Stiegl

Elasticsearch 2.4.4

Lucene 5.5.2

I have not yet answered the question of why the search functions aren't working to find events that are actually arriving. I doubt it has anything to do with it, but for completeness I'll include it here.

In the log file /var/log/graylog-server/server.log on the Graylog server node, I notice lots of errors such as:

[54]: index [graylog_2], type [message], id [edb8ec50-1320-11e7-92de-005056b541f6], message [MapperParsingException[failed to parse [ReceiveTime]]; nested: IllegalArgumentException[Invalid format: "2017/03/27 12:09:40" is malformed at "/03/27 12:09:40"];]

So the problem was that these messages get into Graylog fine, but can't be indexed by Elasticsearch. I ended up giving up and changing the problem fields until Graylog liked them.

if "Palo Alto" in [tags] {
   # Pull the syslog header and the common leading PAN-OS CSV fields out of the raw message;
   # everything after the log type (PAType) is left in pamessage for the per-type csv filters.
   grok {
       match => ["message", "<\d*>(?<patimestamp>\w* \d* \d*:\d*:\d*) (?<PanoramaHost>[^ ]*) (?<FutureUse0>[^,]*),(?<ReceiveTime>[^,]*),(?<SerialNumber>[^,]*),(?<PAType>[^,]*),%{GREEDYDATA:pamessage}"]
   }
   if [PAType] == "SYSTEM" {
       csv {source => "[pamessage]" columns => ["Subtype","FutureUse1","GeneratedTime","vsys","paEventID","Object","FutureUse2","FutureUse3","Module","Severity","Description","SeqNum","ActionFlags"]}
       # Drop the "YYYY/MM/DD HH:MM:SS" fields that Elasticsearch refuses to parse as dates,
       # and turn the remaining slashes in the raw message into underscores.
       mutate {remove_field => ["ReceiveTime", "GeneratedTime"] gsub => ["message", "/", "_"]}
   } else if [PAType] == "TRAFFIC" {
       # Note: this branch names the column "GenerateTime", so the remove_field below only drops ReceiveTime here.
       csv {source => "[pamessage]" columns => ["Threat-ContentType","ConfigVersion","GenerateTime","SrcAddress","DstAddress","NATSrcIP","NATDstIP","Rule","SrcUser","DstUser","App","VSys","SrcZone","DstZone","InboundInterface","OutboundInterface","LogAction","TimeLogged","SessionID","RepeatCount","SrcPort","DstPort","NATSrcPort","NATDstPort","Flags","Protocol","Action","Bytes","BytesSent","BytesReceived","Packets","StartTime","ElapsedTimeInSec","Category","Padding","SeqNum","ActionFlags","SrcCountry","DstCountry","cpadding","pkts_sent","pkts_received"]}
       mutate {remove_field => ["ReceiveTime", "GeneratedTime"] gsub => ["message", "/", "_"]}
   } else if [PAType] == "THREAT" {
       csv {source => "[pamessage]" columns => ["Subtype","FutureUse1","GeneratedTime","SrcIP","DstIP","NATSrcIP","NATDstIP","Rule","SrcUser","DstUser","App","vsys","SrcZone","DstZone","IngressInterface","EgressInterface","LogFwdProfile","FutureUse2","SessionID","RepeatCount","SrcPort","DstPort","NATSrcPort","NATDstPort","Flags","Protocol","Action","Misc","ThreatID","Category","Severity","Direction","SeqNum","ActionFlags","SrcLocation","DstLocation","FutureUse3","ContentType","pcapID","Filedigest","Cloud","FutureUse4","UserAgent","FileType","XForwardedFor","Referer","Sender","Subject","Recipient","ReportID"]}
       mutate {remove_field => ["ReceiveTime", "GeneratedTime"] gsub => ["message", "/", "_"]}
   } else if [PAType] == "CONFIG" {
       csv {source => "[pamessage]" columns => ["Subtype","FutureUse1","GeneratedTime","Host","vsys","Command","Admin","Client","Result","ConfigPath","SeqNum","ActionFlags","BeforeChangeDetail","AfterChangeDetail"]}
       mutate {remove_field => ["ReceiveTime", "GeneratedTime"] gsub => ["message", "/", "_"]}
   } else if [PAType] == "HIP-MATCH" {
       csv {source => "[pamessage]" columns => ["Subtype","FutureUse1","GeneratedTime","SrcUser","vsys","MachineName","OS","SrcAddress","HIPType","FutureUse2","FutureUse3","SeqNum","ActionFlags"]}
       mutate {remove_field => ["ReceiveTime", "GeneratedTime"] gsub => ["message", "/", "_"]}
   } else {
       # Anything with an unknown log type is tagged so it can be found and handled later.
       mutate {add_tag => "Uncategorized"}
   }
}
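The diagnosis above (stream counter climbing while searches return nothing) is characteristic of Elasticsearch bulk-indexing failures, so the check a practitioner wants is a tally of which index and field are failing in server.log, plus a way to keep the timestamps instead of dropping them. The following is an added example, not code from the post: it parses the failure lines quoted above and rewrites the PAN-OS "YYYY/MM/DD HH:MM:SS" format into ISO 8601, which Elasticsearch's default date parser accepts; the sample log lines are constructed and the ids in them are made up.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample of Graylog server.log content, modelled on the error quoted in the post.
SAMPLE_LOG = """\
2017-03-27T12:09:41.123-07:00 ERROR [Messages] Failed to index [3] messages. Please check the index error log in your web interface for the reason. Error: failure in bulk execution:
[54]: index [graylog_2], type [message], id [edb8ec50-1320-11e7-92de-005056b541f6], message [MapperParsingException[failed to parse [ReceiveTime]]; nested: IllegalArgumentException[Invalid format: "2017/03/27 12:09:40" is malformed at "/03/27 12:09:40"];]
[55]: index [graylog_2], type [message], id [edb8ec51-1320-11e7-92de-005056b541f6], message [MapperParsingException[failed to parse [GeneratedTime]]; nested: IllegalArgumentException[Invalid format: "2017/03/27 12:09:39" is malformed at "/03/27 12:09:39"];]
[56]: index [graylog_2], type [message], id [edb8ec52-1320-11e7-92de-005056b541f6], message [MapperParsingException[failed to parse [ReceiveTime]]; nested: IllegalArgumentException[Invalid format: "2017/03/27 12:09:41" is malformed at "/03/27 12:09:41"];]
"""

# One bulk-failure line: which index, which field failed to parse, and the offending value.
BULK_ERR = re.compile(
    r"index \[(?P<index>[^\]]+)\].*?failed to parse \[(?P<field>[^\]]+)\]"
    r'.*?Invalid format: "(?P<value>[^"]+)"'
)


def tally_index_failures(log_text):
    """Return {(index, field): count} for mapping failures found in Graylog's server.log.

    A non-empty result explains an "events arrive but search is empty" stream:
    the messages were received but never made it into the Elasticsearch index."""
    counts = Counter()
    for line in log_text.splitlines():
        m = BULK_ERR.search(line)
        if m:
            counts[(m.group("index"), m.group("field"))] += 1
    return dict(counts)


PA_TIME_FORMAT = "%Y/%m/%d %H:%M:%S"   # what PAN-OS puts in ReceiveTime / GeneratedTime


def normalize_pa_timestamp(value):
    """Rewrite a PAN-OS timestamp into ISO 8601 ("YYYY-MM-DDTHH:MM:SS").

    Returns None when the value does not match, so a caller can drop or quarantine
    that one field instead of letting the whole bulk request fail. The PAN-OS value
    carries no zone, so Elasticsearch will treat the result as UTC unless the caller
    appends the sender's offset (e.g. "-07:00" for the PST/PDT sender in the post)."""
    try:
        return datetime.strptime(value, PA_TIME_FORMAT).strftime("%Y-%m-%dT%H:%M:%S")
    except ValueError:
        return None


if __name__ == "__main__":
    for (index, field), n in sorted(tally_index_failures(SAMPLE_LOG).items()):
        print(f"{index}: {n} message(s) rejected because of field {field}")
    print(normalize_pa_timestamp("2017/03/27 12:09:40"))
```

Running it against the real /var/log/graylog-server/server.log replaces the guesswork about time zones with a per-field count of what Elasticsearch actually rejected.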

Source: https://serverfault.com/questions/840465