主页 / server / 问题 / 840465
Accepted
armani
Asked: 2017-03-25 11:09:35 +0800 CST

Graylog 流获取事件,但为空

  • 772

我已经开始将帕洛阿尔托日志发送到 Graylog,并且流规则通过在“标签”字段中匹配“帕洛阿尔托”来挑选它们(这就是我所有的流规则的方式;前端 Logstash 实例在之前进行标记运送到 Graylog)。

我知道 Graylog 节点正在网络接口上接收这些事件: 用于事件的 tcpdump

并且流显示它正在获取事件(注意“22 条消息/秒”):

请注意,它目前每秒收到 22 条消息

然而,当我单击流(或搜索 --> 标签:“Palo Alto”​​)时,找不到任何事件。

空流

我在网上看到的唯一常见问题是时区设置将这些事件置于未来,但我们的帕洛阿尔托全景发送器上的时间是正确的 (PST),并且在未来一天尝试绝对时间搜索什么也没有发现。

版本信息:

Graylog 2.2.2+691b4b7,代号 Stiegl

弹性搜索 2.4.4

Lucene 5.5.2

我还没有回答这个问题,即搜索功能无法正常工作以查找实际到达的事件。我怀疑它有任何关系,但为了完整起见,我会在这里包括它。

logging

1 个回答

  1. Best Answer

    在 Graylog 服务器节点的 /var/log/graylog-server/server.log 日志文件中,我注意到很多错误,例如:

    [54]:索引[graylog_2],类型[消息],id [edb8ec50-1320-11e7-92de-005056b541f6],消息[MapperParsingException[无法解析[ReceiveTime]];嵌套:IllegalArgumentException [无效格式:“2017/03/27 12:09:40”在“/03/27 12:09:40”处格式错误];]

    所以问题是这些消息可以很好地进入 Graylog,但无法被 Elasticsearch 索引。我最终放弃并改变了问题字段,直到 Graylog 喜欢它们。

    if "Palo Alto" in [tags] {
    grok {
        match => ["message", "<\d*>(?<patimestamp>\w* \d* \d*:\d*:\d*) (?<PanoramaHost>[^ ]*) (?<FutureUse0>[^,]*),(?<ReceiveTime>[^,]*),(?<SerialNumber>[^,]*),(?<PAType>[^,]*),%{GREEDYDATA:pamessage}"]
    }
    if [PAType] == "SYSTEM" {
        csv {source => "[pamessage]" columns => ["Subtype","FutureUse1","GeneratedTime","vsys","paEventID","Object","FutureUse2","FutureUse3","Module","Severity","Description","SeqNum","ActionFlags"]}
        mutate {remove_field => ["ReceiveTime"] remove_field => ["GeneratedTime"] gsub => ["message", "/", "_"]}
    } else if [PAType] == "TRAFFIC" {
        csv {source => "[pamessage]" columns => ["Threat-ContentType","ConfigVersion","GenerateTime","SrcAddress","DstAddress","NATSrcIP","NATDstIP","Rule","SrcUser","DstUser","App","VSys","SrcZone","DstZone","InboundInterface","OutboundInterface","LogAction","TimeLogged","SessionID","RepeatCount","SrcPort","DstPort","NATSrcPort","NATDstPort","Flags","Protocol","Action","Bytes","BytesSent","BytesReceived","Packets","StartTime","ElapsedTimeInSec","Category","Padding","SeqNum","ActionFlags","SrcCountry","DstCountry","cpadding","pkts_sent","pkts_received"]}
                    mutate {remove_field => ["ReceiveTime"] remove_field => ["GeneratedTime"] gsub => ["message", "/", "_"]}
    } else if [PAType] == "THREAT" {
        csv {source => "[pamessage]" columns => ["Subtype","FutureUse1","GeneratedTime","SrcIP","DstIP","NATSrcIP","NATDstIP","Rule","SrcUser","DstUser","App","vsys","SrcZone","DstZone","IngressInterface","EgressInterface","LogFwdProfile","FutureUse2","SessionID","RepeatCount","SrcPort","DstPort","NATSrcPort","NATDstPort","Flags","Protocol","Action","Misc","ThreatID","Category","Severity","Direction","SeqNum","ActionFlags","SrcLocation","DstLocation","FutureUse3","ContentType","pcapID","Filedigest","Cloud","FutureUse4","UserAgent","FileType","XForwardedFor","Referer","Sender","Subject","Recipient","ReportID"]}
                    mutate {remove_field => ["ReceiveTime"] remove_field => ["GeneratedTime"] gsub => ["message", "/", "_"]}
    } else if [PAType] == "CONFIG" {
        csv {source => "[pamessage]" columns => ["Subtype","FutureUse1","GeneratedTime","Host","vsys","Command","Admin","Client","Result","ConfigPath","SeqNum","ActionFlags","BeforeChangeDetail","AfterChangeDetail"]}
                    mutate {remove_field => ["ReceiveTime"] remove_field => ["GeneratedTime"] gsub => ["message", "/", "_"]}
    } else if [PAType] == "HIP-MATCH" {
        csv {source => "[pamessage]" columns => ["Subtype","FutureUse1","GeneratedTime","SrcUser","vsys","MachineName","OS","SrcAddress","HIPType","FutureUse2","FutureUse3","SeqNum","ActionFlags"]}
                    mutate {remove_field => ["ReceiveTime"] remove_field => ["GeneratedTime"] gsub => ["message", "/", "_"]}
    } else {
        mutate {add_tag => "Uncategorized"}
    }
}
    • 0

相关问题