2

我们可以将电子邮件通知发送到特定的电子邮件地址,但我想根据日志中的某些模式将电子邮件发送到不同的邮寄地址。

例如说我有三个用户的电子邮件地址

  1. userOne@something.com 接收邮件 id 日志包含 [userOneModule]
  2. userTwo@something.com 接收邮件 id 日志包含 [userTwoModule]
  3. userThree@something.com 接收邮件 id 日志包含 [userThreeModule

使用的 Logstash 版本是 1.3.3 如果在 logstash 中可能有任何帮助或任何解决方法来实现类似的东西。

这是我的配置,虽然“安全”和“门户”都匹配,但电子邮件只发送给一个。

当我只保留一种日志说安全日志或门户日志时,它可以工作,但是当我保留两种日志时,它只会向其中一个发送电子邮件。 

output { 

if [module] == "Security"{
    email { 
   to => "userOne@somemail.com" 
   from => "dummy2161@somemail.com"
    match =>["%{message}","severity,ERROR"]
   subject => "Error Occured" 
   body => "%{message}" 
   via => "smtp" 
   options => { 
     starttls => "true" 
     smtpIporHost => "smtp.gmail.com" 
     port => "587" 
     userName => "dummy2161@somemail.com" 
    password => "*******"  
     authenticationType => "plain" 
   } 
 }
 }
 if [module] == "Portal"{
    email { 
   to => "userTwo@somemail.com" 
   from => "dummy2161@gmail.com"
    match =>["%{message}","severity,ERROR"]
   subject => "Error Occured" 
   body => "%{message}" 
   via => "smtp" 
   options => { 
     starttls => "true" 
     smtpIporHost => "smtp.gmail.com" 
     port => "587" 
     userName => "dummy2161@somemail 
    password => "*****"  
     authenticationType => "plain" 
   } 
 }
 }

}

谢谢

4

1 回答 1

0

您可以将收件人电子邮件地址存储在一个字段中(使用条件或 grok 过滤器来分配值)并在电子邮件输出的to参数中引用该字段,或者您可以将多个电子邮件输出包装在条件中。

使用字段存储地址:

filter {
  # If the module name is the same as the recipient address's local part
  mutate {
    add_field => { "recipient" => "%{modulename}@example.com" }
  }

  # Otherwise you might have to use conditionals.
  if [modulename] == "something" {
    mutate {
      add_field => { "recipient" => "someuser@example.com" }
    }
  } else {
    mutate {
      add_field => { "recipient" => "otheruser@example.com" }
    }
  }
}

output {
  email {
    to => "%{recipient}"
    ...
  }
}

在条件中包装输出:

output {
  if [modulename] == "something" {
    email {
      to => "someuser@example.com"
      ...
    }
  } else {
    email {
      to => "otheruser@example.com"
      ...
    }
  }
}
于 2015-06-03T10:12:31.063 回答