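A few days ago I discovered Filebeat. I can get it to send data directly to Kafka if I hard-code the topic name in filebeat.yml. But I can't seem to figure out how to compute the topic name dynamically based on the Suricata event type. I have enabled the Filebeat suricata module and tried many things in the filebeat.yml topic value, for example: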
topic: 'suricata-%{[fields.suricata.eve.event_type]}'
But I always get this error in the logs:
2020-01-14T23:44:49.550Z INFO kafka/log.go:53 kafka message: Initializing new client
2020-01-14T23:44:49.551Z INFO kafka/log.go:53 kafka message: Successfully initialized new client
2020-01-14T23:44:49.551Z INFO pipeline/output.go:105 Connection to kafka(somehost:9092) established
2020-01-14T23:44:49.551Z ERROR kafka/client.go:144 Dropping event: no topic could be selected
2020-01-14T23:44:49.551Z ERROR kafka/client.go:144 Dropping event: no topic could be selected
2020-01-14T23:44:49.551Z ERROR kafka/client.go:144 Dropping event: no topic could be selected
How do you do this? Are there any example filebeat.yml files for routing to different topics based on the Suricata event type?
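
An added example, not part of the original post: a topic format string that references a field absent from the event cannot be resolved, and Filebeat then drops the event with "no topic could be selected". The constructed filebeat.yml below swaps the suricata module for a plain log input that decodes eve.json inside Filebeat, so the top-level event_type field exists when the Kafka output selects a topic. The file path and the suricata-unparsed fallback topic are assumptions.

```yaml
# Added example (not from the original post). Constructed filebeat.yml that
# reads eve.json with a plain log input instead of the suricata module, so the
# JSON keys are decoded inside Filebeat before the Kafka output picks a topic.
filebeat.inputs:
  - type: log
    paths:
      - /var/log/suricata/eve.json   # assumed path; adjust to your sensor
    json.keys_under_root: true       # event_type, src_ip, ... become top-level fields
    json.add_error_key: true         # JSON decode failures are flagged on the event

output.kafka:
  hosts: ["somehost:9092"]           # broker taken from the log lines in the post
  # Fallback topic for events that carry no event_type (for example lines that
  # failed JSON decoding). Without a resolvable topic, Filebeat logs
  # "Dropping event: no topic could be selected" and discards the event.
  topic: 'suricata-unparsed'         # assumed name
  topics:
    # Resolved per event: alert -> suricata-alert, dns -> suricata-dns, ...
    - topic: 'suricata-%{[event_type]}'
      when.has_fields: ['event_type']
```

Because topic names are derived from event content here, pre-create the expected topics or restrict automatic topic creation on the broker so that unexpected values do not create new topics.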