¿Cuál es el significado del prefijo @ en los nombres de campo logstash?


8

La siguiente configuración de logstash se usa para aceptar los registros de eventos de Windows como json a través de una conexión TCP y luego, después de filtrar, reenviar el resultado a Elastic search (fuente: https://gist.github.com/robinsmidsrod/4215337 ):

input {
    tcp {
        type => "syslog"
        host => "127.0.0.1"
        port => 3514
    }
    tcp {
        type   => "eventlog"
        host   => "10.1.1.2"
        port   => 3515
        format => 'json'
    }
}

# Details at http://cookbook.logstash.net/recipes/syslog-pri/
filter {

# Incoming data from rsyslog
    grok {
        type      => "syslog"
        pattern   => [ "<%{POSINT:syslog_pri}>(?:%{SYSLOGTIMESTAMP:syslog_timestamp}|%{TIMESTAMP_ISO8601:syslog_timestamp8601}) %{SYSLOGHOST:syslog_hostname} %{PROG:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" ]
        add_field => [ "received_at", "%{@timestamp}" ]
        add_field => [ "received_from", "%{@source_host}" ]
    }
    syslog_pri {
        type => "syslog"
    }
    date {
        type                 => "syslog"
        syslog_timestamp8601 => "ISO8601" # RSYSLOG_ForwardFormat
        syslog_timestamp     => [ "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
    mutate {
        type         => "syslog"
        exclude_tags => "_grokparsefailure"
        replace      => [ "@source_host", "%{syslog_hostname}" ]
        replace      => [ "@message", "%{syslog_message}" ]
    }
    mutate {
        type   => "syslog"
        remove => [ "syslog_hostname", "syslog_message", "syslog_timestamp", "syslog_timestamp8601" ]
    }

# Incoming Windows Event logs from nxlog
    # The EventReceivedTime field must contain only digits, or it is an invalid message
    grep {
        type              => "eventlog"
        EventReceivedTime => "\d+"
    }
    mutate {
        # Lowercase some values that are always in uppercase
        type      => "eventlog"
        lowercase => [ "EventType", "FileName", "Hostname", "Severity" ]
    }
    mutate {
        # Set source to what the message says
        type   => "eventlog"
        rename => [ "Hostname", "@source_host" ]
    }
    date {
        # Convert timestamp from integer in UTC
        type              => "eventlog"
        EventReceivedTime => "UNIX"
    }
    mutate {
        # Rename some fields into something more useful
        type   => "eventlog"
        rename => [ "Message", "@message" ]
        rename => [ "Severity", "eventlog_severity" ]
        rename => [ "SeverityValue", "eventlog_severity_code" ]
        rename => [ "Channel", "eventlog_channel" ]
        rename => [ "SourceName", "eventlog_program" ]
        rename => [ "SourceModuleName", "nxlog_input" ]
        rename => [ "Category", "eventlog_category" ]
        rename => [ "EventID", "eventlog_id" ]
        rename => [ "RecordNumber", "eventlog_record_number" ]
        rename => [ "ProcessID", "eventlog_pid" ]
    }
    mutate {
        # Remove redundant fields
        type   => "eventlog"
        remove => [ "SourceModuleType", "EventTimeWritten", "EventTime", "EventReceivedTime", "EventType" ]
    }
}

output {
    elasticsearch {
        embedded => true
    }
    graphite {
        # Ping the graphite server every time a syslog message is received
        type => "syslog"
        port => 2023     # carbon-aggregator
        metrics => [ "syslog.received.%{@source_host}.count", "1" ]
    }
    graphite {
        # Ping the graphite server every time an eventlog message is received
        type => "eventlog"
        port => 2023     # carbon-aggregator
        metrics => [ "eventlog.received.%{@source_host}.count", "1" ]
    }
}

¿Cuál es el significado del @prefijo en algunos nombres de campo en las líneas 58 y 68? es decir @source_hosty @messageen estos mutatefiltros:

mutate {
    # Set source to what the message says
    type   => "eventlog"
    rename => [ "Hostname", "@source_host" ]
}

y

mutate {
    # Rename some fields into something more useful
    type   => "eventlog"
    rename => [ "Message", "@message" ]
    rename => [ "Severity", "eventlog_severity" ]
    rename => [ "SeverityValue", "eventlog_severity_code" ]
    rename => [ "Channel", "eventlog_channel" ]
    rename => [ "SourceName", "eventlog_program" ]
    rename => [ "SourceModuleName", "nxlog_input" ]
    rename => [ "Category", "eventlog_category" ]
    rename => [ "EventID", "eventlog_id" ]
    rename => [ "RecordNumber", "eventlog_record_number" ]
    rename => [ "ProcessID", "eventlog_pid" ]
}

Respuestas:


6

Creo que fue simplemente una decisión de espacio de nombres para evitar colisiones.

Se ha purgado principalmente de las versiones más nuevas de logstash. Solo quedan @timestamp y @version. Debería buscar actualizar logstash y sus cargadores.



2
Gracias por la respuesta. Estoy ejecutando lo último, pero algunos ejemplos de configuración todavía usan el @prefijo y no pude encontrar ninguna mención de él en los documentos / en otro lugar.
Kev

1
Logstash 1.5 agrega un @metadatacampo: elastic.co/guide/en/logstash/current/…
Miles
Al usar nuestro sitio, usted reconoce que ha leído y comprende nuestra Política de Cookies y Política de Privacidad.
Licensed under cc by-sa 3.0 with attribution required.