LDAP - 389ds - FluentD - filter plugin - type record_transformer - can it have multiple <record> section entries?

Question description   Votes: 0   Answers: 1

Can FluentD 1.16.3/+ have multiple record entries in a filter plugin of type record_transformer?

I have the following configuration, but it seems to keep only the last record entry.

  <filter authentication>
    @type record_transformer
    enable_ruby
    remove_keys log
    <record>
      message ${record["log"]}
      audit.category Login
      audit.event ${if record["log"].include? "Invalid credentials"; 'Failed'; else; 'Successful' end;} Login
      audit.dashboards.authentication true
    </record>
    <record>
      message ${record["log"]}
      audit.category Anonymous_Login
      audit.event ${if record["log"].include? "Anonymous access not allowed"; 'LDAP Anonymous Access Attempted'; end;}
      audit.dashboards.authentication true
    </record>
    <record>
      message ${record["log"]}
      audit.category LDAP_Search
      audit.event ${if record["log"].include? "SRCH base="; 'LDAP Search Action'; end;}
      audit.dashboards.authentication true
    </record>
    <record>
      message ${record["log"]}
      audit.category LDAP_Search_Result
      audit.event ${if record["log"].include? "RESULT err="; 'LDAP Search Result'; end;}
      audit.dashboards.authentication true
    </record>
  </filter>

I tried putting all of these if statements into a common LOGIN category, but elsif does not help in my case: as soon as one of the elsif conditions becomes TRUE, the rest are not checked.

  <filter authentication>
    @type record_transformer
    enable_ruby
    <record>
      message ${record["log"]}
      audit.category Login
      audit.event ${if record["log"].include? "Invalid credentials"; 'Failed Login'; elsif record["log"].include? "Anonymous access not allowed"; 'LDAP Anonymous Access Attempted'; elsif record["log"].include? "SRCH base="; 'LDAP Search Action'; elsif record["log"].include? "RESULT err="; 'LDAP Search Result'; end;} 
      audit.dashboards.authentication true
    </record>
    remove_keys log
  </filter>
ldap redhat openldap fluentd 389ds
1 Answer

0 votes

Solved.

The audit.category and audit.event fields had to be set using IF-THEN-ELSIF-ELSE statements.

Multiple <record> blocks did not work as expected (when I wanted to keep them separate). Note that some records (log lines) were missing in ELK (viewed in Kibana UI > Discover > the given time window).

  <filter authentication>
    @type record_transformer
    enable_ruby
    <record>
      message ${record["log"]}
      audit.category ${if record["log"].include? "Invalid credentials"; 'Login'; elsif record["log"].include? "Anonymous access not allowed"; 'Anonymous Login'; elsif record["log"].include? "SRCH base="; 'LDAP Event'; elsif record["log"].include? "RESULT err="; 'LDAP Event'; end;}
      audit.event ${if record["log"].include? "Invalid credentials"; 'Failed Login'; elsif record["log"].include? "Anonymous access not allowed"; 'LDAP Anonymous Access Attempted'; elsif record["log"].include? "SRCH base="; 'LDAP Search Action'; elsif record["log"].include? "RESULT err="; 'LDAP Search Result'; end;} 
      audit.dashboards.authentication true
    </record>
    remove_keys log
  </filter>
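The classification the answer builds with an if/elsif chain, as an added example in plain Ruby (not code from the question or the answer) so the rules can be tested before they are pasted into the fluentd config; the 389ds-style log lines are constructed, and the "Unclassified" fallback for lines that match no rule is an assumption of this example, not something the answer's config does:

```ruby
# Added example, not code from the original question or answer: the if/elsif
# classification the accepted answer embeds in record_transformer's ${...}
# expressions, as plain Ruby so the rules can be tested before they go into
# the fluentd config. Sample lines are constructed in the style of a 389ds
# access log, not copied from a real server.

# Ordered rules: first match wins, exactly like the elsif chain in the answer.
# Order matters: a line that contains both "RESULT err=" and "Invalid
# credentials" is reported as a failed login, not as a generic result.
RULES = [
  ["Invalid credentials",          "Login",           "Failed Login"],
  ["Anonymous access not allowed", "Anonymous Login", "LDAP Anonymous Access Attempted"],
  ["SRCH base=",                   "LDAP Event",      "LDAP Search Action"],
  ["RESULT err=",                  "LDAP Event",      "LDAP Search Result"],
].freeze

# Audit fields for one log line. The answer's expression has no final else,
# so an unmatched line gets an empty audit.event; the explicit fallback value
# here (an assumption of this example) keeps such lines visible in a dashboard.
def classify(log)
  needle, category, event = RULES.find { |n, _, _| log.include?(n) }
  return { "audit.category" => "Unclassified", "audit.event" => "Unclassified LDAP Event" } if needle.nil?

  { "audit.category" => category, "audit.event" => event }
end

# What the filter does to one record: copy log to message, add the audit
# fields, set the dashboard flag, then drop the original key (remove_keys log).
def transform(record)
  out = record.merge("message" => record["log"],
                     "audit.dashboards.authentication" => true)
  out.merge!(classify(record["log"]))
  out.delete("log")
  out
end

# Constructed sample lines in 389ds access-log style.
SAMPLE_LINES = [
  '[01/Jan/2024:00:00:01 +0000] conn=1 op=0 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128 version=3',
  '[01/Jan/2024:00:00:01 +0000] conn=1 op=0 RESULT err=49 tag=97 nentries=0 etime=0.001 - Invalid credentials',
  '[01/Jan/2024:00:00:02 +0000] conn=2 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(uid=bob)" attrs=ALL',
  '[01/Jan/2024:00:00:02 +0000] conn=2 op=1 RESULT err=0 tag=101 nentries=1 etime=0.002',
  '[01/Jan/2024:00:00:03 +0000] conn=3 op=0 BIND dn="" method=128 version=3 - Anonymous access not allowed',
].freeze

if __FILE__ == $0
  SAMPLE_LINES.each { |line| p transform("log" => line) }
end
```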