我可以通过使用logstash过滤器将具有相同标识符的多个日志行组合成一个日志行吗?
2024-11-19T13:31:43+00:00 10.xx.xx.xx mail_logs: Info: Start MID 1253473 ICID 24103922
2024-11-19T13:31:43+00:00 10.xx.xx.xx mail_logs: Info: MID 1253473 ICID 24103922 From: <[email protected]>
2024-11-19T13:31:43+00:00 10.xx.xx.xx mail_logs: Info: MID 1253473 SDR: Domains for which SDR is requested: reverse DNS host: mail.example.co.id, helo: mail.example.co.id, env-from: example.co.id, header-from: Not Present, reply-to: Not Present
2024-11-19T13:31:43+00:00 10.xx.xx.xx mail_logs: Info: MID 1253473 SDR: Consolidated Sender Threat Level: Neutral, Threat Category: N/A, Suspected Domain(s) : N/A (other reasons for verdict). Sender Maturity: 30 days (or greater) for domain: mail.example.co.id
2024-11-19T13:31:43+00:00 10.xx.xx.xx mail_logs: Info: MID 1253473 ICID 24103922 To: <[email protected]> Rejected by Receiving Control
2024-11-19T13:31:43+00:00 10.xx.xx.xx mail_logs: Info: MID 1253473 ICID 24103922 To: <[email protected]> Rejected by Receiving Control
2024-11-19T13:31:43+00:00 10.xx.xx.xx mail_logs: Info: MID 1253473 Subject ""
2024-11-19T13:31:43+00:00 10.xx.xx.xx mail_logs: Info: Message aborted MID 1253473 Receiving aborted by sender
2024-11-19T13:31:43+00:00 10.xx.xx.xx mail_logs: Info: Message finished MID 1253473 aborted
例如,我有来自 Cisco IronPort 设备的日志,当它们都是一整行日志时,每行发送这些日志。
我尝试过使用聚合但证据仍然不行,还有其他建议吗
是的,您可以使用 logstash 多行编解码器插件 或 filebeat 多行解析器。