我正在使用 ELK 版本 8.10.2-1 来记录 Kong API 网关日志。我想配置logstash电子邮件插件以根据http状态代码发送电子邮件通知。
在 ELK Kong Logs 中,我有一个名为
[response.status][response.status]请问如何根据
[response.status]logstash配置文件:
input {
udp {
port => 9000
}
}
filter {
json {
source => "message"
add_tag => ["kong"]
}
##
if [response.status] == "401" {
mutate {
add_tag => [ "http_error_401" ]
}
}
##
}
output {
elasticsearch {
hosts => ["https://xx.xx.xx.xx:9200" , "https://xx.xx.xx.xx:9200" , "https://xx.xx.xx.xx:9200"]
user => "elastic_user"
password => "${elastic_password}"
ssl => true
ssl_certificate_verification => false
cacert => "/etc/logstash/http_ca.crt"
ilm_rollover_alias => "kong"
ilm_pattern => "{now/d}-000001"
ilm_policy => "kong-index-policy-example"
}
if "http_error_401" in [tags] {
email {
to => "[email protected]"
from => "[email protected]"
subject => "API-Error at %{@timestamp}"
body => "Tags: %{tags}\\n\\Content:\\n%{message}"
via => "smtp"
address => "mail.example.com"
port => 25
}
}
}
if [response.status] == "401"if [response][status] == "401"if [response][status] == 401解释如下:
[响应.状态]
Logstash 中的语法
if [response.status] == "401"[回复][状态] Logstash 中的语法
[response][status][response][status]如果您想查看,这里是官方文档:https://www.elastic.co/guide/en/logstash/current/event-dependent-configuration.html
如果您想测试,这里有一个示例:
#logstash 配置:
input {
stdin {codec => json}
}
filter {
if [response][status] == 401 {
mutate {
add_tag => [ "http_error_401" ]
}
}
}
output {
if "http_error_401" in [tags] {
stdout {}
}
}
#数据:
{"response":{"status":401}}
#运行logstash
./logstash-7.16.2/bin/logstash -f email.conf
#输出:
{"response":{"status":401}}
{
"host" => "musab-mac.local",
"tags" => [
[0] "http_error_401"
],
"response" => {
"status" => 401
},
"@version" => "1",
"@timestamp" => 2023-12-18T14:27:40.534Z
}