Problem description
I discovered Filebeat a couple of days ago. I have it sending data to Kafka directly if I hard-code the topic name in filebeat.yml. But I can't seem to figure out how to dynamically compute the topic name based on the Suricata event type. I've enabled the Filebeat suricata module and tried a number of things in the filebeat.yml topic value, like:
topic: 'suricata-%{[fields.suricata.eve.event_type]}'
But I always get this error in the log:
2020-01-14T23:44:49.550Z INFO kafka/log.go:53 kafka message: Initializing new client
2020-01-14T23:44:49.551Z INFO kafka/log.go:53 kafka message: Successfully initialized new client
2020-01-14T23:44:49.551Z INFO pipeline/output.go:105 Connection to kafka(somehost:9092) established
2020-01-14T23:44:49.551Z ERROR kafka/client.go:144 Dropping event: no topic could be selected
2020-01-14T23:44:49.551Z ERROR kafka/client.go:144 Dropping event: no topic could be selected
2020-01-14T23:44:49.551Z ERROR kafka/client.go:144 Dropping event: no topic could be selected
How do you do it? Are there any sample filebeat.yml files around that route to different topics based on Suricata event_type?
Recommended answer
In case there is another person on earth interested in this, I got an answer that works here:
https://discuss.elastic.co/t/suricata-logs-to-filebeat-to-kafka-topics-by-event-type/215179
topic: 'suricata-%{[suricata.eve.event_type]}'
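The following filebeat.yml is an added example and is not from the original thread or the linked discussion; it shows the accepted answer's format string alongside a rule-based alternative. It assumes Filebeat 7.x with the suricata module enabled, which is what makes suricata.eve.event_type available on the Beat side before the Kafka output chooses a topic (the question's fields.suricata.eve.event_type never exists, so every event was dropped with "no topic could be selected"). The EVE log path, broker address and TLS paths are assumptions. Going beyond the answer, it pins the set of topic names with explicit rules plus a static fallback, so a malformed or unexpected event_type value cannot mint new topics on a broker that has auto.create.topics.enable turned on, and events with no event_type are still delivered rather than dropped.

```yaml
# Added example filebeat.yml, not the original poster's or the Filebeat
# project's own config. Assumes Filebeat 7.x with the suricata module
# enabled; the module decodes each EVE record into suricata.eve.*, which is
# the field the accepted answer's format string reads.
filebeat.modules:
  - module: suricata
    eve:
      enabled: true
      var.paths: ["/var/log/suricata/eve.json"]   # assumed log location

output.kafka:
  hosts: ["somehost:9092"]            # broker name from the question's log output
  required_acks: 1
  compression: gzip

  # Rules are evaluated in order; the first match sets the topic. Listing the
  # event types you expect keeps topic names under your control even when the
  # broker auto-creates topics on first publish.
  topics:
    - topic: "suricata-alert"
      when.equals:
        suricata.eve.event_type: "alert"
    - topic: "suricata-flow"
      when.equals:
        suricata.eve.event_type: "flow"
    - topic: "suricata-dns"
      when.equals:
        suricata.eve.event_type: "dns"
    - topic: "suricata-http"
      when.equals:
        suricata.eve.event_type: "http"
    - topic: "suricata-tls"
      when.equals:
        suricata.eve.event_type: "tls"

  # Used when no rule above matches. A static name here means an event with an
  # unknown or missing event_type is still delivered instead of dropped.
  # To give every event type its own topic, as in the accepted answer, replace
  # this with the format string
  #   topic: 'suricata-%{[suricata.eve.event_type]}'
  # and accept that an event lacking that field is dropped with
  # "no topic could be selected", exactly the error in the question.
  topic: "suricata-other"

  # Assumed TLS settings; adjust to your broker. EVE records carry alert
  # details and packet payloads, so do not ship them to Kafka in the clear.
  ssl.certificate_authorities: ["/etc/pki/kafka/ca.pem"]
  ssl.certificate: "/etc/pki/kafka/filebeat.pem"
  ssl.key: "/etc/pki/kafka/filebeat-key.pem"
```

Check the file with `filebeat test config -c filebeat.yml` and the broker connection with `filebeat test output -c filebeat.yml` before starting the service; then consume from suricata-alert and suricata-other to confirm that known and unknown event types land where intended and that nothing is being dropped in the Filebeat log.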
This concludes the article on Suricata to Filebeat to Kafka, routing to topics by event type; we hope the recommended answer helps.