[错误] %1 (%2) %3 错误的页面链接 (错误 %4) 在 B 树中检测到 (ObjectId：%5，PgnoRoot：%6) 的数据库 %7 (%8 => %9，%10)。
标记：%11
致命： %12

---------------input 输入模块-----------------------

input{
beats{ #winlogbeat为数据源，使用beats插件
type => "winlog_security" #输入数据打上winlog_security 类型
host => "0.0.0.0" #接收任意主机数据
port => 6515 #定义端口，需和采集器配置一致
codec => plain{ charset => "UTF-8" }
}
}

---------------filter 过滤模块-----------------------

filter{
if [type] == "winlog_security" { #此文件的数据源才过滤处理
date{
match => ["event.time","dd/MMM/yyyy:HH:mm:ss Z"]
}
ruby{
code => "event.set('event.time', event.get('@timestamp').time.localtime + 86060)"

     }
     mutate{							#删除不需要的字段
             copy => {"[@metadata][ip_address]" => "serverip"}
             
            #  remove_field => ["[agent]","@version","[process]","tags"]
            #  remove_field => ["task","api","keywords","record_id"]
            #  remove_field => ["[ecs]","[log]","[winlog_channel]"]
            #  remove_field => ["[keywords]","provider_guid"]
            #  remove_field => ["[os]","opcode","id","related","kind","message","[event]"]
     }
    #  if ([winlog][event_data][LogonType] == "3") {    #由于只是需要用户安全登录日志，将一些系统的登录日志删除
    #          drop {}
    #  }
    #  if ([winlog][event_data][LogonType] == "5") {
    #         drop {}
    # }
    #    if ([user][domain] == "Window Manager") {
    #         drop {}
    # }
  }

}

---------------output 输出模块-----------------------

output{
if [type] == "winlog_security" {
elasticsearch { #输出到es
hosts => ["192.168.21.33:9200"]
index => "winlog_security-%{+yyyy.MM.dd}" #创建索引
}
}
}

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.