
# Logstash

This page explains how to collect OpenRASP alarm logs with Logstash and ship them to Elasticsearch for storage.

### Before you start <a href="#prepare" id="prepare"></a>

Before you start, you need the following information:

* Elasticsearch details
  * Server address and port, here `192.168.154.200:9200`
  * Name of the index to create, here `rasp-%{+YYYY.MM.dd}` (one index per day)
  * Document type to use, here `attack` (the example configuration below does not set one)
* The absolute path of the alarm log; see the [Log description - storage path](https://github.com/baidu-security/openrasp-docs-old/blob/main/setup/log/main.html) document

### Example configuration <a href="#example" id="example"></a>

Taking a Tomcat server as the example, a complete Logstash configuration looks like this:

```
# Tail the OpenRASP alarm logs of this Tomcat instance. The trailing "*" in
# the glob also matches rotated log files.
input {
    file {
        path => ["/home/tomcat/rasp/logs/alarm/*.log*"]
        # Read files that already exist from their start on the first run;
        # afterwards Logstash resumes from the position recorded in its sincedb.
        start_position => "beginning"
    }
}
# Every alarm line is one JSON object: expand it into fields of the event.
filter {
    json {
        source => "message"
    }
}
output {
    # Echo each event to the console. Useful while validating the pipeline;
    # remove it in production.
    stdout {
        codec => rubydebug
    }
    elasticsearch {
        hosts => ["192.168.154.200:9200"]
        # One index per day, derived from the event's @timestamp (in UTC).
        index => "rasp-%{+YYYY.MM.dd}"
    }
}
```

For more information, see the following documents. They are the Logstash 1.5 plugin references; plugin options change between releases, so consult the pages for the Logstash version you actually run:

* [input file plugin options](https://www.elastic.co/guide/en/logstash/1.5/plugins-inputs-file.html)
* [output elasticsearch plugin options](https://www.elastic.co/guide/en/logstash/1.5/plugins-outputs-elasticsearch.html)
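
To see what the pipeline above does to each alarm line, the following script walks a few constructed lines through the same stages. It is an added illustration written for this page, not code from OpenRASP or Logstash: it reproduces the observable behaviour of the `json` filter (fields merged on success, `_jsonparsefailure` tag on a broken line) and of the `rasp-%{+YYYY.MM.dd}` index pattern (day taken from `@timestamp` in UTC). The alarm lines, their field names and the assumed UTC+8 host timezone are all constructed for the example; real OpenRASP alarms carry more fields.

```python
"""Walk constructed alarm lines through the stages of the configuration above.

Added illustration for this page, not OpenRASP or Logstash code.
"""
import json
from datetime import datetime, timedelta, timezone

# Assumed local timezone of the Tomcat host (UTC+8); only used for the sample.
CST = timezone(timedelta(hours=8))

# Constructed alarm log content: two well-formed alarms and one truncated line,
# such as Logstash may read while the agent is still writing it. Field names
# are illustrative; real OpenRASP alarms carry more fields.
SAMPLE_ALARM_LOG = (
    '{"event_type":"attack","event_time":"2019-03-02T00:10:05+0800",'
    '"attack_type":"sql","intercept_state":"block",'
    '"url":"http://app.example/login","request_method":"POST"}\n'
    '{"event_type":"attack","event_time":"2019-03-02T00:12:30+0800",'
    '"attack_type":"webshell_command","intercept_state":"log",'
    '"url":"http://app.example/x.jsp","request_method":"GET"}\n'
    '{"event_type":"attack","event_time":"2019-03-02T00:1\n'
)

# Time at which Logstash reads the sample (local time on the host).
DEMO_RECEIVED_AT = datetime(2019, 3, 2, 0, 15, tzinfo=CST)


def json_filter(message, received_at):
    """Mimic `filter { json { source => "message" } }`.

    A well-formed line has its fields merged into the event. A line that does
    not parse is kept and tagged `_jsonparsefailure` (the filter's default
    tag_on_failure), so a corrupt line still reaches Elasticsearch and can be
    found by tag instead of vanishing silently. Only JSON objects are merged;
    anything else is treated as a failure in this simulation.
    """
    event = {"message": message, "@timestamp": received_at, "tags": []}
    try:
        parsed = json.loads(message)
    except json.JSONDecodeError:
        parsed = None
    if not isinstance(parsed, dict):
        event["tags"].append("_jsonparsefailure")
        return event
    event.update(parsed)
    return event


def index_name(event):
    """Mimic `index => "rasp-%{+YYYY.MM.dd}"`.

    Logstash expands `%{+...}` from the event's @timestamp rendered in UTC.
    The configuration on this page has no `date` filter, so @timestamp is the
    time Logstash read the line, not the alarm's own event_time: a line read
    shortly after local midnight in UTC+8 is filed under the previous UTC day.
    """
    return event["@timestamp"].astimezone(timezone.utc).strftime("rasp-%Y.%m.%d")


def run_pipeline(log_text, received_at):
    """Return (index, event) for every non-empty line of the alarm log."""
    routed = []
    for line in log_text.splitlines():
        if line.strip():
            event = json_filter(line, received_at)
            routed.append((index_name(event), event))
    return routed


def bulk_body(routed):
    """NDJSON body in the shape the elasticsearch output sends to the _bulk API."""
    lines = []
    for index, event in routed:
        lines.append(json.dumps({"index": {"_index": index}}))
        lines.append(json.dumps(
            event, default=lambda d: d.astimezone(timezone.utc).isoformat()))
    return "\n".join(lines) + "\n"


def demo():
    """Run the constructed sample; all three lines land in rasp-2019.03.01."""
    return run_pipeline(SAMPLE_ALARM_LOG, DEMO_RECEIVED_AT)


if __name__ == "__main__":
    for index, event in demo():
        print(index, event.get("attack_type", "<unparsed>"), event["tags"])
    print(bulk_body(demo()))
```

Two things the run makes visible: the truncated third line is not dropped but indexed with `tags: ["_jsonparsefailure"]` and only its raw `message`, which is worth alerting on because it usually means the file input is reading lines before the agent has finished writing them; and because `@timestamp` is ingestion time in UTC, an alarm read at 00:15 local time (UTC+8) goes into the previous day's `rasp-2019.03.01` index. If you want the index day to follow the alarm's own `event_time`, add a `date` filter to the pipeline.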

### FAQ <a href="#faq" id="faq"></a>

#### 1. No data shows up in Kibana <a href="#faq-1" id="faq-1"></a>

**First, confirm whether Elasticsearch holds any data**

On the command line, run:

```
curl '192.168.154.200:9200/rasp-*/_count'
```

If the response contains a `count` field, Elasticsearch has data. In that case check whether Kibana is configured with the wrong Elasticsearch address, or with an index pattern that does not match `rasp-*`.

```
{"count":420,"_shards":{"total":5,"successful":5,"failed":0}}
```

Otherwise, for example if the response contains an `error` field such as IndexMissingException, Elasticsearch has no data and you need to look further. A wildcard query that matches no index may also simply return `count` 0, which means the same thing.

```
{"error":"IndexMissingException[[attack] missing]","status":404}
```

**Next, check that OpenRASP is working**

Check whether `<app_home>/rasp/logs/alarm/*.log*` contains any alarm logs. If not, run an attack test case against the application to produce some.

**Finally, check that Logstash is working**

If alarm logs exist at the collected path but Elasticsearch has no data, Logstash is not working properly. Check:

1. Is the log path in the `input` section correct, and readable by the user Logstash runs as?
2. Are there `[ERROR]` entries in the logs under `<logstash_root>/logs`?
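
The checklist above, written out as a small set of Python helpers that classify the `_count` response and walk the three stages in order. This is an added example for this page, not OpenRASP or Logstash tooling. The Elasticsearch responses and Logstash log lines it works on are constructed to match the shapes quoted in this FAQ, and `find_alarm_logs` assumes the `<app_home>/rasp/logs/alarm/*.log*` layout referred to above.

```python
"""Triage helpers for the "no data in Kibana" checklist.

Added example for this page, not OpenRASP or Logstash code.
"""
import glob
import json
import os

# Constructed inputs: the two Elasticsearch responses quoted in the FAQ, the
# count-0 case a wildcard can produce, and Logstash log lines in the
# bracketed-level style the FAQ refers to (the error text is made up).
ES_HAS_DATA = '{"count":420,"_shards":{"total":5,"successful":5,"failed":0}}'
ES_INDEX_MISSING = '{"error":"IndexMissingException[[attack] missing]","status":404}'
ES_EMPTY = '{"count":0,"_shards":{"total":0,"successful":0,"failed":0}}'
LOGSTASH_LOG = [
    "[INFO ] pipeline started",
    "[ERROR] Failed to open /home/tomcat/rasp/logs/alarm/alarm.log: Permission denied",
]


def classify_count_response(body):
    """Interpret the body returned by `curl '<es>/rasp-*/_count'`.

    Returns one of:
      ("has_data", count)   count > 0: Elasticsearch is receiving alarms
      ("no_data", reason)   index missing, or a wildcard that matched nothing
      ("unexpected", body)  not something this checklist knows how to read,
                            e.g. an HTML error page from a proxy or wrong port
    """
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return ("unexpected", body)
    if not isinstance(doc, dict):
        return ("unexpected", body)
    count = doc.get("count")
    if isinstance(count, int):
        # With the wildcard rasp-* a missing index does not always raise an
        # error: Elasticsearch may report count 0 instead.
        return ("has_data", count) if count > 0 else ("no_data", "count is 0")
    error = doc.get("error")
    if error is not None:
        return ("no_data", error if isinstance(error, str) else json.dumps(error))
    return ("unexpected", body)


def find_alarm_logs(app_home):
    """Step two: the files Logstash is expected to tail (assumed layout)."""
    pattern = os.path.join(app_home, "rasp", "logs", "alarm", "*.log*")
    return sorted(glob.glob(pattern))


def logstash_errors(log_lines):
    """Step three: [ERROR] entries from the logs under <logstash_root>/logs."""
    return [line for line in log_lines if "[ERROR]" in line]


def diagnose(es_body, alarm_paths, logstash_lines):
    """Walk the checklist in order and name the first stage that fails."""
    verdict, detail = classify_count_response(es_body)
    if verdict == "has_data":
        return ("elasticsearch: %d documents indexed; check Kibana's "
                "Elasticsearch address and index pattern" % detail)
    if verdict == "unexpected":
        return "elasticsearch: unreadable response, check host and port: %s" % detail
    if not alarm_paths:
        return "openrasp: no alarm logs found; trigger an attack test case to produce some"
    errors = logstash_errors(logstash_lines)
    if errors:
        return "logstash: %s" % errors[0]
    return "logstash: alarm logs exist but nothing was indexed; check the input path in the config"


if __name__ == "__main__":
    # Offline demonstration on the constructed inputs. Against a live host,
    # pass the output of `curl -s '192.168.154.200:9200/rasp-*/_count'`,
    # find_alarm_logs("/home/tomcat") and the lines of the Logstash log file.
    print(diagnose(ES_HAS_DATA, [], []))
    print(diagnose(ES_INDEX_MISSING, [], LOGSTASH_LOG))
    print(diagnose(ES_INDEX_MISSING, ["/home/tomcat/rasp/logs/alarm/alarm.log"], LOGSTASH_LOG))
    print(diagnose(ES_EMPTY, ["/home/tomcat/rasp/logs/alarm/alarm.log"], ["[INFO ] ok"]))
```

The order matters: the Elasticsearch check comes first because a positive count ends the investigation on the Kibana side, and a non-JSON response (an HTML error page, a connection to the wrong port) is reported as such rather than being mistaken for "no data". Note that `ES_INDEX_MISSING`, copied from the FAQ, names the index `attack` rather than `rasp-*`; the classifier treats any `error` field as "no data", which is what the checklist above does as well.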
