[root@localhost snort-2.9.20]# sudo /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/snort-logstash.conf
Using bundled JDK: /usr/share/logstash/jdk
OpenJDK 64-Bit Server VM warning: Option UseConcMarkSweepGC was deprecated in version 9.0 and will likely be removed in a future release.
WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults
Could not find log4j2 configuration at path /usr/share/logstash/config/log4j2.properties. Using default config which logs errors to the console
[INFO ] 2025-05-16 11:06:04.632 [main] runner - Starting Logstash {"logstash.version"=>"7.17.28", "jruby.version"=>"jruby 9.2.20.1 (2.5.8) 2021-11-30 2a2962fbd1 OpenJDK 64-Bit Server VM 11.0.26+4 on 11.0.26+4 +indy +jit [linux-x86_64]"}
[INFO ] 2025-05-16 11:06:04.636 [main] runner - JVM bootstrap flags: [-Xms1g, -Xmx1g, -XX:+UseConcMarkSweepGC, -XX:CMSInitiatingOccupancyFraction=75, -XX:+UseCMSInitiatingOccupancyOnly, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djdk.io.File.enableADS=true, -Djruby.compile.invokedynamic=true, -Djruby.jit.threshold=0, -Djruby.regexp.interruptible=true, -XX:+HeapDumpOnOutOfMemoryError, -Djava.security.egd=file:/dev/urandom, -Dlog4j2.isThreadContextMapInheritable=true]
[WARN ] 2025-05-16 11:06:04.817 [LogStash::Runner] multilocal - Ignoring the 'pipelines.yml' file because modules or command line options are specified
[INFO ] 2025-05-16 11:06:05.485 [Api Webserver] agent - Successfully started Logstash API endpoint {:port=>9601, :ssl_enabled=>false}
[INFO ] 2025-05-16 11:06:06.392 [Converge PipelineAction::Create<main>] Reflections - Reflections took 43 ms to scan 1 urls, producing 119 keys and 419 values
[WARN ] 2025-05-16 11:06:06.920 [Converge PipelineAction::Create<main>] json - Relying on default value of `pipeline.ecs_compatibility`, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[WARN ] 2025-05-16 11:06:06.957 [Converge PipelineAction::Create<main>] file - Relying on default value of `pipeline.ecs_compatibility`, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[WARN ] 2025-05-16 11:06:07.101 [Converge PipelineAction::Create<main>] plain - Relying on default value of `pipeline.ecs_compatibility`, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[WARN ] 2025-05-16 11:06:07.125 [Converge PipelineAction::Create<main>] elasticsearch - Relying on default value of `pipeline.ecs_compatibility`, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[INFO ] 2025-05-16 11:06:07.257 [[main]-pipeline-manager] elasticsearch - New Elasticsearch output {:class=>"LogStash::Outputs::ElasticSearch", :hosts=>["http://localhost:9200"]}
[INFO ] 2025-05-16 11:06:07.459 [[main]-pipeline-manager] elasticsearch - Elasticsearch pool URLs updated {:changes=>{:removed=>[], :added=>[http://localhost:9200/]}}
[WARN ] 2025-05-16 11:06:07.601 [[main]-pipeline-manager] elasticsearch - Restored connection to ES instance {:url=>"http://localhost:9200/"}
[INFO ] 2025-05-16 11:06:07.610 [[main]-pipeline-manager] elasticsearch - Elasticsearch version determined (7.17.28) {:es_version=>7}
[WARN ] 2025-05-16 11:06:07.611 [[main]-pipeline-manager] elasticsearch - Detected a 6.x and above cluster: the `type` event field won't be used to determine the document _type {:es_version=>7}
[INFO ] 2025-05-16 11:06:07.649 [Ruby-0-Thread-10: :1] elasticsearch - Config is not compliant with data streams. `data_stream => auto` resolved to `false`
[INFO ] 2025-05-16 11:06:07.650 [[main]-pipeline-manager] elasticsearch - Config is not compliant with data streams. `data_stream => auto` resolved to `false`
[WARN ] 2025-05-16 11:06:07.654 [[main]-pipeline-manager] json - Relying on default value of `pipeline.ecs_compatibility`, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[WARN ] 2025-05-16 11:06:07.661 [[main]-pipeline-manager] grok - Relying on default value of `pipeline.ecs_compatibility`, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[INFO ] 2025-05-16 11:06:07.683 [Ruby-0-Thread-10: :1] elasticsearch - Using a default mapping template {:es_version=>7, :ecs_compatibility=>:disabled}
[INFO ] 2025-05-16 11:06:07.806 [[main]-pipeline-manager] javapipeline - Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>4, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50, "pipeline.max_inflight"=>500, "pipeline.sources"=>["/etc/logstash/conf.d/snort-logstash.conf"], :thread=>"#<Thread:0x5d6da427 run>"}
[INFO ] 2025-05-16 11:06:08.357 [[main]-pipeline-manager] javapipeline - Pipeline Java execution initialization time {"seconds"=>0.55}
[INFO ] 2025-05-16 11:06:08.388 [[main]-pipeline-manager] javapipeline - Pipeline started {"pipeline.id"=>"main"}
[INFO ] 2025-05-16 11:06:08.413 [[main]<file] observingtail - START, creating Discoverer, Watch with file and sincedb collections
[INFO ] 2025-05-16 11:06:08.417 [Agent thread] agent - Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
[WARN ] 2025-05-16 11:06:08.560 [[main]<file] json - Relying on default value of `pipeline.ecs_compatibility`, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[ERROR] 2025-05-16 11:06:08.594 [[main]<file] json - JSON parse error, original data now in message field {:message=>"Unexpected character ('*' (code 42)): expected a valid value (JSON String, Number, Array, Object or token 'null', 'true' or 'false')\n at [Source: (String)\"[**] [1:1000001:1] HTTP Traffic Detected [**]\"; line: 1, column: 3]", :exception=>LogStash::Json::ParserError, :data=>"[**] [1:1000001:1] HTTP Traffic Detected [**]"}
[ERROR] 2025-05-16 11:06:08.613 [[main]<file] json - JSON parse error, original data now in message field {:message=>"Unrecognized token 'Priority': was expecting (JSON String, Number, Array, Object or token 'null', 'true' or 'false')\n at [Source: (String)\"[Priority: 0] \"; line: 1, column: 10]", :exception=>LogStash::Json::ParserError, :data=>"[Priority: 0] "}
[ERROR] 2025-05-16 11:06:08.615 [[main]<file] json - JSON parse error, original data now in message field {:message=>"Invalid numeric value: Leading zeroes not allowed\n at [Source: (String)\"05/12-11:19:15.076019 192.168.208.17:56626 -> 128.112.18.21:80\"; line: 1, column: 2]", :exception=>LogStash::Json::ParserError, :data=>"05/12-11:19:15.076019 192.168.208.17:56626 -> 128.112.18.21:80"}
[ERROR] 2025-05-16 11:06:08.616 [[main]<file] json - JSON parse error, original data now in message field {:message=>"Unrecognized token 'TCP': was expecting (JSON String, Number, Array, Object or token 'null', 'true' or 'false')\n at [Source: (String)\"TCP TTL:64 TOS:0x0 ID:15629 IpLen:20 DgmLen:40 DF\"; line: 1, column: 4]", :exception=>LogStash::Json::ParserError, :data=>"TCP TTL:64 TOS:0x0 ID:15629 IpLen:20 DgmLen:40 DF"}
[ERROR] 2025-05-16 11:06:08.616 [[main]<file] json - JSON parse error, original data now in message field {:message=>"Unexpected character ('*' (code 42)): expected a valid value (JSON String, Number, Array, Object or token 'null', 'true' or 'false')\n at [Source: (String)\"***A**** Seq: 0xEFEA3D49 Ack: 0x16551DAE Win: 0x7210 TcpLen: 20\"; line: 1, column: 2]", :exception=>LogStash::Json::ParserError, :data=>"***A**** Seq: 0xEFEA3D49 Ack: 0x16551DAE Win: 0x7210 TcpLen: 20"}
[WARN ] 2025-05-16 11:06:08.730 [[main]>worker2] json - Error parsing json {:source=>"message", :raw=>"[**] [1:1000001:1] HTTP Traffic Detected [**]", :exception=>#<LogStash::Json::ParserError: Unexpected character ('*' (code 42)): expected a valid value (JSON String, Number, Array, Object or token 'null', 'true' or 'false')
at [Source: (byte[])"[**] [1:1000001:1] HTTP Traffic Detected [**]"; line: 1, column: 3]>}
{
       "host" => "localhost.localdomain",
    "message" => "05/12-11:19:15.076019 192.168.208.17:56626 -> 128.112.18.21:80",
       "path" => "/var/log/snort/alert",
       "tags" => [
        [0] "_jsonparsefailure",
        [1] "_grokparsefailure"
    ]
}
{
       "host" => "localhost.localdomain",
    "message" => "[**] [1:1000001:1] HTTP Traffic Detected [**]",
       "path" => "/var/log/snort/alert",
       "tags" => [
        [0] "_jsonparsefailure"
    ]
}
{
       "host" => "localhost.localdomain",
    "message" => "TCP TTL:64 TOS:0x0 ID:15629 IpLen:20 DgmLen:40 DF",
       "path" => "/var/log/snort/alert",
       "tags" => [
        [0] "_jsonparsefailure",
        [1] "_grokparsefailure"
    ]
}
{
        "host" => "localhost.localdomain",
    "priority" => "0",
     "message" => "[Priority: 0] ",
        "path" => "/var/log/snort/alert",
        "tags" => [
        [0] "_jsonparsefailure"
    ]
}
{
       "host" => "localhost.localdomain",
    "message" => "***A**** Seq: 0xEFEA3D49 Ack: 0x16551DAE Win: 0x7210 TcpLen: 20",
       "path" => "/var/log/snort/alert",
       "tags" => [
        [0] "_jsonparsefailure",
        [1] "_grokparsefailure"
    ]
}