我正在尝试使用lognorm / lognormalizer来测试我的.rb文件以与rsyslog mmnormalize模块一起使用。我的日志文件如下所示:
2017-08-19T17:00:12.52Z,john,26,engineer
2017-08-19T17:00:12.59Z,susan,28,doctor
我的rb文件如下:
version=2
rule=:%date:date-rfc3164%,%name:word%,%age:number%,%job:word%
运行lognormalizer时:
head -2 /home/debian/olas/test.log | /usr/lib/x86_64-linux-gnu/lognorm/lognormalizer -r /home/debian/olas/rule.rb -e json
我明白了:
{ "originalmsg": "2017-08-19T17:00:12.52Z,john,26,engineer", "unparsed-data": "2017-08-19T17:00:12.52Z,john,26,engineer" }
{ "originalmsg": "2017-08-19T17:00:13.56Z,susan,28,doctor", "unparsed-data": "2017-08-19T17:00:13.56Z,susan,28,doctor" }
这意味着rb脚本不正确。有谁知道我做错了什么?我猜的日期字段没有正确配置,我应该插入任何其他模块吗?我无法在网上找到任何东西。谢谢
答案 0 :(得分:0)
您可以使用此规则:
version=2
rule=:%date:char-to{"extradata":","}%,%name:char-to{"extradata":","}%,%age:number{"format":"number"}%,%job:rest%
使用Lognormalizer生成以下输出(漂亮打印):
{
"job": "engineer",
"age": 26,
"name": "john",
"date": "2017-08-19T17:00:12.52Z"
},
{
"job": "doctor",
"age": 28,
"name": "susan",
"date": "2017-08-19T17:00:12.59Z"
}
测试命令:
lognormalizer -P -H -r my.rule < mylog.log