Question

我将Logstash（ELK）设置为我们的中央日志记录服务器，到目前为止，我们已经通过简单的过滤器获得了好运，但是这个最新的过滤器并不容易。这是典型的线条：

<179>12600: [syslog@9 s_id =\"SWITCH1:5143\"]: <ios-log-msg><facility>LINK</facility><severity>3</severity><msg-id>UPDOWN</msg-id><time>Jul 15 09:03:04</time><args><arg id=\"0\">GigabitEthernet1/0/32</arg><arg id=\"1\">up</arg></args></ios-log-msg>

这是我正在研究的模式之一：

<%{NUMBER:message_type_id}>%{NUMBER:internal_id}: %{GREEDYDATA} s_id=(?:.{2})%{HOSTNAME:hostname}:5143(?:.{3}): <ios-log-msg><facility>%{WORD:facility}</facility><severity>%{NUMBER:severity}</severity><msg-id>%{WORD:message_type}</msg-id><time>%{SYSLOGTIMESTAMP:message_timestamp}</time><args><arg id=\"0\">%{DATA:arg_0}</arg><arg id=\"1\">%{DATA:arg_1}</arg></args></ios-log-msg>

我有两个关键问题：

[syslog @ 9 s_id = \＆＃34; BRD-STACK ：5143 \＆＃34;]部分包含交换机的主机名。其他一切都是静态信息，我想丢弃（非粗体）。
接近结束时，＆＃34; args＆＃34; section可以有一个可变数量的＆＃34; arg＆＃34;元素。这个有2个，我也看过1和3，这取决于消息。我需要每个中包含的信息。

有什么想法吗？

对于它的价值，这里是我上次玩的整个过滤器：

        grok {
        match => [
            "message", "<%{NUMBER:message_type_id}>%{NUMBER:internal_id}: %{GREEDYDATA} s_id=(?:.{2})%{HOSTNAME:hostname}:5143(?:.{3}): <ios-log-msg><facility>%{WORD:facility}</facility><severity>%{NUMBER:severity}</severity><msg-id>%{WORD:message_type}</msg-id><time>%{SYSLOGTIMESTAMP:message_timestamp}</time><args><arg id=\"0\">%{DATA:arg_0}</arg><arg id=\"1\">%{DATA:arg_1}</arg><arg id=\"2\">%{DATA:arg_2}</arg></args></ios-log-msg>",
            "message", "<%{NUMBER:message_type_id}>%{NUMBER:internal_id}: %{GREEDYDATA} s_id=(?:.{2})%{HOSTNAME:hostname}:5143(?:.{3}): <ios-log-msg><facility>%{WORD:facility}</facility><severity>%{NUMBER:severity}</severity><msg-id>%{WORD:message_type}</msg-id><time>%{SYSLOGTIMESTAMP:message_timestamp}</time><args><arg id=\"0\">%{DATA:arg_0}</arg><arg id=\"1\">%{DATA:arg_1}</arg></args></ios-log-msg>",
            "message", "<%{NUMBER:message_type_id}>%{NUMBER:internal_id}: %{GREEDYDATA} s_id=(?:.{2})%{HOSTNAME:hostname}:5143(?:.{3}): <ios-log-msg><facility>%{WORD:facility}</facility><severity>%{NUMBER:severity}</severity><msg-id>%{WORD:message_type}</msg-id><time>%{SYSLOGTIMESTAMP:message_timestamp}</time><args><arg id=\"0\">%{DATA:arg_0}</arg></args></ios-log-msg>",
            "message", "<%{NUMBER:message_type_id}>%{NUMBER:internal_id}: %{GREEDYDATA} s_id=(?:.{2})%{HOSTNAME:hostname}:5143(?:.{3}): <ios-log-msg><facility>%{WORD:facility}</facility><severity>%{NUMBER:severity}</severity><msg-id>%{WORD:message_type}</msg-id><time>%{SYSLOGTIMESTAMP:message_timestamp}</time><args>%{DATA:args}</args></ios-log-msg>"
        ]
    }

Answer 1

神奇的组合是：

        match => [
            "message", "<%{NUMBER:message_type_id}>%{NUMBER:internal_id}: %{GREEDYDATA}\"%{HOSTNAME:hostname}:5143\"\]: <ios-log-msg><facility>%{WORD:facility}</facility><severity>%{NUMBER:severity}</severity><msg-id>%{WORD:message_type}</msg-id><time>%{SYSLOGTIMESTAMP:message_timestamp}</time><args><arg id=\"0\">%{DATA:arg_0}</arg><arg id=\"1\">%{DATA:arg_1}</arg><arg id=\"2\">%{DATA:arg_2}</arg><arg id=\"3\">%{DATA:arg_3}</arg><arg id=\"4\">%{DATA:arg_4}</arg></args></ios-log-msg>",
            "message", "<%{NUMBER:message_type_id}>%{NUMBER:internal_id}: %{GREEDYDATA}\"%{HOSTNAME:hostname}:5143\"\]: <ios-log-msg><facility>%{WORD:facility}</facility><severity>%{NUMBER:severity}</severity><msg-id>%{WORD:message_type}</msg-id><time>%{SYSLOGTIMESTAMP:message_timestamp}</time><args><arg id=\"0\">%{DATA:arg_0}</arg><arg id=\"1\">%{DATA:arg_1}</arg><arg id=\"2\">%{DATA:arg_2}</arg><arg id=\"3\">%{DATA:arg_3}</arg></args></ios-log-msg>",
            "message", "<%{NUMBER:message_type_id}>%{NUMBER:internal_id}: %{GREEDYDATA}\"%{HOSTNAME:hostname}:5143\"\]: <ios-log-msg><facility>%{WORD:facility}</facility><severity>%{NUMBER:severity}</severity><msg-id>%{WORD:message_type}</msg-id><time>%{SYSLOGTIMESTAMP:message_timestamp}</time><args><arg id=\"0\">%{DATA:arg_0}</arg><arg id=\"1\">%{DATA:arg_1}</arg><arg id=\"2\">%{DATA:arg_2}</arg></args></ios-log-msg>",
            "message", "<%{NUMBER:message_type_id}>%{NUMBER:internal_id}: %{GREEDYDATA}\"%{HOSTNAME:hostname}:5143\"\]: <ios-log-msg><facility>%{WORD:facility}</facility><severity>%{NUMBER:severity}</severity><msg-id>%{WORD:message_type}</msg-id><time>%{SYSLOGTIMESTAMP:message_timestamp}</time><args><arg id=\"0\">%{DATA:arg_0}</arg><arg id=\"1\">%{DATA:arg_1}</arg></args></ios-log-msg>",
            "message", "<%{NUMBER:message_type_id}>%{NUMBER:internal_id}: %{GREEDYDATA}\"%{HOSTNAME:hostname}:5143\"\]: <ios-log-msg><facility>%{WORD:facility}</facility><severity>%{NUMBER:severity}</severity><msg-id>%{WORD:message_type}</msg-id><time>%{SYSLOGTIMESTAMP:message_timestamp}</time><args><arg id=\"0\">%{DATA:arg_0}</arg></args></ios-log-msg>",
            "message", "<%{NUMBER:message_type_id}>%{NUMBER:internal_id}: %{GREEDYDATA}\"%{HOSTNAME:hostname}:5143\"\]: <ios-log-msg><facility>%{WORD:facility}</facility><severity>%{NUMBER:severity}</severity><msg-id>%{WORD:message_type}</msg-id><time>%{SYSLOGTIMESTAMP:message_timestamp}</time><args>%{DATA:args}</args></ios-log-msg>"
        ]

使用Logstash挖掘思科交换机

1 个答案: