Logstash和多线协同工作遇到一些困难
我正在使用Logspout容器将所有stdout日志条目作为syslog转发到logstash。
这是logstash收到的最终内容。这里有多行代表两个事件。
<14>2015-02-09T14:25:01Z logspout dev_zservice_1[1]: 2015-02-10 11:55:38.496 INFO 1 --- [tp1302304527-19] c.z.service.DefaultInvoiceService : Creating with DefaultInvoiceService started...
<14>2015-02-09T14:25:01Z logspout dev_zservice_1[1]: 2015-02-10 11:55:48.596 WARN 1 --- [tp1302304527-19] o.eclipse.jetty.servlet.ServletHandler :
<14>2015-02-09T14:25:01Z logspout dev_zservice_1[1]:
<14>2015-02-09T14:25:01Z logspout dev_zservice_1[1]: org.springframework.web.util.NestedServletException: Request processing failed; nested exception is org.springframework.dao.DataAccessResourceFailureException: Timed out after 10000 ms while waiting for a server that matches AnyServerSelector{}. Client view of cluster state is {type=Unknown, servers=[{address=mongo:27017, type=Unknown, state=Connecting, exception={com.mongodb.MongoException$Network: Exception opening the socket}, caused by {java.net.UnknownHostException: mongo: unknown error}}]; nested exception is com.mongodb.MongoTimeoutException: Timed out after 10000 ms while waiting for a server that matches AnyServerSelector{}. Client view of cluster state is {type=Unknown, servers=[{address=mongo:27017, type=Unknown, state=Connecting, exception={com.mongodb.MongoException$Network: Exception opening the socket}, caused by {java.net.UnknownHostException: mongo: unknown error}}]
<14>2015-02-09T14:25:01Z logspout dev_zservice_1[1]: at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:978)
<14>2015-02-09T14:25:01Z logspout dev_zservice_1[1]: at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:868)
<14>2015-02-09T14:25:01Z logspout dev_zservice_1[1]: at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
<14>2015-02-09T14:25:01Z logspout dev_zservice_1[1]: at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:842)
每个日志行都以syslog head开头。
根据上面的日志内容我创建了logstash配置文件。
input {
udp {
port => 5000
type => syslog
}
}
filter {
multiline {
pattern => "^<%{NUMBER}>%{TIMESTAMP_ISO8601} %{SYSLOGHOST:container_name} %{DATA}(?:\[%{POSINT}\])?:%{SPACE}%{TIMESTAMP_ISO8601}"
negate => true
what => "previous"
stream_identity => "%{container_name}"
}
grok {
match => [ "message", "(?m)^<%{NUMBER}>%{TIMESTAMP_ISO8601} %{SYSLOGHOST} %{DATA:container_name}(?:\[%{POSINT}\])?:%{SPACE}%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{LOGLEVEL:loglevel}%{SPACE}%{NUMBER}%{SPACE}---%{SPACE}(?:\[%{DATA:threadname}\])?%{SPACE}%{JAVACLASS:clas
}
date {
match => [ "timestamp", "yyyy-MM-dd HH:mm:ss.SSS" ]
remove_field => ["timestamp"]
}
if !("_grokparsefailure" in [tags]) {
mutate {
replace => [ "source_host", "%{container_name}" ]
replace => [ "raw_message", "%{message}" ]
replace => [ "message", "%{logmessage}" ]
remove_field => [ "logmessage", "host", "source_host" ]
}
}
mutate {
strip => [ "threadname" ]
}
}
output {
elasticsearch { }
}
现在,当上述事件到来时,第一个事件被正确解析并显示:
message = "Creating with DefaultInvoiceService started..."
第二个事件包含此消息,其中包含三个问题:
<14>2015-02-10T12:59:09Z logspout dev_zservice_1[1]:
<14>2015-02-10T12:59:09Z logspout dev_zservice_1[1]: org.springframework.web.util.NestedServletException: Request processing failed; nested exception is org.springframework.dao.DataAccessResourceFailureException: Timed out after 10000 ms while waiting for a server that matches AnyServerSelector{}. Client view of cluster state is {type=Unknown, servers=[{address=mongo:27017, type=Unknown, state=Connecting, exception={com.mongodb.MongoException$Network: Exception opening the socket}, caused by {java.net.UnknownHostException: mongo: unknown error}}]; nested exception is com.mongodb.MongoTimeoutException: Timed out after 10000 ms while waiting for a server that matches AnyServerSelector{}. Client view of cluster state is {type=Unknown, servers=[{address=mongo:27017, type=Unknown, state=Connecting, exception={com.mongodb.MongoException$Network: Exception opening the socket}, caused by {java.net.UnknownHostException: mongo: unknown error}}]
<14>2015-02-10T12:59:09Z logspout dev_zservice_1[1]: at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:978)
<14>2015-02-10T12:59:09Z logspout dev_zservice_1[1]: at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:868)
<14>2015-02-10T12:59:09Z logspout dev_zservice_1[1]: at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
<14>2015-02-10T12:59:09Z logspout dev_zservice_1[1]: at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:842)
<14>2015-02-10T12:59:09Z logspout dev_nginx_1[1]: 192.168.59.3 - - [10/Feb/2015:12:59:09 +0000] "POST /api/invoice/ HTTP/1.1" 500 1115 "http://192.168.59.103/"; "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.94 Safari/537.36" "-"
每行包含前缀。 <14>2015-02-10T12:59:09Z logspout dev_zservice_1[1]:
每一行都有一个额外的新行
问题。 为什么 dev_nginx_1 条目本身不是一个事件。为什么它被认为属于前一个? 如何在消息的每一行中删除syslog前缀。 如何摆脱额外的新线?
答案 0 :(得分:0)
对于(1),您在多行中使用container_name。这是时间戳之后的字段。在您的示例中,他们全部&#34; logspout&#34;。似乎对我来说。
对于(2),每行都带有前缀和时间戳,所以你可以预期它们默认存在。您正在mutate{}使用message替换log_message,但我没有看到您正在设置log_message。那你怎么看待前缀和时间戳被删除了呢?
答案 1 :(得分:0)
对于(1),将多行模式中的%{SYSLOGHOST:container_name} %{DATA}替换为%{SYSLOGHOST} %{DATA:container_name}(正如您在grok中使用的那样)。
对于(2)和(3),你可以尝试这样的事情:
mutate {
gsub => [ "message", "<\d+>.*?:\s", "", "message", "\n(\n)", "\1" ]
}
此处,gsub设置正在执行两项操作:
\1组的(\n)后退来执行替换,因为如果您尝试使用\n本身,Logstash实际上会将其替换为\\n,而不是工作