I'm a new Logstash user, and I've started writing some grok rules to parse my ASA log file. I have some rules that fire correctly, but there is one event I can't get to parse correctly, even though when I test it in the grok debugger it always tests fine. This event always ends up with the _grokparsefailure tag.
Here is an event:
<166>:Feb 26 23:44:14 PST: %ASA-session-6-305012: Teardown dynamic TCP translation from inside:192.168.1.45/53838 to outside:71.110.113.180/53838 duration 0:00:30
My grok pattern:
<%{POSINT:syslog_pri}>:%{CISCOTIMESTAMP:timestamp} PST: %ASA-session-6-305012: Teardown dynamic TCP translation from %{WORD:source_interface_name}:%{IP:source_ip}/%{POSINT:source_port} to %{WORD:destination_interface_name}:%{IP:destination_ip}/%{POSINT:destination_port} duration (?<translation_duration>\d+:\d+:\d+)
My filter set is as follows:
filter {
  grok {
    # All patterns are tried in order against the "message" field. The field name
    # must be spelled exactly "message": a misspelled name such as "messgae" refers
    # to a field that does not exist, so that rule can never match and the event
    # is tagged _grokparsefailure.
    match => { "message" => [
      "<%{POSINT:syslog_pri}>:%{CISCOTIMESTAMP:timestamp} PST: %ASA-session-6-305011: Built dynamic TCP translation from %{WORD:source_interface_name}:%{IP:source_ip}/%{POSINT:source_port} to %{WORD:destination_interface_name}:%{IP:destination_ip}/%{POSINT:destination_port}",
      "<%{POSINT:syslog_pri}>:%{CISCOTIMESTAMP:timestamp} PST: %ASA-session-6-305012: Teardown dynamic TCP translation from %{WORD:source_interface_name}:%{IP:source_ip}/%{POSINT:source_port} to %{WORD:destination_interface_name}:%{IP:destination_ip}/%{POSINT:destination_port} duration (?<translation_duration>\d+:\d+:\d+)",
      "<%{POSINT:syslog_pri}>:%{CISCOTIMESTAMP:timestamp} PST: %ASA-session-6-305011: Built dynamic UDP translation from %{WORD:source_interface_name}:%{IP:source_ip}/%{POSINT:source_port} to %{WORD:destination_interface_name}:%{IP:destination_ip}/%{POSINT:destination_port}",
      "<%{POSINT:syslog_pri}>:%{CISCOTIMESTAMP:timestamp} PST: %ASA-session-6-305012: Teardown dynamic UDP translation from %{WORD:source_interface_name}:%{IP:source_ip}/%{POSINT:source_port} to %{WORD:destination_interface_name}:%{IP:destination_ip}/%{POSINT:destination_port} duration (?<translation_duration>\d+:\d+:\d+)"
    ] }
  }
  # Enrich both ends of the translation with GeoIP data.
  geoip {
    source => "source_ip"
  }
  geoip {
    source => "destination_ip"
  }
}
Thanks for any guidance.
Answer 0 (score: 0)
Try using the built-in grok patterns instead of the final named capture, like this:
<%{POSINT:syslog_pri}>:%{CISCOTIMESTAMP:timestamp} PST: %ASA-session-6-305012: Teardown dynamic TCP translation from %{WORD:source_interface_name}:%{IP:source_ip}/%{POSINT:source_port} to %{WORD:destination_interface_name}:%{IP:destination_ip}/%{POSINT:destination_port} duration %{NONNEGINT:dur_hour}:%{NONNEGINT:dur_min}:%{NONNEGINT:dur_sec}
You can also try creating a simple test.conf that just uses stdin as its input:
input { stdin {} }
and set the output to:
output { stdout { codec => rubydebug } }
If you run logstash -f test.conf < [your test data] it should give you some extra information about what is going on.
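To test grok patterns like the ones above without starting Logstash, here is an added Ruby example (not code from the question, the answer, or the Logstash project). It uses a small, simplified stand-in for Logstash's built-in pattern library (POSINT, NONNEGINT, WORD, IP and a reduced CISCOTIMESTAMP are assumed definitions, not the real ones), expands %{NAME:field} syntax into named captures, tries patterns in order the way the grok filter does, and shows both the answer's split-duration pattern parsing the event and a misspelled field name producing _grokparsefailure. The event string is constructed to mirror the one in the question.

```ruby
# Simplified stand-ins for Logstash's built-in grok patterns (assumed, not the real library).
PATTERNS = {
  'POSINT'         => '\b(?:[1-9][0-9]*)\b',
  'NONNEGINT'      => '\b(?:[0-9]+)\b',
  'WORD'           => '\b\w+\b',
  'IP'             => '(?:[0-9]{1,3}\.){3}[0-9]{1,3}',
  # Reduced form: "Feb 26 23:44:14"; the real CISCOTIMESTAMP accepts more variants.
  'CISCOTIMESTAMP' => '[A-Z][a-z]{2} +[0-9]{1,2} [0-9]{2}:[0-9]{2}:[0-9]{2}'
}.freeze

# Expand %{NAME:field} into a named capture and %{NAME} into a non-capturing group.
# Plain regex such as (?<translation_duration>\d+:\d+:\d+) passes through untouched,
# just as it does in grok. Unknown pattern names raise KeyError.
def grok_to_regex(pattern)
  body = pattern.gsub(/%\{(\w+)(?::(\w+))?\}/) do
    sub = PATTERNS.fetch($1)
    $2 ? "(?<#{$2}>#{sub})" : "(?:#{sub})"
  end
  Regexp.new(body) # unanchored, like grok's default behaviour
end

# Return the named captures as a Hash, or nil when the pattern does not match.
def grok_match(pattern, line)
  m = grok_to_regex(pattern).match(line)
  m && m.named_captures
end

# Mimic the grok filter: try each [field, pattern] rule in order; the first match
# adds its captures to the event, otherwise the event is tagged _grokparsefailure.
# A rule naming a field the event does not have (e.g. "messgae") can never match.
def apply_grok(event, rules)
  rules.each do |field, pattern|
    next unless event.key?(field)
    captures = grok_match(pattern, event[field])
    return event.merge(captures) if captures
  end
  event.merge('tags' => ['_grokparsefailure'])
end

# Constructed sample event, shaped like the one in the question.
EVENT = '<166>:Feb 26 23:44:14 PST: %ASA-session-6-305012: Teardown dynamic TCP ' \
        'translation from inside:192.168.1.45/53838 to outside:71.110.113.180/53838 duration 0:00:30'

HEADER = '<%{POSINT:syslog_pri}>:%{CISCOTIMESTAMP:timestamp} PST: '
XLATE  = '%{WORD:source_interface_name}:%{IP:source_ip}/%{POSINT:source_port} to ' \
         '%{WORD:destination_interface_name}:%{IP:destination_ip}/%{POSINT:destination_port}'
BUILT_305011    = HEADER + '%ASA-session-6-305011: Built dynamic TCP translation from ' + XLATE
# The answer's pattern: duration split into three built-in NONNEGINT captures.
TEARDOWN_305012 = HEADER + '%ASA-session-6-305012: Teardown dynamic TCP translation from ' + XLATE +
                  ' duration %{NONNEGINT:dur_hour}:%{NONNEGINT:dur_min}:%{NONNEGINT:dur_sec}'

# Correct configuration: both rules read the "message" field.
def parse_teardown(line)
  apply_grok({ 'message' => line }, [['message', BUILT_305011], ['message', TEARDOWN_305012]])
end

# Misspelled field name, as in the question's filter: the rule is never even tried.
def parse_with_typo(line)
  apply_grok({ 'message' => line }, [['messgae', TEARDOWN_305012]])
end

if __FILE__ == $PROGRAM_NAME
  parse_teardown(EVENT).each { |k, v| puts "#{k}: #{v}" }
  puts "typo run tags: #{parse_with_typo(EVENT)['tags'].inspect}"
end
```

Running the file prints every captured field for the event (syslog_pri, timestamp, the interface names, IPs, ports and the three duration parts), followed by the ["_grokparsefailure"] tag from the misspelled-field run, which reproduces the symptom in the question without a Logstash install.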