I have the following logstash configuration file:
filter {
  if [type] == "TACACS_log" {
    grok {
      match => { "message" => "%{CISCOTIMESTAMP:JsonTimestamp} %{IP:LogonTo} \s* %{USERNAME:User} \s* %{WORD:Port} \s* %{IP:LogonFrom} %{DATA} cmd=%{GREEDYDATA:command}" }
      match => { "message" => "%{CISCOTIMESTAMP:JsonTimestamp} %{IP:LogonTo} \s* %{USERNAME:User} %{WORD:Port} %{DATA} cmd=%{GREEDYDATA:command}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{LogonTo}" ]
    }
    date {
      # Note: the grok above stores the timestamp in the field "JsonTimestamp";
      # CISCOTIMESTAMP is the name of the grok pattern, not of an event field.
      match => [ "CISCOTIMESTAMP", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}
The logs come in through the logstash forwarder, and CISCOTIMESTAMP does not match. Sample log file:
Jun 11 11:32:38 192.168.2.49 user tty1 10.1.250.5 stop task_id = 176 timezone = EDT service = shell start_time = 1434036772 priv-lvl = 15 cmd = show running-config
Answer 0 (score: 0)
The problem is the format of the log entry, which you can see in the _message field: {"message":"Jun 2 14:43:24\t222.168.2.53\tadmintest\ttty1\t10.1.250.6\tstop\ttask_id = 133\ttimezone = EDT\tservice = shell\tstart_time = 1433270604\tpriv-lvl = 15\tcmd = logging trap warnings","@version":"1","@timestamp":"2015-06-12T10:14:30.493Z","type":"TACACS_log","host":"ELK","path":"/tmp/tac_plus_acct.log","JsonTimestamp":"Jun 2 14:43:24","LogonTo":"192.168.2.53","User":"admintest","Port":"tty1","LogonFrom":"10.1.250.6","command":"logging trap warnings"}
Several of the fields are tab-separated, but not all of them. The statement that works is:
match => { "message" => "%{CISCOTIMESTAMP:JsonTimestamp}\s*%{IP:LogonTo}\s*%{USERNAME:User}\s*%{WORD:Port}\s*%{IP:LogonFrom}%{GREEDYDATA}cmd=%{GREEDYDATA:command}" }
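The following is an added example (not part of the question or the answer above) that reproduces the failure with a tiny grok-style matcher in Python, so the difference between the two patterns can be checked offline. It matters for this kind of log because TACACS+ accounting records are the audit trail of privileged commands run on network devices: a grok pattern that silently fails leaves the `command` field empty and the record unusable for review. The pattern table is a simplified stand-in for Logstash's own definitions (an assumption, not Logstash's real pattern files), and the two messages are constructed to mirror the tab-separated entry from the answer and the space-separated entry from the question (written with `cmd=` and no surrounding spaces, as the question's pattern expects).

```python
import re

# Simplified approximations of the grok patterns used on this page.
# Assumption: these stand in for Logstash's definitions; they are not copied from it.
GROK_PATTERNS = {
    "CISCOTIMESTAMP": r"[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}",
    "IP": r"(?:\d{1,3}\.){3}\d{1,3}",
    "USERNAME": r"[a-zA-Z0-9._-]+",
    "WORD": r"\w+",
    "DATA": r".*?",
    "GREEDYDATA": r".*",
}

# Matches a grok reference such as %{IP:LogonTo} or %{GREEDYDATA}.
_GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(pattern):
    """Expand %{NAME:field} references into named Python regex groups."""
    def expand(m):
        name, field = m.group(1), m.group(2)
        body = GROK_PATTERNS[name]
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return re.compile(_GROK_REF.sub(expand, pattern))


def grok_match(pattern, message):
    """Return the captured fields as a dict, or None when the pattern does not match.
    Like grok, the match is unanchored (a search, not a full-string match)."""
    m = grok_to_regex(pattern).search(message)
    return m.groupdict() if m else None


# The pattern from the question: literal spaces around each \s* require a real
# space character at every separator, so a tab-separated message never matches.
ORIGINAL_PATTERN = (
    r"%{CISCOTIMESTAMP:JsonTimestamp} %{IP:LogonTo} \s* %{USERNAME:User} \s* "
    r"%{WORD:Port} \s* %{IP:LogonFrom} %{DATA} cmd=%{GREEDYDATA:command}"
)

# The pattern from the answer: \s* alone accepts any run of whitespace (tabs or spaces).
CORRECTED_PATTERN = (
    r"%{CISCOTIMESTAMP:JsonTimestamp}\s*%{IP:LogonTo}\s*%{USERNAME:User}\s*"
    r"%{WORD:Port}\s*%{IP:LogonFrom}%{GREEDYDATA}cmd=%{GREEDYDATA:command}"
)

# Constructed sample messages (not real captures): one tab-separated, one space-separated.
TAB_MESSAGE = (
    "Jun  2 14:43:24\t192.168.2.53\tadmintest\ttty1\t10.1.250.6\tstop\ttask_id=133"
    "\ttimezone=EDT\tservice=shell\tstart_time=1433270604\tpriv-lvl=15"
    "\tcmd=logging trap warnings"
)
SPACE_MESSAGE = (
    "Jun 11 11:32:38 192.168.2.49 user tty1 10.1.250.5 stop task_id=176 "
    "timezone=EDT service=shell start_time=1434036772 priv-lvl=15 "
    "cmd=show running-config"
)


def parse_tacacs(message):
    """Parse a TACACS+ accounting line with the corrected pattern."""
    return grok_match(CORRECTED_PATTERN, message)


if __name__ == "__main__":
    print("original pattern, tab-separated:", grok_match(ORIGINAL_PATTERN, TAB_MESSAGE))
    print("corrected pattern, tab-separated:", parse_tacacs(TAB_MESSAGE))
    print("corrected pattern, space-separated:", parse_tacacs(SPACE_MESSAGE))
```

Running it shows the original pattern returning no match for the tab-separated entry, while the corrected pattern extracts `User`, `Port`, `LogonFrom` and `command` from both separator styles. This also goes slightly beyond the answer: the corrected pattern is separator-agnostic, so it keeps working if a future forwarder normalises tabs to spaces.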