Parsing JSON from log files with Logstash

Date: 2015-11-06 08:44:31

Tags: json elasticsearch logstash

I use Logstash and the logstash-forwarder to ingest my log files. Some of my log files contain JSON, for example:

[2015-11-05 17:39:22.200] [INFO] dashboard - request :{ "user": "admin", "headers": {"host":"localhost:0000","connection":"keep-alive","accept":"application/json, text/plain, */*","user-agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36",
"referer":"http://localhost:0000/","accept-encoding":"gzip, deflate, sdch","accept-language":"fr-FR,fr;q=0.8,en-US;q=0.6,en;q=0.4","cookie":"splunkweb_csrf_token_8000=0000000000000000; _ga=GA1.1.0000000.1445436724; connect.sid=s%3AmlK46TZsFa202R5o3nwuHTbmHjehmJiO.JxlNGOXWuY%2Fp0RenTWsxLLDZvVgt8aVQ%2FpKryJsGCpw"},
"method": "GET", "url" : "/count_event", "params" :{"_type":"twitter,facebook,forum","year":"2013,2014,2015","month":"January,February,March,April,May,June,July,August,September,October,November,December"}}

So I need to store this information in Elasticsearch as:

timestamp: 2015-11-05 17:39:22.200, type: INFO, msg: all of the information contained in the JSON
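For illustration, the resulting Elasticsearch document might look something like this (the field names are assumptions, not taken from the question):

```
{
  "@timestamp": "2015-11-05T17:39:22.200Z",
  "typemessage": "INFO",
  "msg": { "user": "admin", "headers": { ... }, "method": "GET", "url": "/count_event", "params": { ... } }
}
```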

Here is my Logstash configuration file:

input {
   lumberjack {
      port => 5043
      type => "logs"
      ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
      ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
   }
}
filter {
    grok {
      patterns_dir => ["/home/logstash/logstach-2.0.0/pattern"]
      add_tag => [ "valid" ]
      match => { "message" => "^\[%{TIMESTAMP_ISO8601:timestamp}\] \[%{DATA:typemessage}\] %{DATA:appname} \- %{GREEDYDATA:msg}" }
    }

   date {
     match => ["timestamp", "YYYY-MM-dd HH:mm:ss.SSS"]
     remove_field => ["timestamp"]
   }

    if "valid" not in [tags] {
      drop { }
    }
}
output {
   elasticsearch {
         hosts => ["192.168.1.153:9200"]
         index =>"logs"
   }
   stdout { codec => rubydebug }
}

With this configuration, the msg field comes through as a plain string.

1 Answer:

Answer 0 (score: 1)

You need to tell Logstash to parse that field as JSON; the json{} filter exists for exactly this purpose. Give it your 'msg' field as input.

Note, however, that your current grok puts the literal "request :" prefix of the input into the 'msg' field, which makes it invalid JSON. You need to adjust your grok pattern so that only valid JSON ends up in the field you pass to the json filter.
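A minimal sketch of the combined grok + json filters, assuming the literal prefix before the JSON object is always "request :" (the target and remove_field settings below are optional design choices, not requirements):

```
filter {
  grok {
    add_tag => [ "valid" ]
    # Capture everything after "request :" so that msg holds only the JSON object
    match => { "message" => "^\[%{TIMESTAMP_ISO8601:timestamp}\] \[%{DATA:typemessage}\] %{DATA:appname} \- request :%{GREEDYDATA:msg}" }
  }
  json {
    source => "msg"          # parse the msg field as JSON
    target => "request"      # nest the parsed object under a "request" field
    remove_field => ["msg"]  # drop the raw string once it has been parsed
  }
}
```

With target set, the user, headers, method, url and params keys end up under request.*; omit target if you prefer them at the top level of the event.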