我在docker中使用elk(elasticsearch,logstash和kibana)。在logstash中,我有input.conf和output.conf。一切正常,但我没有添加任何grok过滤器..如果我尝试将其添加到input.conf或创建新文件“filter.conf”但logstash看不到这些过滤器。
我的input.conf
input {
file {
type => "test"
path => [
"/host/var/log/test.log"
]
}
}
我的output.conf
output {
elasticsearch {
hosts => ["localhost"]
}
}
我的过滤器:
filter {
grok {
type => "test"
match => [ "%{IP:client}, "%{WORD:method}", "%{URIPATHPARAM:request}", "%{NUMBER:bytes}", "%{NUMBER:duration}" ]
}
}
日志示例,保存在test.log中:echo 51.0.50.1 POST /index.html 15824 0.049>>无功/日志/ test.log中
此配置有什么问题?
答案 0 :(得分:0)
您的grok模式格式不正确,应该如下所示,即在开头和结尾都有双引号而且没有逗号:
filter {
grok {
match => { "message" => "%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration}" }
}
}
将此过滤器与样本日志行51.0.50.1 POST /index.html 15824 0.049一起使用,我得到下面的事件似乎是正确的:
{
"message" => "51.0.50.1 POST /index.html 15824 0.049",
"@version" => "1",
"@timestamp" => "2016-01-13T17:07:15.274Z",
"host" => "iMac.local",
"client" => "51.0.50.1",
"method" => "POST",
"request" => "/index.html",
"bytes" => "15824",
"duration" => "0.049"
}