How do I map fields onto the messages in an SBR accounting log? The format looks like this:
"Date","Time","RAS-Client","Record-Type","Full-Name","Auth-Type","User-Name","Framed-IP-Address","Calling-Station-ID","Called-Station-ID","Framed-Interface-Id","Delegated-IPv6-Prefix","NAS-Identifier","NAS-IP-Address","NAS-Port","NAS-Port-Type","NAS-Port-ID","Filter-ID","Acct-Termination-Cause","Acct-Session-Id","Acct-Session-Time","Acct-Status-Type","Acct-Delay-Time","Acct-Input-Octets","Acct-Output-Octets","Acct-Authentic","Acct-Input-Packets","Acct-Output-Packets","Acct-Multi-Session-Id","Acct-Input-Gigawords","Acct-Output-Gigawords","Event-Timestamp","Service-Type","Framed-Protocol","Connect-Info","Idle-Timeout","Session-Timeout","HW-Connect-ID","HW-Domain-Name"
Quoted values ("xxx") and empty fields are all separated by commas (,).
For example:
"3/7/2016","17:00:00","ABC",,,"XYZ",...
The filter section of my config.yml looks like this:
filter {
  mutate {
    # replace all commas with spaces
    gsub => [ "message", ",", " " ]
  }
  grok {
    # positional match; every field is optional because many are empty
    match => [ "message", "(%{DATE:date})? (%{TIME:time})? (%{WORD:bras})? (%{WORD:recordtype})? (%{WORD:fullname})? (%{WORD:authtype})? (%{WORD:username})? (%{IP:ipaddress})? (%{MAC:callingstationid})? (%{MAC:calledstationid})? %{GREEDYDATA:message}" ]
  }
}
But it does not seem to work.
PS. I am just a beginner with the ELK stack; sorry for my poor English.
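The accounting format above is plain CSV with quoted values and bare empty fields, so the record can be mapped by column position as long as the parser honours quotes and keeps empty fields. The following is an added example written for this page; it is not code from the original post, from Logstash or from SBR. It parses the header line given above with Python's csv module, then shows on two constructed sample lines (not real SBR output) why the comma-to-space gsub loses field positions and how a header-keyed CSV parse keeps them. The sample values, the month/day/year date format and the RADIUS Gigawords arithmetic for byte totals are assumptions labelled in the code.

```python
import csv
from datetime import datetime

# Column header exactly as given for the SBR accounting log in the post; parsing it
# with the csv module avoids hand-counting the 39 names.
SBR_HEADER = (
    '"Date","Time","RAS-Client","Record-Type","Full-Name","Auth-Type","User-Name",'
    '"Framed-IP-Address","Calling-Station-ID","Called-Station-ID","Framed-Interface-Id",'
    '"Delegated-IPv6-Prefix","NAS-Identifier","NAS-IP-Address","NAS-Port","NAS-Port-Type",'
    '"NAS-Port-ID","Filter-ID","Acct-Termination-Cause","Acct-Session-Id","Acct-Session-Time",'
    '"Acct-Status-Type","Acct-Delay-Time","Acct-Input-Octets","Acct-Output-Octets",'
    '"Acct-Authentic","Acct-Input-Packets","Acct-Output-Packets","Acct-Multi-Session-Id",'
    '"Acct-Input-Gigawords","Acct-Output-Gigawords","Event-Timestamp","Service-Type",'
    '"Framed-Protocol","Connect-Info","Idle-Timeout","Session-Timeout","HW-Connect-ID",'
    '"HW-Domain-Name"'
)
SBR_COLUMNS = next(csv.reader([SBR_HEADER]))

# Constructed sample records (assumed values, not from a real SBR log). Field order
# follows SBR_COLUMNS; empty fields are bare, as in the post's '"ABC",,,"XYZ"' example.
SAMPLE_START = (
    '"3/7/2016","17:00:00","ABC",,,"XYZ","alice",'        # Date .. User-Name (1-7)
    '"10.0.0.5","00-11-22-33-44-55",,,,'                  # Framed-IP-Address .. Delegated-IPv6-Prefix (8-12)
    '"nas01","192.0.2.1","7","Ethernet",,,,'              # NAS-Identifier .. Acct-Termination-Cause (13-19)
    '"0000ABCD",,"Start","0",,,"RADIUS",,,,,,'            # Acct-Session-Id .. Acct-Output-Gigawords (20-31)
    '"1457370000","Framed-User","PPP",,,,,"example.net"'  # Event-Timestamp .. HW-Domain-Name (32-39)
)
# Matching Stop record whose Full-Name holds a comma and a space: a split on "," or a
# WORD-based grok pattern breaks on it, a CSV parser does not.
SAMPLE_STOP = (
    '"3/7/2016","17:45:10","ABC","Acct","Doe, John","PAP","jdoe",'
    '"10.0.0.5","00-11-22-33-44-55",,,,'
    '"nas01","192.0.2.1","7","Ethernet",,,"User-Request",'
    '"0000ABCD","2710","Stop","0","1048576","52428800","RADIUS","1200","900",,"0","0",'
    '"1457372710","Framed-User","PPP",,,,,"example.net"'
)


def parse_sbr_record(line):
    """Map one accounting line onto SBR_COLUMNS.

    Empty fields stay "" so every value keeps its position. A line with the wrong
    field count raises rather than silently attributing an IP or session to the
    wrong user, which is what a positional parse would do."""
    fields = next(csv.reader([line]))
    if len(fields) != len(SBR_COLUMNS):
        raise ValueError("expected %d fields, got %d" % (len(SBR_COLUMNS), len(fields)))
    return dict(zip(SBR_COLUMNS, fields))


def is_well_formed(line):
    try:
        parse_sbr_record(line)
        return True
    except (ValueError, csv.Error):
        return False


def parse_sbr_log(text):
    return [parse_sbr_record(l) for l in text.splitlines() if l.strip()]


def event_time(rec):
    # Assumption: Date is month/day/year and Time is HH:MM:SS, as in the post's example.
    return datetime.strptime(rec["Date"] + " " + rec["Time"], "%m/%d/%Y %H:%M:%S")


def session_duration(start_rec, stop_rec):
    """Seconds between a Start and its Stop record, for cross-checking Acct-Session-Time."""
    return int((event_time(stop_rec) - event_time(start_rec)).total_seconds())


def acct_bytes(rec, direction):
    """Total bytes for direction 'Input' or 'Output'. RADIUS octet counters wrap at
    2**32 and the overflow count lives in the Gigawords attribute; empty counters
    (as on a Start record) count as 0."""
    octets = int(rec["Acct-%s-Octets" % direction] or 0)
    gigawords = int(rec["Acct-%s-Gigawords" % direction] or 0)
    return gigawords * 2 ** 32 + octets


def naive_field_count(line):
    """Field count a plain split on ',' would see (wrong once a value contains a comma)."""
    return len(line.split(","))


def gsub_token_count(line):
    """What the comma-to-space gsub leaves for grok: consecutive empty fields collapse
    into whitespace, so the token count no longer says which columns were empty."""
    return len(line.replace(",", " ").split())


if __name__ == "__main__":
    for rec in parse_sbr_log(SAMPLE_START + "\n" + SAMPLE_STOP):
        print(rec["Acct-Status-Type"], rec["User-Name"], rec["Framed-IP-Address"],
              event_time(rec), acct_bytes(rec, "Input"), acct_bytes(rec, "Output"))
```

In Logstash the equivalent of `parse_sbr_record` is the csv filter with `columns => [...]` set to the header names and `separator => ","`; it honours quoted values and keeps empty fields, so no gsub and no optional grok groups are needed. The field-count check is worth keeping in any pipeline that ingests these logs, since they are the record of which user held which Framed-IP-Address at what time.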