I installed the latest Logstash (2.3) and I want to use the grok filter to parse syslog. So, here is the filter:
filter {
  if [type] == "linux-syslog" {
    grok {
      match => { "message" => "^%{SYSLOGTIMESTAMP:syslog_timestamp}\s*%{SYSLOGHOST:syslog_hostname}\s*(%{PROG:syslog_program})?\s*(:?\[%{POSINT:syslog_pid}\])?:?\s*%{GREEDYDATA:syslog_message}[a-z]*\s*$" }
      patterns_dir => ["/var/opt/logstash/patterns"]
      add_tag => "syslog_everything"
      keep_empty_captures => "true"
    }
    date {
      match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}
This is what I get when I try to parse it with Logstash:
"message" => "Apr 20 14:31:35 node1 ansible-service: Invoked with name=logstash pattern=None enabled=True state=restarted sleep=None arguments= runlevel=default ",
"@version" => "1",
"@timestamp" => "2016-04-20T14:31:35.000Z",
"path" => "/var/log/syslog",
"host" => "node1",
"type" => "linux-syslog",
"syslog_timestamp" => "Apr 20 14:31:35",
"syslog_hostname" => "node1",
"syslog_program" => "ansible-service:",
"syslog_pid" => nil,
"syslog_message" => "Invoked with name=logstash pattern=None enabled=True state=restarted sleep=None arguments= runlevel=default ",
"tags" => [
[0] "syslog_everything",
[1] "_grokparsefailure"
]
}
and...
{
"message" => "Apr 20 14:35:10 node1 crontab[29052]: (vagrant) END EDIT (vagrant)",
"@version" => "1",
"@timestamp" => "2016-04-20T14:35:10.000Z",
"path" => "/var/log/syslog",
"host" => "node1",
"type" => "linux-syslog",
"syslog_timestamp" => "Apr 20 14:35:10",
"syslog_hostname" => "node1",
"syslog_program" => "crontab",
"syslog_pid" => "29052",
"syslog_message" => "(vagrant) END EDIT (vagrant)",
"tags" => [
[0] "syslog_everything",
[1] "_grokparsefailure"
]
}
What am I doing wrong here? I checked it with grokdebugger and the result is fine...
Answer 0: (score: 0)
If the fields are being created, grok is working. You probably have another grok stanza that is failing. Add a different tag_on_failure to each.
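To confirm the answer's point, the question's match string can be replayed outside Logstash. The script below is an added example, not code from the question or the answer: it expands the standard grok patterns the match string uses into a Python regex and runs it over the two sample lines rebuilt from the question's "message" fields. Assumptions: the expansions follow the grok-patterns file shipped with Logstash 2.3, with SYSLOGHOST reduced to a hostname branch and MONTH shortened to abbreviated names, which is all the samples need. Both lines match, so this stanza is not the source of _grokparsefailure, and the run also shows why syslog_program keeps its trailing colon on the first line.

```python
import re
from typing import Optional

# Expansions of the grok patterns used in the question's match string.
# Assumption: they follow the grok-patterns file shipped with Logstash 2.3
# (SYSLOGHOST cut down to a hostname branch, MONTH to abbreviated names).
MONTH = r"\b(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\b"
MONTHDAY = r"(?:0[1-9]|[12][0-9]|3[01]|[1-9])"
TIME = r"(?:2[0-3]|[01]?[0-9]):[0-5][0-9](?::(?:[0-5]?[0-9]|60))?(?![0-9])"
SYSLOGTIMESTAMP = rf"{MONTH} +{MONTHDAY} {TIME}"
SYSLOGHOST = r"\b[0-9A-Za-z][0-9A-Za-z.-]*"
# PROG admits every printable ASCII character except '[' and ']', so a
# trailing ':' is swallowed into syslog_program (as the question's output
# shows), while 'crontab[29052]' stops at the '[' and leaves the pid group
# to pick up the number.
PROG = r"[\x21-\x5a\x5c\x5e-\x7e]+"
POSINT = r"\b[1-9][0-9]*\b"
GREEDYDATA = r".*"

# The question's match string, with %{PATTERN:name} turned into named groups.
GROK = re.compile(
    rf"^(?P<syslog_timestamp>{SYSLOGTIMESTAMP})\s*"
    rf"(?P<syslog_hostname>{SYSLOGHOST})\s*"
    rf"(?P<syslog_program>{PROG})?\s*"
    rf"(?::?\[(?P<syslog_pid>{POSINT})\])?:?\s*"
    rf"(?P<syslog_message>{GREEDYDATA})[a-z]*\s*$"
)


def parse_syslog(line: str) -> Optional[dict]:
    """Return the captures the question's grok stanza would produce, or None
    when the line would be tagged _grokparsefailure by this stanza."""
    m = GROK.match(line)
    return m.groupdict() if m else None


# Constructed sample lines, rebuilt from the "message" fields in the question.
SAMPLES = [
    "Apr 20 14:31:35 node1 ansible-service: Invoked with name=logstash "
    "pattern=None enabled=True state=restarted sleep=None arguments= "
    "runlevel=default ",
    "Apr 20 14:35:10 node1 crontab[29052]: (vagrant) END EDIT (vagrant)",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(parse_syslog(line))
```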