Getting logstash + grok and multiline to work with Perl stack traces

Time: 2016-04-28 19:18:15

Tags: perl logstash-grok logstash-configuration

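I am using multiline + grok to parse a Perl error log, and I cannot get it to include the stack trace as part of a single entry (lines 3-5). As you can see, I am filtering out the wrapping brackets and the newlines (not tried) and using Mon | Tues | Wed | Thurs | Fri | Sat | Sun as the pattern that marks a new entry.

Here is a sample of the log: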

[Tue Apr 26 06:59:32 2016] [notice] Apache/2.2.29 (Unix) mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1 configured -- resu$
[Tue Apr 26 15:47:45 2016] [error] [client 108.180.255.92] HASH(0x52c4ec0), referer: https://host/admin/profile/job/17844412
[/home/user/bricolage2/lib/Bric/Util/Job.pm:1107]
[/home/user/bricolage2/lib/Bric/App/Callback/Profile/Job.pm:31]
[/usr/lib64/perl5/vendor_perl/5.10.1/Params/CallbackRequest.pm:296]
[Wed Apr 27 06:59:30 2016] [notice] Graceful restart requested, doing restart

And the result when I run it (the timestamps are not the same as the log times - they are from when I ran it):

Pipeline main started
{
    "@timestamp" => "2016-04-28T18:43:31.627Z",
       "message" => "Tue Apr 26 06:59:32 2016 notice Apache/2.2.29 (Unix) mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1 configured -- resuming normal operations Tue Apr 26 15:47:45 2016 error client 108.180.255.92 HASH(0x52c4ec0), referer: https://host/admin/profile/job/17844412 /home/user/bricolage2/lib/Bric/Util/Job.pm:1107",
      "@version" => "1",
          "tags" => [
        [0] "multiline"
    ],
          "path" => "/var/home/user/logstash/short_error_log",
          "host" => "host",
     "datestamp" => "Tue",
         "month" => "Apr",
           "day" => "26",
          "time" => "06:59:32",
          "type" => "notice",
         "error" => "Apache/2.2.29 (Unix) mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1 configured -- resuming normal operations Tue Apr 26 15:47:45 2016 error client 108.180.255.92 HASH(0x52c4ec0), referer: https://host/admin/profile/job/17844412 /home/user/bricolage2/lib/Bric/Util/Job.pm:1107"
}
{
    "@timestamp" => "2016-04-28T18:43:31.673Z",
       "message" => "/home/user/bricolage2/lib/Bric/App/Callback/Profile/Job.pm:31",
      "@version" => "1",
          "path" => "/var/home/user/logstash/short_error_log",
          "host" => "host",
          "tags" => [
        [0] "_grokparsefailure"
    ]
}
{
    "@timestamp" => "2016-04-28T18:43:31.677Z",
       "message" => "/usr/lib64/perl5/vendor_perl/5.10.1/Params/CallbackRequest.pm:296",
      "@version" => "1",
          "path" => "/var/home/user/logstash/short_error_log",
          "host" => "host",
          "tags" => [
        [0] "_grokparsefailure"
    ]
}

Here is my configuration

Under input:

    file {
        path => "/var/home/user/logstash/short_error_log"
        start_position => beginning
        ignore_older => 0
        sincedb_path => "/dev/null"
        codec => multiline {
            pattern => "(Mon|Tue|Wed|Thu|Fri)"
            what => "next"
        }
    }

    filter {

        mutate {
            gsub => [
                "message", "\n", " ",
                "message", "[\[\]]", ""
            ]
        }

        grok {
            match => { "message" => "%{DAY:datestamp} %{MONTH:month} %{MONTHDAY:day} %{TIME:time} %{YEAR} %{WORD:type} (?<error>.*)"}
            # match => { "message" => "(?m)%{DAY:datestamp} %{MONTH:month} %{MONTHDAY:day} %{TIME:time} %{YEAR} %{WORD:type} %{GREEDYDATA:err$

        }

    }

0 answers:

No answers
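Added example, not part of the original question and not Logstash's own code: a simplified Python model of the multiline codec's grouping rule, run over the question's log sample. With the question's settings it reproduces the three events shown in the output above; with a start-of-entry pattern anchored at `[<day> `, `negate => true` and `what => "previous"`, the stack-trace lines stay with the error entry. The function name `multiline`, the shortened first log line and the alternative pattern are assumptions of this example.

```python
import re

# Constructed from the log sample in the question (first line shortened).
SAMPLE = """\
[Tue Apr 26 06:59:32 2016] [notice] Apache/2.2.29 (Unix) configured
[Tue Apr 26 15:47:45 2016] [error] [client 108.180.255.92] HASH(0x52c4ec0), referer: https://host/admin/profile/job/17844412
[/home/user/bricolage2/lib/Bric/Util/Job.pm:1107]
[/home/user/bricolage2/lib/Bric/App/Callback/Profile/Job.pm:31]
[/usr/lib64/perl5/vendor_perl/5.10.1/Params/CallbackRequest.pm:296]
[Wed Apr 27 06:59:30 2016] [notice] Graceful restart requested, doing restart
""".splitlines()


def multiline(lines, pattern, what, negate=False):
    """Simplified model of the multiline codec's grouping rule.

    Returns (events, pending); pending is the buffer still waiting for
    more input when the lines run out.
    """
    rx = re.compile(pattern)
    events, buf = [], []
    for line in lines:
        # The pattern is searched anywhere in the line, then negate is applied.
        matched = bool(rx.search(line)) != negate
        if what == "previous":
            # A matched line belongs to the event before it.
            if not matched and buf:
                events.append(buf)
                buf = []
            buf.append(line)
        else:  # what == "next"
            # A matched line is held and joined with the line after it.
            buf.append(line)
            if not matched:
                events.append(buf)
                buf = []
    return events, buf


# Settings from the question: every dated line is glued to what follows it.
asked, asked_pending = multiline(SAMPLE, r"(Mon|Tue|Wed|Thu|Fri)", "next")

# Alternative (assumed pattern): a line that does NOT start a dated entry
# continues the previous event.
START = r"^\[(Mon|Tue|Wed|Thu|Fri|Sat|Sun) "
fixed, fixed_pending = multiline(SAMPLE, START, "previous", negate=True)

if __name__ == "__main__":
    for name, evs in (("question", asked), ("alternative", fixed)):
        print(name, [len(e) for e in evs])
```

In both runs the final `[Wed ...]` line is still buffered when the input ends; in Logstash the codec's `auto_flush_interval` option emits such a trailing entry after a timeout.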