We need to forward log messages in syslog format with 2 constraints:
the fully parsed input as JSON, enclosed in ' quotes. Sample input message:
2016-05-18T17:54:12.098+0000 I ACCESS [conn104] Successfully authenticated as principal __system on local
Sample output syslog message:
May 18 17:56:43 myhostname mongo[-]: some/prefix/I/need/to/show '{"version":"1.1","host":"myhostname","level":6,"@version":"1","@timestamp":"2016-05-18T17:56:43.515Z","source_host":"10.1.1.1","message":"2016-05-18T17:54:12.098+0000 I ACCESS [conn104] Successfully authenticated as principal __system on local","command":"/entrypoint.sh mongod --config /data/configdb/mongod.conf","container_id":"9f5217cf462bf90d4fd2d0ce2d713250637309e9964412421599bc50c8c84977","container_name":"mongo","created":"2016-05-18T17:10:05.720691937Z","image_id":"sha256:297b722a18ce154bd2aa21ddad2f128ea3025f38df2c5a87c7c10faabd4b32a2","image_name":"myregistry/mongodb:3.0","tag":"some/prefix/I/need/to/show"}'
I can get the second point with something like this, but I don't get the JSON wrapped in '.
input {
  gelf { }
}
output {
  syslog {
    facility => "daemon"
    host => "some.loghost.server"
    port => 514
    protocol => "tcp"
    severity => "notice"
    appname => "%{container_name}"
    codec => json_lines
  }
  stdout {
    codec => rubydebug
  }
}
Edit 2016-05-19: I got something working by chaining 2 Logstash instances. Is there a better way?
Conf 1:
input {
  gelf { }
}
output {
  syslog {
    facility => "daemon"
    host => "127.0.0.1"
    port => 1515
    protocol => "tcp"
    severity => "notice"
    appname => "%{tag}"
    codec => json_lines
  }
  stdout {
    codec => rubydebug
  }
}
Conf 2:
input {
  syslog {
    port => 1515
  }
}
filter {
  # The syslog input cannot parse "appname[-]" as program/pid, so the
  # whole "tag[-]: {json}" remainder lands in "message"; split it here.
  grok {
    match => { "message" => "^%{DATA:tag}\[-\]: %{GREEDYDATA:jsonstring}" }
  }
  # Replace the message with the bare JSON body and drop the temporary field.
  mutate { replace => { "message" => "%{jsonstring}" } }
  mutate { remove_field => [ "jsonstring" ] }
}
output {
  syslog {
    facility => "daemon"
    host => "some.other.logserver"
    port => 514
    protocol => "tcp"
    severity => "notice"
    appname => ""
    msgid => ""
    message => "%{tag} '%{message}'"
  }
  stdout {
    codec => rubydebug
  }
}
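As an added illustration that is not part of the question, the following Python script emulates what Conf 2 does to the line Conf 1 emits (split the body into tag and JSON string, then rebuild it as `tag '{json}'`) and shows how a receiving parser should recover the JSON again. The sample syslog line is constructed from the question's field values (the `<29>` priority is daemon.notice, which the syslog output uses); the regexes are Python equivalents of the syslog input's line parsing and of the grok pattern in Conf 2, not Logstash's own code. Two checks are added that the pipeline in the question does not do: a body that is not valid JSON is not forwarded with the prefix, and on the receiving side the JSON is taken between the first and last quote so an apostrophe inside a MongoDB log message does not truncate the payload.

```python
import json
import re

# Constructed sample of the line Conf 1 sends to Conf 2: an RFC3164 syslog
# line whose body is the GELF event serialised by the json_lines codec.
# Field values are copied from the question's sample output message.
STAGE1_LINE = (
    "<29>May 18 17:56:43 myhostname some/prefix/I/need/to/show[-]: "
    '{"version":"1.1","host":"myhostname","level":6,"@version":"1",'
    '"@timestamp":"2016-05-18T17:56:43.515Z","source_host":"10.1.1.1",'
    '"message":"2016-05-18T17:54:12.098+0000 I ACCESS [conn104] '
    'Successfully authenticated as principal __system on local",'
    '"container_name":"mongo","tag":"some/prefix/I/need/to/show"}'
)

# Rough equivalent of the syslog input's line parsing: priority, timestamp,
# host and the remaining body (which here still carries "tag[-]: ").
SYSLOG_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<body>.*)$",
    re.DOTALL,
)

# Python form of the grok pattern "^%{DATA:tag}\[-\]: %{GREEDYDATA:jsonstring}".
GROK_RE = re.compile(r"^(?P<tag>.*?)\[-\]: (?P<jsonstring>.*)$", re.DOTALL)


def stage2_transform(line):
    """Emulate Conf 2: split the Conf 1 line into tag and JSON body and rebuild
    the outgoing message as "<tag> '<json>'". Returns None when the body is not
    well-formed JSON, so a truncated or foreign line is not forwarded under a
    misleading prefix (the question's pipeline forwards it unchecked)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    g = GROK_RE.match(m.group("body"))
    if not g:
        return None
    jsonstring = g.group("jsonstring")
    try:
        json.loads(jsonstring)  # refuse to forward bodies that are not valid JSON
    except ValueError:
        return None
    return "%s '%s'" % (g.group("tag"), jsonstring)


def extract_payload(message):
    """Receiver side: recover (tag, event) from "<tag> '<json>'". The JSON is
    taken between the first and the last quote, because JSON does not escape
    apostrophes and a log text such as "can't open" would otherwise end the
    payload early. Returns None if the message has no parseable payload."""
    start = message.find("'")
    end = message.rfind("'")
    if start == -1 or end <= start:
        return None
    tag = message[:start].rstrip()
    try:
        event = json.loads(message[start + 1:end])
    except ValueError:
        return None
    return tag, event


if __name__ == "__main__":
    forwarded = stage2_transform(STAGE1_LINE)
    print(forwarded)
    print(extract_payload(forwarded))
```

Running the script prints the rebuilt `some/prefix/I/need/to/show '{...}'` line followed by the tag and the decoded event dictionary.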