grokparsefailure after some filters in my logstash config

Time: 2016-07-20 01:14:01

Tags: logstash logstash-grok grok

I have some logs from my network device. The logs are sent to Logstash, and after the log filters run I get "grokparsefailure".

logstash conf

        grok {
                match => { "message" => "^[a-z0-9,]* %{GREEDYDATA:message}" }
                overwrite => [ "message" ]
        }

        multiline {
                source => "message"
                pattern => "^(TCP)|(first L2TP)"
                negate => false
                what => next
                max_age => "2"
        }
        mutate {
                gsub => ["message", "\n", " "]
        }
# message from successful PPTP VPN client login
        if ( [message] =~ /^TCP.*(logged\sin,)/) {
                grok {
                        match => { "message" => " %{PPTPVPNCLIENTIN} " }
                        add_field => { "[microtik][vpnclientauth]" => "login susseful" }
                }
        }

grok pattern

PPTPVPNCLIENTIN TCP connection established from %{IPV4:[microtik][vpnclientsourceip]} %{USERNAME:[microtik][username]} logged in, %{IPV4:[microtik][vpnclientinternalip]}

raw log

"pptp,info TCP connection established from realIP"
"pptp,ppp,info,account username logged in, localIP"

rubydebug output

{
       "message" => "TCP connection established from reaiIP username logged in, localIP",
      "@version" => "1",
    "@timestamp" => "date/time",
          "type" => "mtsl",
          "host" => "ip",
          "tags" => [
        [0] "multiline",
        [1] "_grokparsefailure"
    ]
}

I think this is a simple syntax mistake on my part, but I cannot find it.
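As an added example (not part of the post), the following Python script emulates the post's pipeline offline: the prefix-stripping grok, the multiline join with the gsub of newlines to spaces, and then an unanchored grok-style search with the custom PPTPVPNCLIENTIN pattern. It shows that the literal spaces inside the match string " %{PPTPVPNCLIENTIN} " are part of the regex and must be present in the message. The IPV4 and USERNAME regexes are simplified stand-ins for the grok library patterns, and the addresses and username are constructed placeholders.

```python
import re

# Simplified stand-ins for the grok library patterns the post relies on (constructed
# for this example; the real IPV4 pattern is stricter about octet ranges).
GROK = {
    "IPV4": r"(?<![0-9])(?:[0-9]{1,3}\.){3}[0-9]{1,3}(?![0-9])",
    "USERNAME": r"[a-zA-Z0-9._-]+",
    "GREEDYDATA": r".*",
    # The custom pattern from the post, verbatim.
    "PPTPVPNCLIENTIN": ("TCP connection established from %{IPV4:[microtik][vpnclientsourceip]} "
                        "%{USERNAME:[microtik][username]} logged in, "
                        "%{IPV4:[microtik][vpnclientinternalip]}"),
}

def expand(pattern):
    """Rewrite %{NAME:[a][b]} / %{NAME} references into a Python regex with named groups."""
    def repl(m):
        name, field = m.group(1), m.group(2)
        inner = expand(GROK[name])            # patterns may reference other patterns
        if field is None:
            return "(?:%s)" % inner
        group = re.sub(r"[\[\]]+", "_", field).strip("_")  # [microtik][username] -> microtik_username
        return "(?P<%s>%s)" % (group, inner)
    return re.sub(r"%\{(\w+)(?::([^}]+))?\}", repl, pattern)

def grok_match(pattern, message):
    """Like the grok filter: an unanchored search; returns captured fields or None on failure."""
    m = re.search(expand(pattern), message)
    return m.groupdict() if m else None

def preprocess(lines):
    """Emulate the post's first grok (drop the 'pptp,info ' prefix, overwrite message),
    then the multiline join with '\\n' replaced by a single space (mutate gsub)."""
    stripped = [re.sub(r"^[a-z0-9,]* ", "", ln) for ln in lines]
    return " ".join(stripped)

# Constructed sample shaped like the two raw lines in the post (placeholder addresses).
RAW = ["pptp,info TCP connection established from 203.0.113.5",
       "pptp,ppp,info,account alice logged in, 10.0.0.7"]

if __name__ == "__main__":
    msg = preprocess(RAW)
    print(msg)
    print("with surrounding spaces:", grok_match(" %{PPTPVPNCLIENTIN} ", msg))
    print("without:", grok_match("%{PPTPVPNCLIENTIN}", msg))
```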

0 answers:

No answers