My network device produces some logs. The logs are sent to Logstash, and after the filters are applied I get "grokparsefailure".

Logstash config:
grok {
match => { "message" => "^[a-z0-9,]* %{GREEDYDATA:message}" }
overwrite => [ "message" ]
}
multiline {
source => "message"
pattern => "^(TCP)|(first L2TP)"
negate => false
what => next
max_age => "2"
}
mutate {
gsub => ["message", "\n", " "]
}
# message from a successful PPTP VPN client login
if ( [message] =~ /^TCP.*(logged\sin,)/) {
grok {
match => { "message" => " %{PPTPVPNCLIENTIN} " }
add_field => { "[microtik][vpnclientauth]" => "login successful" }
}
}
Grok pattern:
PPTPVPNCLIENTIN TCP connection established from %{IPV4:[microtik][vpnclientsourceip]} %{USERNAME:[microtik][username]} logged in, %{IPV4:[microtik][vpnclientinternalip]}
Raw logs:
"pptp,info TCP connection established from realIP"
"pptp,ppp,info,account username logged in, localIP"
rubydebug output:
{
"message" => "TCP connection established from reaiIP username logged in, localIP",
"@version" => "1",
"@timestamp" => "date/time",
"type" => "mtsl",
"host" => "ip",
"tags" => [
[0] "multiline",
[1] "_grokparsefailure"
]
}
I think this is a simple syntax error on my part, but I can't find it.
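An added example, not code from the original post: it replays the posted filter chain (prefix-stripping grok, multiline join, gsub) in Python against constructed sample lines, then runs the custom pattern both exactly as written in the match string and without the surrounding spaces. The IPV4 and USERNAME patterns are simplified stand-ins for the grok core patterns, and the nested field names are flattened to plain group names.

```python
import re

# Constructed sample lines in the shape of the two raw log lines quoted
# in the post (placeholder addresses and username, not real data).
RAW_LINES = [
    "pptp,info TCP connection established from 203.0.113.10",
    "pptp,ppp,info,account alice logged in, 10.0.0.5",
]

# Simplified stand-ins for the grok core patterns (assumption: the real
# IPV4 pattern is stricter, but both accept the sample values above).
GROK_BASE = {
    "IPV4": r"(?:\d{1,3}\.){3}\d{1,3}",
    "USERNAME": r"[a-zA-Z0-9._-]+",
}

# The custom pattern from the post; Python group names cannot contain
# brackets, so [microtik][x] is flattened to plain names.
PPTPVPNCLIENTIN = (
    "TCP connection established from %{IPV4:sourceip} "
    "%{USERNAME:username} logged in, %{IPV4:internalip}"
)

def grok_to_regex(pattern: str) -> str:
    """Expand %{NAME:field} tokens into Python named groups."""
    def repl(m):
        base = GROK_BASE[m.group(1)]
        field = m.group(2)
        return f"(?P<{field}>{base})" if field else f"(?:{base})"
    return re.sub(r"%\{(\w+)(?::(\w+))?\}", repl, pattern)

def simulate_pipeline(lines):
    """Strip the 'topic,...' prefix per line (first grok + overwrite),
    join the lines (multiline), then replace the newline (gsub)."""
    stripped = [re.sub(r"^[a-z0-9,]* ", "", line) for line in lines]
    return "\n".join(stripped).replace("\n", " ")

def grok_match(message, match_string):
    """Mimic grok's unanchored search; None means _grokparsefailure."""
    expanded = match_string.replace("%{PPTPVPNCLIENTIN}", PPTPVPNCLIENTIN)
    m = re.search(grok_to_regex(expanded), message)
    return m.groupdict() if m else None

if __name__ == "__main__":
    msg = simulate_pipeline(RAW_LINES)
    print(msg)
    print("as posted:", grok_match(msg, " %{PPTPVPNCLIENTIN} "))  # None
    print("trimmed  :", grok_match(msg, "%{PPTPVPNCLIENTIN}"))
```

The leading and trailing spaces in the match string have to be present in the message for the search to succeed, and the joined message neither starts nor ends with a space.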