logstash 2.4.0: grok fails silently on custom pattern

Time: 2016-10-25 13:57:42

Tags: elasticsearch logstash logstash-grok

I am trying (and failing) to get a custom pattern to work with logstash 2.4.0. Here is the relevant part of the conf file:

#some parsing happens above...
    grok {
       patterns_dir => ["/config_dir/patterns"]
       match => [ "syslog_message", "%{QID:qid}:" ]
    }

(full config at the end) - the patterns directory contains only the file sendmail.grok:

#########
QID a

Running this I get (reformatted exception):

{:exception=>"Grok::PatternError",
 :backtrace=>["/opt/logstash/vendor/bundle/jruby/1.9/gems/jls-grok-0.11.3/lib/grok-pure.rb:123:in `compile'",
              "org/jruby/RubyKernel.java:1479:in `loop'",
              "/opt/logstash/vendor/bundle/jruby/1.9/gems/jls-grok-0.11.3/lib/grok-pure.rb:93:in `compile'",
              "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-filter-grok-2.0.5/lib/logstash/filters/grok.rb:264:in `register'",
              "org/jruby/RubyArray.java:1613:in `each'",
              "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-filter-grok-2.0.5/lib/logstash/filters/grok.rb:259:in `register'",
              "org/jruby/RubyHash.java:1342:in `each'",
              "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-filter-grok-2.0.5/lib/logstash/filters/grok.rb:255:in `register'",
              "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.4.0-java/lib/logstash/pipeline.rb:182:in `start_workers'",
              "org/jruby/RubyArray.java:1613:in `each'",
              "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.4.0-java/lib/logstash/pipeline.rb:182:in `start_workers'",
              "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.4.0-java/lib/logstash/pipeline.rb:136:in `run'",
              "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.4.0-java/lib/logstash/agent.rb:491:in `start_pipeline'"],
 :level=>:error,
 :file=>"logstash/agent.rb",
 :line=>"493",
 :method=>"start_pipeline"
}

This exception is unchanged whatever the content of patterns/sendmail.grok. It is a PatternError, but it does not tell me where or why the error occurs. However, if I comment out the match line, everything is fine (sample output below):

{
                 "message" => "Oct 25 13:18:27 alpha opendkim[1160]: u9PBIMwu011394: authsmtp79.register.it [195.110.122.164] not internal",
                "@version" => "1",
              "@timestamp" => "2016-10-25T11:25:35.072Z",
                    "path" => "/log/maillog",
                    "host" => "93fe70f98023",
    "syslog_severity_code" => 5,
    "syslog_facility_code" => 1,
         "syslog_facility" => "user-level",
         "syslog_severity" => "notice",
                    "tags" => [
        [0] "syslog_message_unparsed",
        [1] "syslog_relay"
    ],
        "syslog_timestamp" => "Oct 25 13:18:27",
             "syslog_host" => "alpha",
                 "program" => "opendkim",
                     "pid" => "1160",
          "syslog_message" => "u9PBIMwu011394: authsmtp79.register.it [195.110.122.164] not internal",
         "syslog_fullhost" => "alpha"
}

Ideas?

TIA, ALF

Full config:
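Added example, not from the question and not logstash's or jls-grok's own code: a small Ruby model of what the grok filter does with a patterns_dir file and a `%{NAME:field}` match expression, written so that every compile failure names the pattern or definition responsible, which is exactly what the bare `Grok::PatternError` above does not do. The `syslog_message` and the `%{QID:qid}:` match are the ones from the question; the `QID` definition (`[A-Za-z0-9]{14}`) and the constructed failure cases are assumptions.

```ruby
# Added example: a minimal model of what logstash's grok filter does with
# patterns_dir. Not code from the question or from jls-grok/logstash.
# A pattern file holds one "NAME regex" per line; %{NAME} or %{NAME:field} in
# a match expression is replaced by that regex and the result is compiled.
# Every failure below names the pattern or definition that caused it.

# Parse one pattern file. '#' comments and blank lines are ignored.
def parse_pattern_file(text)
  text.each_line.with_object({}) do |line, defs|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    name, source = line.split(/\s+/, 2)
    raise ArgumentError, "pattern #{name} has no definition" if source.nil?
    defs[name] = source
  end
end

# Expand %{NAME} / %{NAME:field} references recursively into Ruby named
# captures. Undefined names and reference cycles are reported together with
# the chain of pattern names that led to them.
def expand_pattern(pattern, defs, stack = [])
  pattern.gsub(/%\{(\w+)(?::(\w+))?\}/) do
    name, field = Regexp.last_match(1), Regexp.last_match(2)
    where = stack.empty? ? 'the match expression' : stack.join(' > ')
    raise ArgumentError, "undefined pattern %{#{name}} referenced from #{where}" unless defs.key?(name)
    raise ArgumentError, "pattern cycle: #{(stack + [name]).join(' > ')}" if stack.include?(name)
    inner = expand_pattern(defs[name], defs, stack + [name])
    field ? "(?<#{field}>#{inner})" : "(?:#{inner})"
  end
end

# Compile a match expression to a Regexp. A RegexpError is re-raised with the
# expanded source, so the offending definition is visible in the message.
def compile_grok(pattern, defs)
  source = expand_pattern(pattern, defs)
  Regexp.new(source)
rescue RegexpError => e
  raise ArgumentError, "#{pattern.inspect} expands to #{source.inspect}: #{e.message}"
end

# Apply a compiled pattern to a field value and return the captured fields,
# or nil when it does not match (grok would add _grokparsefailure instead).
def grok_match(regexp, text)
  m = regexp.match(text)
  m && m.named_captures
end

# Constructed stand-in for patterns/sendmail.grok. The QID definition is an
# assumption; the question only shows that the file's content did not matter.
SENDMAIL_GROK = <<~PATTERNS
  # sendmail/opendkim queue id: 14 alphanumerics (assumed)
  QID [A-Za-z0-9]{14}
PATTERNS

# The syslog_message and match expression from the question.
SYSLOG_MESSAGE = 'u9PBIMwu011394: authsmtp79.register.it [195.110.122.164] not internal'
MATCH = '%{QID:qid}:'

def demo
  defs = parse_pattern_file(SENDMAIL_GROK)
  fields = grok_match(compile_grok(MATCH, defs), SYSLOG_MESSAGE)
  puts "fields: #{fields.inspect}"

  # Two failures a bare PatternError hides: an undefined pattern name, and a
  # definition that is not a valid regexp (stray closing parenthesis).
  [[MATCH + ' %{HOSTNAME:relay}', defs],
   [MATCH, defs.merge('QID' => '[A-Za-z0-9]{14})')]].each do |pat, d|
    begin
      compile_grok(pat, d)
    rescue ArgumentError => e
      puts "compile error: #{e.message}"
    end
  end
  fields
end

demo if $PROGRAM_NAME == __FILE__
```

Running it prints `fields: {"qid"=>"u9PBIMwu011394"}` followed by two compile errors that each say which name or definition is wrong; that is the kind of message one would want from the filter's `register` step before assuming the pattern file itself is at fault.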

2 answers:

Answer 0: (score: 0)

I think the exception is due to a problem with the grok filter match. You can change your match and check:

grok {
        patterns_dir => [""]
        match => { "message" => "" }
    }

You can try testing your grok filter here before actually using it in the conf file.

Source: grok

Answer 1: (score: 0)

OK, so the environment hosting my docker container (a CentOS7 VM) seems to have been the problem. I rebuilt the same environment on an FC24 (non-VM) machine (newer docker, same container, etc.) and the exception disappeared.

Lessons learned:

  • On the face of it, the dream of freeing yourself from environment dependencies through containerisation is a delusion. Ghost errors/exceptions can - and do - appear because of the container host environment, without telling you much, and are therefore harder than ever to understand.
  • Logstash's (well, grok's) exception logging is less than ideal. Whatever caused the original exception (if I had to bet, I'd bet on a filesystem and/or SELinux problem, but I really don't know yet), it was most emphatically not a pattern problem.

Thanks to all those who <strike>bothered to</strike> (even) read this waste of time.