在logstash中Sintax错误_grokparsefailure

时间:2017-01-17 16:23:10

标签: pattern-matching logstash logstash-grok

您好我有以下示例行与grok匹配,但它只生成此_grokparsefailure错误:

  

OSSEC - RULEID:“1484654377”; RULEID:“5402”; RULELEVEL:“3”; RULEGROUP:“syslog,sudo”; RULECOMMENT:“ROOT执行成功的sudo”; DSTUSER:“root”; SRCIP:“无”; HOSTNAME:“elk-stack-2”;位置:“/ var / log / auth.log”;事件:“[INIT] 1月17日09:59:36 elk-stack-2 sudo:root:TTY = pts / 1; PWD = / root; USER = root; COMMAND = / bin / su [END]”;

我的格言是:

filter {
    grok {
        match => { "message" => "OSSEC - RULEID: \"%{NUMBER:timestamp}\"; RULEID: \"${NUMBER:ruleid}\"; RULELEVEL: \"${NUMBER:rulelevel}\"; RULEGROUP: \"${GREEDYDATA:rulegroup}\"; RULECOMMENT: \"${DATA:rulecomment}\"; DSTUSER: \"${NOTSPACE:dstuser}\"; SRCIP: \"${NOTSPACE:srcip}\"; HOSTNAME: \"${NOTSPACE:hostname}\"; LOCATION: \"${NOTSPACE:location}\"; EVENT: \"[INIT]${DATA:event}[END]\";"
        }
    }
}

我哪里错了?

1 个答案:

答案 0 :(得分:0)

您混淆了语法:在上面的许多情况下(使用$),您使用了%而不是%{...}。此外,必须转义字符类外部的[以匹配文字[符号。我还建议在DATA字段中使用GREEDYDATA代替rulegroup

使用

OSSEC - RULEID: \"%{NUMBER:timestamp}\"; RULEID: \"%{NUMBER:ruleid}\"; RULELEVEL: \"%{NUMBER:rulelevel}\"; RULEGROUP: \"%{DATA:rulegroup}\"; RULECOMMENT: \"%{DATA:rulecomment}\"; DSTUSER: \"%{NOTSPACE:dstuser}\"; SRCIP: \"%{NOTSPACE:srcip}\"; HOSTNAME: \"%{NOTSPACE:hostname}\"; LOCATION: \"%{NOTSPACE:location}\"; EVENT: \"\[INIT\]%{DATA:event}\[END\]\";

此外,如果空格可能不同,您可以用\s+替换所有空格以简化匹配。

相关问题
最新问题