Message is empty

Time: 2018-03-08 14:55:32

Tags: elasticsearch logstash

logstash 5.3.0

filter {
  grok {
    patterns_dir => ["/etc/logstash/patterns"]
    match => [
               "message", "%{NGINXACCESS} %{GREEDYDATA:message}",
               "message", "%{NGINXACCESSAUTH}%{GREEDYDATA:message}",
               "message", "%{NGINXERROR}",
               "message", "%{PHPLOG}%{GREEDYDATA:message}",
               "message", "%{FPMERROR}%{GREEDYDATA:message}",
               "message", "%{SYSLOG5424PRI}%{SYSLOGBASE2} %{GREEDYDATA:message}"
    ]
    overwrite => [ "message" ]
  }
}

I have run into a problem here: I have a complete parse for NGINXACCESSAUTH, which gives me an empty result for %{GREEDYDATA:message}, and this does not overwrite the message field with the empty value, so my message field ends up messy, containing the complete rsyslog source message together with all the parsed tokens.

program:nginx
logsource:ppdlweb005 
nginx_client:10.175.37.27 
nginx_auth:- 
nginx_time:08/Mar/2018:14:16:24 +0000 
nginx_ident:- 
nginx_response:200
message:<141>Mar 8 14:16:33 ppdlweb005 nginx 10.175.37.27 - - - [08/Mar/2018:14:16:24 +0000] "HEAD /?_=havemercy11 HTTP/1.1" 200 0 "-" "AppleWebkit/534.1 (KHTML) HbbTV/1.4.1 (+DRM;SureSoft-Browser-3.0;T3;0010;1.0;Manhattan-FVPlay;) FVC/2.0(SureSoft-Browser-3.0;Manhattan-FVPlay;)" SUCCESS 0.001 
nginx_bytes:0 
http_user_agent:AppleWebkit/534.1 (KHTML) HbbTV/1.4.1 (+DRM;SureSoft-Browser-3.0;T3;0010;1.0;Manhattan-FVPlay;) FVC/2.0(SureSoft-Browser-3.0;Manhattan-FVPlay;) 
nginx_httpversion:1.1 
@timestamp:March 8th 2018, 14:16:33.000 
nginx_verb:HEAD 
nginx_processing_time:0.001 
fvc_role:auth 
http_referer:- 
fvc_env:staging 
syslog5424_pri:141 
@version:1 
host:ppdlweb005 
nginx_ssl_verify:SUCCESS 
nginx_request:/?_=havemercy11 
timestamp:Mar 8 14:16:33 
_id:AWIF-Hov00VaJHdB36R2 
_type:logs 
_index:logstash-2018.03.08 
_score: -

Other than removing part of the pattern, are there any ideas on how to solve this so that GREEDYDATA has something to parse?

1 Answer:

Answer 0: (score: 0)

Use keep_empty_captures => true to keep the empty message.
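To make the mechanism behind the answer concrete, here is an added Python model of how grok stores captures and applies overwrite (this is not code from the question, the answer or Logstash itself). The regex is a hypothetical reduced stand-in for the custom NGINXACCESSAUTH pattern, and the sample line is constructed from the event fields shown in the question.

```python
import re

# Constructed sample: an rsyslog-wrapped nginx access line that the pattern
# consumes completely, so %{GREEDYDATA:message} is left with an empty match.
SAMPLE = ('<141>Mar 8 14:16:33 ppdlweb005 nginx 10.175.37.27 - - - '
          '[08/Mar/2018:14:16:24 +0000] "HEAD /?_=havemercy11 HTTP/1.1" '
          '200 0 "-" "AppleWebkit/534.1" SUCCESS 0.001')

# Hypothetical stand-in for %{NGINXACCESSAUTH}, reduced to the fields needed
# here; the trailing (?P<message>.*) plays the role of %{GREEDYDATA:message}.
PATTERN = re.compile(
    r'<(?P<syslog5424_pri>\d+)>(?P<timestamp>\w{3} +\d+ [\d:]+) '
    r'(?P<logsource>\S+) (?P<program>\S+) (?P<nginx_client>\S+) \S+ \S+ \S+ '
    r'\[(?P<nginx_time>[^\]]+)\] "(?P<nginx_verb>\S+) (?P<nginx_request>\S+) '
    r'HTTP/(?P<nginx_httpversion>\S+)" (?P<nginx_response>\d+) '
    r'(?P<nginx_bytes>\d+) "[^"]*" "[^"]*" (?P<nginx_ssl_verify>\S+) '
    r'(?P<nginx_processing_time>\S+)(?P<message>.*)')


def grok(event, pattern, overwrite=(), keep_empty_captures=False):
    """Model of grok field handling.

    Each named capture becomes an event field.  A field listed in `overwrite`
    replaces the existing value; any other existing field is turned into a
    list, as grok does.  Without keep_empty_captures, grok skips captures that
    matched the empty string, so the `message` overwrite never happens and the
    raw rsyslog line survives next to all the parsed fields.
    """
    m = pattern.match(event["message"])
    if not m:
        return {**event, "tags": event.get("tags", []) + ["_grokparsefailure"]}
    out = dict(event)
    for name, value in m.groupdict().items():
        if value == "" and not keep_empty_captures:
            continue                      # empty capture is dropped entirely
        if name in out and name not in overwrite:
            out[name] = [out[name], value]  # append instead of replacing
        else:
            out[name] = value
    return out


def parse(line, keep_empty_captures=False):
    """Run the questioner's filter (overwrite => ["message"]) on one line."""
    return grok({"message": line}, PATTERN, overwrite=("message",),
                keep_empty_captures=keep_empty_captures)
```

With the default setting, parse(SAMPLE)["message"] is still the raw line; with keep_empty_captures=True it becomes the empty string the questioner expected.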