logstash 5.3.0
filter {
grok {
patterns_dir => ["/etc/logstash/patterns"]
match => [
"message", "%{NGINXACCESS} %{GREEDYDATA:message}",
"message", "%{NGINXACCESSAUTH}%{GREEDYDATA:message}",
"message", "%{NGINXERROR}",
"message", "%{PHPLOG}%{GREEDYDATA:message}",
"message", "%{FPMERROR}%{GREEDYDATA:message}",
"message", "%{SYSLOG5424PRI}%{SYSLOGBASE2} %{GREEDYDATA:message}"
]
overwrite => [ "message" ]
}
我在这里遇到一个问题,我在这里为NGINXACCESSAUTH提供了一个完整的解析,这让我得到%{GREEDYDATA:message}的空结果,并且这不会重写消息字段为空,让我的消息字段的结果很混乱完整的rsyslog源消息以及解析的所有标记。
program:nginx
logsource:ppdlweb005
nginx_client:10.175.37.27
nginx_auth:-
nginx_time:08/Mar/2018:14:16:24 +0000
nginx_ident:-
nginx_response:200
message:<141>Mar 8 14:16:33 ppdlweb005 nginx 10.175.37.27 - - - [08/Mar/2018:14:16:24 +0000] "HEAD /?_=havemercy11 HTTP/1.1" 200 0 "-" "AppleWebkit/534.1 (KHTML) HbbTV/1.4.1 (+DRM;SureSoft-Browser-3.0;T3;0010;1.0;Manhattan-FVPlay;) FVC/2.0(SureSoft-Browser-3.0;Manhattan-FVPlay;)" SUCCESS 0.001
nginx_bytes:0
http_user_agent:AppleWebkit/534.1 (KHTML) HbbTV/1.4.1 (+DRM;SureSoft-Browser-3.0;T3;0010;1.0;Manhattan-FVPlay;) FVC/2.0(SureSoft-Browser-3.0;Manhattan-FVPlay;)
nginx_httpversion:1.1
@timestamp:March 8th 2018, 14:16:33.000
nginx_verb:HEAD
nginx_processing_time:0.001
fvc_role:auth
http_referer:-
fvc_env:staging
syslog5424_pri:141
@version:1
host:ppdlweb005
nginx_ssl_verify:SUCCESS
nginx_request:/?_=havemercy11
timestamp:Mar 8 14:16:33
_id:AWIF-Hov00VaJHdB36R2
_type:logs
_index:logstash-2018.03.08
_score: -
除了删除部分模式之外,还有什么想法可以解决这个问题,以便GREEDYDATA可以解析一些内容吗?
答案 0 :(得分:0)
使用keep_empty_captures => true
保留空消息