我正在尝试在Graylog中映射两个字段。现在,我正在提取IIS日志,并希望在IP地址出现403. *错误时匹配IP地址上的搜索和仪表板
示例日志如下:
{"EventReceivedTime":"2018-08-13 08:01:03","SourceModuleName":"iis","SourceModuleType":"im_file","date":"2018-08-12","time":"20:01:00","s-sitename":"W3SVC1","s-computername":"Portal-IIS","s-ip":"192.168.1.3","cs-method":"GET","cs-uri-stem":"/something/resource","cs-uri-query":"X-ARR-CACHE-HIT=0&SERVER-ROUTED=192.168.2.4&X-ARR-LOG-ID=b56f1f43-9cac-4356-8f03-c51b0fd5bfa1&SERVER-STATUS=403","s-port":"443","c-ip":"1.1.1.1","cs(User-Agent)":"Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.3;+WOW64;+Trident/7.0;+.NET4.0E;+.NET4.0C;+.NET+CLR+3.5.30729;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30729;+InfoPath.3)","cs(Referer)":"https://someURL/something/resource.htm","sc-status":200,"sc-substatus":0,"sc-win32-status":0,"time-taken":0,"EventTime":"2018-08-12 20:01:00","SourceName":"IIS"}
我曾尝试创建一个提取程序,以提取公共IP和sc状态,但是在使用regexr之类的工具时,它在Graylog中无法正常工作。
我应该如何解决这个问题?