How to write multiple inputs and a logstash filter that takes the hostname from a message field

Time: 2018-08-23 11:21:15

Tags: logstash logstash-grok

As a newcomer to logstash I would like to understand the following. I have two types of logs, Linux system logs and CISCO switch logs, and I now want to create different input and filter sections for them.

I have defined the type for the Linux logs as syslog and for the CISCO switch syslog as APIC, and would like to define the filter and output sections for them. A sample of my CISCO log is shown below, where my SWITCH NAME is the 7th field of the message, so I want to know how to use the 7th field as the switch's hostname.

Aug 23 16:36:58 Aug 23 11:06:58.830 mydc-leaf-3-5 %LOG_-1-SYSTEM_MSG [E4210472][transition][info][sys] sent user message to syslog group:Syslog_Elastic_Server:final

Below is my logstash-syslog.conf file, which works for syslog, but I need it to work for the CISCO logs as well (i.e. type => APIC).

# cat  logstash-syslog.conf
input {
  file {
    # Note: this glob also matches /scratch/rsyslog/Aug/messages.log, the
    # path of the APIC input below, so that file is read by both inputs and
    # its lines also go through the syslog branch of the filter.
    path => [ "/scratch/rsyslog/*/messages.log" ]
    type => "syslog"
  }
  file {
    path => [ "/scratch/rsyslog/Aug/messages.log" ]
    type => "APIC"
  }
}

filter {
  if [type] == "syslog" {
    grok {
      # The field name must be exactly "syslog_timestamp" (no trailing space
      # inside the braces), otherwise the date filter below cannot find it.
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    syslog_pri { }
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
  if [type] == "APIC" {
    grok {
      # The APIC line carries two timestamps; the device hostname is the
      # token after the second one (the 7th space-separated field).
      match => { "message" => "%{CISCOTIMESTAMP:syslog_timestamp} %{CISCOTIMESTAMP} %{SYSLOGHOST:syslog_hostname} %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
  }
}
output {
        #if "automount" in [message] or "ldap" in [message] {
        elasticsearch {
                hosts => "noida-elk:9200"
                index => "syslog-%{+YYYY.MM.dd}"
                #index => "%{[type]}-%{+YYYY.MM.dd}"
                #index => "%{index}-%{+YYYY.MM.dd}"
                #type => "%{type}"
                document_type => "messages"
        }
}

The filter works correctly for the following message, and I get the field syslog_hostname correctly, in this case linuxdev:

Aug 24 10:34:02 linuxdev automount[1905]: key ".P4Config" not found in map source(s).

The filter does not work for the following message:

Aug 24 10:26:22 Aug 24 04:56:22.444 my-apic-1 %LOG_-3-SYSTEM_MSG [F1546][soaking_clearing][packets-dropped][minor][dbgs/ac/sdvpcpath-207-208-to-109-110/fault-F1546] 2% of packets were dropped during the last collection interval
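An offline check of the two grok patterns in the question against the two sample lines it posts, as an added example that is not code from the question or the answer. It transcribes the handful of default Logstash grok definitions those two patterns need (MONTH trimmed to English abbreviations, IPORHOST without IPv6, TIME without its no-op leading lookahead) into Python regexes and applies them the way the grok filter does. It shows three things: the APIC pattern as posted does put my-apic-1 into syslog_hostname; the syslog branch's pattern cannot match an APIC line (there is no ": " after a program name, so such an event would only get _grokparsefailure); and the first input's glob /scratch/rsyslog/*/messages.log also matches /scratch/rsyslog/Aug/messages.log, so the APIC file is read by both inputs and each of its lines also reaches the syslog branch. The names grok_to_regex, grok_match, types_for_path and route are this example's own.

```python
"""Offline check of the grok patterns from the question against the sample
lines it posts.  Added example, not code from the question or the answer."""
import fnmatch
import re
from typing import Optional

# Subset of Logstash's default grok-patterns file.  MONTH is trimmed to
# English abbreviations, IPORHOST omits IPv6, TIME drops a no-op lookahead,
# and YEAR uses a plain group because Python's re only gained atomic groups
# in 3.11; the remaining definitions follow the shipped file.
GROK = {
    "MONTH": r"\b(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\b",
    "MONTHDAY": r"(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])",
    "YEAR": r"(?:\d\d){1,2}",
    "HOUR": r"(?:2[0123]|[01]?[0-9])",
    "MINUTE": r"(?:[0-5][0-9])",
    "SECOND": r"(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)",
    "TIME": r"%{HOUR}:%{MINUTE}(?::%{SECOND})(?![0-9])",
    "SYSLOGTIMESTAMP": r"%{MONTH} +%{MONTHDAY} %{TIME}",
    "CISCOTIMESTAMP": r"%{MONTH} +%{MONTHDAY}(?: %{YEAR})? %{TIME}",
    "IPV4": r"(?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.]){3}"
            r"(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])(?![0-9])",
    "HOSTNAME": r"\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})"
                r"(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(?:\.?|\b)",
    "IPORHOST": r"(?:%{IPV4}|%{HOSTNAME})",
    "SYSLOGHOST": r"%{IPORHOST}",
    "POSINT": r"\b(?:[1-9][0-9]*)\b",
    "DATA": r".*?",
    "GREEDYDATA": r".*",
}
_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")

def grok_to_regex(pattern: str) -> str:
    """Expand %{NAME} / %{NAME:field} into a Python regex: unnamed references
    become non-capturing groups, named ones become named groups, so
    match.groupdict() is the field -> value mapping grok would add."""
    def expand(m):
        name, field = m.group(1), m.group(2)
        body = grok_to_regex(GROK[name])  # definitions nest, so recurse
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return _REF.sub(expand, pattern)

def grok_match(pattern: str, line: str) -> Optional[dict]:
    """Unanchored search, as the grok filter does; None stands in for the
    _grokparsefailure tag the filter would add instead of fields."""
    m = re.search(grok_to_regex(pattern), line)
    return m.groupdict() if m else None

# The syslog branch's pattern from the question, minus the stray space inside
# %{SYSLOGTIMESTAMP:syslog_timestamp }: whatever grok makes of that space, the
# date filter later looks for "syslog_timestamp" and would not find it.
SYSLOG_PATTERN = (
    r"%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} "
    r"%{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: "
    r"%{GREEDYDATA:syslog_message}"
)
# The APIC branch's pattern from the question, unchanged: the hostname is the
# token after the second timestamp, i.e. the 7th space-separated field.
APIC_PATTERN = (
    r"%{CISCOTIMESTAMP:syslog_timestamp} %{CISCOTIMESTAMP} "
    r"%{SYSLOGHOST:syslog_hostname} %{GREEDYDATA:syslog_message}"
)
# The two sample lines posted in the question.
LINUX_LINE = ('Aug 24 10:34:02 linuxdev automount[1905]: '
              'key ".P4Config" not found in map source(s).')
APIC_LINE = ("Aug 24 10:26:22 Aug 24 04:56:22.444 my-apic-1 %LOG_-3-SYSTEM_MSG "
             "[F1546][soaking_clearing][packets-dropped][minor]"
             "[dbgs/ac/sdvpcpath-207-208-to-109-110/fault-F1546] "
             "2% of packets were dropped during the last collection interval")
# The two file{} inputs from the question, as (path glob, type).
INPUTS = [("/scratch/rsyslog/*/messages.log", "syslog"),
          ("/scratch/rsyslog/Aug/messages.log", "APIC")]

def types_for_path(path: str) -> list:
    """Every type an input would stamp on events read from `path`.  The file
    input globs with Ruby's Dir.glob; fnmatch agrees for these globs, whose
    `*` only has to cover a single directory name."""
    return [t for glob_pattern, t in INPUTS if fnmatch.fnmatch(path, glob_pattern)]

def route(event_type: str, line: str) -> Optional[dict]:
    """Mirror the filter{} block: choose the grok pattern by [type]."""
    return grok_match({"syslog": SYSLOG_PATTERN, "APIC": APIC_PATTERN}[event_type], line)

if __name__ == "__main__":
    apic_file = "/scratch/rsyslog/Aug/messages.log"
    print(apic_file, "is read by the inputs of type", types_for_path(apic_file))
    for event_type, line in (("syslog", LINUX_LINE), ("syslog", APIC_LINE),
                             ("APIC", APIC_LINE)):
        fields = route(event_type, line)
        host = fields["syslog_hostname"] if fields else "_grokparsefailure"
        print(f"[type]={event_type:<6} -> syslog_hostname={host}")
```

To stop the APIC file from being read twice, narrow the first input's path so it no longer covers the Aug directory; the file input's exclude option is matched against file names only, not directories, so it cannot express this. Running a pattern through a script like this before deploying it is also the quickest way to make sure a device's fault messages do not end up as _grokparsefailure events with no hostname to alert on.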

1 Answer:

Answer 0 (score: 1)

After some digging around, here is the pattern I use for Cisco APIC syslog:

%{SYSLOG5424PRI:initial_code}%{CISCOTIMESTAMP:cisco_timestamp}%{SPACE}%{TZ}%{ISO8601_TIMEZONE}%{SPACE}%{URIHOST:uri_host}%{SPACE}%{SYSLOGPROG:syslog_prog}%{SPACE}%{SYSLOG5424SD:message_code}%{SYSLOG5424SD:message_type}%{SYSLOG5424SD:message_class}%{NOTSPACE:message_dn}%{SPACE}%{GREEDYDATA:message_content}

Let me know if you have any feedback on what could be improved.