What should the grok pattern be for these logs?

Time: 2019-05-13 12:07:41

Tags: kibana elastic-stack logstash-grok

I'm new to the Elasticsearch community and I really need help with Grok. I want to set up an ELK sandbox, so I have to configure the input file.

My logs look like this (JSON):

{"_index":"logstash-2019-05-10","_type":"log"}
{"@timestamp":"2019-05-10T10:03:25.877Z","ip":"185.124.182.126","extension":"gif","response":"404","geo":{"coordinates":{"lat":36.518375,"lon":-86.05828083},"src":"PH","dest":"MM","srcdest":"PH:MM"},"@tags":["success","info"],"utc_time":"2019-05-10T09:03:25.877Z","referer":"http://twitter.com/error/william-shepherd","agent":"Mozilla/5.0 (X11; Linux x86_64; rv:6.0a1) Gecko/20110421 Firefox/6.0a1","clientip":"185.124.182.126","bytes":804,"host":"motion-media.theacademyofperformingartsandscience.org","request":"/canhaz/gemini-7.gif","url":"https://motion-media.theacademyofperformingartsandscience.org/canhaz/gemini-7.gif","@message":"185.124.182.126 - - [2019-05-10T09:03:25.877Z] \"GET /canhaz/gemini-7.gif HTTP/1.1\" 404 804 \"-\" \"Mozilla/5.0 (X11; Linux x86_64; rv:6.0a1) Gecko/20110421 Firefox/6.0a1\"","spaces":"this   is   a   thing    with lots of     spaces       wwwwoooooo","xss":"<script>console.log(\"xss\")</script>","headings":["<h3>f-i-j-nl-ng</h5>","http://facebook.com/success/lodewijk-van-den-berg"],"links":["daniel-tani@facebook.com","http://nytimes.com/security/kathryn-sullivan","www.nytimes.com"],"relatedContent":[{"url":"http://www.laweekly.com/news/cbs-crew-rat-fink-2368032","og:type":"article","og:title":"CBS Crew Rat Fink","og:description":"Near a couple of auto body shops (and a sharp new Space Invader mosaic that we&#039;ll post soon) near Temple and Westmoreland is a CBS wall with a nice Rat ...","og:url":"http://www.laweekly.com/news/cbs-crew-rat-fink-2368032","article:published_time":"2008-01-14T08:05:26-08:00","article:modified_time":"2014-10-28T14:59:52-07:00","article:section":"News","article:tag":"Mark Mauer","og:image":"http://IMAGES1.laweekly.com/imager/cbs-crew-rat-fink/u/original/2430299/img_2049.jpg","og:image:height":"360","og:image:width":"480","og:site_name":"LA Weekly","twitter:title":"CBS Crew Rat Fink","twitter:description":"Near a couple of auto body shops (and a sharp new Space Invader mosaic that we&#039;ll post soon) near Temple and Westmoreland is a CBS wall with a nice Rat ...","twitter:card":"summary","twitter:image":"http://IMAGES1.laweekly.com/imager/cbs-crew-rat-fink/u/original/2430299/img_2049.jpg","twitter:site":"@laweekly"},{"url":"http://www.laweekly.com/news/push-and-retna-in-koreatown-2368043","og:type":"article","og:title":"Push and Retna in Koreatown","og:description":"Yeah, I originally had this posted this morning as Push &amp; Ayer - Sorry. It looked like a Retna piece, but I saw the Ayer in there and thought that must ...","og:url":"http://www.laweekly.com/news/push-and-retna-in-koreatown-2368043","article:published_time":"2008-01-29T07:28:32-08:00","article:modified_time":"2014-10-28T14:59:54-07:00","article:section":"News","article:tag":"Shelley Leopold","og:image":"http://IMAGES1.laweekly.com/imager/push-and-retna-in-koreatown/u/original/2430376/img_3671.jpg","og:image:height":"360","og:image:width":"480","og:site_name":"LA Weekly","twitter:title":"Push and Retna in Koreatown","twitter:description":"Yeah, I originally had this posted this morning as Push &amp; Ayer - Sorry. It looked like a Retna piece, but I saw the Ayer in there and thought that must ...","twitter:card":"summary","twitter:image":"http://IMAGES1.laweekly.com/imager/push-and-retna-in-koreatown/u/original/2430376/img_3671.jpg","twitter:site":"@laweekly"},{"url":"http://www.laweekly.com/news/asylm-ruets-pdb-on-santa-monica-2368012","og:type":"article","og:title":"Asylm, Ruets, PDB on Santa Monica","og:description":"Not a new piece, but a well-hidden gem a little south of Santa Monica Blvd. in an alley off of Heliotrope or Edgemont. I&#039;ve been sitting on this for a w...","og:url":"http://www.laweekly.com/news/asylm-ruets-pdb-on-santa-monica-2368012","article:published_time":"2008-04-22T15:11:15-07:00","article:modified_time":"2014-10-28T14:59:48-07:00","article:section":"News","article:tag":"Culture and Lifestyle","og:image":"http://images1.laweekly.com/imager/asylm-ruets-pdb-on-santa-monica/u/original/2430137/img_5027.jpg","og:image:height":"360","og:image:width":"480","og:site_name":"LA Weekly","twitter:title":"Asylm, Ruets, PDB on Santa Monica","twitter:description":"Not a new piece, but a well-hidden gem a little south of Santa Monica Blvd. in an alley off of Heliotrope or Edgemont. I&#039;ve been sitting on this for a w...","twitter:card":"summary","twitter:image":"http://images1.laweekly.com/imager/asylm-ruets-pdb-on-santa-monica/u/original/2430137/img_5027.jpg","twitter:site":"@laweekly"},{"url":"http://www.laweekly.com/news/laurence-tribe-tangles-with-cbs-and-la-city-hall-2396867","og:type":"article","og:title":"Laurence Tribe Tangles with CBS and L.A. City Hall","og:description":"The United States Court of Appeals for the Ninth Circuit&rsquo;s Courtroom 3 - a miniature auditorium with comfortable, smoked salmon-colored seats - wa...","og:url":"http://www.laweekly.com/news/laurence-tribe-tangles-with-cbs-and-la-city-hall-2396867","article:published_time":"2008-06-04T14:16:10-07:00","article:modified_time":"2014-11-26T14:43:59-08:00","article:section":"News","og:site_name":"LA Weekly","twitter:title":"Laurence Tribe Tangles with CBS and L.A. City Hall","twitter:description":"The United States Court of Appeals for the Ninth Circuit&rsquo;s Courtroom 3 - a miniature auditorium with comfortable, smoked salmon-colored seats - wa...","twitter:card":"summary","twitter:site":"@laweekly"}],"machine":{"os":"win xp","ram":3221225472},"@version":"1"}

The field names come right before the data, so I did a lot of research, but I didn't find how to get past these field names and store the data in the correct fields.

My mapping in Kibana is as follows:

PUT logstash-2019.05.10
{
  "mappings": {
    "doc": {
      "properties": {
        "@timestamp": {
          "type": "date"
        },
        "ip": {
          "type": "ip"
        },
        "extension": {
          "type": "text"
        },
        "response": {
          "type": "text"
        },
        "geo": {
          "properties": {
            "coordinates": {
              "type": "geo_point"
            },
            "src": {
              "type": "text"
            },
            "dest": {
              "type": "text"
            },
            "srcdest": {
              "type": "text"
            }
          }
        },
        "tags": {
          "type": "text"
        },
        "utc_time": {
          "type": "date"
        },
        "referer": {
          "type": "text"
        },
        "agent": {
          "type": "text"
        },
        "clientip": {
          "type": "ip"
        },
        "bytes": {
          "type": "integer"
        },
        "host": {
          "type": "text"
        },
        "request": {
          "type": "text"
        },
        "url": {
          "type": "text"
        },
        "@message": {
          "type": "text"
        },
        "spaces": {
          "type": "text"
        },
        "xss": {
          "type": "text"
        },
        "links": {
          "type": "text"
        },
        "relatedContent": {
          "properties": {
            "url": {
              "type": "text"
            },
            "og:type": {
              "type": "text"
            },
            "og:title": {
              "type": "text"
            },
            "og:description": {
              "type": "text"
            },
            "og:url": {
              "type": "text"
            },
            "article:published_time": {
              "type": "date"
            },
            "article:modified_time": {
              "type": "date"
            },
            "article:section": {
              "type": "keyword"
            },
            "article:tag": {
              "type": "text"
            },
            "og:image": {
              "type": "text"
            },
            "og:image:height": {
              "type": "integer"
            },
            "og:image:width": {
              "type": "integer"
            },
            "og:site_name": {
              "type": "text"
            },
            "twitter:title": {
              "type": "text"
            },
            "twitter:description": {
              "type": "text"
            },
            "twitter:card": {
              "type": "keyword"
            },
            "twitter:image": {
              "type": "text"
            },
            "twitter:site": {
              "type": "keyword"
            }
          }
        },
        "machine": {
          "properties": {
            "os": {
              "type": "text"
            },
            "ram": {
              "type": "integer"
            }
          }
        },
        "@version": {
          "type": "integer"
        }
      }
    }
  }
}

So I tried it without changing the default grok; it doesn't work, but I think that's normal.

1) How do I get past the field names with grok?

2) What should I put in the input document (apart from the filter)?

3) Do you know why this configuration cannot parse my log file in Elasticsearch anyway?

0 answers:

No answers.
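The question has no answer on the page, so the following is an added example written for this edit, not the asker's configuration and not from the Elastic project. The point it illustrates: the events above are already JSON, one object per line, so grok is the wrong tool for the field names; Logstash's `json` codec on the `file` input keeps every key as a field with its original name. Grok is only needed for the one field that is not JSON, the Apache-style access line inside `@message`, and the stock `COMBINEDAPACHELOG` pattern will not match it because that line carries an ISO 8601 timestamp where `HTTPDATE` is expected. Two things in the post also deserve a check: the first sample line (`{"_index":...,"_type":...}`) is Elasticsearch bulk-API metadata, not an event, and the mapping declares `tags` while the documents carry `@tags`. The file path, the Elasticsearch host and the `access` prefix for the grok captures are assumptions.

```conf
input {
  file {
    path => "/var/log/sandbox/*.json"   # assumption: one JSON object per line
    start_position => "beginning"
    sincedb_path => "/dev/null"         # sandbox only: re-read the file on every start
    codec => "json"                     # each line becomes one event; keys become fields as-is
  }
}

filter {
  # The bulk-API metadata line has a top-level "_index"; real events never do. Drop it,
  # otherwise it is indexed as an almost empty document.
  if [_index] {
    drop { }
  }

  # The only non-JSON payload is the access-log string in @message. Captures go under
  # [access] (assumed name) so they do not collide with the JSON fields of the same name
  # (clientip, request, response, bytes, agent). TIMESTAMP_ISO8601 replaces the HTTPDATE
  # used by COMBINEDAPACHELOG because the line reads [2019-05-10T09:03:25.877Z].
  grok {
    match => {
      "@message" => '%{IPORHOST:[access][clientip]} %{USER:[access][ident]} %{USER:[access][auth]} \[%{TIMESTAMP_ISO8601:[access][timestamp]}\] "%{WORD:[access][verb]} %{NOTSPACE:[access][request]} HTTP/%{NUMBER:[access][httpversion]}" %{NUMBER:[access][response]:int} (?:%{NUMBER:[access][bytes]:int}|-) %{QS:[access][referrer]} %{QS:[access][agent]}'
    }
    tag_on_failure => ["_grokparsefailure_message"]
  }

  # The mapping in the question defines "tags"; the documents carry "@tags".
  mutate {
    rename => { "@tags" => "tags" }
  }
}

output {
  elasticsearch {
    hosts => ["http://localhost:9200"]     # assumption
    index => "logstash-%{+YYYY.MM.dd}"     # resolves to logstash-2019.05.10 for the sample event
  }
  stdout { codec => rubydebug }            # watch the parsed event while testing
}
```

With this pipeline `@timestamp` is taken from the JSON itself (the codec recognises that key), so no `date` filter is required. Events whose `@message` does not match end up tagged `_grokparsefailure_message` rather than being dropped, which is the safer default for a log pipeline: a line that fails to parse is still evidence and should still be indexed.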