I am trying to use Filebeat to Logstash to parse a typical XML log file from a Windows machine.
Below is my XML sample.
<?xml-stylesheet alternate="yes" href="file://c:/drive/bin/event_log.xsl" type="text/xsl"?>
<EventLog SetMinutes="800" Id="8000" Process="Player.exe">
<Clock ClockId="CLk-21e21412414=4-1341341414141"/>
<Entry serial_no="0" mcycle="2132424124-4141" Thread="player" ThreadId="tester" Seconds="11231243241.354123" Severity="info" >Local player details - Receievd metrics
player has reached 1000 level and need to get an xp
player has reached 100 level and need to get an xp
player has reached to 70 level and need to get an xp
player has reached 1000 level and need to get an xp
player has reached 100 level and need to get an xp
player has reached to 70 level and need to get an xp
player has reached 400 level and need to get an xp
player has reached 100 level and need to get an xp
player has reached to 30 level and need to get an xp
player has reached 103 level and need to get an xp
player has reached 130 level and need to get an xp
player has reached to 70 level and need to get an xp
player has reached 1000 level and need to get an xp
player has reached 100 level and need to get an xp
player has reached to 70 level and need to get an xp
player has reached 3300 level and need to get an xp
player has reached 100 level and need to get an xp
player has reached to 70 level and need to get an xp
player has reached 1300 level and need to get an xp
player has reached 103 level and need to get an xp
player has reached 1000 level and need to get an xp
player has reached 100 level and need to get an xp
player has reached to 70 level and need to get an xp
player has reached 1000 level and need to get an xp
player has reached 100 level and need to get an xp
player has reached to 70 level and need to get an xp
player has reached 400 level and need to get an xp
player has reached 100 level and need to get an xp
player has reached to 30 level and need to get an xp
player has reached 103 level and need to get an xp
player has reached 130 level and need to get an xp
player has reached to 70 level and need to get an xp
player has reached 1000 level and need to get an xp
player has reached 100 level and need to get an xp
player has reached to 70 level and need to get an xp
player has reached 3300 level and need to get an xp
player has reached 100 level and need to get an xp
player has reached to 70 level and need to get an xp
player has reached 1300 level and need to get an xp
player has reached 103 level and need to get an xp
player has reached to 733 level and need to get an xp
</Entry>
</Eventlog>
Below is my Filebeat multiline configuration.
multiline.pattern: '^<Entry|^=[a-z]'
multiline.negate : false
multiline.match: after
Below is my logstash.conf XML filter.
input {
  beats {
    port => 5044
  }
}
filter {
  xml {
    source => "message"
    store_xml => true
    target => "doc"
    xpath => ["/Eventlog[@name='ThreadId']@value", "ThreadId",
              "/Eventlog[@name='Thread']@value", "Thread",
              "/Eventlog/Entry[@name='Secs']@value", "Seconds",
              "/Eventlog/Entry[@name='ThreadId']@value", "ThreadID",
              "/Eventlog/Entry/text()", "details"
    ]
  }
Can anyone help? Am I missing anything in the Filebeat or Logstash configuration?
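
An added illustration, not part of the original post and not Filebeat code: a small Python model of the documented `multiline.negate` / `multiline.match: after` grouping rule, run over a shortened, constructed copy of the XML above. The second setting (`^<Entry` with `negate: true`) is an assumption shown only for comparison, and the helper names are hypothetical.

```python
import re

# Constructed sample: a shortened copy of the XML log shown in the question.
SAMPLE = [
    '<?xml-stylesheet alternate="yes" href="file://c:/drive/bin/event_log.xsl" type="text/xsl"?>',
    '<EventLog SetMinutes="800" Id="8000" Process="Player.exe">',
    '<Clock ClockId="CLk-21e21412414=4-1341341414141"/>',
    '<Entry serial_no="0" Thread="player" ThreadId="tester" Severity="info" >Local player details - Receievd metrics',
    'player has reached 1000 level and need to get an xp',
    'player has reached 100 level and need to get an xp',
    '</Entry>',
    '</Eventlog>',
]

def group_after(lines, pattern, negate):
    """Model of multiline.match: after. A line continues the current event
    when (pattern matches the line) XOR negate; otherwise it starts a new one."""
    rx = re.compile(pattern)
    events, buf = [], []
    for line in lines:
        continues = bool(rx.search(line)) != negate
        if buf and continues:
            buf.append(line)
        else:
            if buf:
                events.append("\n".join(buf))
            buf = [line]
    if buf:
        events.append("\n".join(buf))
    return events

def whole_entries(events):
    """Events that hold a complete <Entry>...</Entry> element."""
    return [e for e in events if "<Entry" in e and "</Entry>" in e]

# Settings from the question.
as_posted = group_after(SAMPLE, r'^<Entry|^=[a-z]', negate=False)
# Assumed alternative for comparison: <Entry starts an event, other lines follow it.
alternative = group_after(SAMPLE, r'^<Entry', negate=True)

if __name__ == "__main__":
    for name, evs in (("as posted", as_posted), ("alternative", alternative)):
        print(f"{name}: {len(evs)} events, {len(whole_entries(evs))} with a whole <Entry>")
        for e in evs:
            print("  ", e.splitlines()[0][:40], f"(+{e.count(chr(10))} lines)")
```

In this model the posted settings attach the `<Entry` line to the preceding `<Clock .../>` line and emit every body line as its own event, so no event carries a whole `<Entry>` element for the xml filter to parse. The comparison setting keeps the entry together but still appends the trailing `</Eventlog>` line to it.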