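Right now I am trying to collect logs from many OpenWRT routers and to get this done with Fluentd.
Unfortunately, I don't know why the parser doesn't work properly.
For example, the logs look like this: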
Aug 15 06:55:05 HOST123 daemon:warning Expiring: (mcpd_process_query_timer)
Aug 15 06:55:05 HOST123 daemon:warning Sending IGMPv2 query of len: 8
Aug 15 06:55:05 HOST123 daemon:warning MLD QUERY: MRT is 00:0a ifindex=15
Aug 15 06:55:05 HOST123 daemon:warning Sending Query size: 28
Aug 15 06:55:07 HOST123 daemon:notice iptv (8359): udhcpc: sending renew to 192.168.131.1
Aug 15 06:55:21 HOST123 daemon:notice data (8351): udhcpc: sending renew to 192.168.130.1
Aug 15 07:06:17 HOST123 daemon:notice voice (6262): udhcpc: sending renew to 192.168.117.1
Aug 15 07:06:17 HOST123 daemon:notice voice (6262): udhcpc: lease of 192.168.117.8 obtained, lease time 600
Aug 15 07:06:22 HOST123 daemon:notice mgmt (6263): udhcpc: sending renew to 192.168.121.1
Aug 15 07:06:22 HOST123 daemon:notice mgmt (6263): udhcpc: lease of 192.168.121.8 obtained, lease time 600
Aug 15 07:06:24 HOST123 daemon:notice iptv (6261): udhcpc: sending renew to 192.168.131.1
Aug 15 07:06:25 HOST123 daemon:notice iptv (6261): udhcpc: lease of 192.168.131.8 obtained, lease time 600
My configuration:
<source>
@type syslog
port 1514
tag scom
<parse>
@type syslog
expression /^(?<logtime>[^ ]) (?<host>HOST\d{4}) (?<facility>[^ ]*) (?<message>[\d\w\s\S\W]*)$/
time_key logtime
time_format "%b %d %T"
</parse>
</source>
or
<source>
@type syslog
port 1514
tag scom
expression /^\(?<time>[^ ]*) (?<host>[^ ]*) (?<facility>[^ ]*) (?<message>[\d\w\s\S\W]*)$/
time_format "%b %d %H:%M:%S"
</source>
Neither solution works.
What's wrong?
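An added example, not part of the original post: Fluentd's regexp handling is Ruby's, so the two posted expressions can be checked directly in Ruby against lines from the excerpt above. `CANDIDATE` is a hypothetical expression written for this example, and the script tests regex behaviour only, not how the `syslog` input plugin receives or pre-processes messages.

```ruby
require 'time'

# Constructed sample: three lines copied from the log excerpt in the post.
SAMPLE = [
  'Aug 15 06:55:05 HOST123 daemon:warning Sending Query size: 28',
  'Aug 15 06:55:07 HOST123 daemon:notice iptv (8359): udhcpc: sending renew to 192.168.131.1',
  'Aug 15 07:06:17 HOST123 daemon:notice voice (6262): udhcpc: lease of 192.168.117.8 obtained, lease time 600'
].freeze

# The two expressions as posted, kept as strings so a compile error can be caught.
# POSTED_1: [^ ] is one character, so logtime cannot span "Aug 15 06:55:05",
#           and HOST\d{4} needs four digits while the host is HOST123.
POSTED_1 = '^(?<logtime>[^ ]) (?<host>HOST\d{4}) (?<facility>[^ ]*) (?<message>[\d\w\s\S\W]*)$'
# POSTED_2: \( is an escaped literal paren, so the group never opens and the
#           following ) is unmatched.
POSTED_2 = '^\(?<time>[^ ]*) (?<host>[^ ]*) (?<facility>[^ ]*) (?<message>[\d\w\s\S\W]*)$'
# Hypothetical alternative (an assumption, not from the post): the timestamp
# is matched as three space-separated fields, the host as any non-space run.
CANDIDATE = '^(?<logtime>[^ ]+ +\d+ [\d:]+) (?<host>[^ ]+) (?<facility>[^ ]+) (?<message>.*)$'

# Number of sample lines the expression matches, or nil if it does not compile.
def match_count(src, lines)
  re = Regexp.new(src)
  lines.count { |l| re.match?(l) }
rescue RegexpError
  nil
end

# Named captures for one line, with logtime converted using the post's time_format.
def parse(src, line)
  m = Regexp.new(src).match(line)
  return nil unless m
  rec = m.named_captures
  # The log line carries no year, so strptime fills in the current one.
  rec['time'] = Time.strptime(rec.delete('logtime'), '%b %d %T')
  rec
end

if __FILE__ == $PROGRAM_NAME
  { 'posted 1' => POSTED_1, 'posted 2' => POSTED_2, 'candidate' => CANDIDATE }.each do |name, src|
    n = match_count(src, SAMPLE)
    puts(n.nil? ? "#{name}: does not compile" : "#{name}: #{n}/#{SAMPLE.size} lines match")
  end
  p parse(CANDIDATE, SAMPLE[1])
end
```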