
I'm setting up Logstash (ELK) as our central logging server, and so far I've been happy with simple filters, but the latest version of our switches isn't so easy. This is a typical line:

<179>12600: [syslog@9 s_id =\"SWITCH1:5143\"]: <ios-log-msg><facility>LINK</facility><severity>3</severity><msg-id>UPDOWN</msg-id><time>Jul 15 09:03:04</time><args><arg id=\"0\">GigabitEthernet1/0/32</arg><arg id=\"1\">up</arg></args></ios-log-msg>

This is one of the patterns I'm working on:

<%{NUMBER:message_type_id}>%{NUMBER:internal_id}: %{GREEDYDATA} s_id=(?:.{2})%{HOSTNAME:hostname}:5143(?:.{3}): <ios-log-msg><facility>%{WORD:facility}</facility><severity>%{NUMBER:severity}</severity><msg-id>%{WORD:message_type}</msg-id><time>%{SYSLOGTIMESTAMP:message_timestamp}</time><args><arg id=\"0\">%{DATA:arg_0}</arg><arg id=\"1\">%{DATA:arg_1}</arg></args></ios-log-msg>

I'm stuck on two key problems:

  1. The [syslog@9 s_id =\" BRD-STACK :5143\"] part contains the switch's hostname. Everything else is static information that I want to discard (the non-bold part).
  2. At the end of the entry, the "args" section can have a variable number of "arg" elements. This one has 2; depending on the message, I've also seen 1 and 3. I need the information they contain.

Any ideas?

For what it's worth, here is the whole filter from the last time I played with it:

    grok {
        match => [
            "message", "<%{NUMBER:message_type_id}>%{NUMBER:internal_id}: %{GREEDYDATA} s_id=(?:.{2})%{HOSTNAME:hostname}:5143(?:.{3}): <ios-log-msg><facility>%{WORD:facility}</facility><severity>%{NUMBER:severity}</severity><msg-id>%{WORD:message_type}</msg-id><time>%{SYSLOGTIMESTAMP:message_timestamp}</time><args><arg id=\"0\">%{DATA:arg_0}</arg><arg id=\"1\">%{DATA:arg_1}</arg><arg id=\"2\">%{DATA:arg_2}</arg></args></ios-log-msg>",
            "message", "<%{NUMBER:message_type_id}>%{NUMBER:internal_id}: %{GREEDYDATA} s_id=(?:.{2})%{HOSTNAME:hostname}:5143(?:.{3}): <ios-log-msg><facility>%{WORD:facility}</facility><severity>%{NUMBER:severity}</severity><msg-id>%{WORD:message_type}</msg-id><time>%{SYSLOGTIMESTAMP:message_timestamp}</time><args><arg id=\"0\">%{DATA:arg_0}</arg><arg id=\"1\">%{DATA:arg_1}</arg></args></ios-log-msg>",
            "message", "<%{NUMBER:message_type_id}>%{NUMBER:internal_id}: %{GREEDYDATA} s_id=(?:.{2})%{HOSTNAME:hostname}:5143(?:.{3}): <ios-log-msg><facility>%{WORD:facility}</facility><severity>%{NUMBER:severity}</severity><msg-id>%{WORD:message_type}</msg-id><time>%{SYSLOGTIMESTAMP:message_timestamp}</time><args><arg id=\"0\">%{DATA:arg_0}</arg></args></ios-log-msg>",
            "message", "<%{NUMBER:message_type_id}>%{NUMBER:internal_id}: %{GREEDYDATA} s_id=(?:.{2})%{HOSTNAME:hostname}:5143(?:.{3}): <ios-log-msg><facility>%{WORD:facility}</facility><severity>%{NUMBER:severity}</severity><msg-id>%{WORD:message_type}</msg-id><time>%{SYSLOGTIMESTAMP:message_timestamp}</time><args>%{DATA:args}</args></ios-log-msg>"
        ]
    }

1 Answer


The magic combination is:

        match => [
            "message", "<%{NUMBER:message_type_id}>%{NUMBER:internal_id}: %{GREEDYDATA}\"%{HOSTNAME:hostname}:5143\"\]: <ios-log-msg><facility>%{WORD:facility}</facility><severity>%{NUMBER:severity}</severity><msg-id>%{WORD:message_type}</msg-id><time>%{SYSLOGTIMESTAMP:message_timestamp}</time><args><arg id=\"0\">%{DATA:arg_0}</arg><arg id=\"1\">%{DATA:arg_1}</arg><arg id=\"2\">%{DATA:arg_2}</arg><arg id=\"3\">%{DATA:arg_3}</arg><arg id=\"4\">%{DATA:arg_4}</arg></args></ios-log-msg>",
            "message", "<%{NUMBER:message_type_id}>%{NUMBER:internal_id}: %{GREEDYDATA}\"%{HOSTNAME:hostname}:5143\"\]: <ios-log-msg><facility>%{WORD:facility}</facility><severity>%{NUMBER:severity}</severity><msg-id>%{WORD:message_type}</msg-id><time>%{SYSLOGTIMESTAMP:message_timestamp}</time><args><arg id=\"0\">%{DATA:arg_0}</arg><arg id=\"1\">%{DATA:arg_1}</arg><arg id=\"2\">%{DATA:arg_2}</arg><arg id=\"3\">%{DATA:arg_3}</arg></args></ios-log-msg>",
            "message", "<%{NUMBER:message_type_id}>%{NUMBER:internal_id}: %{GREEDYDATA}\"%{HOSTNAME:hostname}:5143\"\]: <ios-log-msg><facility>%{WORD:facility}</facility><severity>%{NUMBER:severity}</severity><msg-id>%{WORD:message_type}</msg-id><time>%{SYSLOGTIMESTAMP:message_timestamp}</time><args><arg id=\"0\">%{DATA:arg_0}</arg><arg id=\"1\">%{DATA:arg_1}</arg><arg id=\"2\">%{DATA:arg_2}</arg></args></ios-log-msg>",
            "message", "<%{NUMBER:message_type_id}>%{NUMBER:internal_id}: %{GREEDYDATA}\"%{HOSTNAME:hostname}:5143\"\]: <ios-log-msg><facility>%{WORD:facility}</facility><severity>%{NUMBER:severity}</severity><msg-id>%{WORD:message_type}</msg-id><time>%{SYSLOGTIMESTAMP:message_timestamp}</time><args><arg id=\"0\">%{DATA:arg_0}</arg><arg id=\"1\">%{DATA:arg_1}</arg></args></ios-log-msg>",
            "message", "<%{NUMBER:message_type_id}>%{NUMBER:internal_id}: %{GREEDYDATA}\"%{HOSTNAME:hostname}:5143\"\]: <ios-log-msg><facility>%{WORD:facility}</facility><severity>%{NUMBER:severity}</severity><msg-id>%{WORD:message_type}</msg-id><time>%{SYSLOGTIMESTAMP:message_timestamp}</time><args><arg id=\"0\">%{DATA:arg_0}</arg></args></ios-log-msg>",
            "message", "<%{NUMBER:message_type_id}>%{NUMBER:internal_id}: %{GREEDYDATA}\"%{HOSTNAME:hostname}:5143\"\]: <ios-log-msg><facility>%{WORD:facility}</facility><severity>%{NUMBER:severity}</severity><msg-id>%{WORD:message_type}</msg-id><time>%{SYSLOGTIMESTAMP:message_timestamp}</time><args>%{DATA:args}</args></ios-log-msg>"
        ]
answered 2014-07-16T19:15:44.570
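Both the question (a variable number of `<arg>` elements) and the answer (one grok pattern per argument count) come down to the same parsing problem. The Ruby below is an added example, not code from the question or the answer: it parses the same Cisco IOS line with one fixed regex for the syslog header and a loop over the `<arg>` elements, so any argument count is handled without a new pattern. Logstash itself is Ruby, and the same logic could be placed in a `ruby` filter (reading `event.get('message')` and calling `event.set` for each key), but the script here runs stand-alone. Assumptions: the sample line is the one from the question with the `\"` escapes turned back into plain quotes as they would arrive on the wire; the hostname character class and the `5143` port capture are my choices, not something the page specifies; a line that does not match returns `nil`, playing the role of grok's `_grokparsefailure`.

```ruby
# Added example: parse a Cisco IOS structured-data syslog line with a fixed header
# regex plus a loop over the variable <arg> elements. Not from the original post.

# Constructed sample: the question's line with the \" escapes unescaped (assumption).
SAMPLE = '<179>12600: [syslog@9 s_id ="SWITCH1:5143"]: <ios-log-msg><facility>LINK</facility><severity>3</severity><msg-id>UPDOWN</msg-id><time>Jul 15 09:03:04</time><args><arg id="0">GigabitEthernet1/0/32</arg><arg id="1">up</arg></args></ios-log-msg>'

# Header: <PRI>seq: [syslog@9 s_id ="HOST:PORT"]: then the XML payload.
# The hostname character class is an assumption; adjust to your naming scheme.
HEADER = /\A<(?<pri>\d+)>(?<internal_id>\d+): \[syslog@9 s_id\s*=\s*"(?<hostname>[A-Za-z0-9._-]+):(?<port>\d+)"\]: (?<xml>.*)\z/

# Fixed elements that every <ios-log-msg> carries; each is required.
FIELDS = {
  'facility'          => %r{<facility>([^<]*)</facility>},
  'severity'          => %r{<severity>(\d+)</severity>},
  'message_type'      => %r{<msg-id>([^<]*)</msg-id>},
  'message_timestamp' => %r{<time>([^<]*)</time>},
}

# One <arg> element; zero or more of these appear inside <args>.
ARG = %r{<arg id="(\d+)">([^<]*)</arg>}

# Returns a hash of fields, or nil when the line does not match (the equivalent
# of a grok parse failure, so unparseable input is never silently half-indexed).
def parse_ios_log(line)
  m = HEADER.match(line)
  return nil unless m

  pri = m[:pri].to_i
  event = {
    'message_type_id' => pri,
    # RFC 5424 PRI encodes facility * 8 + severity; 179 -> local6 (22), error (3).
    'syslog_facility' => pri / 8,
    'syslog_severity' => pri % 8,
    'internal_id'     => m[:internal_id].to_i,
    'hostname'        => m[:hostname],
  }

  xml = m[:xml]
  FIELDS.each do |name, re|
    fm = re.match(xml)
    return nil unless fm # a required element is missing: treat as parse failure
    event[name] = fm[1]
  end
  event['severity'] = event['severity'].to_i

  # Variable-length part: collect every <arg>, ordered by its id attribute,
  # and expose both an array and the arg_N fields the grok patterns produced.
  args = xml.scan(ARG).sort_by { |id, _| id.to_i }.map { |_, value| value }
  event['args'] = args
  args.each_with_index { |value, i| event["arg_#{i}"] = value }
  event
end

if __FILE__ == $PROGRAM_NAME
  parse_ios_log(SAMPLE).each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

Keeping the variable part in a loop rather than in six near-identical patterns also keeps the filter honest about failures: a message with a seventh argument, or one whose XML is malformed, either parses completely or is rejected, instead of silently matching the fallback `%{DATA:args}` pattern and losing the individual values.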