Grok with Logstash - 来自 windows 和 linux 的日志 - 怎么样?
Grok with Logstash - Logs from windows and linux - how?
我的 LogStash Grok 过滤器:
bin/logstash -e '
input { stdin { } }
filter {
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
}
}
output { stdout { codec => rubydebug } }'
它非常适合我的 Linux 登录日志:
Mar 9 14:18:20 ServerName sshd[14160]: pam_unix(sshd:session): session opened for user root by (uid=0)
{
"message" => "Mar 9 14:18:20 ServerName sshd[14160]: pam_unix(sshd:session): session opened for user root by (uid=0)",
"@version" => "1",
"@timestamp" => "2015-03-09T15:08:39.189Z",
"host" => "elasticsearchservername",
"syslog_timestamp" => "Mar 9 14:18:20",
"syslog_hostname" => "ServerName",
"syslog_program" => "sshd",
"syslog_pid" => "14160",
"syslog_message" => "pam_unix(sshd:session): session opened for user root by (uid=0)"
}
问题是 windows 日志(没有括号),所以我无法获取 syslog_pid:
Mar 3 08:58:57 ServerName2 Security-Auditing: 4624: AUDIT_SUCCESS Se inici.. sesi..n correctamente en una cuenta. Sujeto: Id. de seguridad:
{
"message" => "Mar 3 08:58:57 ServerName2 Security-Auditing: 4624: AUDIT_SUCCESS Se inici.. sesi..n correctamente en una cuenta. Sujeto: Id. de seguridad:",
"@version" => "1",
"@timestamp" => "2015-03-09T15:22:50.351Z",
"host" => "elasticsearchservername",
"syslog_timestamp" => "Mar 3 08:58:57",
"syslog_hostname" => "ServerName2 ",
"syslog_program" => "Security-Auditing",
"syslog_message" => "4624: AUDIT_SUCCESS Se inici.. sesi..n correctamente en una cuenta. Sujeto: Id. de seguridad:"
}
如何更改两个日志(windows 和 linux)的 grok 过滤器并获得两个 syslog_pid?
谢谢?
您可以通过执行类似 [\[]* 和 [\]]*
的操作使括号可选
%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}[\[]*%{POSINT:syslog_pid}[\]]*: %{GREEDYDATA:syslog_message}
我的 LogStash Grok 过滤器:
bin/logstash -e '
input { stdin { } }
filter {
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
}
}
output { stdout { codec => rubydebug } }'
它非常适合我的 Linux 登录日志:
Mar 9 14:18:20 ServerName sshd[14160]: pam_unix(sshd:session): session opened for user root by (uid=0)
{
"message" => "Mar 9 14:18:20 ServerName sshd[14160]: pam_unix(sshd:session): session opened for user root by (uid=0)",
"@version" => "1",
"@timestamp" => "2015-03-09T15:08:39.189Z",
"host" => "elasticsearchservername",
"syslog_timestamp" => "Mar 9 14:18:20",
"syslog_hostname" => "ServerName",
"syslog_program" => "sshd",
"syslog_pid" => "14160",
"syslog_message" => "pam_unix(sshd:session): session opened for user root by (uid=0)"
}
问题是 windows 日志(没有括号),所以我无法获取 syslog_pid:
Mar 3 08:58:57 ServerName2 Security-Auditing: 4624: AUDIT_SUCCESS Se inici.. sesi..n correctamente en una cuenta. Sujeto: Id. de seguridad:
{
"message" => "Mar 3 08:58:57 ServerName2 Security-Auditing: 4624: AUDIT_SUCCESS Se inici.. sesi..n correctamente en una cuenta. Sujeto: Id. de seguridad:",
"@version" => "1",
"@timestamp" => "2015-03-09T15:22:50.351Z",
"host" => "elasticsearchservername",
"syslog_timestamp" => "Mar 3 08:58:57",
"syslog_hostname" => "ServerName2 ",
"syslog_program" => "Security-Auditing",
"syslog_message" => "4624: AUDIT_SUCCESS Se inici.. sesi..n correctamente en una cuenta. Sujeto: Id. de seguridad:"
}
如何更改两个日志(windows 和 linux)的 grok 过滤器并获得两个 syslog_pid?
谢谢?
您可以通过执行类似 [\[]* 和 [\]]*
%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}[\[]*%{POSINT:syslog_pid}[\]]*: %{GREEDYDATA:syslog_message}