Logstash COMMONAPACHELOG模式解析问题
Logstash COMMONAPACHELOG pattern parsing problem
我正在尝试解析以下类型的日志消息:
111.22.333.444 - - [08/Jan/2020:11:50:15 +0100] [https://awdasfe.asfeaf.cas:111] "POST /VFQ3P/asfiheasfhe/v2/safiehjafe/check HTTP/1.1" 204 0 "-" "-" (rt=0.555 urt=0.555 uct=0.122 uht=0.11)
我的 logstash 配置文件:
beats {
port => 5044
}
}
filter {
grok { match => { "message" => "%{IPORHOST:clientip} %{HTTPDUSER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] \[%{NOTSPACE:referrer}\] "(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})" %{NUMBER:response} (?:%{NUMBER:bytes}|-)" } }
geoip { source => "clientip" }
}
output {
elasticsearch {
hosts => ["localhost:9200"]
index => "my_index5"
}
}
我使用的模式与 COMMONAPACHELOG 的 github 模式库几乎相同。当我在 Kibana 中通过 grok 调试器放置代码时,它按我想要的方式工作,但是当我尝试在机器上执行它时,logstash 抛出一个错误,指出在 "(?:%{WORD:verb} 部分之前应该有一个符号,并且当我在那里添加\仍然有问题。
有人对解决问题有什么建议吗?
提前致谢!
您必须使用 \ 转义模式中的双引号 ("),如下所示:
"%{IPORHOST:clientip} %{HTTPDUSER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] \[%{NOTSPACE:referrer}\] \"(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})\" %{NUMBER:response} (?:%{NUMBER:bytes}|-)"
使用您提供的日志消息,结果将是:
{
"@version":"1",
"auth":"-",
"host":"******",
"message":"111.22.333.444 - - [08/Jan/2020:11:50:15 +0100] [https://awdasfe.asfeaf.cas:111] \"POST /VFQ3P/asfiheasfhe/v2/safiehjafe/check HTTP/1.1\" 204 0 \"-\" \"-\" (rt=0.555 urt=0.555 uct=0.122 uht=0.11)\r",
"timestamp":"08/Jan/2020:11:50:15 +0100",
"httpversion":"1.1",
"@timestamp":"2020-01-09T13:32:27.442Z",
"verb":"POST",
"response":"204",
"clientip":"111.22.333.444",
"referrer":"https://awdasfe.asfeaf.cas:111",
"ident":"-",
"request":"/VFQ3P/asfiheasfhe/v2/safiehjafe/check",
"bytes":"0"
}
我正在尝试解析以下类型的日志消息:
111.22.333.444 - - [08/Jan/2020:11:50:15 +0100] [https://awdasfe.asfeaf.cas:111] "POST /VFQ3P/asfiheasfhe/v2/safiehjafe/check HTTP/1.1" 204 0 "-" "-" (rt=0.555 urt=0.555 uct=0.122 uht=0.11)
我的 logstash 配置文件:
beats {
port => 5044
}
}
filter {
grok { match => { "message" => "%{IPORHOST:clientip} %{HTTPDUSER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] \[%{NOTSPACE:referrer}\] "(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})" %{NUMBER:response} (?:%{NUMBER:bytes}|-)" } }
geoip { source => "clientip" }
}
output {
elasticsearch {
hosts => ["localhost:9200"]
index => "my_index5"
}
}
我使用的模式与 COMMONAPACHELOG 的 github 模式库几乎相同。当我在 Kibana 中通过 grok 调试器放置代码时,它按我想要的方式工作,但是当我尝试在机器上执行它时,logstash 抛出一个错误,指出在 "(?:%{WORD:verb} 部分之前应该有一个符号,并且当我在那里添加\仍然有问题。
有人对解决问题有什么建议吗?
提前致谢!
您必须使用 \ 转义模式中的双引号 ("),如下所示:
"%{IPORHOST:clientip} %{HTTPDUSER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] \[%{NOTSPACE:referrer}\] \"(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})\" %{NUMBER:response} (?:%{NUMBER:bytes}|-)"
使用您提供的日志消息,结果将是:
{
"@version":"1",
"auth":"-",
"host":"******",
"message":"111.22.333.444 - - [08/Jan/2020:11:50:15 +0100] [https://awdasfe.asfeaf.cas:111] \"POST /VFQ3P/asfiheasfhe/v2/safiehjafe/check HTTP/1.1\" 204 0 \"-\" \"-\" (rt=0.555 urt=0.555 uct=0.122 uht=0.11)\r",
"timestamp":"08/Jan/2020:11:50:15 +0100",
"httpversion":"1.1",
"@timestamp":"2020-01-09T13:32:27.442Z",
"verb":"POST",
"response":"204",
"clientip":"111.22.333.444",
"referrer":"https://awdasfe.asfeaf.cas:111",
"ident":"-",
"request":"/VFQ3P/asfiheasfhe/v2/safiehjafe/check",
"bytes":"0"
}