Logstash: grok patterns for Named (dns-query logs)
I have named (bind 4) DNS query logs like this:
Sep 17 11:05:33 central.ns.1 named[13705]: 17-Sep-2020 11:05:33.399 client 10.127.0.9#50507 (19.img.avito.st): query: 19.img.avito.st IN A +EDC (10.127.4.28)
Sep 17 11:05:34 central.ns.2 named[16335]: 17-Sep-2020 11:05:33.411 client 10.127.0.8#54091 (api.aliradar.com): query: api.aliradar.com IN A +EDC (10.127.4.30)
I created a grok pattern like this:
if [type] == "dns" {
  grok {
    match => { "message" => '%{MONTH:syslog_month} +%{MONTHDAY:syslog_day} %{TIME:syslog_time} %{IPORHOST:syslog_hostname} %{WORD:syslog_tag}: %{BIND9_TIMESTAMP:timestamp} client %{IP:clientip}#%{POSINT:clientport} \(%{GREEDYDATA:query_one}\): query: %{GREEDYDATA:query_two} IN %{GREEDYDATA:querytype} \(%{IP:dns}\)' }
  }
}
But it looks like these patterns don't work. Can anyone share grok patterns for Named?
Here is a grok pattern that matches your logs:
%{SYSLOGTIMESTAMP:time} %{IPORHOST:syslog_hostname} %{DATA:syslog_tag}\: (?<timestamp>%{MONTHDAY}-%{MONTH}-%{YEAR} %{TIME}) client %{IP:clientip}#%{POSINT:clientport} \(%{DATA:query_one}\)\: query\: %{DATA:query_two} IN %{GREEDYDATA:querytype} \(%{IP:dns}\)
Please find the screenshot of the output:
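The answer's pattern expressed as a plain Python regular expression, as an added example that is not part of the original question or answer. It parses the two log lines from the question into the same field names the grok pattern produces, shows why the question's %{WORD:syslog_tag} could not consume named[13705], and goes one step beyond the page by splitting the querytype field ("A +EDC") into the record type and BIND's query-log flag letters, decoded according to the BIND 9 ARM's querylog description. Assumptions not taken from the page: the address groups are IPv4-only, and the optional "@0x..." token after "client" (which newer BIND 9 releases print) is accepted and discarded; the sample lines are the question's own, embedded here as constructed input.

```python
import re

# Constructed sample input: the two query-log lines from the question.
SAMPLE_LINES = [
    "Sep 17 11:05:33 central.ns.1 named[13705]: 17-Sep-2020 11:05:33.399 client 10.127.0.9#50507 (19.img.avito.st): query: 19.img.avito.st IN A +EDC (10.127.4.28)",
    "Sep 17 11:05:34 central.ns.2 named[16335]: 17-Sep-2020 11:05:33.411 client 10.127.0.8#54091 (api.aliradar.com): query: api.aliradar.com IN A +EDC (10.127.4.30)",
]

# Plain-regex equivalent of the answer's grok pattern, one named group per grok
# field. %{DATA} becomes a lazy .*?, the final %{GREEDYDATA:querytype} is a
# lazy .*? anchored by the trailing "(ip)". IPv4 only (assumption: these
# resolvers log IPv4 clients). The optional "@0x..." token after "client" is
# not in the question's logs; newer BIND 9 prints a client-object pointer
# there, so it is accepted and dropped (assumption, not from the page).
NAMED_QUERY_RE = re.compile(
    r"^(?P<time>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<syslog_hostname>[\w.-]+) "
    r"(?P<syslog_tag>.*?): "
    r"(?P<timestamp>\d{1,2}-[A-Z][a-z]{2}-\d{4} \d{2}:\d{2}:\d{2}(?:\.\d+)?) "
    r"client (?:@0x[0-9a-fA-F]+ )?"
    r"(?P<clientip>\d{1,3}(?:\.\d{1,3}){3})#(?P<clientport>\d+) "
    r"\((?P<query_one>.*?)\): query: (?P<query_two>.*?) IN "
    r"(?P<querytype>.*?) \((?P<dns>\d{1,3}(?:\.\d{1,3}){3})\)$"
)

# The question's %{WORD:syslog_tag} expands to \b\w+\b, which cannot consume
# the "[13705]" part of "named[13705]", so the following literal ":" never
# lines up and that grok pattern fails on the tag.
WORD_RE = re.compile(r"\w+")

# Flag letters after the record type, per the BIND 9 ARM querylog description:
# + / - recursion desired or not, S TSIG-signed, E EDNS (newer versions append
# the version as E(0)), T over TCP, D DO bit, C CD bit, V valid server cookie,
# K cookie missing or invalid.
FLAGS_RE = re.compile(
    r"^(?P<rd>[+-])(?P<signed>S)?(?P<edns>E(?:\(\d+\))?)?(?P<tcp>T)?"
    r"(?P<do>D)?(?P<cd>C)?(?P<cookie_ok>V)?(?P<cookie_bad>K)?$"
)


def grok_word_tag_matches(tag):
    """True if %{WORD} would consume the whole syslog tag (it does not for named[pid])."""
    return WORD_RE.fullmatch(tag) is not None


def decode_flags(flags):
    """Turn '+EDC' into a dict of booleans; None if the string is not a BIND flag run."""
    m = FLAGS_RE.match(flags)
    if m is None:
        return None
    return {
        "recursion_desired": m.group("rd") == "+",
        "signed": m.group("signed") is not None,
        "edns": m.group("edns") is not None,
        "tcp": m.group("tcp") is not None,
        "dnssec_ok": m.group("do") is not None,
        "checking_disabled": m.group("cd") is not None,
    }


def parse_named_query(line):
    """Parse one line into the answer's fields plus rrtype/flags; None on no match."""
    m = NAMED_QUERY_RE.match(line)
    if m is None:
        return None
    event = m.groupdict()
    # The grok pattern leaves "A +EDC" in querytype; split it so the record
    # type and the flag run can be filtered on separately.
    rrtype, _, flags = event["querytype"].partition(" ")
    event["rrtype"] = rrtype
    event["flags"] = decode_flags(flags) if flags else None
    return event


def parse_lines(lines):
    """Parse many lines, returning (events, unmatched) so grok failures stay visible."""
    events, unmatched = [], []
    for line in lines:
        event = parse_named_query(line)
        if event is None:
            unmatched.append(line)
        else:
            events.append(event)
    return events, unmatched


if __name__ == "__main__":
    parsed, failed = parse_lines(SAMPLE_LINES)
    for ev in parsed:
        print(ev["clientip"], ev["query_two"], ev["rrtype"], ev["flags"])
    print("unmatched:", failed)
```

Keeping the unmatched lines separate mirrors what you would want in Logstash too: a `_grokparsefailure` tag is only useful if something watches for it, and a query-log format change (for example the extra "@0x..." token) otherwise drops events silently.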