Syslog

為什麼 logstash syslog_pri 過濾器看不到 syslog 消息中的優先級

  • November 10, 2015

我正在執行 LS 2.0.0,我注意到 syslog_pri 過濾器在我的系統日誌開始時沒有檢測到優先級的問題。我的過濾器配置如下:

filter {
 if [type] == "relp" {
   syslog_pri { }
   grok {
     match => { "message" => "%{SYSLOG5424PRI}(?:%{POSINT} |-)+(?:%{TIMESTAMP_ISO8601:syslog5424_ts}|-) +(?:%{HOSTNAME:syslog5424_host}|-) +(-|%{SYSLOG5424PRINTASCII:syslog5424_app}) +%{GREEDYDATA:syslog5424_msg}" }
     add_field => [ "received_at", "%{@timestamp}" ]
     add_field => [ "received_from", "%{syslog5424_host}" ]
     tag_on_failure => "gpf_relp"
   }
   date {
     match => [ "syslog5424_ts", "ISO8601" ]
   }
 }
}

這應該能夠從以下日誌中提取 PRI,但它失敗了,並恢復到所有消息的預設 (13) 優先級:

{
 "_index": "logstash-2015.11.10",
 "_type": "relp",
 "_id": "AVDxXHq4lzuNTbjDHPbE",
 "_score": null,
 "_source": {
   "message": "<86>1 2015-11-10T12:26:20.429088+00:00 integration-gw3 sshd 2587 - -  pam_unix(sshd:session): session closed for user sftpuser\n",
   "@version": "1",
   "@timestamp": "2015-11-10T12:26:20.429Z",
   "type": "relp",
   "host": "10.10.11.23:39532",
   "syslog_severity_code": 5,
   "syslog_facility_code": 1,
   "syslog_facility": "user-level",
   "syslog_severity": "notice",
   "syslog5424_pri": "86",
   "syslog5424_ts": "2015-11-10T12:26:20.429088+00:00",
   "syslog5424_host": "integration-gw3",
   "syslog5424_app": "sshd",
   "syslog5424_msg": "2587 - -  pam_unix(sshd:session): session closed for user sftpuser\n",
   "received_at": "2015-11-10T12:26:20.430Z",
   "received_from": "integration-gw3"
 },
 "fields": {
   "@timestamp": [
     1447158380429
   ]
 },
 "sort": [
   1447158380429
 ]
}

如您所見,PRI 設置為 86,我的 grok 過濾器選擇了它,但 syslog_pri 不會更改這些預設值:

   "syslog_facility": "user-level",
   "syslog_severity": "notice",

誰能建議我做錯了什麼?

在查看過濾器的文件時syslog_pri它似乎在一個名為 的欄位中尋找優先級syslog_pri,而不是原始消息。

鑑於您在摸索行之前執行該過濾器,它在該欄位中沒有任何內容,因此返回優先級 13(user.notice),如上面的文件中所述。

為了讓它按照你想要的方式工作,你需要在 grok之後syslog_pri移動過濾器並將其更改為:

syslog_pri { 
 syslog_pri_field_name => "syslog5424_pri"
}

引用自:https://serverfault.com/questions/735230