Syslog
為什麼 logstash syslog_pri 過濾器看不到 syslog 消息中的優先級
我正在執行 LS 2.0.0,我注意到 syslog_pri 過濾器在我的系統日誌開始時沒有檢測到優先級的問題。我的過濾器配置如下:
filter { if [type] == "relp" { syslog_pri { } grok { match => { "message" => "%{SYSLOG5424PRI}(?:%{POSINT} |-)+(?:%{TIMESTAMP_ISO8601:syslog5424_ts}|-) +(?:%{HOSTNAME:syslog5424_host}|-) +(-|%{SYSLOG5424PRINTASCII:syslog5424_app}) +%{GREEDYDATA:syslog5424_msg}" } add_field => [ "received_at", "%{@timestamp}" ] add_field => [ "received_from", "%{syslog5424_host}" ] tag_on_failure => "gpf_relp" } date { match => [ "syslog5424_ts", "ISO8601" ] } } }
這應該能夠從以下日誌中提取 PRI,但它失敗了,並恢復到所有消息的預設 (13) 優先級:
{ "_index": "logstash-2015.11.10", "_type": "relp", "_id": "AVDxXHq4lzuNTbjDHPbE", "_score": null, "_source": { "message": "<86>1 2015-11-10T12:26:20.429088+00:00 integration-gw3 sshd 2587 - - pam_unix(sshd:session): session closed for user sftpuser\n", "@version": "1", "@timestamp": "2015-11-10T12:26:20.429Z", "type": "relp", "host": "10.10.11.23:39532", "syslog_severity_code": 5, "syslog_facility_code": 1, "syslog_facility": "user-level", "syslog_severity": "notice", "syslog5424_pri": "86", "syslog5424_ts": "2015-11-10T12:26:20.429088+00:00", "syslog5424_host": "integration-gw3", "syslog5424_app": "sshd", "syslog5424_msg": "2587 - - pam_unix(sshd:session): session closed for user sftpuser\n", "received_at": "2015-11-10T12:26:20.430Z", "received_from": "integration-gw3" }, "fields": { "@timestamp": [ 1447158380429 ] }, "sort": [ 1447158380429 ] }
如您所見,PRI 設置為 86,我的 grok 過濾器選擇了它,但 syslog_pri 不會更改這些預設值:
"syslog_facility": "user-level", "syslog_severity": "notice",
誰能建議我做錯了什麼?
在查看過濾器的文件時,
syslog_pri
它似乎在一個名為 的欄位中尋找優先級syslog_pri
,而不是原始消息。鑑於您在摸索行之前執行該過濾器,它在該欄位中沒有任何內容,因此返回優先級 13(user.notice),如上面的文件中所述。
為了讓它按照你想要的方式工作,你需要在 grok之後
syslog_pri
移動過濾器並將其更改為:syslog_pri { syslog_pri_field_name => "syslog5424_pri" }