Grok pattern and hostname extraction problem in Logstash 8.8.2

Problem description

I am running into a problem with Logstash 8 when processing logs from client machines, while Logstash 6 processes the same logs correctly. Here are the log samples:

Log sample - Logstash 8 (problem):

{"event":{"original":"<86>2023-08-03T11:50:57.876174+03:00 ansible-hcl-controler root[139012]:1212"},"received_at":"2023-08-03T08:50:58.167253528Z","@timestamp":"2023-08-03T08:50:57.876Z","process":{"name":"root","pid":139012},"received_from_ipv4":"ansible-hcl-controler","type":"syslog","message":"<86>2023-08-03T11:50:57.876174+03:00 ansible-hcl-controler root[139012]: 1212","syslog_hostname":"ansible-hcl-controler","log":{"syslog":{"severity":{"name":"notice","code":5},"facility":{"name":"user-level","code":1}}},"syslog_message":"1212","@version":"1","all_rsyslog_fields":"{\"original\"=>\"<86>2023-08-03T11:50:57.876174+03:00 ansible-hcl-controler root[139012]: 1212\"} 86 2023-08-03T11:50:57.876174+03:00 {\"name\"=>\"root\", \"pid\"=>139012} syslog <86>2023-08-03T11:50:57.876174+03:00 ansible-hcl-controler root[139012]: 1212 ansible-hcl-controler 1212 linux","source_type":"linux"}

Log sample - Logstash 6 (correct):

{"syslog_facility":"security/authorization","port":57044,"syslog_facility_code":10,"received_at":"2023-08-03T08:44:30.499Z","syslog_message":"12213","syslog_severity":"informational","lab_id":"7979","type":"syslog","received_from_hostname":"10-157-182-6.es-si-os-ohn-42.eecloud.nsn-net.net","message":"<86>2023-08-03T11:44:30.318073+03:00 ansible-hcl-controler root[138951]: 12213","@timestamp":"2023-08-03T08:44:30.318Z","syslog_hostname":"ansible-hcl-controler","program":"root","pid":"138951","@version":"1","tags":["siem"],"source_type":"linux","syslog_severity_code":6}

As shown above, the "received_from_hostname" and "syslog_hostname" fields are present in the Logstash 6 log but missing from the Logstash 8 log. This suggests there may be a problem with the grok setup.

Here is the common configuration used in both Logstash versions:

    filter {
        if [type] == "syslog" {
            mutate {
                gsub => ["message", "\n", ""]
            }
            grok {
                match => {
                    "message" => [ "(?m)<%{NONNEGINT:syslog_pri}>[\s]*(?:%{SYSLOGTIMESTAMP:syslog_timestamp}|%{TIMESTAMP_ISO8601:syslog_timestamp})[\s]*(%{SYSLOGHOST:syslog_hostname})?(_%{DATA})*[\s]+%{SYSLOGPROG}%{DATA}[\s\n]%{GREEDYDATA:syslog_message}" ]
                }
                add_field => { "source_type" => "linux" }
            }

            ruby {
                code => "event.set('received_at', event.get('@timestamp'))"
            }

            grok {
                match => { "host" => "(?:%{IPV4:received_from_ipv4}|%{IPV6:received_from_ipv6}|%{HOSTNAME:received_from_hostname})(:%{POSINT})?" }
            }

            syslog_pri { }

            date {
                match => [ "syslog_timestamp", "ISO8601", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
            }

            mutate {
                remove_field => ["syslog_timestamp", "syslog_pri", "host"]
            }
        }
    }

I am looking for help identifying and fixing the problem with the grok pattern in Logstash 8 so that the "received_from_hostname" field is extracted correctly. Any help resolving this would be greatly appreciated. Thanks, everyone.

I am having a problem with the grok pattern in Logstash 8, where extracting the IP from the "received_from_hostname" field results in a "_grokparsefailure". I want to fix this. In my Logstash configuration I also want Logstash 8 to include the following fields:

"received_from_hostname": "10-157-182-6.es-si-os-ohn-42.eecloud.nsn-net.net"
"syslog_hostname": "ansible-hcl-controler"

I expect the grok pattern to successfully extract the IP address from the "received_from_hostname" field. However, it is not working as expected, and I need help identifying and correcting the problem in the grok pattern. I am looking for a solution that works for Logstash 8 and earlier versions. Thank you for your help.
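To check the two grok patterns from the question offline, here is an added Ruby example (not from the original post or from Logstash itself) that rebuilds them as Ruby regexes from the stock grok definitions and runs them over the sample line and hostname quoted above. It assumes the `host` value may arrive either as a plain string (as in Logstash 6) or as a structured object, since Logstash 8 defaults to ECS compatibility mode, in which inputs commonly write `[host]` as an object rather than a flat string; the SYSLOGTIMESTAMP, IPV6 and `(_%{DATA})*` branches are omitted for brevity.

```ruby
# Added example, not part of the original post: Ruby equivalents of the two
# grok patterns in the question, assembled from the stock grok definitions
# (NONNEGINT, TIMESTAMP_ISO8601, SYSLOGHOST, PROG, IPV4, HOSTNAME, POSINT).
# SYSLOGTIMESTAMP, IPV6 and the (_%{DATA})* group are left out to keep it short.
HOSTNAME = /\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(?:\.?|\b)/
IPV4     = /(?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.]){3}(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])(?![0-9])/
ISO8601  = /\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:?\d{2})/
PROG     = /[\x21-\x5a\x5c\x5e-\x7e]+/   # grok PROG: printable chars except [ and ]

# First grok filter: split the raw syslog line. The /m flag makes '.' match
# newlines, like the (?m) prefix in the grok pattern.
MESSAGE_RE = /\A<(?<syslog_pri>\d+)>\s*(?<syslog_timestamp>#{ISO8601})\s*(?<syslog_hostname>#{HOSTNAME})?\s+(?<program>#{PROG})(?:\[(?<pid>\d+)\])?.*?[\s\n](?<syslog_message>.*)\z/m

# Second grok filter: classify the transport-level sender. Returns nil (the
# equivalent of a _grokparsefailure) when the value is not a String, e.g. when
# an ECS-mode input stores [host] as an object (assumption, see lead-in).
RECEIVED_FROM_RE = /\A(?:(?<received_from_ipv4>#{IPV4})|(?<received_from_hostname>#{HOSTNAME}))(?::\d+)?/

def extract_syslog(message)
  m = MESSAGE_RE.match(message.delete("\n"))   # mirrors the mutate/gsub step
  m && m.named_captures.compact
end

def extract_received_from(host_value)
  return nil unless host_value.is_a?(String)
  m = RECEIVED_FROM_RE.match(host_value)
  m && m.named_captures.compact
end

# Constructed sample input, copied from the events quoted in the question.
SAMPLE_MESSAGE = "<86>2023-08-03T11:50:57.876174+03:00 ansible-hcl-controler root[139012]: 1212"
SAMPLE_HOST    = "10-157-182-6.es-si-os-ohn-42.eecloud.nsn-net.net"

if __FILE__ == $PROGRAM_NAME
  p extract_syslog(SAMPLE_MESSAGE)
  p extract_received_from(SAMPLE_HOST)
  p extract_received_from("10.157.182.6:57044")
  # A structured host value never reaches the regex, so no field is extracted.
  p extract_received_from({ "hostname" => "ansible-hcl-controler", "ip" => "10.157.182.6" })
end
```

The first pattern extracts syslog_hostname from the message line itself, so a missing received_from_* field points at the value of `host` handed to the second grok, not at the message pattern.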

logstash elastic-stack logstash-grok logstash-configuration