使用Logstash Grok过滤器过滤系统日志消息
[英]Filter syslog message with logstash grok filter
问题描述
I have the following logs sent to logstash via syslog input (the logs come from docker containers sent to logstash via logspout) 
我有以下通过syslog输入发送到logstash的日志(日志来自通过logspout发送到logstash的docker容器)
So, in the following log sample, the first line is a php-fpm error and the second line is a nginx access log 因此,在以下日志示例中, 第一行是php-fpm错误 , 第二行是nginx访问日志
docker-nginx-php-composer|2015/03/17 16:31:28 [error] 9#0: *41 FastCGI sent in stderr: "PHP message: PHP Fatal error: Call to undefined function teetstst() in /var/www/index.php on line 3" while reading response header from upstream, client: 10.10.37.110, server: _, request: "GET /favicon.ico HTTP/1.1", upstream: "fastcgi://127.0.0.1:9000", host: "turing:49213"
docker-nginx-php-composer|10.10.37.110 - - [17/Mar/2015:16:31:28 +0100] "GET /favicon.ico HTTP/1.1" 200 134 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36"
``` ```
OK so now I want to filter all this mess so I can "tag" PHP-FPM logs for example or filter only the warning and errors of PHP-FPM ... 好的,所以现在我想过滤所有这些混乱的东西,以便例如可以“标记” PHP-FPM日志或仅过滤PHP-FPM的警告和错误...
I suppose I have to use the grok filter from logstash but I don't know exactly how ? 我想我必须使用grok从logstash过滤器,但我完全不知道怎么样?
let say I want to filter only PHP errors, put a "php" tag on it and also filter 404 and 500 errors from nginx, how can I achieve this easily with logstash/grok ? 假设我只想过滤PHP错误,在上面放一个“ php”标签,还可以过滤nginx的404和500错误,如何用logstash / grok轻松实现呢?
Any clues ? 有什么线索吗? examples ? 例子 ?
Thanks :) 谢谢 :)
1 个解决方案
解决方案1
0 2015-03-17 20:35:33
I would define two grok patterns: 我将定义两个grok模式:
- php-fpm that starts with a date 以日期开头的php-fpm
- nginx that starts with an ip 以ip开头的nginx
You can add_tag in each grok{} as desired. 您可以根据需要在每个grok {}中添加add_tag。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.