
logstash grok filter pattern not found

I've been attempting to create some custom grok patterns for logstash. Most of them work fine, but one has got me stumped. The pattern is:

WINUSER (?<=User:\s)\w+ 

Here is a sample of the data that is being searched:

2015-04-14 14:06:18 exchange.ows1.osborneit.com INFO 1149 NT AUTHORITY\NETWORK SERVICE Remote Desktop Services: User authentication succeeded:

User: administrator
Domain: .
Source Network Address: 172.24.1.32

I have tested this on http://grokconstructor.appspot.com/do/match and it works correctly, but logstash seems to ignore it. I can't seem to figure out what I'm doing wrong.

Below is my logstash configuration:

input {
  udp {
    type => "eventlog"
    codec => json
    port => 5140
    tags => ['windows', 'eventlog']
  }
}
filter {
  if [type] == "eventlog" {
    grok {
      match => [
        "message", "%{IP:client}",
        "message", "%{WINUSER:username}"
      ]
    }
  }
}
output {
  elasticsearch { host => localhost }
  stdout { codec => json }
}

Update: It appears that the issue is not with the pattern, but with the order of the match. If I move the WINUSER match above the IP match, it works, but the IP match doesn't. Not sure why both don't match.

It turns out the issue was with the filter section of the config file. I had to split the grok matches into multiple grok filters, like below.

filter {
  if [type] == "eventlog" {
    grok {
      match => [ "message", "%{IPV4:client}" ]
    }
    grok {
      match => [ "message", "%{WINUSER:username}" ]
    }
  }
}
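As an added illustration (not code from the question, the answer, or Logstash itself), the following Python script mimics how grok applies a list of patterns to `message`: with the default `break_on_match => true`, a single grok filter stops after the first pattern that matches, so only that pattern's field is extracted, which is the behaviour seen in the update; one grok filter per pattern, as in the answer, extracts both fields. The `IPV4` pattern here is a simplified stand-in for the grok built-in, and the sample event is the one from the question.

```python
import re

# Pattern library for this demo: a simplified IPV4 (the real grok built-in is
# stricter) and the custom WINUSER pattern from the question.
PATTERNS = {
    "IPV4": r"(?:[0-9]{1,3}\.){3}[0-9]{1,3}",
    "WINUSER": r"(?<=User:\s)\w+",
}


def compile_grok(pattern):
    """Expand %{NAME:field} references into Python named groups."""
    def expand(m):
        name, field = m.group(1), m.group(2)
        return "(?P<%s>%s)" % (field, PATTERNS[name])
    return re.compile(re.sub(r"%\{(\w+):(\w+)\}", expand, pattern))


def grok_single(message, patterns):
    """One grok filter with several patterns for the same field.
    Mimics break_on_match => true: stop at the first pattern that
    matches, so only that pattern's fields are added."""
    for p in patterns:
        m = compile_grok(p).search(message)
        if m:
            return m.groupdict()
    return {}


def grok_chain(message, patterns):
    """One grok filter per pattern, applied one after another (the fix
    from the answer): every matching pattern contributes its fields."""
    fields = {}
    for p in patterns:
        m = compile_grok(p).search(message)
        if m:
            fields.update(m.groupdict())
    return fields


# Sample event taken from the question (constructed as a single string).
SAMPLE = ("2015-04-14 14:06:18 exchange.ows1.osborneit.com INFO 1149 "
          "NT AUTHORITY\\NETWORK SERVICE Remote Desktop Services: "
          "User authentication succeeded:\n\nUser: administrator\n"
          "Domain: .\nSource Network Address: 172.24.1.32\n")

if __name__ == "__main__":
    order = ["%{IPV4:client}", "%{WINUSER:username}"]
    print("single grok:", grok_single(SAMPLE, order))        # only client
    print("single grok, reversed:", grok_single(SAMPLE, order[::-1]))  # only username
    print("chained groks:", grok_chain(SAMPLE, order))       # both fields
```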
