堆栈内存溢出
  简体   繁体   English

用于标记退回邮件的 Logstash grok 过滤器

[英]Logstash grok filter to tag bounced messages

 原文  2013-02-01 15:10:29       elasticsearch/ logstash/ logstash-grok

问题描述

Summary: I've a few outbound smtp servers and centralized mail logs via rsyslog to a server on which i'm Using logstash, outputting to elasticsearch, searching with kibana.摘要:我有一些出站 smtp 服务器和通过 rsyslog 将邮件日志集中到我正在使用 logstash 的服务器,输出到 elasticsearch,使用 kibana 搜索。

I would like to tag as "BOUNCED" for Postfix mail log entries like:我想将 Postfix 邮件日志条目标记为“BOUNCED”,例如:

2013-02-01T16:50:14+02:00 XXSMTPXX postfix/smtp[10879]: BC54A65BD4: to=<xxxx.yyyyyy@zzzz.com.t>, relay=none, delay=0.3, delays=0.01/0/0.29/0, dsn=5.4.4, status=bounced (Host or domain name not found. Name service error for name=gozdesigorta.com.t type=AAAA: Host not found)

the grok filter i've used in logstash.conf is like:我在 logstash.conf 中使用的 grok 过滤器是这样的:

grok {
    patterns_dir => "/etc/logstash/patterns"
    tags    => "postfix/bounce"
    pattern => "%{POSTFIXBOUNCE}"
    add_tag => "BOUNCED"
    named_captures_only => true
}

patterns file i'm using is https://gist.github.com/4691822我正在使用的模式文件是https://gist.github.com/4691822

I could not manage to tag those log lines as BOUNCED... What am i missing?我无法将这些日志行标记为 BOUNCED ...我错过了什么?

2 个解决方案

解决方案1
 1 已采纳  2013-02-02 22:23:22

I changed the pattern as: 我将模式更改为: 

%{TIMESTAMP_ISO8601} %{HOST} %{SYSLOGPROG}: %{QUEUEID}: to=<%{EMAILADDRESS:to}>, relay=%{RELAY}, delay=%{POSREAL:delay}, delays=%{DELAYS}, dsn=%{DSN}, status=%{STATUS} %{GREEDYDATA:reason}

Now i can grok ;) 现在我可以grok;)

解决方案2
 0  2022-03-16 20:23:45

Can you paste the complete logstash.conf please?您可以粘贴完整的 logstash.conf 吗? I get the following error:我收到以下错误:

Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of [ \\t\\r\\n], \"#\", \"=>\" at line 20, column 19 (byte 558) after filter {        \n  grok {\n      patterns_dir => \"/etc/logstash/conf.d/patterns\"\n      tags    => \"postfix/bounce\"\n      pattern => \"%{POSTFIXBOUNCE}\"\n      add_tag => \"%{TIMESTAMP_ISO8601} %{HOST} %{SYSLOGPROG}: %{QUEUEID}: to=<%{EMAILADDRESS:to}>, relay=%{RELAY}, delay=%{POSREAL:delay}, delays=%{DELAYS}, dsn=%{DSN}, status=%{STATUS} %{GREEDYDATA:reason}\"\n      named_captures_only => true\n  }\n\noutput {\n    elasticsearch ", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:32:in `compile_imperative'", "org/logstash/execution/AbstractPipelineExt.java:189:in `initialize'", "org/logstash/execution/JavaBasePipelineExt.java:72:in `initialize'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:47:in `initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:52:in `execute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:383:in `block in converge_state'"]}

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 Logstash grok 过滤器来标记接收和退回的消息 - Logstash grok filter to tag received and bounced messages Logstash grok过滤整数 - Logstash grok filter integer 使用grok的Logstash过滤器 - Logstash filter using grok Logstash Grok过滤器模式 - logstash grok filter pattern 用于自定义日志的Logstash筛选器Grok - Logstash Filter Grok for custom log 自定义GROK过滤器-Logstash-&gt; Elasticsearch - Custom GROK filter - Logstash -> Elasticsearch Logstash JSON Grok 过滤器问题 - Logstash JSON Grok filter issue 如果语句不适用于 grok 过滤器 logstash - If statement not working on grok filter logstash Logstash grok 过滤器 apache 模式 - Logstash grok filter apache pattern 为什么我的 grok 过滤器不解析我的 filebeats 消息? 我看不到 Kibana (ELK) 中的 logstash 解析字段 - Why is my grok filter not parsing my filebeats messages ? I cannot see the logstash parsed field in Kibana (ELK)
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM