logstash 2.4.0:grok在定制模式上無提示地失敗
[英]logstash 2.4.0: grok fails silently on custom patterns
問題描述
我正在嘗試(失敗)讓自定義模式與Logstash 2.4.0一起使用。 這是conf文件的相關部分:
#some parsing happens above...
grok {
patterns_dir => ["/config_dir/patterns"]
match => [ "syslog_message", "%{QID:qid}:" ]
}
(完整配置位於末尾)-模式目錄僅包含文件sendmail.grok:
#########
QID a
運行我得到(重新格式化的異常):
{:exception=>"Grok::PatternError",
:backtrace=>["/opt/logstash/vendor/bundle/jruby/1.9/gems/jls-grok-0.11.3/lib/grok-pure.rb:123:in `compile'",
"org/jruby/RubyKernel.java:1479:in `loop'",
"/opt/logstash/vendor/bundle/jruby/1.9/gems/jls-grok-0.11.3/lib/grok-pure.rb:93:in `compile'",
"/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-filter-grok-2.0.5/lib/logstash/filters/grok.rb:264:in `register'",
"org/jruby/RubyArray.java:1613:in `each'",
"/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-filter-grok-2.0.5/lib/logstash/filters/grok.rb:259:in `register'",
"org/jruby/RubyHash.java:1342:in `each'",
"/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-filter-grok-2.0.5/lib/logstash/filters/grok.rb:255:in `register'",
"/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.4.0-java/lib/logstash/pipeline.rb:182:in `start_workers'",
"org/jruby/RubyArray.java:1613:in `each'",
"/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.4.0-java/lib/logstash/pipeline.rb:182:in `start_workers'",
"/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.4.0-java/lib/logstash/pipeline.rb:136:in `run'",
"/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.4.0-java/lib/logstash/agent.rb:491:in `start_pipeline'"],
:level=>:error,
:file=>"logstash/agent.rb",
:line=>"493",
:method=>"start_pipeline"
}
此異常與pattern / sendmail.grok的內容無關。 這是一個PatternError,但沒有告訴我錯誤發生的位置/原因。 但是,如果我將匹配行注釋掉,則一切都很好(下面的示例otput):
{
"message" => "Oct 25 13:18:27 alpha opendkim[1160]: u9PBIMwu011394: authsmtp79.register.it [195.110.122.164] not internal",
"@version" => "1",
"@timestamp" => "2016-10-25T11:25:35.072Z",
"path" => "/log/maillog",
"host" => "93fe70f98023",
"syslog_severity_code" => 5,
"syslog_facility_code" => 1,
"syslog_facility" => "user-level",
"syslog_severity" => "notice",
"tags" => [
[0] "syslog_message_unparsed",
[1] "syslog_relay"
],
"syslog_timestamp" => "Oct 25 13:18:27",
"syslog_host" => "alpha",
"program" => "opendkim",
"pid" => "1160",
"syslog_message" => "u9PBIMwu011394: authsmtp79.register.it [195.110.122.164] not internal",
"syslog_fullhost" => "alpha"
}
有想法嗎?
TIA,阿爾法
完整配置:
input {
file {
path => "/log/maillog"
}
}
filter {
syslog_pri {
}
mutate {
add_tag => [ "syslog_parsefailure", "syslog_message_unparsed" ]
}
grok {
match => [ "message", "%{CISCOTIMESTAMP:syslog_timestamp} %{IPORHOST:syslog_host} %{SYSLOGPROG}: %{GREEDYDATA:syslog_message}" ]
add_field => { "syslog_fullhost" => "%{syslog_host}" }
add_tag => [ "syslog_relay" ]
remove_tag => [ "syslog_parsefailure" ]
tag_on_failure => [ ]
}
if [program] == "sendmail" {
mutate {
add_tag => [ "sendmail_log" ]
}
grok {
patterns_dir => ["/config_dir/patterns"]
match => [ "syslog_message", "%{QID:qid}:" ]
}
}
}
output {
stdout { codec => rubydebug }
}
2 個解決方案
解決方案1
0 2016-10-26 11:53:27
解決方案2
0 2016-10-26 15:12:32
好的,因此托管我的Docker容器(CentOS7 VM)的環境似乎出現了問題。 我在FC24(非VM)計算機(新的docker,相同的容器等)上重建了完全相同的環境,但異常消失了。
得到教訓:
- 表面上,通過容器化將自己從環境依賴性中解放出來的夢想是一種幻想。 由於容器宿主環境的存在,鬼錯誤/執行可能而且確實會出現,而沒有告訴您太多有關它的信息,因此比以往任何時候都難以捉摸。
- Logstash(非常奇怪的)異常日志記錄不理想。 造成原始異常的原因(如果我必須打賭,我會打賭文件系統和/或SELinux問題,但我仍然仍然不知道),這絕不是模式問題
感謝所有
費心(甚至)閱讀
此事的人。
自定義日期時間相同,但在grok日期過濾器logstash中不匹配
[英]Custom date time is same but not matching in grok date filter logstash
Logstash / GROK:解析日志文件時創建自定義變量
[英]Logstash / GROK: Creating a custom Variable when parsing a log file
多個自定義的grok模式不匹配,但它們單獨成功匹配?
[英]Multiple custom grok patterns not matching, but they successfully match alone?
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.