帶有 json 數據的流利過濾器正則表達式

Question

我正在嘗試僅過濾（保留）oauth 經過身份驗證的審核日志，但它不起作用。 當我將模式設置為 /.*/ 時，所有內容都會出現在 Kibana 中。 如果我設置 /oauth/ 或 /.*oauth.*/ 什么都不會出現。 我究竟做錯了什么？

我要過濾的日志文件中的行：

{"kind":"Event","apiVersion":"audit.k8s.io/v1beta1","metadata":{"creationTimestamp":"2020-07-17T20:06:49Z"},"level":"Metadata","timestamp":"2020-07-17T20:06:49Z","auditID":"cf56d61e-30b3-486c-a513-6bd9e96fb592","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/openshift-logging/pods?limit=500","verb":"list","user":{"username":"user","uid":"388e0232-c5bb-11ea-904d-7a59592b634f","groups":["system:authenticated:oauth","system:authenticated"],"extra":{"scopes.authorization.openshift.io":["user:full"]}},"sourceIPs":["10.0.72.20"],"objectRef":{"resource":"pods","namespace":"openshift-logging","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":200},"requestReceivedTimestamp":"2020-07-17T20:06:49.918391Z","stageTimestamp":"2020-07-17T20:06:49.921475Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"registry-controller\" of ClusterRole \"cluster-admin\" to User \"user\""}}

流利的配置：

<source>
  @type tail
  @id in_tail_audit_logs
  multiline_flush_interval 5s
  path "/var/lib/origin/audit-ocp.log"
  tag "ocp-audit"
  <parse>
    @type "json"
    time_format "%Y-%m-%dT%T.%L%Z"
    time_type string
  </parse>
</source>
<filter ocp-audit>
  @type grep
  <regexp>
    key user.groups
    pattern /oauth/
  </regexp>
</filter>

Answer 1

為grep嘗試此配置：

<regexp>
  key user
  pattern /.*groups.*oauth/
</regexp>

或者，您可以像這樣安裝和配置fluent-plugin-json ：

<filter ocp-audit>
  @type json
  @id json_filter

  <check>
    pointer /user/groups/0    # point to 0th index of groups array
    pattern /.*:oauth/
  </check>
</filter>