Design patterns logstash grok模式未按预期运行_Design Patterns_Logging_Dns_Logstash_Grok

Design patterns logstash grok模式未按预期运行

design-patterns logging dns logstash

Design patterns logstash grok模式未按预期运行,design-patterns,logging,dns,logstash,grok,Design Patterns,Logging,Dns,Logstash,Grok,我有一个有趣的问题使用后效果很好。我发现下面的消息，虽然它在上面的站点上工作，并且对看似相同的消息也有效，但并没有像预期的那样工作这是一种模式： %{MONTHDAY}-%{MONTH}-%{YEAR} %{TIME} %{PROG:program}: %{LOGLEVEL:loglevel}: %{USER:from} %{IP:ip}\#%{INT:port} \(%{GREEDYDATA:request}\): %{WORD:stage}(\s|\s\s)%{GREEDYDATA:dr

我有一个有趣的问题

使用后效果很好。我发现下面的消息，虽然它在上面的站点上工作，并且对看似相同的消息也有效，但并没有像预期的那样工作

这是一种模式：

%{MONTHDAY}-%{MONTH}-%{YEAR} %{TIME} %{PROG:program}: %{LOGLEVEL:loglevel}: %{USER:from} %{IP:ip}\#%{INT:port} \(%{GREEDYDATA:request}\): %{WORD:stage}(\s|\s\s)%{GREEDYDATA:drop_reason} to %{IPORHOST:to}/%{INT:subnet}

这是输出：

{
"message" => "03-Feb-2014 21:33:51.867 queries: info: client 123.123.123.123#57710 (some.dns.server.1.1.1.1.in-addr.arpa): drop  response to 231.231.231.0/24",
"@version" => "1",
"@timestamp" => "2014-02-06T00:51:04.240Z",
"type" => "ns_query",
"host" => "ns2",
"path" => "/tmp/named-query.log.29"
}

我已经看到了它的预期功能，只是奇怪的是，这些特别是没有工作，如果任何人有任何想法，我可能正在做的是不正确的，请让我知道

在下面，您还将看到实际模式文件的内部结构，它将与之进行比较：

# Parse the time stamp whis is an odd time stamp
DNS_TIME_STAMP %{MONTHDAY}-%{MONTH}-%{YEAR} %{TIME}
# Create the Header, basically the beginning of each line of the log
DNS_HEADER %{DNS_TIME_STAMP:log_timestamp} %{PROG:program}: %{LOGLEVEL:loglevel}: %{USER:from} %{IP:ip}\#%{INT:port}
# The different queires
DNS_QUERY_1 %{DNS_HEADER} \(%{IPORHOST:request}\): %{WORD:stage}: %{IPORHOST:request2} %{WORD:rq_where} %{WORD:r_type} %{DATA:flags} \(%{IPORHOST:serviced_by}\)
DNS_QUERY_2 %{DNS_HEADER} \(%{GREEDYDATA:request}\): %{WORD:stage}: %{GREEDYDATA:request2} %{WORD:rq_where} %{WORD:r_type} %{DATA:flags} \(%{GREEDYDATA}:serviced_by\)
# The different drop/slip/etc
DNS_DROP_1 %{DNS_HEADER} \(%{IPORHOST:request}\): %{WORD:stage} %{GREEDYDATA:drop_reason} to %{IPORHOST:to}/%{INT:subnet} for %{IPORHOST:requester} %{GREEDYDATA:dr_type}  \(%{BASE16NUM:request_ID}\)
DNS_DROP_2 %{DNS_HEADER} \(%{IPORHOST:request}\): %{WORD:stage}(\s|\s\s)%{GREEDYDATA:drop_reason} to %{IPORHOST:to}/%{INT:subnet} %{GREEDYDATA:dr_type}  \(%{BASE16NUM:request_ID}\)
DNS_DROP_3 %{DNS_HEADER} \(%{IPORHOST:request}\): %{WORD:stage}(\s|\s\s)%{GREEDYDATA:drop_reason} to %{IPORHOST:to}/%{INT:subnet}
DNS_DROP_4 %{DNS_HEADER} \(%{GREEDYDATA:request}\): %{WORD:stage}(\s|\s\s)%{GREEDYDATA:drop_reason} to %{IPORHOST:to}/%{INT:subnet}
DNS_DROP_5 %{DNS_HEADER} \(%{GREEDYDATA:request}\): %{WORD:stage}(\s|\s\s)%{GREEDYDATA:drop_reason} to %{IPORHOST:to}/%{INT:subnet} %{GREEDYDATA:dr_type}  \(%{BASE16NUM:request_ID}\)
# Bringing them together for ease of use in Logstash
DNS_QUERY (%{DNS_QUERY_1}|%{DNS_QUERY_2})
DNS_DROP (%{DNS_DROP_1}|%{DNS_DROP_2}|%{DNS_DROP_3}|%{DNS_DROP_4}|%{DNS_DROP_5}|)
# The pattern we call in the logstash config
DNS (%{DNS_QUERY}|%{DNS_DROP})

在生成的日志事件文档中是否出现grok parse错误？否，日志事件中没有\u grokparseerror。是否仍然存在此问题？