elasticsearch Logstash JSON Grok筛选器问题
我已经设置了squid代理,通过Logstash将JSON格式的日志发送到Elastic。我正在尝试使用GROK过滤来解析日志。过滤器在Kiabana Grok调试器中工作,但在我重新启动Logstash时出现以下错误elasticsearch Logstash JSON Grok筛选器问题,elasticsearch,logstash,grok,elasticsearch,Logstash,Grok,我已经设置了squid代理,通过Logstash将JSON格式的日志发送到Elastic。我正在尝试使用GROK过滤来解析日志。过滤器在Kiabana Grok调试器中工作,但在我重新启动Logstash时出现以下错误 Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:squid_logs, :exception=>"LogStash::Configuration
Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:squid_logs,
:exception=>"LogStash::ConfigurationError", :message=>"Expected one of [ \\t\\r\\n], \"#\", \"
{\", \",\", \"]\" at line 10, column 62 (byte 137) after filter {\n grok {\n match => {\n
\"message\" => [ \"%{IPV4:vendor_ip}\", \"%{WORD:message}\"", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:32:in `compile_imperative'",
"org/logstash/execution/AbstractPipelineExt.java:184:in `initialize'",
"org/logstash/execution/JavaBasePipelineExt.java:69:in `initialize'",
"/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:47:in `initialize'",
"/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:52:in `execute'",
"/usr/share/logstash/logstash-core/lib/logstash/agent.rb:389:in `block in converge_state'"]}
我有下面的GROK过滤器
"%{IPV4:vendor_ip}", "%{WORD:message}": "%{IPV4:clientip}", "%{WORD:message}": "%
{DATA:timestamp}", "%{WORD:message}": "%{WORD:verb}", "%{WORD:message}": "%{DATA:request}", "%
{WORD:message}": "%{URIPATHPARAM:path}"
在Kibana Grok调试器中,过滤器可以针对如下消息正常工作:
{ "vendor_ip": "x.x.x.x", "clientip": "x.x.x.x", "timestamp": "2021-04-09T13:58:38+0000",
"verb": "GET", "request": "https://domain", "path": "/somepath", "httpversion": "HTTP/1.1",
"response": 200, "bytes": 2518042, "referer": "-", "useragent": "Microsoft BITS/7.8",
"request_status": "HIER_DIRECT", "hierarchy_status": "HIER_DIRECT" }
日志存储配置如下:
input {
beats {
port => 5045
}
}
filter {
grok {
match => {
"message" => [ "%{IPV4:vendor_ip}", "%{WORD:message}": "%{IPV4:clientip}", "%{WORD:message}": "%{DATA:timestamp}", "%{WORD:message}": "%{WORD:verb}", "%{WORD:message}": "%{DATA:request}", "%{WORD:message}": "%{URIPATHPARAM:path}" ]
}
}
}
output {
elasticsearch {
hosts => ["x.x.x.x:9200"]
index => "squid_logs"
}
}
使用grok筛选器解析json消息是错误的方法,没有必要这样做,这将是一项大量的工作,因为您需要转义消息中的所有双引号,否则将出现配置错误,这就是您的情况 使用过滤器解析json消息 只需在管道中使用此选项:
filter {
json {
source => "message"
}
}
谢谢你,这比我想做的要简单得多。我看到这个问题已经得到了非常好的回答,但只是为了记录在案。。。上面的日志存储配置无效。。。具体来说,grok的
消息设置格式不正确。最好是像[“\{\”供应商ip\”:\“${IPV4:vendor\u ip}\”,“\'clientip\”:\”%{IPV4:clientip}\“,
…etc至少感谢您的评论。很高兴知道语法已关闭,即使grok debugger接受了它。我通常使用kibana builtin,而不是kibana。主要是因为这是我发现的第一个工具。这些问题似乎较少,但YMMV