Logstash grok解析器(在%{IPORHOST:syslog_server}中意外为空)HAproxy
以下日志:Logstash grok解析器(在%{IPORHOST:syslog_server}中意外为空)HAproxy,logstash,haproxy,grok,Logstash,Haproxy,Grok,以下日志: Jul 25 07:45:12 tst-proxy202 haproxy[1104]: 10.64.111.222:36635 [25/Jul/2016:07:45:12.479] promocloud~ promocloud/tst-service-proxy203 32/0/1/27/60 200 664 - - ---- 0/0/0/0/0 0/0 {} {} "POST /RTI HTTP/1.1" 使用${haproxyhtp}grok模式解析 %{SYSLOGTIMES
Jul 25 07:45:12 tst-proxy202 haproxy[1104]: 10.64.111.222:36635 [25/Jul/2016:07:45:12.479] promocloud~ promocloud/tst-service-proxy203 32/0/1/27/60 200 664 - - ---- 0/0/0/0/0 0/0 {} {} "POST /RTI HTTP/1.1"
使用${haproxyhtp}grok模式解析
%{SYSLOGTIMESTAMP:syslog_timestamp} %{IPORHOST:syslog_server} %{SYSLOGPROG}: %{IP:client_ip}:%{INT:client_port} \[%{HAPROXYDATE:accept_date}\] %{NOTSPACE:frontend_name} %{NOTSPACE:backend_name}/%{NOTSPACE:server_name} %{INT:time_request}/%{INT:time_queue}/%{INT:time_backend_connect}/%{INT:time_backend_response}/%{NOTSPACE:time_duration} %{INT:http_status_code} %{NOTSPACE:bytes_read} %{DATA:captured_request_cookie} %{DATA:captured_response_cookie} %{NOTSPACE:termination_state} %{INT:actconn}/%{INT:feconn}/%{INT:beconn}/%{INT:srvconn}/%{NOTSPACE:retries} %{INT:srv_queue}/%{INT:backend_queue} (\{%{HAPROXYCAPTUREDREQUESTHEADERS}\})?( )?(\{%{HAPROXYCAPTUREDRESPONSEHEADERS}\})?( )?"(<BADREQ>|(%{WORD:http_verb} (%{URIPROTO:http_proto}://)?(?:%{USER:http_user}(?::[^@]*)?@)?(?:%{URIHOST:http_host})?(?:%{URIPATHPARAM:http_request})?( HTTP/%{NUMBER:http_version})?))?"
知道问题出在哪里吗?如果我理解正确,那么您正在尝试删除该空值。空值的出现是因为HAPROXYHTTP模式的最后一部分(它说
?(?:%{URIHOST:http_host})(?:%{URIPATHPARAM:http_request})(http/%{NUMBER:http_version})?“
)。它以某种方式添加了一个空主机名。幸运的是,这不是一个严重的问题,原因如下:
grok筛选器的默认选项包括named_captures_only=>true
()和keep_empty_captures=>false
()。在grok调试器中尝试这两个选项,您的输出看起来非常干净。在logstash中,您无需更改任何内容
如果logstash误解了主机名,请尝试自己从grok值中检索主机名(例如,使用):
如果您还有其他问题,请告诉我
"syslog_server": [
[
"tst-proxy202"
]
],
"HOSTNAME": [
[
"tst-proxy202",
null <<<<<<<<<
]
],
"IP": [
[
null,
null
]
],
"IPV6": [
[
null,
null,
null
]
],
"IPV4": [
[
null,
"10.64.111.222",
null
]
],
tst-proxy202
%{IPORHOST:syslog_server}
{
"syslog_server": [
[
"tst-proxy202"
]
],
"HOSTNAME": [
[
"tst-proxy202"
]
],
"IP": [
[
null
]
],
"IPV6": [
[
null
]
],
"IPV4": [
[
null
]
]
}
filter {
mutate {
replace => { "HOSTNAME" => "%{syslog_server}" }
}
}