Logstash Grok for Cisco Call Manager logs


I am feeding Call Manager logs into Logstash and need some help with a grok parser for the logs. Can someone help me with a grok pattern for the following log entry:

<190>136768: Dec 23 2019 10:48:59.476 UTC :  %UC_AUDITLOG-6-AdministrativeEvent: %[UserID=administrator][ClientAddress=192.168.1.5][Severity=6][EventType=UserAccess][ResourceAccessed=CUCMServiceability][EventStatus=Success][CompulsoryEvent=No][AuditCategory=AdministrativeEvent][ComponentID=Cisco CCM Servicability][CorrelationID=][AuditDetails=Attempt to access data was successful.User is authorized to access alarmconfig][AppID=Cisco Tomcat][ClusterID=][NodeID=cm01.home.local]: Audit Event is generated by this application 
I am trying to use the Grok debugger, but I am not getting very far.

So far I have:

<%{NUMBER:message_type_id}>%{NUMBER:internal_id}:%{SPACE}%{CISCOTIMESTAMP:cisco_timestamp}%{SPACE}%{DATA:gmt}:%{SPACE}%{PROG}:
Try this:

Input:

<190>136768: Dec 23 2019 10:48:59.476 UTC :  %UC_AUDITLOG-6-AdministrativeEvent: %[UserID=administrator][ClientAddress=192.168.1.5][Severity=6][EventType=UserAccess][ResourceAccessed=CUCMServiceability][EventStatus=Success][CompulsoryEvent=No][AuditCategory=AdministrativeEvent][ComponentID=Cisco CCM Servicability][CorrelationID=][AuditDetails=Attempt to access data was successful.User is authorized to access alarmconfig][AppID=Cisco Tomcat][ClusterID=][NodeID=cm01.home.local]: Audit Event is generated by this application 

Pattern:

<%{NUMBER:message_type_id}>%{NUMBER:internal_id}:%{SPACE}%{CISCOTIMESTAMP:cisco_timestamp}%{SPACE}%{DATA:gmt}%{SPACE}:%{SPACE}%{PROG}:%{SPACE}\%\[UserID=%{GREEDYDATA:UserID}\]\[ClientAddress=%{IP:ClientAddress}\]\[Severity=%{NUMBER:Severity}\]\[EventType=%{GREEDYDATA:EventType}\]\[ResourceAccessed=%{GREEDYDATA:ResourceAccessed}\]\[EventStatus=%{GREEDYDATA:EventStatus}\]\[CompulsoryEvent=%{GREEDYDATA:CompulsoryEvent}\]\[AuditCategory=%{GREEDYDATA:AuditCategory}\]\[ComponentID=%{GREEDYDATA:ComponentID}\]\[CorrelationID=%{GREEDYDATA:CorrelationID}\]\[AuditDetails=%{GREEDYDATA:AuditDetails}\]\[AppID=%{GREEDYDATA:AppID}\]\[ClusterID=%{GREEDYDATA:ClusterID}\]\[NodeID=%{GREEDYDATA:NodeID}\]:%{SPACE}%{GREEDYDATA:description}

Output:

{
  "message_type_id": [
    [
      "190"
    ]
  ],
  "BASE10NUM": [
    [
      "190",
      "136768",
      "6"
    ]
  ],
  "internal_id": [
    [
      "136768"
    ]
  ],
  "SPACE": [
    [
      " ",
      " ",
      " ",
      "  ",
      " ",
      " "
    ]
  ],
  "cisco_timestamp": [
    [
      "Dec 23 2019 10:48:59.476"
    ]
  ],
  "MONTH": [
    [
      "Dec"
    ]
  ],
  "MONTHDAY": [
    [
      "23"
    ]
  ],
  "YEAR": [
    [
      "2019"
    ]
  ],
  "TIME": [
    [
      "10:48:59.476"
    ]
  ],
  "HOUR": [
    [
      "10"
    ]
  ],
  "MINUTE": [
    [
      "48"
    ]
  ],
  "SECOND": [
    [
      "59.476"
    ]
  ],
  "gmt": [
    [
      "UTC"
    ]
  ],
  "PROG": [
    [
      "%UC_AUDITLOG-6-AdministrativeEvent"
    ]
  ],
  "UserID": [
    [
      "administrator"
    ]
  ],
  "ClientAddress": [
    [
      "192.168.1.5"
    ]
  ],
  "IPV6": [
    [
      null
    ]
  ],
  "IPV4": [
    [
      "192.168.1.5"
    ]
  ],
  "Severity": [
    [
      "6"
    ]
  ],
  "EventType": [
    [
      "UserAccess"
    ]
  ],
  "ResourceAccessed": [
    [
      "CUCMServiceability"
    ]
  ],
  "EventStatus": [
    [
      "Success"
    ]
  ],
  "CompulsoryEvent": [
    [
      "No"
    ]
  ],
  "AuditCategory": [
    [
      "AdministrativeEvent"
    ]
  ],
  "ComponentID": [
    [
      "Cisco CCM Servicability"
    ]
  ],
  "CorrelationID": [
    [
      ""
    ]
  ],
  "AuditDetails": [
    [
      "Attempt to access data was successful.User is authorized to access alarmconfig"
    ]
  ],
  "AppID": [
    [
      "Cisco Tomcat"
    ]
  ],
  "ClusterID": [
    [
      ""
    ]
  ],
  "NodeID": [
    [
      "cm01.home.local"
    ]
  ],
  "description": [
    [
      "Audit Event is generated by this application "
    ]
  ]
}
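
An added example, not part of the answer above: the grok pattern matches only when all fourteen bracketed fields are present in exactly this order, so this Python parser reads the same log line with the [Key=Value] pairs in any order and keeps empty values. The names parse_cucm_audit, audit, syslog_facility and syslog_severity are assumptions made for the example, and values are assumed not to contain brackets.

```python
import re
from datetime import datetime, timezone

# <pri>seq: Mon DD YYYY HH:MM:SS.mmm TZ : %FACILITY-SEV-NAME: %[k=v][k=v]...: text
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<seq>\d+):\s+"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{4}\s+\d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<tz>\S+)\s*:\s+"
    r"(?P<program>%[A-Z_]+-\d-\w+):\s+"
    r"%(?P<pairs>(?:\[[^\[\]=]+=[^\[\]]*\])+)"
    r":\s*(?P<description>.*?)\s*$"
)
# One [Key=Value] pair; the value may be empty but may not contain brackets.
PAIR = re.compile(r"\[([^\[\]=]+)=([^\[\]]*)\]")

# The log line from the question above.
SAMPLE = (
    "<190>136768: Dec 23 2019 10:48:59.476 UTC :  "
    "%UC_AUDITLOG-6-AdministrativeEvent: %[UserID=administrator]"
    "[ClientAddress=192.168.1.5][Severity=6][EventType=UserAccess]"
    "[ResourceAccessed=CUCMServiceability][EventStatus=Success]"
    "[CompulsoryEvent=No][AuditCategory=AdministrativeEvent]"
    "[ComponentID=Cisco CCM Servicability][CorrelationID=]"
    "[AuditDetails=Attempt to access data was successful.User is "
    "authorized to access alarmconfig][AppID=Cisco Tomcat][ClusterID=]"
    "[NodeID=cm01.home.local]: Audit Event is generated by this application "
)


def parse_cucm_audit(line):
    """Return a dict of parsed fields, or None when the line does not match."""
    m = HEADER.match(line)
    if m is None:
        return None  # caller should keep the raw line and tag it as unparsed
    pri = int(m["pri"])
    event = {
        "syslog_facility": pri >> 3,  # upper bits of the syslog priority
        "syslog_severity": pri & 7,   # lower three bits
        "internal_id": int(m["seq"]),
        "program": m["program"],
        "description": m["description"],
        # Pairs stay in their own namespace so a key taken from the log
        # can never overwrite a header field.
        "audit": dict(PAIR.findall(m["pairs"])),
    }
    if m["tz"] == "UTC":  # convert only when the zone is unambiguous
        ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S.%f")
        ts = ts.replace(tzinfo=timezone.utc)
        event["@timestamp"] = ts.isoformat(timespec="milliseconds")
    return event
```

Lines that return None are worth routing to a separate index or tag rather than dropping, so that audit events in an unexpected shape remain searchable.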