Logstash grokparsefailure在日志存储配置中的某些过滤器之后
我有一些来自网络设备的日志。 日志发送到日志存储 在使用日志进行一些筛选之后,我得到了“grokparsefailure” logstash形态Logstash grokparsefailure在日志存储配置中的某些过滤器之后,logstash,logstash-grok,grok,Logstash,Logstash Grok,Grok,我有一些来自网络设备的日志。 日志发送到日志存储 在使用日志进行一些筛选之后,我得到了“grokparsefailure” logstash形态 grok { match => { "message" => "^[a-z0-9,]* %{GREEDYDATA:message}" } overwrite => [ "message" ] } multiline {
grok {
match => { "message" => "^[a-z0-9,]* %{GREEDYDATA:message}" }
overwrite => [ "message" ]
}
multiline {
source => "message"
pattern => "^(TCP)|(first L2TP)"
negate => false
what => next
max_age => "2"
}
mutate {
gsub => ["message", "\n", " "]
}
# message from susseful PPTP VPN client login
if ( [message] =~ /^TCP.*(logged\sin,)/) {
grok {
match => { "message" => " %{PPTPVPNCLIENTIN} " }
add_field => { "[microtik][vpnclientauth]" => "login susseful" }
}
}
PPTPVPNCLIENTIN TCP connection established from %{IPV4:[microtik][vpnclientsourceip]} %{USERNAME:[microtik][username]} logged in, %{IPV4:[microtik][vpnclientinternalip]}
"pptp,info TCP connection established from realIP"
"pptp,ppp,info,account username logged in, localIP"
{
"message" => "TCP connection established from reaiIP username logged in, localIP",
"@version" => "1",
"@timestamp" => "date/time",
"type" => "mtsl",
"host" => "ip",
},
"tags" => [
[0] "multiline",
[1] "_grokparsefailure"
]
}