Regex 日志存储解析日志字段
我试图从后缀日志中解析Regex 日志存储解析日志字段,regex,parsing,logstash,postfix,Regex,Parsing,Logstash,Postfix,我试图从后缀日志中解析@message字段,并将其提取到多个字段中 消息: <22>Sep 17 19:12:14 postfix/smtp[18852]: 28D40A036B: to=<test@gmail.com>, relay=192.244.100.25[192.244.100.25]:25, delay=0.13, delays=0.01/0.01/0.09/0.02, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued
@message<22>Sep 17 19:12:14 postfix/smtp[18852]: 28D40A036B: to=<test@gmail.com>, relay=192.244.100.25[192.244.100.25]:25, delay=0.13, delays=0.01/0.01/0.09/0.02, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 9030A15D0)
{
"@source": "syslog://192.244.100.42/",
"@tags": [
"_grokparsefailure"
],
"@fields": {
"priority": 13,
"severity": 5,
"facility": 1,
"facility_label": "user-level",
"severity_label": "Notice"
},
"@timestamp": "2013-09-17T17:12:06.958Z",
"@source_host": "192.244.100.42",
"@source_path": "/",
"@message": "<22>Sep 17 19:12:14 postfix/smtp[18852]: 28D40A036B: to=<test@gmail.com>, relay=192.244.100.25[192.244.100.25]:25, delay=0.13, delays=0.01/0.01/0.09/0.02, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 9030A15D0)",
"@type": "syslog"
}
filter {
if [type] == "postfix" {
grok {
patterns_dir => "/etc/logstash/patterns"
match => { "message" => "%{SYSLOG5424PRI}%{SYSLOGTIMESTAMP} %{SYSLOGPROG}: %{POSTFIX_SMTP_DELIVERY}" }
}
}
}
{
"postfix_queueid" => "28D40A036B",
"@timestamp" => 2017-02-23T08:15:32.546Z,
"postfix_smtp_response" => "250 2.0.0 Ok: queued as 9030A15D0",
"port" => 50228,
"postfix_keyvalue_data" => "to=<test@gmail.com>, relay=192.244.100.25[192.244.100.25]:25, delay=0.13, delays=0.01/0.01/0.09/0.02, dsn=2.0.0, status=sent",
"syslog5424_pri" => "22",
"@version" => "1",
"host" => "10.0.2.2",
"pid" => "18852",
"program" => "postfix/smtp",
"message" => "<22>Sep 17 19:12:14 postfix/smtp[18852]: 28D40A036B: to=<test@gmail.com>, relay=192.244.100.25[192.244.100.25]:25, delay=0.13, delays=0.01/0.01/0.09/0.02, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 9030A15D0)"
}
Sep 17 19:12:14 postfix/smtp[18852]:28D40A036B:to=,relay=192.244.100.25[192.244.100.25]:25,delay=0.13,delays=0.01/0.01/0.09/0.02,dsn=2.0.0,status=sent(250 2.0.0.0确定:排队为9030A15D0)
<22>Sep 17 19:12:14 postfix/smtp[18852]: 28D40A036B: to=<test@gmail.com>, relay=192.244.100.25[192.244.100.25]:25, delay=0.13, delays=0.01/0.01/0.09/0.02, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 9030A15D0)
{
"@source": "syslog://192.244.100.42/",
"@tags": [
"_grokparsefailure"
],
"@fields": {
"priority": 13,
"severity": 5,
"facility": 1,
"facility_label": "user-level",
"severity_label": "Notice"
},
"@timestamp": "2013-09-17T17:12:06.958Z",
"@source_host": "192.244.100.42",
"@source_path": "/",
"@message": "<22>Sep 17 19:12:14 postfix/smtp[18852]: 28D40A036B: to=<test@gmail.com>, relay=192.244.100.25[192.244.100.25]:25, delay=0.13, delays=0.01/0.01/0.09/0.02, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 9030A15D0)",
"@type": "syslog"
}
filter {
if [type] == "postfix" {
grok {
patterns_dir => "/etc/logstash/patterns"
match => { "message" => "%{SYSLOG5424PRI}%{SYSLOGTIMESTAMP} %{SYSLOGPROG}: %{POSTFIX_SMTP_DELIVERY}" }
}
}
}
{
"postfix_queueid" => "28D40A036B",
"@timestamp" => 2017-02-23T08:15:32.546Z,
"postfix_smtp_response" => "250 2.0.0 Ok: queued as 9030A15D0",
"port" => 50228,
"postfix_keyvalue_data" => "to=<test@gmail.com>, relay=192.244.100.25[192.244.100.25]:25, delay=0.13, delays=0.01/0.01/0.09/0.02, dsn=2.0.0, status=sent",
"syslog5424_pri" => "22",
"@version" => "1",
"host" => "10.0.2.2",
"pid" => "18852",
"program" => "postfix/smtp",
"message" => "<22>Sep 17 19:12:14 postfix/smtp[18852]: 28D40A036B: to=<test@gmail.com>, relay=192.244.100.25[192.244.100.25]:25, delay=0.13, delays=0.01/0.01/0.09/0.02, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 9030A15D0)"
}
{
“@source”:”syslog://192.244.100.42/",
“@tags”:[
“_grokparsefailure”
],
“@fields”:{
“优先”:13,
“严重性”:5,
“设施”:1,
“设施标签”:“用户级”,
“严重性标签”:“注意”
},
“@时间戳”:“2013-09-17T17:12:06.958Z”,
“@source_host”:“192.244.100.42”,
“@source_path”:“/”,
“@message:“9月17日19:12:14 postfix/smtp[18852]:28D40A036B:to=,relay=192.244.100.25[192.244.100.25]:25,delay=0.13,delays=0.01/0.01/0.09/0.02,dsn=2.0.0,status=sent(250 2.0.0.0确定:排队为9030A15D0)”,
@type:“系统日志”
}
@message解析
@message
:这与RFC5424系统日志非常接近,但缺少ver(version)字段Sep 17 19:12:14 postfix/smtp[18852]:- SYSLOG5424PRI:优先级值
- 系统日志时间戳:不言自明
- SYSLOGPROG:应用程序的名称
:这是要后缀的域特定信息28D40A036B:to=,relay=192.244.100.25[192.244.100.25]:25,delay=0.13,delays=0.01/0.01/0.09/0.02,dsn=2.0.0,status=sent(250 2.0.0.0确定:作为9030A15D0排队)- 后缀键值数据:用作另一个筛选器的组件,以匹配键值数据(例如中继=…,延迟=…)
- 后缀\u队列ID:不言自明
- POSTFIX\u KEYVALUE:组合POSTFIX\u QUEUEID和POSTFIX\u KEYVALUE\u数据
- POSTFIX\u SMTP\u传递:使用POSTFIX\u KEYVALUE标识上述信息,直到status=,之后是SMTP响应
<22>Sep 17 19:12:14 postfix/smtp[18852]: 28D40A036B: to=<test@gmail.com>, relay=192.244.100.25[192.244.100.25]:25, delay=0.13, delays=0.01/0.01/0.09/0.02, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 9030A15D0)
{
"@source": "syslog://192.244.100.42/",
"@tags": [
"_grokparsefailure"
],
"@fields": {
"priority": 13,
"severity": 5,
"facility": 1,
"facility_label": "user-level",
"severity_label": "Notice"
},
"@timestamp": "2013-09-17T17:12:06.958Z",
"@source_host": "192.244.100.42",
"@source_path": "/",
"@message": "<22>Sep 17 19:12:14 postfix/smtp[18852]: 28D40A036B: to=<test@gmail.com>, relay=192.244.100.25[192.244.100.25]:25, delay=0.13, delays=0.01/0.01/0.09/0.02, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 9030A15D0)",
"@type": "syslog"
}
filter {
if [type] == "postfix" {
grok {
patterns_dir => "/etc/logstash/patterns"
match => { "message" => "%{SYSLOG5424PRI}%{SYSLOGTIMESTAMP} %{SYSLOGPROG}: %{POSTFIX_SMTP_DELIVERY}" }
}
}
}
{
"postfix_queueid" => "28D40A036B",
"@timestamp" => 2017-02-23T08:15:32.546Z,
"postfix_smtp_response" => "250 2.0.0 Ok: queued as 9030A15D0",
"port" => 50228,
"postfix_keyvalue_data" => "to=<test@gmail.com>, relay=192.244.100.25[192.244.100.25]:25, delay=0.13, delays=0.01/0.01/0.09/0.02, dsn=2.0.0, status=sent",
"syslog5424_pri" => "22",
"@version" => "1",
"host" => "10.0.2.2",
"pid" => "18852",
"program" => "postfix/smtp",
"message" => "<22>Sep 17 19:12:14 postfix/smtp[18852]: 28D40A036B: to=<test@gmail.com>, relay=192.244.100.25[192.244.100.25]:25, delay=0.13, delays=0.01/0.01/0.09/0.02, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 9030A15D0)"
}
<22>Sep 17 19:12:14 postfix/smtp[18852]: 28D40A036B: to=<test@gmail.com>, relay=192.244.100.25[192.244.100.25]:25, delay=0.13, delays=0.01/0.01/0.09/0.02, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 9030A15D0)
{
"@source": "syslog://192.244.100.42/",
"@tags": [
"_grokparsefailure"
],
"@fields": {
"priority": 13,
"severity": 5,
"facility": 1,
"facility_label": "user-level",
"severity_label": "Notice"
},
"@timestamp": "2013-09-17T17:12:06.958Z",
"@source_host": "192.244.100.42",
"@source_path": "/",
"@message": "<22>Sep 17 19:12:14 postfix/smtp[18852]: 28D40A036B: to=<test@gmail.com>, relay=192.244.100.25[192.244.100.25]:25, delay=0.13, delays=0.01/0.01/0.09/0.02, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 9030A15D0)",
"@type": "syslog"
}
filter {
if [type] == "postfix" {
grok {
patterns_dir => "/etc/logstash/patterns"
match => { "message" => "%{SYSLOG5424PRI}%{SYSLOGTIMESTAMP} %{SYSLOGPROG}: %{POSTFIX_SMTP_DELIVERY}" }
}
}
}
{
"postfix_queueid" => "28D40A036B",
"@timestamp" => 2017-02-23T08:15:32.546Z,
"postfix_smtp_response" => "250 2.0.0 Ok: queued as 9030A15D0",
"port" => 50228,
"postfix_keyvalue_data" => "to=<test@gmail.com>, relay=192.244.100.25[192.244.100.25]:25, delay=0.13, delays=0.01/0.01/0.09/0.02, dsn=2.0.0, status=sent",
"syslog5424_pri" => "22",
"@version" => "1",
"host" => "10.0.2.2",
"pid" => "18852",
"program" => "postfix/smtp",
"message" => "<22>Sep 17 19:12:14 postfix/smtp[18852]: 28D40A036B: to=<test@gmail.com>, relay=192.244.100.25[192.244.100.25]:25, delay=0.13, delays=0.01/0.01/0.09/0.02, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 9030A15D0)"
}
{
“postfix_queueid”=>“28D40A036B”,
“@timestamp”=>2017-02-23T08:15:32.546Z,
“postfix_smtp_response”=>“250 2.0.0正常:排队为9030A15D0”,
“端口”=>50228,
“postfix_keyvalue_data”=>“to=,relay=192.244.100.25[192.244.100.25]:25,延迟=0.13,延迟=0.01/0.01/0.09/0.02,dsn=2.0.0,状态=sent”,
“syslog5424_pri”=>“22”,
“@version”=>“1”,
“主机”=>“10.0.2.2”,
“pid”=>“18852”,
“程序”=>“后缀/smtp”,
“邮件”=>“9月17日19:12:14 postfix/smtp[18852]:28D40A036B:to=,中继=192.244.100.25[192.244.100.25]:25,延迟=0.13,延迟=0.01/0.01/0.09/0.02,dsn=2.0.0,状态=已发送(250 2.0.0.0确定:作为9030A15D0排队)”
}