Parsing a somewhat complex log in ELK.
The JSON in this log has a variable number of fields (anywhere from 6 to 20), but the format is consistent. The log template is as follows:
[2020-09-21 19:50:30.132] --- Recv data from SocketId=360559 Socket=82
POST /var/v2/slv/cuy_send HTTP/1.1
Connection: keep-alive
X-Real-IP: 0.0.0.0
X-Forwarded-For: 0.0.0.0
Host: 0.0.0.0
Content-Length: 109
Content-Type: application/json; charset=UTF-8
Content-Encoding: utf-8
User-Agent: Apache-HttpClient/4.5.8 (Java/1.7.0_79)
Accept-Encoding: gzip,deflate
{"abc":"X09","pdd":"123456","me":"12345678901","cnt":"%8825%D5%CB%BBD4%AA.%D3%E0%B6%EE%5B424.47%5D.%D4%AA","par":"292000","md":0,"rg":0}
The parsing rules currently in use:
grok {
    match => { "message" => "\[%{TIMESTAMP_ISO8601:timestamp_log}\] --- Recv data from SocketId=%{NUMBER:socket_id} Socket=%{NUMBER:socket}\n%{WORD:http_method} %{DATA:http_request} %{GREEDYDATA:http_version}\nConnection: %{GREEDYDATA:Connection}\nX-Real-IP: %{GREEDYDATA:X-Real-IP}\nX-Forwarded-For: %{GREEDYDATA:X-Forwarded-For}\nHost: %{GREEDYDATA:Host}\nContent-Length: %{GREEDYDATA:Content-Length}\nContent-Type: %{GREEDYDATA:Content-Type}\nContent-Encoding: %{GREEDYDATA:Content-Encoding}\nUser-Agent: %{GREEDYDATA:User-Agent}\nAccept-Encoding: %{GREEDYDATA:Accept-Encoding}\n\s*\n%{GREEDYDATA:http_body}" }
}
json {
    source => "http_body"
}
remove_field => ["socket_id","Connection","User-Agent","http_version","Host","Accept-Encoding","http_method","Content-Encoding","X-Forwarded-For","http_request","socket","Content-Length","X-Real-IP","Content-Type"]
These rules achieve one level of parsing and can also drop unwanted fields, but the json parsing does not take effect.
Requirement: keep the timestamp and the content of the JSON body, with that content parsed into individual fields.
grok {
    match => { "message" => "\[%{TIMESTAMP_ISO8601:timestamp_log}\] --- Recv data from SocketId=%{NUMBER:socket_id} Socket=%{NUMBER:socket}\n%{WORD:http_method} %{DATA:http_request} %{GREEDYDATA:http_version}\nConnection: %{GREEDYDATA:Connection}\nX-Real-IP: %{GREEDYDATA:X-Real-IP}\nX-Forwarded-For: %{GREEDYDATA:X-Forwarded-For}\nHost: %{GREEDYDATA:Host}\nContent-Length: %{GREEDYDATA:Content-Length}\nContent-Type: %{GREEDYDATA:Content-Type}\nContent-Encoding: %{GREEDYDATA:Content-Encoding}\nUser-Agent: %{GREEDYDATA:User-Agent}\nAccept-Encoding: %{GREEDYDATA:Accept-Encoding}\n\s*\n%{GREEDYDATA:http_body}" }
}
json {
    source => "http_body"
    remove_field => ["socket_id","Connection","User-Agent","http_version","Host","Accept-Encoding","http_method","Content-Encoding","X-Forwarded-For","http_request","socket","Content-Length","X-Real-IP","Content-Type"]
}
This answer is based on my own approach combined with a GPT (OpenAI) search; the details are as follows.
Based on the log template provided, the following ELK parsing rules keep the timestamp and the JSON content (with the content parsed into fields):
filter {
    grok {
        match => { "message" => "\[%{TIMESTAMP_ISO8601:timestamp_log}\] --- Recv data from SocketId=%{NUMBER:socket_id} Socket=%{NUMBER:socket}\n%{WORD:http_method} %{DATA:http_request} %{GREEDYDATA:http_version}\nConnection: %{GREEDYDATA:Connection}\nX-Real-IP: %{GREEDYDATA:X-Real-IP}\nX-Forwarded-For: %{GREEDYDATA:X-Forwarded-For}\nHost: %{GREEDYDATA:Host}\nContent-Length: %{GREEDYDATA:Content-Length}\nContent-Type: %{GREEDYDATA:Content-Type}\nContent-Encoding: %{GREEDYDATA:Content-Encoding}\nUser-Agent: %{GREEDYDATA:User-Agent}\nAccept-Encoding: %{GREEDYDATA:Accept-Encoding}\n\s*\n%{GREEDYDATA:http_body}" }
    }
    json {
        source => "http_body"
        remove_field => ["socket_id","Connection","User-Agent","http_version","Host","Accept-Encoding","http_method","Content-Encoding","X-Forwarded-For","http_request","socket","Content-Length","X-Real-IP","Content-Type"]
    }
}
In the rules above, the grok pattern extracts the timestamp and the HTTP body from the message. The json filter then parses the fields inside the body and removes the ones that are not needed. Both filters are defined in Logstash's filter section. Finally, define a target in Logstash's output section to send the parsed events to their destination.
You can save this configuration as logstash.conf and start Logstash with it. For example:
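As a quick standalone sanity check of this approach (a Python sketch, not part of the Logstash pipeline — the regex below only mirrors the two grok captures that are actually kept, the timestamp and the HTTP body; all names here are illustrative):

```python
import json
import re

# Sample event, identical to the log template in the question.
LOG = """[2020-09-21 19:50:30.132] --- Recv data from SocketId=360559 Socket=82
POST /var/v2/slv/cuy_send HTTP/1.1
Connection: keep-alive
X-Real-IP: 0.0.0.0
X-Forwarded-For: 0.0.0.0
Host: 0.0.0.0
Content-Length: 109
Content-Type: application/json; charset=UTF-8
Content-Encoding: utf-8
User-Agent: Apache-HttpClient/4.5.8 (Java/1.7.0_79)
Accept-Encoding: gzip,deflate
{"abc":"X09","pdd":"123456","me":"12345678901","cnt":"%8825%D5%CB%BBD4%AA.%D3%E0%B6%EE%5B424.47%5D.%D4%AA","par":"292000","md":0,"rg":0}"""

# Mirror only the captures we keep: the bracketed timestamp on the first line
# and the JSON object on the last line (the header lines in between vary).
m = re.search(r"^\[([^\]]+)\].*\n(?:.+\n)*(\{.*\})\s*\Z", LOG)
timestamp_log, http_body = m.group(1), m.group(2)

# The body parses generically no matter how many (6-20) fields it carries.
fields = json.loads(http_body)
print(timestamp_log)  # 2020-09-21 19:50:30.132
print(len(fields))    # 7 fields in this sample
```

This confirms that once the whole request is available as one string, extracting the timestamp and parsing the variable-field body is straightforward; the Logstash json filter does the same generic parse server-side.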
bin/logstash -f logstash.conf
Once started, Logstash will begin parsing and processing the log data, and the processed events will be sent to the configured output target.
If this answer helped you, please click to accept it. Thanks!
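If the JSON fields still do not appear after startup, one thing worth checking is whether grok matched at all: the pattern spans \n, so the entire request (timestamp line, headers, and body) must reach Logstash as a single event. When the input reads line by line, a multiline codec can reassemble the event first. A minimal sketch, assuming a file input; the path is a placeholder:

```conf
input {
  file {
    path => "/path/to/your.log"   # placeholder path
    codec => multiline {
      # any line NOT starting with "[YYYY-MM-DD " belongs to the previous event
      pattern => "^\[\d{4}-\d{2}-\d{2} "
      negate => true
      what => "previous"
    }
  }
}
```

With the events reassembled this way, the grok and json filters above apply to the whole request at once.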