Grok模式不返回结果

发布于 2025-01-25 11:34:51 字数 1381 浏览 5 评论 0原文

我对麋鹿非常新，我一直坚持提取字段。below是示例数据

Dec 9 06:36:01 s-login-01 CRON[2436102]: pam_unix(cron:session): session closed for user mXXt

Dec 9 06:34:07 s-login-01 sshd[2424671]: Disconnected from user sw 10.xx.1x.xx port 4000

Dec 9 06:34:05 s-login-01 systemd-logind[2405]: Session 20923 logged out. Waiting for processes to exit.

，我有上述示例数据，我想知道如何为此编写.conf文件。我尝试使用以下.conf，但没有提取字段。

input {
file {
path => "/../syslog.log"
type => "syslog"
start_position => beginning
sincedb_path => "/dev/null"
}
}
filter {
grok {

    match => { "message" => "%{SYSLOGTIMESTAMP:timestamp}%{SPACE}%{NOTSPACE:HOST}%{SPACE}%{NOTSPACE:PROCESS}\[%{NUMBER:PID}\]\:%{GREEDYDATA:activity}" }
    match => { "message" => "%{SYSLOGTIMESTAMP:timestamp}%{SPACE}%{NOTSPACE:HOST}%{SPACE}%{NOTSPACE:PROCESS}\[%{NUMBER:PID}\]\:%{GREEDYDATA:activity}.?*%{WORD:User}" }
    match => { "message" => "%{SYSLOGTIMESTAMP:timestamp}%{SPACE}%{NOTSPACE:HOST}%{SPACE}%{NOTSPACE:PROCESS}\[%{NUMBER:PID}\]\:%{GREEDYDATA:activity}.?*%{WORD:User}.?*%{IP:IP}.?*%{NUMBER:Port}" }
    match => { "message" => "%{SYSLOGTIMESTAMP:timestamp}%{SPACE}%{NOTSPACE:HOST}%{SPACE}%{NOTSPACE:PROCESS}\[%{NUMBER:PID}\]\:%{GREEDYDATA:activity}.?*%{NUMBER:Session_ID}" }
}
}
output {
Elasticsearch {
hosts => ["localhost:9200"]
index => "sample_"
}
}

原文

I am very new to ELK and I am stuck at extracting fields.Below is the sample data

Dec 9 06:36:01 s-login-01 CRON[2436102]: pam_unix(cron:session): session closed for user mXXt

Dec 9 06:34:07 s-login-01 sshd[2424671]: Disconnected from user sw 10.xx.1x.xx port 4000

Dec 9 06:34:05 s-login-01 systemd-logind[2405]: Session 20923 logged out. Waiting for processes to exit.

I have the above sample data I want to know how to write the .conf file for this .I tried using the below .conf but It did not extract the fields.

input {
file {
path => "/../syslog.log"
type => "syslog"
start_position => beginning
sincedb_path => "/dev/null"
}
}
filter {
grok {

    match => { "message" => "%{SYSLOGTIMESTAMP:timestamp}%{SPACE}%{NOTSPACE:HOST}%{SPACE}%{NOTSPACE:PROCESS}\[%{NUMBER:PID}\]\:%{GREEDYDATA:activity}" }
    match => { "message" => "%{SYSLOGTIMESTAMP:timestamp}%{SPACE}%{NOTSPACE:HOST}%{SPACE}%{NOTSPACE:PROCESS}\[%{NUMBER:PID}\]\:%{GREEDYDATA:activity}.?*%{WORD:User}" }
    match => { "message" => "%{SYSLOGTIMESTAMP:timestamp}%{SPACE}%{NOTSPACE:HOST}%{SPACE}%{NOTSPACE:PROCESS}\[%{NUMBER:PID}\]\:%{GREEDYDATA:activity}.?*%{WORD:User}.?*%{IP:IP}.?*%{NUMBER:Port}" }
    match => { "message" => "%{SYSLOGTIMESTAMP:timestamp}%{SPACE}%{NOTSPACE:HOST}%{SPACE}%{NOTSPACE:PROCESS}\[%{NUMBER:PID}\]\:%{GREEDYDATA:activity}.?*%{NUMBER:Session_ID}" }
}
}
output {
Elasticsearch {
hosts => ["localhost:9200"]
index => "sample_"
}
}

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

池木 2025-02-01 11:34:51

这是满足您提供的所有示例数据的单个grok模式：

%{SYSLOGTIMESTAMP:TIMESTAMP} %{DATA:HOST} %{DATA:PROCESS}\[%{BASE10NUM:PID}\]: %{GREEDYDATA:MSG}

我使用 grok debugger Grok模式。

这是输出：

在下面找到单个样本数据的Grok模式：

DEC 9 06:34:07 S-LOGIN-01 SSHD [2424671]：与用户SW 10.xx.1x.xx端口断开连接4000

%{SYSLOGTIMESTAMP:TIMESTAMP} %{DATA:HOST} %{DATA:PROCESS}\[%{BASE10NUM:PID}\]: %{DATA:ACTIVITY} %{DATA:msg} user %{DATA:USER} %{IP:IPADDRESS} %{DATA:msg} %{BASE10NUM:PORT}

12月9日06:36:01 S-Login-01 Cron [2436102]：PAM_UNIX（cron：session）：会话为USER MXXT

%{SYSLOGTIMESTAMP:TIMESTAMP} %{DATA:HOST} %{DATA:PROCESS}\[%{BASE10NUM:PID}\]: %{GREEDYDATA:ACTIVITY} user %{WORD:USER}

12月9日06:34： 05 S-Login-01 SystemD-Logind [2405]：Session 20923登录。等待流程退出。

%{SYSLOGTIMESTAMP:TIMESTAMP} %{DATA:HOST} %{DATA:PROCESS}\[%{BASE10NUM:PID}\]: Session %{BASE10NUM:SESSION_ID} %{GREEDYDATA:ACTIVITY}

Here is the single grok pattern that satisfies all the sample data you provided:

%{SYSLOGTIMESTAMP:TIMESTAMP} %{DATA:HOST} %{DATA:PROCESS}\[%{BASE10NUM:PID}\]: %{GREEDYDATA:MSG}

I have used the GROK DEBUGGER to create the grok pattern.

Here is the output:

Find below the grok pattern for individual sample data:

Dec 9 06:34:07 s-login-01 sshd[2424671]: Disconnected from user sw 10.xx.1x.xx port 4000

%{SYSLOGTIMESTAMP:TIMESTAMP} %{DATA:HOST} %{DATA:PROCESS}\[%{BASE10NUM:PID}\]: %{DATA:ACTIVITY} %{DATA:msg} user %{DATA:USER} %{IP:IPADDRESS} %{DATA:msg} %{BASE10NUM:PORT}

Dec 9 06:36:01 s-login-01 CRON[2436102]: pam_unix(cron:session): session closed for user mXXt

%{SYSLOGTIMESTAMP:TIMESTAMP} %{DATA:HOST} %{DATA:PROCESS}\[%{BASE10NUM:PID}\]: %{GREEDYDATA:ACTIVITY} user %{WORD:USER}

Dec 9 06:34:05 s-login-01 systemd-logind[2405]: Session 20923 logged out. Waiting for processes to exit.

%{SYSLOGTIMESTAMP:TIMESTAMP} %{DATA:HOST} %{DATA:PROCESS}\[%{BASE10NUM:PID}\]: Session %{BASE10NUM:SESSION_ID} %{GREEDYDATA:ACTIVITY}

回复收藏 0 原文

橘亓 2025-02-01 11:34:51

你必须设置这样的我，我有匹配的模式你有错误

input {
        file {

        path => "/root/mult.log"
        start_position => "beginning"
        sincedb_path => "/dev/null"
        codec => multiline{

                 pattern => "^ -%{SPACE}%{TIMESTAMP_ISO8601}"
                 negate => true
                 what => "previous"
        }
}
 }
filter {
    grok {
     match => [
       "message", "(?m)^ -%{SPACE}%{TIMESTAMP_ISO8601:time} \[%{WORD:main}\] %{LOGLEVEL:loglevel}%{SPACE}\(%{JAVACLASS:class}\) %{DATA:mydata}\n(\t)?%{GREEDYDATA:stack}",
       "message", "^ -%{SPACE}%{TIMESTAMP_ISO8601:time} \[%{WORD:main}\] %{LOGLEVEL:loglevel}%{SPACE}\(%{JAVACLASS:class}\) %{GREEDYDATA:mydata}" ]
        break_on_match => false
 }
    date {
    match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z"]
 }
}

output {
  stdout { codec => rubydebug}
elasticsearch {
    host => "localhost"
  }
}

you must set such as this i thing the pattern of match you have mistake

input {
        file {

        path => "/root/mult.log"
        start_position => "beginning"
        sincedb_path => "/dev/null"
        codec => multiline{

                 pattern => "^ -%{SPACE}%{TIMESTAMP_ISO8601}"
                 negate => true
                 what => "previous"
        }
}
 }
filter {
    grok {
     match => [
       "message", "(?m)^ -%{SPACE}%{TIMESTAMP_ISO8601:time} \[%{WORD:main}\] %{LOGLEVEL:loglevel}%{SPACE}\(%{JAVACLASS:class}\) %{DATA:mydata}\n(\t)?%{GREEDYDATA:stack}",
       "message", "^ -%{SPACE}%{TIMESTAMP_ISO8601:time} \[%{WORD:main}\] %{LOGLEVEL:loglevel}%{SPACE}\(%{JAVACLASS:class}\) %{GREEDYDATA:mydata}" ]
        break_on_match => false
 }
    date {
    match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z"]
 }
}

output {
  stdout { codec => rubydebug}
elasticsearch {
    host => "localhost"
  }
}

回复收藏 0 原文

~没有更多了~