I'm trying to configure logstash to send email alerts and to output logs to elasticsearch / kibana.
I have logs syncing successfully via rsyslog, but I get the following error when I run

    /opt/logstash-1.4.1/bin/logstash agent -f /opt/logstash-1.4.1/logstash.conf --configtest
    Error: Expected one of #, {, ,, ] at line 23, column 12 (byte 387) after filter { if [program] == "nginx-access" { grok { match => [ "message", "%{IPORHOST:remote_addr} - %{USERNAME:remote_user} \[%{HTTPDATE:time_local}\] %{QS:request} %{INT:status} %{INT:body_bytes_sent} %{QS:http_referer} %{QS:http_user_agent}” ] } } } output { stdout { } elasticsearch { embedded => false host => "
This is my logstash configuration file:

    input {
      syslog {
        type => syslog
        port => 5544
      }
    }
    filter {
      if [program] == "nginx-access" {
        grok {
          match => [ "message", "%{IPORHOST:remote_addr} - %{USERNAME:remote_user} \[%{HTTPDATE:time_local}\] %{QS:request} %{INT:status} %{INT:body_bytes_sent} %{QS:http_referer} %{QS:http_user_agent}” ]
        }
      }
    }
    output {
      stdout { }
      elasticsearch {
        embedded => false
        host => "localhost"
        cluster => "cluster01"
      }
      email {
        from => "[email protected]"
        match => [ "Error 504 Gateway Timeout", "status,504", "Error 404 Not Found", "status,404" ]
        subject => "%{matchName}"
        to => "[email protected]"
        via => "smtp"
        body => "Here is the event line that occured: %{@message}"
        htmlbody => "<h2>%{matchName}</h2><br/><br/><h3>Full Event</h3><br/><br/><div align='center'>%{@message}</div>"
      }
    }
I have checked line 23 referenced in the error and it looks fine... I tried taking out the filter and everything works fine... nothing on that line has changed.
Please help.

EDIT

I have now changed my configuration to:
    input {
      syslog {
        type => syslog
        port => 5544
      }
    }
    filter {
      grok {
        type => "syslog"
        match => [ "syslog_program", "nginx-access" ]
        match => [ "message", "%{IPORHOST:remote_addr} - %{USERNAME:remote_user} \[%{HTTPDATE:time_local}\] %{QS:request} %{INT:status} %{INT:body_bytes_sent} %{QS:http_referer} %{QS:http_user_agent}" ]
        add_field => [ "nginx_response", "%{NUMBER:response}" ]
      }
    }
    output {
      stdout {}
      elasticsearch {
        embedded => false
        host => "localhost"
        cluster => "cluster01"
      }
      email {
        match => [ "status", "status,304" ]
        to => "[email protected]"
        from => "[email protected]"
        options => [ "smtpIporHost", "", "port", "", "userName", "", "password", "", "starttls", "", "authenticationType", "" ]
        via => "smtp" # or pop or sendmail
        subject => "Found %{IP:client} Alert on %{@source_host}"
        body => "Here is the event line %{@message}"
        htmlbody => "<h2>%{matchName}</h2><br/><br/><h3>Full Event</h3><br/><br/><div align='center'>%{@message}</div>"
      }
    }

This seems to work as far as I can see; logstash now recognises everything in it and there is an email plugin command in there, but the match fails..... any ideas?
Thanks
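An added example (not from the original post and not Logstash's own code) that explains the parse error in the first config. Logstash's config grammar only recognises the ASCII double quote `"` (U+0022) as a string delimiter. The grok pattern in the first config ends with `”` (U+201D, RIGHT DOUBLE QUOTATION MARK), so the pattern string never closes there and runs on until the next ASCII quote, which is the one opening `"localhost"`. That is exactly where the text quoted in the error stops (`host => "`). The script below finds such characters in a config file and reports where Logstash would really end the string; the config embedded in it is a constructed, cut-down copy of the question's first config with the same curly quote.

```python
#!/usr/bin/env python3
"""Locate non-ASCII quote characters in a Logstash config (added example).

Logstash only treats the ASCII double quote (U+0022) as a string delimiter.
A curly quote such as U+201D is an ordinary character inside the string, so
the string keeps going until the next ASCII quote, and the parser error is
reported there rather than at the curly quote itself.
"""
import unicodedata

# Constructed sample: a cut-down copy of the question's first config with the
# grok pattern terminated by U+201D instead of U+0022, as in the posted file.
SAMPLE_CONFIG = (
    'filter {\n'
    '  if [program] == "nginx-access" {\n'
    '    grok {\n'
    '      match => [ "message", "%{IPORHOST:remote_addr} %{INT:status}\u201d ]\n'
    '    }\n'
    '  }\n'
    '}\n'
    'output {\n'
    '  elasticsearch { host => "localhost" }\n'
    '}\n'
)

# Typographic quotes that editors and web pages substitute for " and '.
SUSPECT_QUOTES = {"\u201c", "\u201d", "\u201e", "\u2018", "\u2019", "\u00ab", "\u00bb"}


def line_col(text, index):
    """1-based (line, column) of the character at `index`."""
    line = text.count("\n", 0, index) + 1
    col = index - (text.rfind("\n", 0, index) + 1) + 1
    return line, col


def find_bad_quotes(text):
    """Return one dict per suspect character: its line, column, character
    index, UTF-8 byte offset (Logstash reports positions in bytes) and name."""
    hits = []
    for index, ch in enumerate(text):
        if ch in SUSPECT_QUOTES:
            line, col = line_col(text, index)
            hits.append({
                "line": line,
                "col": col,
                "index": index,
                "byte": len(text[:index].encode("utf-8")),
                "name": unicodedata.name(ch),
            })
    return hits


def real_string_end(text, index):
    """Where Logstash would actually close a string still open at `index`:
    the next ASCII double quote after it, or None if there is none.
    Assumes `index` lies inside an open string, which is the case when the
    curly quote was meant to terminate it."""
    nxt = text.find('"', index + 1)
    return None if nxt == -1 else line_col(text, nxt)


def report(text):
    """Human-readable lines, one per suspect character."""
    lines = []
    for hit in find_bad_quotes(text):
        end = real_string_end(text, hit["index"])
        where = ("no closing quote at all" if end is None
                 else "string really ends at line %d, column %d" % end)
        lines.append("line %d, column %d (byte %d): %s; %s"
                     % (hit["line"], hit["col"], hit["byte"], hit["name"], where))
    return lines


if __name__ == "__main__":
    import sys
    # Pass a path to scan a real logstash.conf; without one the sample is scanned.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    print("\n".join(report(text)) or "no suspect quote characters found")
```

Run it against the real `logstash.conf` (`python3 find_quotes.py /opt/logstash-1.4.1/logstash.conf`, the file name is arbitrary) and replace every character it reports with a plain `"`; `--configtest` then parses the filter block. The same check is worth running on any config pasted from a web page or a word processor.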
Don't you need to parse out [program] first? I don't think the "input" field does any filtering at all, so you may need to get it from %{SYSLOGBASE}
http://logstash.net/docs/1.4.1/filters/grok
You could try, maybe:

    if [message] =~ /nginx-access/ {

with whatever keyword matches your message field. That will at least tell you what is going on.
The email output doesn't support the match feature. Instead, what you can do is add_tag on a successful grok match, then put a conditional on your email output so it only sends the particular email depending on the tags you defined.
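An added example (not from the original post, and not Logstash's own code) that shows the approach in this answer as a small Python model of the pipeline, with the equivalent Logstash 1.4 directives in the comments: grok tags the event only when the match succeeds, and the output stage sends the email only when that tag is present and the status is one of the values to alert on. The regex is a hand-written equivalent of the grok pattern from the question (it strips the quotes that `%{QS:...}` keeps), the tag name `nginx_access` is an assumption, and the sample events are constructed. Two caveats for the real config: grok captures are strings, so compare `[status]` against `"504"` rather than `504` unless you convert it, and since Logstash 1.2 the fields are `message` and `host`, not `%{@message}` and `%{@source_host}`.

```python
#!/usr/bin/env python3
"""Model of the filter/output stages suggested in the answer (added example).

Logstash 1.4 equivalent of what these functions do (assumed config, not from
the original post):

    filter {
      if [program] == "nginx-access" {
        grok {
          match   => [ "message", "%{IPORHOST:remote_addr} - %{USERNAME:remote_user} \\[%{HTTPDATE:time_local}\\] %{QS:request} %{INT:status} %{INT:body_bytes_sent} %{QS:http_referer} %{QS:http_user_agent}" ]
          add_tag => [ "nginx_access" ]     # only added when the match succeeds
        }
      }
    }
    output {
      elasticsearch { host => "localhost" cluster => "cluster01" }
      if "nginx_access" in [tags] and ([status] == "504" or [status] == "404") {
        email { to => "..." from => "..." via => "smtp"
                subject => "nginx %{status} on %{host}" body => "%{message}" }
      }
    }
"""
import re

# Hand-written regex equivalent of the grok pattern above. IPORHOST and
# USERNAME are simplified; the QS captures drop the surrounding quotes.
NGINX_ACCESS = re.compile(
    r'^(?P<remote_addr>\S+) - (?P<remote_user>[\w.-]+) '
    r'\[(?P<time_local>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d+) (?P<body_bytes_sent>\d+) '
    r'"(?P<http_referer>[^"]*)" "(?P<http_user_agent>[^"]*)"$'
)

ALERT_STATUSES = {"404", "504"}   # grok captures are strings, so compare as strings

# Constructed sample events, shaped like what the syslog input produces:
# `program` from the syslog header, `message` holding the forwarded line.
SAMPLE_EVENTS = [
    {"program": "nginx-access", "tags": [],
     "message": '203.0.113.7 - - [10/Jun/2014:14:32:01 +0000] '
                '"GET /api/report HTTP/1.1" 504 0 "-" "curl/7.35.0"'},
    {"program": "nginx-access", "tags": [],
     "message": '198.51.100.23 - alice [10/Jun/2014:14:32:05 +0000] '
                '"GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"'},
    {"program": "nginx-access", "tags": [],
     "message": 'upstream timed out (110: Connection timed out)'},  # not an access line
    {"program": "sshd", "tags": [],
     "message": 'Accepted publickey for bob from 192.0.2.9 port 50210 ssh2'},
]


def grok_nginx(event):
    """Filter stage. On success copy the captures into the event and add the
    tag; on failure Logstash adds _grokparsefailure and no fields."""
    if event.get("program") != "nginx-access":
        return event                      # the `if [program] == ...` conditional
    match = NGINX_ACCESS.match(event.get("message", ""))
    tags = event.setdefault("tags", [])
    if match is None:
        tags.append("_grokparsefailure")
        return event
    event.update(match.groupdict())
    tags.append("nginx_access")           # add_tag only fires on a successful match
    return event


def route(event):
    """Output stage: every event goes to elasticsearch; email only for tagged
    nginx events whose status is in ALERT_STATUSES."""
    outputs = ["elasticsearch"]
    if "nginx_access" in event.get("tags", []) and event.get("status") in ALERT_STATUSES:
        outputs.append("email")
    return outputs


def process(events):
    """Run both stages; returns one (event, outputs) pair per input event."""
    results = []
    for e in events:
        ev = grok_nginx({**e, "tags": list(e.get("tags", []))})  # copy, keep samples reusable
        results.append((ev, route(ev)))
    return results


if __name__ == "__main__":
    for ev, outputs in process(SAMPLE_EVENTS):
        print(ev["program"], ev.get("status", "-"), ev["tags"], "->", outputs)
```

The point of tagging in grok rather than matching in the email output is that the decision is made where the fields exist: an event that fails the pattern carries `_grokparsefailure` and has no `status`, so it can never trigger an alert, and a non-nginx event is never examined at all.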