我正在运行LS 2.0.0,我注意到syslog_prifilter没有检测到我的系统日志开始时的优先级的问题。 我的过滤configuration如下:
filter { if [type] == "relp" { syslog_pri { } grok { match => { "message" => "%{SYSLOG5424PRI}(?:%{POSINT} |-)+(?:%{TIMESTAMP_ISO8601:syslog5424_ts}|-) +(?:%{HOSTNAME:syslog5424_host}|-) +(-|%{SYSLOG5424PRINTASCII:syslog5424_app}) +%{GREEDYDATA:syslog5424_msg}" } add_field => [ "received_at", "%{@timestamp}" ] add_field => [ "received_from", "%{syslog5424_host}" ] tag_on_failure => "gpf_relp" } date { match => [ "syslog5424_ts", "ISO8601" ] } } } 这应该能够从以下日志中提取PRI,但是它会失败,并恢复为所有消息的默认优先级(13):
{ "_index": "logstash-2015.11.10", "_type": "relp", "_id": "AVDxXHq4lzuNTbjDHPbE", "_score": null, "_source": { "message": "<86>1 2015-11-10T12:26:20.429088+00:00 integration-gw3 sshd 2587 - - pam_unix(sshd:session): session closed for user sftpuser\n", "@version": "1", "@timestamp": "2015-11-10T12:26:20.429Z", "type": "relp", "host": "10.10.11.23:39532", "syslog_severity_code": 5, "syslog_facility_code": 1, "syslog_facility": "user-level", "syslog_severity": "notice", "syslog5424_pri": "86", "syslog5424_ts": "2015-11-10T12:26:20.429088+00:00", "syslog5424_host": "integration-gw3", "syslog5424_app": "sshd", "syslog5424_msg": "2587 - - pam_unix(sshd:session): session closed for user sftpuser\n", "received_at": "2015-11-10T12:26:20.430Z", "received_from": "integration-gw3" }, "fields": { "@timestamp": [ 1447158380429 ] }, "sort": [ 1447158380429 ] }
正如你可以看到PRI设置为86,我的Grokfilterselect了这个,但是syslog_pri不会将这些值从默认值更改为:
"syslog_facility": "user-level", "syslog_severity": "notice",
任何人都可以build议我做错了什么?
在查看syslog_prifilter的文档时 ,似乎它正在寻找名为syslog_pri的字段的优先级,而不是原始消息。
假设你在运行该filter之前运行该filter,那么在该字段中没有任何内容,因此返回优先级13(user.notice),如上面的文档中所述。
为了以您想要的方式工作,您需要在syslog_pri 后面移动syslog_prifilter并将其更改为:
syslog_pri { syslog_pri_field_name => "syslog5424_pri" }