Can someone help me fix this log?

Time: 2016-05-23 07:38:29

Tags: logging elasticsearch expression logstash grok

127.0.0.1 - - [21/May/2016:13:43:37 +0200] "GET /images/example.png HTTP/1.1" 304 0 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:46.0) Gecko/20100101 Firefox/46.0" "-"

1 answer:

Answer 0: (score: 0)

This is an Apache log, and grok has a pattern dedicated to it called COMBINEDAPACHELOG. So your grok can be defined like this:

grok {
   match => {"message" => "%{COMBINEDAPACHELOG}"}
}

You would get an event like this:

{
        "message" => "127.0.0.1 - - [21/May/2016:13:43:37 +0200] \"GET /images/example.png HTTP/1.1\" 304 0 \"-\" \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:46.0) Gecko/20100101 Firefox/46.0\" \"-\"",
       "@version" => "1",
     "@timestamp" => "2016-05-23T07:43:53.439Z",
           "host" => "iMac.local",
       "clientip" => "127.0.0.1",
          "ident" => "-",
           "auth" => "-",
      "timestamp" => "21/May/2016:13:43:37 +0200",
           "verb" => "GET",
        "request" => "/images/example.png",
    "httpversion" => "1.1",
       "response" => "304",
          "bytes" => "0",
       "referrer" => "\"-\"",
          "agent" => "\"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:46.0) Gecko/20100101 Firefox/46.0\""
}
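As an added example (not part of the answer above, and not Logstash's own pattern file), here is a Python re-creation of what the COMBINEDAPACHELOG grok pattern extracts from a line, producing the same field names as the event above and tagging lines that do not match with `_grokparsefailure` the way Logstash does. The regex and the two extra sample lines are my own constructions.

```python
import re

# Hand-written regex mirroring the fields grok's COMBINEDAPACHELOG emits
# (clientip, ident, auth, timestamp, verb, request, httpversion, response,
# bytes, referrer, agent). This is an assumption-based re-creation, not the
# grok pattern itself; like grok, it does not anchor at end of line, so the
# trailing "-" in the question's line is simply ignored.
COMBINED_RE = re.compile(
    r'^(?P<clientip>\S+) (?P<ident>\S+) (?P<auth>\S+) '
    r'\[(?P<timestamp>[^\]]+)\] '
    r'"(?:(?P<verb>\w+) (?P<request>\S+)(?: HTTP/(?P<httpversion>[\d.]+))?'
    r'|(?P<rawrequest>[^"]*))" '
    r'(?P<response>\d{3}) (?P<bytes>\d+|-) '
    r'(?P<referrer>"[^"]*") (?P<agent>"[^"]*")'
)


def grok_combined(line: str) -> dict:
    """Build the event grok would produce for one line.

    A line that does not match keeps only "message" and gets the
    _grokparsefailure tag, which is what Logstash does on a miss.
    """
    event = {"message": line}
    m = COMBINED_RE.match(line)
    if m is None:
        event["tags"] = ["_grokparsefailure"]
        return event
    # Drop groups that did not participate (e.g. rawrequest on a normal request).
    event.update({k: v for k, v in m.groupdict().items() if v is not None})
    return event


# Constructed sample input: the line from the question, a failed login with
# "-" for bytes and a real referrer, and a junk line that must not match.
SAMPLE_LINES = [
    '127.0.0.1 - - [21/May/2016:13:43:37 +0200] "GET /images/example.png HTTP/1.1" 304 0 "-" '
    '"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:46.0) Gecko/20100101 Firefox/46.0" "-"',
    '10.0.0.5 - alice [21/May/2016:13:44:01 +0200] "POST /login HTTP/1.1" 401 - '
    '"http://example.test/" "curl/7.47.0"',
    'not an apache log line',
]


def parse_all(lines=SAMPLE_LINES) -> list:
    """Parse every sample line into its grok-style event."""
    return [grok_combined(line) for line in lines]


if __name__ == "__main__":
    for event in parse_all():
        print(event)
```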