我正在使用在一台机器上运行的麋鹿堆栈,并使用在另一台机器上运行的filebeat来馈送日志。输入格式类型为apache日志。只是一个例子
10.1.119.222 - elon_musk [16/Jun/2018:00:00:03 +0000] "GET /a/changes/?q=project:dev/solarcity-microservice-framework+is:open&n=100 HTTP/1.1" 200 2717 - "libwww-perl/6.15"
我正在使用基本过滤器将我的消息分为不同的字段并删除消息字段,但是不知何故过滤器根本无法工作。
input {
beats {
port => 5044
}
}
filter {
if [path] =~ "httpd" {
grok {
match => { "message" => "%{IP:client_ip} %{USERNAME:ident} %{USER:auth} \[%{HTTPDATE:apache_timestamp}\] \"%{WORD:method} /%{NOTSPACE:request} HTTP/%{NUMBER:http_version}\" %{NUMBER:server_response}"
}
remove_field => ["message"]
}
}
}
output {
elasticsearch {
hosts => ["elasticsearch:9200"]
index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
document_type => "%{[@metadata][type]}"
}
stdout {
codec => rubydebug
}
}
logstash输出:
{
logstash_1 | "message" => "10.1.119.177 - elon_musk - [16/Jun/2018:00:14:56 +0000] \"GET /monitoring?part=graph&graph=usedMemory HTTP/1.1\" 200 2189 \"http://git.xx.com/monitoring?part=graph&graph=usedMemory\" \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0\"",
logstash_1 | "@version" => "1",
logstash_1 | "@timestamp" => 2018-07-18T22:35:53.225Z,
logstash_1 | "input" => {
logstash_1 | "type" => "log"
logstash_1 | },
logstash_1 | "prospector" => {
logstash_1 | "type" => "log"
logstash_1 | },
logstash_1 | "offset" => 67786,
logstash_1 | "beat" => {
logstash_1 | "hostname" => "coloserver",
logstash_1 | "version" => "6.3.0",
logstash_1 | "name" => "coloserver"
logstash_1 | },
logstash_1 | "tags" => [
logstash_1 | [0] "beats_input_codec_plain_applied"
logstash_1 | ],
logstash_1 | "source" => "/usr/gerrit/logs/httpd_log",
logstash_1 | "host" => {
logstash_1 | "name" => "colobp15"
logstash_1 | }
logstash_1 | }
我希望未显示消息字段,相反,它应该已经显示了消息隔离到的所有其他字段。
如果我做错了任何事情,请告诉我。
非常感谢, LifeIsButifool