Logstash configuration for logs structured as "syslog {docker {kafka | zk | go | x} | system}"
Editor's note: this post was compiled by the cha138.com editors and presents a Logstash configuration for logs structured as "syslog {docker {kafka | zk | go | x} | system}": every event arrives as a syslog line and is either a system daemon's line or a docker container's line, and a container line is further recognised as Kafka, ZooKeeper, a Go service logging with logrus, or anything else (x). It is offered for reference.
input {
  # Plain TCP listener. 6514 is the IANA port for syslog over TLS, but this
  # input is not configured for TLS: anything that can reach the port can
  # inject arbitrary events, and senders must ship plaintext. Before using
  # this in production, enable TLS on the tcp input (ssl_enable, ssl_cert,
  # ssl_key, ssl_verify) or restrict the port to trusted senders.
  tcp {
    port => 6514
  }
}

filter {
  # Every grok below runs independently against the current "message"
  # field. A stage that matches adds its tag and, where the pattern captures
  # "message", replaces the field (overwrite); a stage that does not match
  # adds _grokparsefailure, which the final mutate strips.

  # Match docker services: syslog lines whose program field has the form
  # "<service>/<containerid>[pid]", as produced by a syslog log driver tagged
  # with the container name and id.
  grok {
    break_on_match => true
    match => {
      "message" => "%{SYSLOGTIMESTAMP} (?:%{SYSLOGFACILITY} )?%{SYSLOGHOST:source} (?<service>[a-zA-Z0-9\-\._]+)?\/%{WORD:containerid}\[%{INT}\]:"
    }
    overwrite => [ "service" ]
    add_tag => ["docker"]
  }

  # Match golang logs formatted using logrus (k=v). The quoted and unquoted
  # msg= variants are tried in order; the trailing key/value pairs are kept
  # in "gokv" for the kv filter below.
  grok {
    break_on_match => true
    match => {
      "message" => [
        "\"%{TIMESTAMP_ISO8601}\" level=%{LOGLEVEL:level} msg=\"%{DATA:message}\" %{GREEDYDATA:gokv}",
        "\"%{TIMESTAMP_ISO8601}\" level=%{LOGLEVEL:level} msg=%{DATA:message} %{GREEDYDATA:gokv}"
      ]
    }
    overwrite => [ "message" ]
    add_tag => ["go"]
  }

  # Extract key/values from the logrus remainder into top-level fields
  # (a no-op when "gokv" was not set).
  kv {
    source => "gokv"
    remove_field => [ "gokv" ]
  }

  # Match Kafka logs: "[YYYY-MM-DD HH:MM:SS,mmm] LEVEL text"
  grok {
    break_on_match => true
    match => {
      "message" => [
        "\[%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{TIME}\]\s%{LOGLEVEL:level}\s%{GREEDYDATA:message}$"
      ]
    }
    add_tag => ["kafka"]
    overwrite => [ "message" ]
  }

  # Match Zookeeper logs: "YYYY-MM-DD HH:MM:SS,mmm [myid:N] - LEVEL [class] - text"
  grok {
    break_on_match => true
    match => {
      "message" => [
        "%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{TIME} \[myid:%{INT:zkid}\]\s-\s%{LOGLEVEL:level}\s*\[%{GREEDYDATA:class}\]\s-\s%{GREEDYDATA:message}$"
      ]
    }
    add_tag => ["zk"]
    overwrite => [ "message" ]
  }

  # Match Java stacktrace continuation lines. rsyslog escapes the leading
  # tab of "\tat ..." as the octal sequence #011.
  grok {
    break_on_match => true
    match => {
      "message" => [
        "\s#011at\s%{GREEDYDATA:message}$"
      ]
    }
    add_tag => ["stacktrace"]
    overwrite => [ "message" ]
  }

  # In the end match plain syslog lines. Docker lines recognised above have
  # already had "message" replaced, so only system lines (and docker lines
  # that matched none of the formats above) reach this stage. SYSLOGBASE
  # sets logsource, program and pid.
  grok {
    break_on_match => true
    match => {
      "message" => [
        "%{SYSLOGBASE} %{GREEDYDATA:message}"
      ]
    }
    add_tag => ["syslog"]
    overwrite => [ "message" ]
  }

  # Match iptables logs (kernel lines prefixed by a "[DROPPED by iptables]"
  # log-prefix); strip the prefix from the message.
  grok {
    break_on_match => true
    match => {
      "message" => [
        "\[DROPPED by iptables\]%{GREEDYDATA:message}"
      ]
    }
    add_tag => ["iptables"]
    overwrite => [ "message" ]
  }

  # Clean up: drop tcp-input metadata and the pid, strip the
  # _grokparsefailure tag that every non-matching stage added (note this
  # also hides lines that matched nothing at all), give syslog and docker
  # events the same host field name, and normalise the level.
  mutate {
    remove_field => ["@version", "pid", "host", "port"]
    remove_tag => ["_grokparsefailure"]
    rename => { "logsource" => "source" }
    #rename => { "program" => "service" }
    lowercase => ["level"]
  }
  # Drop a level field that exists but carries no usable value.
  if ![level] {
    mutate {
      remove_field => ["level"]
    }
  }
  # iptables drops carry no program or level of their own.
  if "iptables" in [tags] {
    mutate {
      remove_field => ["program"]
      add_field => { "service" => "iptables" }
      add_field => { "level" => "warn" }
    }
  }
}

output {
  # Debug output; replace with the real destination (e.g. elasticsearch)
  # once the patterns are verified.
  stdout { codec => json }
}
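To check the stage order and see which tags and fields each kind of line ends up with without starting Logstash, here is an added Python emulation of the filter chain above (example code, not part of the original gist). It approximates the grok macros with hand-written regexes rather than the bundled Oniguruma patterns, assumes the overwrite => ["message"] semantics at every stage, and runs over constructed rsyslog-style sample lines; STAGES, parse_kv, process and SAMPLE_LINES are names introduced here.

```python
"""Offline emulation of the Logstash filter chain (added example, not the
original gist's code).  Grok macros are approximated by Python regexes and the
sample syslog lines are constructed for this example."""
import json
import re

# Simplified stand-ins for the grok macros the config relies on.
TS = r"[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}"        # SYSLOGTIMESTAMP
HOST = r"[\w.\-]+"                                          # SYSLOGHOST
PROG = r"[\x21-\x5a\x5c\x5e-\x7e]+"                          # PROG (no '[' or ']')
LEVEL = r"(?i:trace|debug|info|notice|warn(?:ing)?|error|fatal|panic)"  # LOGLEVEL
ISO = r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:[.,]\d+)?(?:Z|[+-]\d{2}:?\d{2})?"
DATE = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}(?:[.,]\d+)?"    # YEAR-MONTHNUM-MONTHDAY TIME

# One entry per grok stage, in the config's order: (tag, patterns).  Patterns are
# searched unanchored in the current "message", like grok; the first one that
# matches wins (break_on_match) and its named captures are written to the event.
STAGES = [
    ("docker", [rf"{TS} (?:<\d+\.\d+> )?(?P<source>{HOST}) "
                rf"(?P<service>[a-zA-Z0-9\-\._]+)?/(?P<containerid>\w+)\[\d+\]:"]),
    ("go", [rf'"{ISO}" level=(?P<level>{LEVEL}) msg="(?P<message>.*?)" (?P<gokv>.*)',
            rf'"{ISO}" level=(?P<level>{LEVEL}) msg=(?P<message>\S+) (?P<gokv>.*)']),
    ("kafka", [rf"\[{DATE}\]\s(?P<level>{LEVEL})\s(?P<message>.*)$"]),
    ("zk", [rf"{DATE} \[myid:(?P<zkid>\d+)\]\s-\s(?P<level>{LEVEL})\s*"
            r"\[(?P<class>.*)\]\s-\s(?P<message>.*)$"]),
    ("stacktrace", [r"\s#011at\s(?P<message>.*)$"]),
    ("syslog", [rf"{TS} (?:<\d+\.\d+> )?(?P<logsource>{HOST}) "
                rf"(?P<program>{PROG})(?:\[(?P<pid>\d+)\])?: (?P<message>.*)"]),
    ("iptables", [r"\[DROPPED by iptables\](?P<message>.*)"]),
]

# Approximation of the kv filter: key=value pairs split on whitespace,
# values optionally in double or single quotes.
KV_RE = re.compile(r"(\w+)=(?:\"([^\"]*)\"|'([^']*)'|(\S+))")


def parse_kv(text):
    out = {}
    for m in KV_RE.finditer(text):
        out[m.group(1)] = next(v for v in m.groups()[1:] if v is not None)
    return out


def process(line):
    """Run one raw line through the emulated filter chain; return the event."""
    event = {"message": line, "tags": []}
    for tag, patterns in STAGES:
        for pat in patterns:
            m = re.search(pat, event["message"])
            if m:
                # grok only adds captures that took part in the match; with
                # overwrite => ["message"] a captured message replaces the field
                event.update({k: v for k, v in m.groupdict().items() if v is not None})
                event["tags"].append(tag)
                break
        else:
            event["tags"].append("_grokparsefailure")
        if tag == "go" and "gokv" in event:      # kv { source => "gokv" }
            event.update(parse_kv(event.pop("gokv")))
    # Final mutate block: drop input metadata and pid, strip the failure tag,
    # unify the host field name, normalise level, special-case iptables lines.
    for field in ("@version", "pid", "host", "port"):
        event.pop(field, None)
    event["tags"] = [t for t in event["tags"] if t != "_grokparsefailure"]
    if "logsource" in event:
        event["source"] = event.pop("logsource")
    if "level" in event:
        event["level"] = event["level"].lower()
    if "iptables" in event["tags"]:
        event.pop("program", None)
        event["service"] = "iptables"
        event["level"] = "warn"
    return event


# Constructed sample lines, one per branch of "syslog {docker {kafka | zk | go | x} | system}".
SAMPLE_LINES = [
    'Mar  1 12:00:00 host1 api/abc123def[4242]: time="2017-03-01T12:00:00Z" level=info msg="request handled" path=/login status=200',
    "Mar  1 12:00:01 host1 kafka/1a2b3c[4242]: [2017-03-01 12:00:01,123] INFO Kafka version : 0.10.1.0",
    "Mar  1 12:00:02 host1 zk/9f8e7d[4242]: 2017-03-01 12:00:02,456 [myid:1] - INFO  [main:QuorumPeer@123] - Starting quorum peer",
    "Mar  1 12:00:03 host1 kafka/1a2b3c[4242]: #011at kafka.server.KafkaServer.startup(KafkaServer.scala:123)",
    "Mar  1 12:00:04 host1 sshd[999]: Accepted publickey for root from 10.0.0.5 port 51234 ssh2",
    "Mar  1 12:00:05 host1 kernel: [DROPPED by iptables]IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.1 PROTO=TCP DPT=22",
    "Mar  1 12:00:06 host1 web/55aa66[4242]: GET /index.html 200",
]


def run_samples():
    return [process(line) for line in SAMPLE_LINES]


if __name__ == "__main__":
    for ev in run_samples():
        print(json.dumps(ev, sort_keys=True))
```

Each printed event shows the tag path a line took: the logrus line ends up tagged docker and go with path and status as fields, the container line that matches none of the inner formats (the "x" case) falls through to the syslog grok and is tagged docker and syslog, and the kernel line is tagged syslog and iptables with program removed and level forced to warn. To compare against the real pipeline, send the same lines to the running config with nc (for example `printf '%s\n' "$line" | nc localhost 6514`) and diff the JSON on stdout.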