design-patterns - logstash grok 模式未按预期运行

Question

我有一个有趣的问题。

使用http://grokdebug.herokuapp.com/后效果很好。我发现以下消息虽然适用于上述站点，并且适用于看似相同的消息，但并未按预期工作。

这是模式：

%{MONTHDAY}-%{MONTH}-%{YEAR} %{TIME} %{PROG:program}: %{LOGLEVEL:loglevel}: %{USER:from} %{IP:ip}\#%{INT:port} \(%{GREEDYDATA:request}\): %{WORD:stage}(\s|\s\s)%{GREEDYDATA:drop_reason} to %{IPORHOST:to}/%{INT:subnet}

这是输出：

{
"message" => "03-Feb-2014 21:33:51.867 queries: info: client 123.123.123.123#57710 (some.dns.server.1.1.1.1.in-addr.arpa): drop  response to 231.231.231.0/24",
"@version" => "1",
"@timestamp" => "2014-02-06T00:51:04.240Z",
"type" => "ns_query",
"host" => "ns2",
"path" => "/tmp/named-query.log.29"
}

我已经看到它按预期运行，奇怪的是这些特别是不起作用，如果有人对我可能正在做的事情有任何想法，请告诉我。

您还将在下面看到与之比较的实际模式文件的内部结构：

# Parse the time stamp whis is an odd time stamp
DNS_TIME_STAMP %{MONTHDAY}-%{MONTH}-%{YEAR} %{TIME}
# Create the Header, basically the beginning of each line of the log
DNS_HEADER %{DNS_TIME_STAMP:log_timestamp} %{PROG:program}: %{LOGLEVEL:loglevel}: %{USER:from} %{IP:ip}\#%{INT:port}
# The different queires
DNS_QUERY_1 %{DNS_HEADER} \(%{IPORHOST:request}\): %{WORD:stage}: %{IPORHOST:request2} %{WORD:rq_where} %{WORD:r_type} %{DATA:flags} \(%{IPORHOST:serviced_by}\)
DNS_QUERY_2 %{DNS_HEADER} \(%{GREEDYDATA:request}\): %{WORD:stage}: %{GREEDYDATA:request2} %{WORD:rq_where} %{WORD:r_type} %{DATA:flags} \(%{GREEDYDATA}:serviced_by\)
# The different drop/slip/etc
DNS_DROP_1 %{DNS_HEADER} \(%{IPORHOST:request}\): %{WORD:stage} %{GREEDYDATA:drop_reason} to %{IPORHOST:to}/%{INT:subnet} for %{IPORHOST:requester} %{GREEDYDATA:dr_type}  \(%{BASE16NUM:request_ID}\)
DNS_DROP_2 %{DNS_HEADER} \(%{IPORHOST:request}\): %{WORD:stage}(\s|\s\s)%{GREEDYDATA:drop_reason} to %{IPORHOST:to}/%{INT:subnet} %{GREEDYDATA:dr_type}  \(%{BASE16NUM:request_ID}\)
DNS_DROP_3 %{DNS_HEADER} \(%{IPORHOST:request}\): %{WORD:stage}(\s|\s\s)%{GREEDYDATA:drop_reason} to %{IPORHOST:to}/%{INT:subnet}
DNS_DROP_4 %{DNS_HEADER} \(%{GREEDYDATA:request}\): %{WORD:stage}(\s|\s\s)%{GREEDYDATA:drop_reason} to %{IPORHOST:to}/%{INT:subnet}
DNS_DROP_5 %{DNS_HEADER} \(%{GREEDYDATA:request}\): %{WORD:stage}(\s|\s\s)%{GREEDYDATA:drop_reason} to %{IPORHOST:to}/%{INT:subnet} %{GREEDYDATA:dr_type}  \(%{BASE16NUM:request_ID}\)
# Bringing them together for ease of use in Logstash
DNS_QUERY (%{DNS_QUERY_1}|%{DNS_QUERY_2})
DNS_DROP (%{DNS_DROP_1}|%{DNS_DROP_2}|%{DNS_DROP_3}|%{DNS_DROP_4}|%{DNS_DROP_5}|)
# The pattern we call in the logstash config
DNS (%{DNS_QUERY}|%{DNS_DROP})