我有这种格式的 php 日志
[Day Mon DD HH:MM:SS YYYY] [Log-Type] [client <ipv4 ip address>] <some php error type>: <other msg with /path/of/a/php/script/file.php and something else>
[Day Mon DD HH:MM:SS YYYY] [Log-Type] [client <ipv4 ip address>] <some php error type>: <other msg without any file name in it>
[Day Mon DD HH:MM:SS YYYY] [Log-Type] [client <ipv4 ip address>] <some msg with out semicolon in it but /path/of/a/file inside the message>
我试图通过logstash处理后发送到Graylog2。在这里使用这篇文章,我可以开始了。现在我想获得一些额外的字段,以便我的最终版本看起来像这样。
{
"message" => "<The entire error message goes here>",
"@version" => "1",
"@timestamp" => "converted timestamp from Day Mon DD HH:MM:SS YYYY",
"host" => "<ipv4 ip address>",
"logtime" => "Day Mon DD HH:MM:SS YYYY",
"loglevel" => "Log-Type",
"clientip" => "<ipv4 ip address>",
"php_error_type" => "<some php error type>"
"file_name_from_the_log" => "/path/of/a/file || /path/of/a/php/script/file.php"
"errormsg" => "<the error message after first colon (:) found>"
}
我有单个行的表达式,或者至少我认为这些应该能够解析,使用grokdebugger。像这样的东西:
%{DATA:php_error_type}: %{DATA:message_part1}%{URIPATHPARAM:file_name}%{GREEDYDATA:errormsg}
%{DATA:php_error_type}: %{GREEDYDATA:errormsg}
%{DATA:message_part1}%{URIPATHPARAM:file_name}%{GREEDYDATA:errormsg}
但不知何故,我发现很难让它适用于整个日志文件。
请问有什么建议吗?此外,不确定日志文件中是否会出现任何其他类型的错误消息。但目的是为所有人获得相同的格式。任何建议如何处理这些日志以获得上述格式?