
If the events I will be receiving via syslog follow the format field1=value1 field2=value2 ..., is it possible to map their fields automatically? An example is

name=john age=15
age=29 name=jane
name=mark car=porshe

(note that the fields differ and are not always present)

One of the solutions I'm considering is sending the syslog "message" part as JSON, but I'm not sure whether it can be parsed automatically (when the rest of the log is in syslog format). My current approach fails with _jsonparsefailure, but I'll keep trying

input {
  tcp {
    port => 5514
    type => "syslogandjson"
    codec => json
  }
}

filter {
  json {
    source => "message"
  }
}

output ...

1 Answer


Fields with a key=value format can be parsed with the kv filter, but it doesn't support fields with double-quoted values, i.e.

key1=value1 key2="value2 with spaces" key3=value3

or (even worse)

key1=value1 key2=value2 with spaces key3=value3

won't turn out well.

Sending the message as JSON is way better, but as you've discovered you can't use the json codec since the codec applies to the whole message (timestamp and all) and not just the message part where your serialized JSON string can be found. You're on the right track with the json filter though. Just make sure you have that filter after the grok filter that parses the raw syslog message to extract timestamp, severity, and so on. You'll want something like this:

filter {
  grok {
    match => [...]
    # Allow replacement of the original message field
    overwrite => ["message"]
  }
  date {
    ...
  }
  json {
    source => "message"
  }
}

Since presumably not all messages you pick up are JSON messages you might want a conditional around the json filter. Or, attempt the JSON parsing of all messages but remove any _jsonparsefailure tag that the filter adds for messages it couldn't parse.

Answered 2015-02-03T09:37:19.080
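A complete pipeline for the setup discussed in the question and answer, added here as an illustration (it is not the asker's or the answerer's config): grok extracts the syslog envelope, and the message part is decoded with the json filter only when it starts with `{`, falling back to kv for plain `field=value` lines, so the `_jsonparsefailure` tag never appears on non-JSON events. The grok pattern and the `payload` target name are assumptions, not anything the thread prescribes.

```logstash
# Added example, not from the original question or answer.
input {
  tcp {
    port => 5514
    type => "syslogandjson"
    # No json codec here: the wire format is a syslog line, not JSON
  }
}

filter {
  grok {
    # Assumed RFC3164-style envelope; the payload lands in syslog_message
    match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
  }
  date {
    match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
  }
  if [syslog_message] =~ /^\s*\{/ {
    # Payload is a JSON object: decode it under its own key so that
    # sender-controlled field names cannot overwrite syslog_hostname,
    # @timestamp or other envelope fields
    json {
      source => "syslog_message"
      target => "payload"
    }
  } else {
    # Plain key=value payload such as "name=john age=15"; keys that are
    # absent from a line are simply not created on that event
    kv {
      source => "syslog_message"
      target => "payload"
    }
  }
}

output {
  stdout { codec => rubydebug }
}
```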