4

Logstash 和多线协同工作有一些困难

我正在使用Logspout容器,它将所有标准输出日志条目作为 syslog 转发到 logstash。

这是 logstash 收到的最终内容。这里有多行应该代表两个事件。

<14>2015-02-09T14:25:01Z logspout dev_zservice_1[1]: 2015-02-10 11:55:38.496  INFO 1 --- [tp1302304527-19] c.z.service.DefaultInvoiceService        : Creating with DefaultInvoiceService started...
<14>2015-02-09T14:25:01Z logspout dev_zservice_1[1]: 2015-02-10 11:55:48.596  WARN 1 --- [tp1302304527-19] o.eclipse.jetty.servlet.ServletHandler   : 
<14>2015-02-09T14:25:01Z logspout dev_zservice_1[1]: 
<14>2015-02-09T14:25:01Z logspout dev_zservice_1[1]: org.springframework.web.util.NestedServletException: Request processing failed; nested exception is org.springframework.dao.DataAccessResourceFailureException: Timed out after 10000 ms while waiting for a server that matches AnyServerSelector{}. Client view of cluster state is {type=Unknown, servers=[{address=mongo:27017, type=Unknown, state=Connecting, exception={com.mongodb.MongoException$Network: Exception opening the socket}, caused by {java.net.UnknownHostException: mongo: unknown error}}]; nested exception is com.mongodb.MongoTimeoutException: Timed out after 10000 ms while waiting for a server that matches AnyServerSelector{}. Client view of cluster state is {type=Unknown, servers=[{address=mongo:27017, type=Unknown, state=Connecting, exception={com.mongodb.MongoException$Network: Exception opening the socket}, caused by {java.net.UnknownHostException: mongo: unknown error}}]
<14>2015-02-09T14:25:01Z logspout dev_zservice_1[1]:    at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:978)
<14>2015-02-09T14:25:01Z logspout dev_zservice_1[1]:    at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:868)
<14>2015-02-09T14:25:01Z logspout dev_zservice_1[1]:    at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
<14>2015-02-09T14:25:01Z logspout dev_zservice_1[1]:    at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:842)

每个日志行都以 syslog 头开头。

基于上述日志内容,我创建了 logstash 配置文件。

input {
  udp {
    port => 5000
    type => syslog
  }
}

filter {
  multiline {
    pattern => "^<%{NUMBER}>%{TIMESTAMP_ISO8601} %{SYSLOGHOST:container_name} %{DATA}(?:\[%{POSINT}\])?:%{SPACE}%{TIMESTAMP_ISO8601}"
    negate => true
    what => "previous"
    stream_identity => "%{container_name}"
  }

  grok {
    match => [ "message", "(?m)^<%{NUMBER}>%{TIMESTAMP_ISO8601} %{SYSLOGHOST} %{DATA:container_name}(?:\[%{POSINT}\])?:%{SPACE}%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{LOGLEVEL:loglevel}%{SPACE}%{NUMBER}%{SPACE}---%{SPACE}(?:\[%{DATA:threadname}\])?%{SPACE}%{JAVACLASS:clas
  }

  date {
    match => [ "timestamp", "yyyy-MM-dd HH:mm:ss.SSS" ]
    remove_field => ["timestamp"]
  }
  if !("_grokparsefailure" in [tags]) {
    mutate {
      replace => [ "source_host", "%{container_name}" ]
      replace => [ "raw_message", "%{message}" ]
      replace => [ "message", "%{logmessage}" ]
      remove_field => [ "logmessage", "host", "source_host" ]
    }
  }
  mutate {
    strip => [ "threadname" ]
  }
}

output {
  elasticsearch { }
}

现在,当上述事件到达时,第一个事件被正确解析并显示:

message = "Creating with DefaultInvoiceService started..."

第二个事件包含此消息,其中包含三个问题:

<14>2015-02-10T12:59:09Z logspout dev_zservice_1[1]: 

<14>2015-02-10T12:59:09Z logspout dev_zservice_1[1]: org.springframework.web.util.NestedServletException: Request processing failed; nested exception is org.springframework.dao.DataAccessResourceFailureException: Timed out after 10000 ms while waiting for a server that matches AnyServerSelector{}. Client view of cluster state is {type=Unknown, servers=[{address=mongo:27017, type=Unknown, state=Connecting, exception={com.mongodb.MongoException$Network: Exception opening the socket}, caused by {java.net.UnknownHostException: mongo: unknown error}}]; nested exception is com.mongodb.MongoTimeoutException: Timed out after 10000 ms while waiting for a server that matches AnyServerSelector{}. Client view of cluster state is {type=Unknown, servers=[{address=mongo:27017, type=Unknown, state=Connecting, exception={com.mongodb.MongoException$Network: Exception opening the socket}, caused by {java.net.UnknownHostException: mongo: unknown error}}]

<14>2015-02-10T12:59:09Z logspout dev_zservice_1[1]:    at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:978)

<14>2015-02-10T12:59:09Z logspout dev_zservice_1[1]:    at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:868)

<14>2015-02-10T12:59:09Z logspout dev_zservice_1[1]:    at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)

<14>2015-02-10T12:59:09Z logspout dev_zservice_1[1]:    at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:842)

<14>2015-02-10T12:59:09Z logspout dev_nginx_1[1]: 192.168.59.3 - - [10/Feb/2015:12:59:09 +0000] "POST /api/invoice/ HTTP/1.1" 500 1115 "http://192.168.59.103/"; "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.94 Safari/537.36" "-"
  1. 消息文本包含一行不属于这里的dev_nginx_1条目。这应该被视为一个单独的事件。

  2. 每行都包含前缀。<14>2015-02-10T12:59:09Z logspout dev_zservice_1[1]:

  3. 每行都有一个额外的新行

问题。为什么dev_nginx_1条目本身不是一个事件。为什么它被认为属于前一个?如何摆脱消息每行中的 syslog 前缀。我怎样才能摆脱额外的新线?

4

2 回答 2

0

至于(1),您container_name在多行中使用。这是时间戳之后的字段。在您的示例中,它们都是“logspout”。对我来说似乎是对的。

至于(2),每一行都带有前缀和时间戳,因此您希望它们默认存在。你正在做一个mutate{}替换messagelog_message,但我没有看到你正在设置log_message。那么,您认为前缀和时间戳是如何被删除的?

于 2015-02-10T23:48:08.703 回答
0

对于 (1),在您的多线模式中替换为(就像您在%{SYSLOGHOST:container_name} %{DATA}grok中使用的那样)。%{SYSLOGHOST} %{DATA:container_name}

对于 (2) 和 (3),您可以尝试以下操作:

mutate {
    gsub => [ "message", "<\d+>.*?:\s", "", "message", "\n(\n)", "\1" ]
}

在这里,gsub设置正在执行两个操作:

  1. 检查字段“message”,找到从“<14>”到冒号后跟空格的子字符串,然后用空字符串替换这些子字符串。
  2. 检查“消息”字段,找到由两个连续换行符组成的子字符串,并将它们替换为一个换行符。它使用\1对 group 的反向引用执行替换(\n),因为如果您尝试使用\n自身,Logstash 实际上会将其替换为\\n,这将不起作用。
于 2016-12-08T22:01:20.933 回答