-1

我正在使用 nxlog 及其 Perl 模块 xm_perl ( https://nxlog.co/documentation/nxlog-user-guide/xm_perl.html )。我用正则表达式编写了一个 Perl 代码,它可以完美地处理我想要的数据。我的 nxlog 看起来像这样:

User nxlog
Group nxlog

LogFile /var/log/nxlog/nxlog.log
LogLevel INFO

<Extension json>
    Module      xm_json
</Extension>

<Extension perl>
    Module      xm_perl
    PerlCode    /usr/libexec/nxlog/modules/extension/perl/perlcode.pl
</Extension>

<Extension syslog>
    Module      xm_syslog
</Extension>

<Input udp>
    Module      im_udp
    Host        0.0.0.0
    Port        514 
    Exec        parse_syslog(); to_json();perl_call("rec2msg");
</Input> 

<Output file_udp>
    Module      om_file
    File        "/tmp/logmsg2.txt"
</Output> 

<Route udp_to_file>
    Path        udp => file_udp
</Route>

perlcode.pl看起来像这样:

use strict;
use warnings;
use feature 'say';
use JSON;
use utf8;

my %IDs = ( "User awx01 logged in." => 1001 );  
my %levels = ( INFO => 4 );                                 
my $json    = data2json($event);         
my $record  = decode_json($json);       
say rec2msg($record);
sub data2json {                         
    my $json = shift;                   
    $json =~ s/[""]/"/g;
    $json =~ s/\\//g;
    $json =~ s/"(\{.*?\})"/$1/;
    return $json;
}
sub rec2msg {                           
    my $r = shift;
    $r->{Message}{message} =~ /(\w+) (\w+) (.+)/;

    my($user,$msg) = ($2,"$1 $3");
    my $ID   = $IDs{$r->{Message}{message}};
    my $level   = $levels{$r->{Message}{level}};

    my $out = "$r->{Message}{'@timestamp'} host CEF:0|OpenSource|AWX|7.0.0|$ID|$msg|$level|src=127.0.0.1 dst=$r->{MessageSourceAddress} duser=$user";
    return $out;
}

所以我希望我在 to_json() 之后得到的 JSON 用 perl_call ("rec2msg") 变成新格式,但是我收到了这个错误:

ERROR perl subroutine rec2msg failed with an error: 'Can't use string ("140116462930352") as a HASH ref while "strict refs" in use at /usr/libexec/nxlog/modules/extension/perl/perlcode.pl line 21.;'

我究竟做错了什么?

这是 JSON,它应该被转换:

{"MessageSourceAddress":"192.168.81.20","EventReceivedTime":"2020-02-06 11:55:14","SourceModuleName":"udp","SourceModuleType":"im_udp","SyslogFacilityValue":1,"SyslogFacility":"USER","SyslogSeverityValue":5,"SyslogSeverity":"NOTICE","SeverityValue":2,"Severity":"INFO","EventTime":"2020-02-06 11:55:14","Hostname":"192.168.81.20","Message":"{\"@timestamp\": \"2020-02-06T08:55:52.907Z\", \"message\": \"User awx01 logged in.\", \"host\": \"awxweb\", \"level\": \"INFO\", \"logger_name\": \"awx.api.generics\", \"stack_info\": null, \"type\": \"other\", \"cluster_host_id\": \"awx-contr-01\", \"tower_uuid\": \"333b4131-495f-4460-8e4b-890241a9d73d\"}"}
4

1 回答 1

1

要么 要么$r不是$r->{Message}哈希引用,而是一个很大的数字。

该数字可能是参考地址,您不是在某处的数字上下文中使用哈希引用吗?

还有一条可疑的线:

  • s/[""]/"/g什么都不做,[""]是一个等价于".
于 2020-04-01T16:15:06.787 回答