Logstash Grok filter for Apache access logs

O C*_*nor 6 filter logstash logstash-grok

I've been searching around but can't find a working solution. I'm trying to use the Grok filter in the Logstash config file to filter an Apache access log file. The log messages look like this: {"message":"00.00.0.000 - - [dd/mm/YYYY:hh:mm:ii +0000] \"GET /index.html HTTP/1.1\" 200 00"}.

At the moment I can only filter out the client IP, using grok { match => [ "message", "%{IP:client_ip}" ] }.

I want to filter out:

- the GET method,
- the requested page (index.html),
- HTTP/1.1,
- the server response 200,
- the last number 00 after 200 inside the message body

Note that neither of these works for me:

grok { match => { "message" => "%{COMBINEDAPACHELOG}" } } 

or

grok { match => [ "message", "%{COMBINEDAPACHELOG}" ] }

Gar*_*aid 18

Use the Grok Debugger to match the log format exactly. That's the only way.

http://grokdebug.herokuapp.com/


O C*_*nor 18

grok {
  match => [ "message", "%{IP:client_ip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:apache_timestamp}\] \"%{WORD:method} /%{NOTSPACE:request_page} HTTP/%{NUMBER:http_version}\" %{NUMBER:server_response} " ]
}

  • Source, the Logstash v1.4.2 grok-patterns file (https://github.com/elastic/logstash/blob/v1.4.2/patterns/grok-patterns):

        # Log formats
        SYSLOGBASE %{SYSLOGTIMESTAMP:timestamp} (?:%{SYSLOGFACILITY} )?%{SYSLOGHOST:logsource} %{SYSLOGPROG}:
        COMMONAPACHELOG %{IPORHOST:clientip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] "(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})" %{NUMBER:response} (?:%{NUMBER:bytes}|-)
        COMBINEDAPACHELOG %{COMMONAPACHELOG} %{QS:referrer} %{QS:agent}

    (2 upvotes)
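Added example (not part of the question, either answer, or Logstash itself): a small Ruby script that expands `%{NAME:field}` references the way Grok does and runs the accepted answer's pattern, plus the stock COMMONAPACHELOG and COMBINEDAPACHELOG definitions quoted in the comment above, against a constructed access-log line. The base patterns (IP, USER, HTTPDATE and so on) are simplified stand-ins, not Logstash's real definitions; the `EXTENDED_PATTERN` constant and its `bytes` field are my addition for the last number the asker wanted. It shows why COMBINEDAPACHELOG fails on a line like the asker's: that pattern requires a quoted referrer and user agent after the byte count, which the common log format does not have.

```ruby
# Grok-style pattern expander (simplified, for illustration only).
# Base patterns are stand-ins for Logstash's; COMMONAPACHELOG and
# COMBINEDAPACHELOG are copied from the v1.4.2 grok-patterns file.
PATTERNS = {
  "INT"      => '(?:[+-]?(?:[0-9]+))',
  "NUMBER"   => '(?:[+-]?(?:[0-9]+(?:\.[0-9]+)?))',
  "WORD"     => '\b\w+\b',
  "NOTSPACE" => '\S+',
  "DATA"     => '.*?',
  "USER"     => '[a-zA-Z0-9._-]+',
  "IP"       => '(?:[0-9]{1,3}\.){3}[0-9]{1,3}',          # simplified: IPv4 only
  "IPORHOST" => '(?:%{IP}|[A-Za-z0-9.-]+)',
  "MONTH"    => '\b(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\b',
  "MONTHDAY" => '(?:0[1-9]|[12][0-9]|3[01]|[1-9])',
  "YEAR"     => '(?:\d\d){1,2}',
  "HOUR"     => '(?:2[0123]|[01]?[0-9])',
  "MINUTE"   => '(?:[0-5][0-9])',
  "SECOND"   => '(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)',
  "TIME"     => '%{HOUR}:%{MINUTE}(?::%{SECOND})',
  "HTTPDATE" => '%{MONTHDAY}/%{MONTH}/%{YEAR}:%{TIME} %{INT}',
  "QS"       => '"[^"]*"',                                  # simplified: no escaped quotes
  "COMMONAPACHELOG" =>
    '%{IPORHOST:clientip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] ' \
    '"(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})" ' \
    '%{NUMBER:response} (?:%{NUMBER:bytes}|-)',
  "COMBINEDAPACHELOG" => '%{COMMONAPACHELOG} %{QS:referrer} %{QS:agent}',
}.freeze

# %{NAME:field} becomes a named capture group, %{NAME} a non-capturing group.
GROK_REF = /%\{(\w+)(?::(\w+))?\}/

def expand(pattern, depth = 0)
  raise ArgumentError, "grok pattern nesting too deep" if depth > 20
  pattern.gsub(GROK_REF) do
    name  = Regexp.last_match(1)
    field = Regexp.last_match(2)
    body  = PATTERNS.fetch(name) { raise ArgumentError, "unknown grok pattern %{#{name}}" }
    inner = expand(body, depth + 1)
    field ? "(?<#{field}>#{inner})" : "(?:#{inner})"
  end
end

# Returns a Hash of the named fields, or nil when the pattern does not match
# (the case Logstash marks with a _grokparsefailure tag).
def grok_match(pattern, line)
  m = Regexp.new(expand(pattern)).match(line)
  m && m.named_captures.compact
end

# Constructed sample line in the shape the question shows.
SAMPLE_LINE = '10.0.0.1 - - [10/Oct/2000:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326'

# The accepted answer's pattern as given (the \" of the Logstash config string
# is a plain " here); note it captures nothing after the trailing space.
ANSWER_PATTERN = '%{IP:client_ip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:apache_timestamp}\] ' \
                 '"%{WORD:method} /%{NOTSPACE:request_page} HTTP/%{NUMBER:http_version}" ' \
                 '%{NUMBER:server_response} '

# Hypothetical extension: also capture the last number (the response size).
EXTENDED_PATTERN = ANSWER_PATTERN + '%{NUMBER:bytes}'

if __FILE__ == $PROGRAM_NAME
  puts grok_match(ANSWER_PATTERN, SAMPLE_LINE).inspect
  puts grok_match(EXTENDED_PATTERN, SAMPLE_LINE).inspect
  puts grok_match('%{COMMONAPACHELOG}', SAMPLE_LINE).inspect
  puts grok_match('%{COMBINEDAPACHELOG}', SAMPLE_LINE).inspect   # nil: no referrer/agent on the line
end
```

Run it with `ruby grok_demo.rb`. The first three calls return field hashes; the last returns nil, which is the same outcome the asker saw with `%{COMBINEDAPACHELOG}`. Because Grok matching is unanchored, a pattern that is too loose will still match somewhere in the line, so when debugging it is worth checking every captured field, not only that the match succeeded.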