Logstash 解析错误 CISCOTIMESTAMP 调试器检查正常

Question

有以下logstash conf文件：

filter {
  if [type] == "TACACS_log" {
    grok {
      match => { "message" => "%{CISCOTIMESTAMP:JsonTimestamp} %{IP:LogonTo} \s* %{USERNAME:User} \s* %{WORD:Port} \s* %{IP:LogonFrom} %{DATA} cmd=%{GREEDYDATA:command}" }
      match => { "message" => "%{CISCOTIMESTAMP:JsonTimestamp} %{IP:LogonTo} \s* %{USERNAME:User} %{WORD:Port} %{DATA} cmd=%{GREEDYDATA:command}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{LogonTo}" ]
    }
    date {
          match => [ "CISCOTIMESTAMP", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}

日志通过 logstash 转发器进入，但 CISCOTIMESTAMP 不匹配。示例日志文件：

6 月 11 日 11:32:38 192.168.2.49 user tty1 10.1.250.5 stop task_id=176 timezone=EDT service=shell start_time=1434036772 priv-lvl=15 cmd=show running-config

Answer 1

问题在于您可以在 _message 字段中看到的日志条目的格式：{"message":"Jun 2 14:43:24\t192.168.2.53\tadmintest\ttty1\t10.1.250. 6\tstop\ttask_id=133\ttimezone=EDT\tservice=shell\tstart_time=1433270604\tpriv-lvl=15\tcmd=记录陷阱警告 ","@version":"1","@timestamp":"2015- 06-12T10:14:30.493Z","type":"TACACS_log","host":"ELK","path":"/tmp/tac_plus_acct.log","JsonTimestamp":"Jun 2 14:43: 24","LogonTo":"192.168.2.53","User":"admintest","Port":"tty1","LogonFrom":"10.1.250.6","command":"记录陷阱警告"}

一些字段是制表符分隔的，但不是全部。有效的语句是：

match => { "message" => "%{CISCOTIMESTAMP:JsonTimestamp}\s*%{IP:LogonTo}\s*%{USERNAME:User}\s*%{WORD:Port}\s*% {IP:LogonFrom}%{GREEDYDATA}cmd=%{GREEDYDATA:command}" }