【Posted】: 2016-04-20 14:37:14
【Question】:
I installed the latest logstash (2.3) and I want to parse syslog with the grok filter. So, here is the filter:
filter {
  if [type] == "linux-syslog" {
    grok {
      match => { "message" => "^%{SYSLOGTIMESTAMP:syslog_timestamp}\s*%{SYSLOGHOST:syslog_hostname}\s*(%{PROG:syslog_program})?\s*(:?\[%{POSINT:syslog_pid}\])?:?\s*%{GREEDYDATA:syslog_message}[a-z]*\s*$" }
      patterns_dir => ["/var/opt/logstash/patterns"]
      add_tag => "syslog_everything"
      keep_empty_captures => "true"
    }
    date {
      match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}
And this is what I get when logstash tries to parse it:
{
             "message" => "Apr 20 14:31:35 node1 ansible-service: Invoked with name=logstash pattern=None enabled=True state=restarted sleep=None arguments= runlevel=default ",
            "@version" => "1",
          "@timestamp" => "2016-04-20T14:31:35.000Z",
                "path" => "/var/log/syslog",
                "host" => "node1",
                "type" => "linux-syslog",
    "syslog_timestamp" => "Apr 20 14:31:35",
     "syslog_hostname" => "node1",
      "syslog_program" => "ansible-service:",
          "syslog_pid" => nil,
      "syslog_message" => "Invoked with name=logstash pattern=None enabled=True state=restarted sleep=None arguments= runlevel=default ",
                "tags" => [
        [0] "syslog_everything",
        [1] "_grokparsefailure"
    ]
}
And also:
{
             "message" => "Apr 20 14:35:10 node1 crontab [29052]: (vagrant) END EDIT (vagrant)",
            "@version" => "1",
          "@timestamp" => "2016-04-20T14:35:10.000Z",
                "path" => "/var/log/syslog",
                "host" => "node1",
                "type" => "linux-syslog",
    "syslog_timestamp" => "Apr 20 14:35:10",
     "syslog_hostname" => "node1",
      "syslog_program" => "crontab",
          "syslog_pid" => "29052",
      "syslog_message" => "(vagrant) END EDIT (vagrant)",
                "tags" => [
        [0] "syslog_everything",
        [1] "_grokparsefailure"
    ]
}
What am I doing wrong here? I checked it with grokdebugger and the result is fine...
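An added check, not part of the question or of Logstash itself: expanding the question's grok pattern into an equivalent Python regex and running it over the two sample messages reproduces the captures shown in the output above, including `syslog_program` => `ansible-service:` with the colon, which the PROG character class permits. It assumes a simplified subset of the stock grok-patterns definitions (no IP alternative in SYSLOGHOST, English month abbreviations only), so it shows that the pattern itself accepts both lines rather than where the `_grokparsefailure` tag comes from.

```python
import re

# Subset of the stock logstash-patterns-core definitions used by the question's
# pattern. Assumption: simplified (SYSLOGHOST drops the IP alternative, MONTH
# lists only English abbreviations); the character classes are the stock ones.
GROK_PATTERNS = {
    "MONTH": r"\b(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\b",
    "MONTHDAY": r"(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])",
    "HOUR": r"(?:2[0123]|[01]?[0-9])",
    "MINUTE": r"(?:[0-5][0-9])",
    "SECOND": r"(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)",
    "TIME": r"%{HOUR}:%{MINUTE}(?::%{SECOND})(?![0-9])",
    "SYSLOGTIMESTAMP": r"%{MONTH} +%{MONTHDAY} %{TIME}",
    "HOSTNAME": r"\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(?:\.?|\b)",
    "SYSLOGHOST": r"%{HOSTNAME}",
    "PROG": r"[\x21-\x5a\x5c\x5e-\x7e]+",  # ':' (0x3a) is inside this range
    "POSINT": r"\b(?:[1-9][0-9]*)\b",
    "GREEDYDATA": r".*",
}

GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(pattern):
    """Expand %{NAME} / %{NAME:field} references into a plain Python regex."""
    def expand(m):
        name, field = m.group(1), m.group(2)
        body = grok_to_regex(GROK_PATTERNS[name])  # definitions may nest
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return GROK_REF.sub(expand, pattern)


# The match pattern from the question's grok filter, verbatim.
SYSLOG_PATTERN = (
    r"^%{SYSLOGTIMESTAMP:syslog_timestamp}\s*%{SYSLOGHOST:syslog_hostname}\s*"
    r"(%{PROG:syslog_program})?\s*(:?\[%{POSINT:syslog_pid}\])?:?\s*"
    r"%{GREEDYDATA:syslog_message}[a-z]*\s*$"
)

# Sample input: the two "message" values from the question's output.
SAMPLES = [
    "Apr 20 14:31:35 node1 ansible-service: Invoked with name=logstash "
    "pattern=None enabled=True state=restarted sleep=None arguments= runlevel=default ",
    "Apr 20 14:35:10 node1 crontab [29052]: (vagrant) END EDIT (vagrant)",
]


def grok_match(pattern, line):
    """Named captures for `line`, or None where grok would tag _grokparsefailure."""
    m = re.match(grok_to_regex(pattern), line)
    return m.groupdict() if m else None


if __name__ == "__main__":
    for line in SAMPLES:
        print(grok_match(SYSLOG_PATTERN, line))
```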
【Discussion】: