logstash 2.4.0: grok fails silently with custom pattern

I am trying to get a custom pattern to work with logstash 2.4.0, but I am failing. Here is the relevant part of the conf file (the full config is at the end):

```
#some parsing happens above...
grok {
  patterns_dir => ["/config_dir/patterns"]
  match => [ "syslog_message", "%{QID:qid}:" ]
}
```

The patterns directory contains only the file sendmail.grok, which contains:

```
#########
QID a
```

When I run this by hand I get the following exception (reformatted):

```
{:exception=>"Grok::PatternError",
 :backtrace=>["/opt/logstash/vendor/bundle/jruby/1.9/gems/jls-grok-0.11.3/lib/grok-pure.rb:123:in `compile'",
 "org/jruby/RubyKernel.java:1479:in `loop'",
 "/opt/logstash/vendor/bundle/jruby/1.9/gems/jls-grok-0.11.3/lib/grok-pure.rb:93:in `compile'",
 "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-filter-grok-2.0.5/lib/logstash/filters/grok.rb:264:in `register'",
 "org/jruby/RubyArray.java:1613:in `each'",
 "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-filter-grok-2.0.5/lib/logstash/filters/grok.rb:259:in `register'",
 "org/jruby/RubyHash.java:1342:in `each'",
 "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-filter-grok-2.0.5/lib/logstash/filters/grok.rb:255:in `register'",
 "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.4.0-java/lib/logstash/pipeline.rb:182:in `start_workers'",
 "org/jruby/RubyArray.java:1613:in `each'",
 "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.4.0-java/lib/logstash/pipeline.rb:182:in `start_workers'",
 "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.4.0-java/lib/logstash/pipeline.rb:136:in `run'",
 "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.4.0-java/lib/logstash/agent.rb:491:in `start_pipeline'"],
 :level=>:error,
 :file=>"logstash/agent.rb",
 :line=>"493",
 :method=>"start_pipeline"
}
```

This exception is independent of the contents of patterns/sendmail.grok. It is a PatternError, but I cannot tell where the error occurs. However, if I comment out the match line, everything is fine (sample input below):
```
{
    "message" => "Oct 25 13:18:27 alpha opendkim[1160]: u9PBIMwu011394: authsmtp79.register.it [195.110.122.164] not internal",
    "@version" => "1",
    "@timestamp" => "2016-10-25T11:25:35.072Z",
    "path" => "/log/maillog",
    "host" => "93fe70f98023",
    "syslog_severity_code" => 5,
    "syslog_facility_code" => 1,
    "syslog_facility" => "user-level",
    "syslog_severity" => "notice",
    "tags" => [
        [0] "syslog_message_unparsed",
        [1] "syslog_relay"
    ],
    "syslog_timestamp" => "Oct 25 13:18:27",
    "syslog_host" => "alpha",
    "program" => "opendkim",
    "pid" => "1160",
    "syslog_message" => "u9PBIMwu011394: authsmtp79.register.it [195.110.122.164] not internal",
    "syslog_fullhost" => "alpha"
}
```
Any ideas?

TIA, ALF
Full config:

```
input {
  file {
    path => "/log/maillog"
  }
}
filter {
  syslog_pri {
  }
  mutate {
    add_tag => [ "syslog_parsefailure", "syslog_message_unparsed" ]
  }
  grok {
    match => [ "message", "%{CISCOTIMESTAMP:syslog_timestamp} %{IPORHOST:syslog_host} %{SYSLOGPROG}: %{GREEDYDATA:syslog_message}" ]
    add_field => { "syslog_fullhost" => "%{syslog_host}" }
    add_tag => [ "syslog_relay" ]
    remove_tag => [ "syslog_parsefailure" ]
    tag_on_failure => [ ]
  }
  if [program] == "sendmail" {
    mutate {
      add_tag => [ "sendmail_log" ]
    }
    grok {
      patterns_dir => ["/config_dir/patterns"]
      match => [ "syslog_message", "%{QID:qid}:" ]
    }
  }
}
output {
  stdout { codec => rubydebug }
}
```
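As an added example (not code from the post or from Logstash), a minimal Python grok pattern loader and compiler that separates the two failure modes relevant here: a `%{NAME}` reference that resolves to no definition, as when the patterns directory is not visible to the process, fails at compile time the way Grok::PatternError does, whereas a defined pattern that simply does not match only yields a parse failure. The QID regex, the pattern-file contents and the directory path are constructed assumptions.

```python
import os
import re

# Constructed sample data: the syslog_message from the post, plus a pattern file in
# the same "NAME regex" format as sendmail.grok, with QID assumed to be 14 alphanumerics.
SAMPLE_MESSAGE = "u9PBIMwu011394: authsmtp79.register.it [195.110.122.164] not internal"
SAMPLE_PATTERN_FILE = "#########\nQID [A-Za-z0-9]{14}\n"

class PatternError(Exception):
    """A %{NAME} reference with no definition (the analogue of Grok::PatternError)."""

def parse_pattern_text(text):
    """Each non-blank, non-comment line of a pattern file is 'NAME <regex>'."""
    patterns = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, regex = line.partition(" ")
            patterns[name] = regex.strip()
    return patterns

def load_pattern_dir(patterns_dir):
    """Merge every file in patterns_dir; a missing directory yields no definitions."""
    patterns = {}
    if os.path.isdir(patterns_dir):
        for fname in sorted(os.listdir(patterns_dir)):
            with open(os.path.join(patterns_dir, fname)) as fh:
                patterns.update(parse_pattern_text(fh.read()))
    return patterns

REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")  # %{NAME} or %{NAME:field}

def compile_grok(expr, patterns):
    """Expand references recursively into named groups, failing on undefined names."""
    def expand(m):
        name, field = m.group(1), m.group(2)
        if name not in patterns:
            raise PatternError(f"pattern %{{{name}}} not defined")
        inner = REF.sub(expand, patterns[name])
        return f"(?P<{field}>{inner})" if field else f"(?:{inner})"
    return re.compile(REF.sub(expand, expr))

def grok_match(expr, patterns, message):
    """Return captured fields, or None for a plain parse failure (no exception)."""
    m = compile_grok(expr, patterns).search(message)
    return m.groupdict() if m else None

def compile_or_error(expr, patterns):
    try:
        return compile_grok(expr, patterns)
    except PatternError as err:
        return str(err)
```

Point `load_pattern_dir` at the directory the pipeline actually sees (inside the container, if Logstash runs in one) to tell a pattern file that is never read apart from a pattern that is read but wrong.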