IBM HTTPServer ACC logs into logstash

Anonymous | Published 2017-09-11 | Views: 2942

I have been debugging for several days and still cannot get the corresponding fields. What is the problem?
 
The log format is as follows:
113.57.196.114 - - [06/Sep/2017:17:15:08 +0800] TIME:2702 "GET /XXX/css/.bash_history HTTP/1.0" 404 2167 "https://XXX.com.cn/hahah/css/login.css" "Mozilla/5.0 (Windows NT 6.1; rv:33.0) Gecko/20100101 Firefox/33.0"
 
input {
    file {
        path => "/tmp/ihs2"
        start_position => "beginning"
    }
}
filter {
    grok {
        # Note on the two URL fields: %{URI} only matches "scheme://host/path",
        # while %{URIPATHPARAM} only matches a path that starts with "/".
        # Here the request target ("/XXX/css/.bash_history") is matched with
        # %{URI} and the referer ("https://XXX.com.cn/...") with
        # %{URIPATHPARAM}, so neither can ever match.
        match => {
            "message" => "%{IPV4:remote_addr} (%{USERNAME:ident}|-) (%{USERNAME:auth}|-) \[%{HTTPDATE:timestamp}\] TIME:%{NUMBER:timeused} \"%{WORD:verb} (%{URI:referer}|-) HTTP/%{NUMBER:httpversion}\" (%{NUMBER:http_status:int}|-) (%{BASE10NUM:body_bytes_sent}|-) \"(%{URIPATHPARAM:uri}|-)\" \"(%{GREEDYDATA:agent}|-)\""
        }
    }
#    # The "Z" in the date pattern already parses the "+0800" offset, so
#    # @timestamp is stored correctly in UTC without the ruby shift below.
#    date {
#        match => ["timestamp", "dd/MMM/yyyy:HH:mm:ss Z"]
#        target => "@timestamp"
#    }
#    ruby {
#        code => "event.set('temp', event.get('@timestamp').time.localtime + 8*60*60); event.set('@timestamp', event.get('temp'))"
#    }
}
output {
    stdout {
        codec => rubydebug
    }
    elasticsearch {
        hosts => ["10.14.197.159:9200"]
        manage_template => false
        index => "logstash-ihsacc1-%{+YYYY-MM}"
    }
}
 
The DEBUG output is as follows:
{
          "path" => "/tmp/ihs2",
    "@timestamp" => 2017-09-11T04:19:27.007Z,
      "@version" => "1",
          "host" => "hadooptest01",
       "message" => "113.57.196.114 - - [06/Sep/2017:17:15:10 +0800] TIME:2694 \"GET /XXX/scripts/installer HTTP/1.0\" 404 2167 \"https://XXX.com.cn/haha/scripts/public.js\" \"Mozilla/5.0 (Windows NT 6.1; rv:33.0) Gecko/20100101 Firefox/33.0\"",
          "tags" => [
        [0] "_grokparsefailure"
    ]
}
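The `_grokparsefailure` tag above comes from the two URL fields in the pattern: grok's `%{URI}` only matches a string that starts with `scheme://`, so it never matches the request target `/XXX/css/.bash_history`, and `%{URIPATHPARAM}` only matches a path beginning with `/`, so it never matches the referer `https://XXX.com.cn/...`. Swapping the two makes both lines parse. The following is an added example, not code from the question or from Logstash itself: a small Python reimplementation of grok's `%{NAME:field:type}` expansion over a simplified subset of the logstash-patterns-core definitions (Oniguruma-only constructs such as atomic groups are dropped), run against the two log lines quoted in the question. The field names `request` and `referer` in the corrected pattern and the `SENSITIVE_PATHS` watchlist are this example's own choices.

```python
import re

# Subset of the logstash-patterns-core grok definitions, simplified where the
# originals use Oniguruma-only syntax (atomic groups, lookbehind) that Python's
# re module lacks.  Enough to compile the pattern from the question.
GROK_PATTERNS = {
    "USERNAME": r"[a-zA-Z0-9._-]+",
    "USER": r"%{USERNAME}",
    "INT": r"(?:[+-]?(?:[0-9]+))",
    "POSINT": r"\b(?:[1-9][0-9]*)\b",
    "BASE10NUM": r"(?:[+-]?(?:[0-9]+(?:\.[0-9]+)?|\.[0-9]+))",
    "NUMBER": r"(?:%{BASE10NUM})",
    "WORD": r"\b\w+\b",
    "GREEDYDATA": r".*",
    "IPV4": r"(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)",
    "HOSTNAME": r"\b[0-9A-Za-z][0-9A-Za-z-]{0,62}(?:\.[0-9A-Za-z][0-9A-Za-z-]{0,62})*\.?",
    "IPORHOST": r"(?:%{IPV4}|%{HOSTNAME})",
    "MONTH": r"\b(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\b",
    "MONTHDAY": r"(?:0[1-9]|[12][0-9]|3[01]|[1-9])",
    "YEAR": r"(?:\d\d){1,2}",
    "HOUR": r"(?:2[0123]|[01]?[0-9])",
    "MINUTE": r"(?:[0-5][0-9])",
    "SECOND": r"(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)",
    "TIME": r"%{HOUR}:%{MINUTE}:%{SECOND}",
    "HTTPDATE": r"%{MONTHDAY}/%{MONTH}/%{YEAR}:%{TIME} %{INT}",
    # URI demands "scheme://" and URIPATH demands a leading "/": using them
    # the wrong way round is why the question's pattern never matches.
    "URIPROTO": r"[A-Za-z][A-Za-z0-9+\-.]+",
    "URIHOST": r"%{IPORHOST}(?::%{POSINT})?",
    "URIPATH": r"(?:/[A-Za-z0-9$.+!*'(){},~:;=@#%&_\-]*)+",
    "URIPARAM": r"\?[A-Za-z0-9$.+!*'|(){},~@#%&/=:;_?\-\[\]<>]*",
    "URIPATHPARAM": r"%{URIPATH}(?:%{URIPARAM})?",
    "URI": r"%{URIPROTO}://(?:%{USER}(?::[^@]*)?@)?(?:%{URIHOST})?(?:%{URIPATHPARAM})?",
}

GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?(?::(\w+))?\}")


def compile_grok(pattern):
    """Expand %{NAME[:field[:type]]} references into one Python regex.
    Returns (compiled regex, {field: type}) so typed fields can be cast."""
    types = {}

    def expand(m):
        name, field, typ = m.groups()
        body = GROK_PATTERNS[name]
        if field:
            types[field] = typ
            return "(?P<%s>%s)" % (field, body)
        return "(?:%s)" % body

    while GROK_REF.search(pattern):  # nested definitions expand recursively
        pattern = GROK_REF.sub(expand, pattern)
    return re.compile(pattern), types


def grok_match(pattern, line):
    """Return the extracted fields, or None where logstash would tag the
    event _grokparsefailure.  Fields declared ":int" are cast like grok does."""
    regex, types = compile_grok(pattern)
    m = regex.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    for field, typ in types.items():
        if typ == "int" and fields.get(field) is not None:
            fields[field] = int(fields[field])
    return fields


# The match string from the question, as logstash sees it once \" is unescaped.
ORIGINAL = (
    r'%{IPV4:remote_addr} (%{USERNAME:ident}|-) (%{USERNAME:auth}|-) '
    r'\[%{HTTPDATE:timestamp}\] TIME:%{NUMBER:timeused} '
    r'"%{WORD:verb} (%{URI:referer}|-) HTTP/%{NUMBER:httpversion}" '
    r'(%{NUMBER:http_status:int}|-) (%{BASE10NUM:body_bytes_sent}|-) '
    r'"(%{URIPATHPARAM:uri}|-)" "(%{GREEDYDATA:agent}|-)"'
)

# Corrected: the request target is a path (URIPATHPARAM) and the referer is a
# full URL (URI).  Field names "request"/"referer" are this example's choice.
FIXED = (
    r'%{IPV4:remote_addr} (%{USERNAME:ident}|-) (%{USERNAME:auth}|-) '
    r'\[%{HTTPDATE:timestamp}\] TIME:%{NUMBER:timeused:int} '
    r'"%{WORD:verb} %{URIPATHPARAM:request} HTTP/%{NUMBER:httpversion}" '
    r'(%{NUMBER:http_status:int}|-) (%{BASE10NUM:body_bytes_sent:int}|-) '
    r'"(%{URI:referer}|-)" "(%{GREEDYDATA:agent}|-)"'
)

# The two access-log lines quoted in the question (first one re-joined).
SAMPLE_LINES = [
    '113.57.196.114 - - [06/Sep/2017:17:15:08 +0800] TIME:2702 '
    '"GET /XXX/css/.bash_history HTTP/1.0" 404 2167 '
    '"https://XXX.com.cn/hahah/css/login.css" '
    '"Mozilla/5.0 (Windows NT 6.1; rv:33.0) Gecko/20100101 Firefox/33.0"',
    '113.57.196.114 - - [06/Sep/2017:17:15:10 +0800] TIME:2694 '
    '"GET /XXX/scripts/installer HTTP/1.0" 404 2167 '
    '"https://XXX.com.cn/haha/scripts/public.js" '
    '"Mozilla/5.0 (Windows NT 6.1; rv:33.0) Gecko/20100101 Firefox/33.0"',
]

# Constructed watchlist for this example: files a scanner probes for under a
# web root, like the .bash_history request in the question's first log line.
SENSITIVE_PATHS = (".bash_history", ".git/", ".env", "/etc/passwd")


def is_recon_probe(fields):
    """True when the parsed request targets a path from the watchlist."""
    request = fields.get("request") or ""
    return any(marker in request for marker in SENSITIVE_PATHS)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print("original pattern:", grok_match(ORIGINAL, line))  # None
        fields = grok_match(FIXED, line)
        print("fixed pattern:   ", fields)
        print("recon probe?     ", is_recon_probe(fields))
```

To use the corrected pattern in the Logstash config, paste the `FIXED` string into `match => { "message" => "..." }` with the inner double quotes escaped as `\"`, exactly as the original does. Once the lines parse, the `date` filter with `dd/MMM/yyyy:HH:mm:ss Z` already reads the `+0800` offset and stores `@timestamp` in UTC, so the commented-out `ruby` block that adds eight hours would shift every event by a further eight hours; leave it out and let Kibana render the timestamp in the browser's timezone.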