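# Parses one web-server access-log line per event, sets the event time from
# the logged request time, and enriches the event with GeoIP data for the
# client address. Every field this stanza extracts (user agent, referrer,
# request path, x_forword, ...) is text the remote client controlled when the
# line was written; treat the parsed values as untrusted downstream.
filter {
  grok {
    # Yes: this pattern is the regex that must mirror the exact field layout
    # of your access-log line. (The question had been glued onto the end of
    # the string literal, which broke the config; it is moved here.) A line
    # that does not match gets the _grokparsefailure tag and no fields, so
    # validate the pattern against a real sample line before deploying.
    # NOTE(review): %{WORD:x_forword} will not match a dotted IP address,
    # and it is followed by upstream_cache_status with no separating space
    # (the adjacent \"\") — confirm both against the actual log format.
    # The field name "x_forword" (presumably X-Forwarded-For) is kept as-is
    # because downstream consumers may already reference it.
    match => {
      "message" => "%{IPORHOST:client_ip} (%{USER:ident}|-) (%{USER:auth}|-) \[%{HTTPDATE:timestamp}\] \"(?:%{WORD:verb} (%{NOTSPACE:request}|-)(?: HTTP/%{NUMBER:http_version})?|-)\" (%{NUMBER:response}|-) (?:%{NUMBER:bytes}|-) \"(%{NOTSPACE:referrer}|-)\" (%{QS:agent}|-) \"(%{WORD:x_forword}|-)\"\"(?<upstream_cache_status>\S+)\""
    }
  }
  date {
    # Set @timestamp from the HTTPDATE captured above (e.g. 10/Oct/2000:13:55:36 -0700).
    match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
  }
  geoip {
    # Look up the directly-connected address parsed by grok. Do not switch the
    # source to x_forword: that header value is client-supplied and spoofable.
    source => "client_ip"
  }
}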
# Extracts the access-log fields from the raw "message" line. All captured
# values are client-controlled text; treat them as untrusted downstream.
# NOTE(review): the text after the closing quote of the pattern
# ("--这个是...", the asker's question "is this regex matched against my log
# format?") is not valid config syntax and must not remain on that line.
# Also confirm against a real sample line that x_forword really is a single
# %{WORD} (it would not match a dotted IP) and that no space separates the
# x_forword and upstream_cache_status quotes (\"\").
grok {
match => {
"message" => "%{IPORHOST:client_ip} (%{USER:ident}|-) (%{USER:auth}|-) \[%{HTTPDATE:timestamp}\] \"(?:%{WORD:verb} (%{NOTSPACE:request}|-)(?: HTTP/%{NUMBER:http_version})?|-)\" (%{NUMBER:response}|-) (?:%{NUMBER:bytes}|-) \"(%{NOTSPACE:referrer}|-)\" (%{QS:agent}|-) \"(%{WORD:x_forword}|-)\"\"(?<upstream_cache_status>\S+)\""--这个是根据我日志的格式进行正则匹配吗?
}
}
# Sets @timestamp from the HTTPDATE field captured by grok
# (e.g. 10/Oct/2000:13:55:36 -0700); the event keeps the logged time, not the ingest time.
date {
match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
}
# GeoIP enrichment of the directly-connected client address parsed by grok.
# Keep the source on client_ip rather than x_forword: that header value is
# client-supplied and can be spoofed to mislocate the request.
geoip {
source => "client_ip"
}
}