Hi all, I have never been able to parse the syslog that the other side sends me. I am not sure whether what they send is not standard syslog format. How should I solve this? Thanks. My configuration is below:

input {
  syslog {
    # Binding port 514 needs root or CAP_NET_BIND_SERVICE. A line that is not RFC 3164
    # is still delivered in "message", tagged _grokparsefailure_sysloginput.
    port => 514
  }
}
filter {
  grok {
    # TIMESTAMP_ISO8601 keeps the full "2019-08-05 19:13:36"; "20%{DATESTAMP}" matches
    # but drops the century. GREEDYDATA for find_content: WORD stops at the first "."
    # and would keep only "113" of "113.96.138.7".
    match => ["message", "datetime=%{TIMESTAMP_ISO8601:datetime},type=%{DATA:type},sip=%{IP:srcIP},dip=%{IP:dstIP},sport=%{NUMBER:srcPort},dport=%{NUMBER:dstPort},protocol=%{INT:Protocol},find_id=%{WORD:find_id},find_content=%{GREEDYDATA:find_content}"]
  }
}
output {
  elasticsearch {
    hosts => ["192.168.141.65:9200"]
    index => "syslog-%{+YYYY.MM.dd}"
  }
  stdout {
    codec => rubydebug
  }
}
The data they send is as follows:
datetime=2019-08-05 19:13:36,type=1,sip=113.96.138.7,dip=120.106.171.158,sport=51206,dport=445,protocol=6,find_id=632,find_content=113.96.138.7
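As an added example (not part of the question, nor Logstash's own code), the Python below mirrors the posted grok pattern with simplified regex stand-ins so the two capture problems in it can be checked offline against the quoted line: `20%{DATESTAMP}` matches but drops the century, and `%{WORD}` cuts `find_content` at the first dot. It also checks whether a line carries a syslog `<PRI>` header; the quoted line has none, so the syslog input tags it `_grokparsefailure_sysloginput` but still hands the raw line to the grok filter in `message`.

```python
import re

# Constructed sample: the exact line quoted in the question.
SAMPLE = ("datetime=2019-08-05 19:13:36,type=1,sip=113.96.138.7,"
          "dip=120.106.171.158,sport=51206,dport=445,protocol=6,"
          "find_id=632,find_content=113.96.138.7")

# Simplified Python stand-ins for the stock grok patterns (assumption: close enough for this line).
IP = r"\d{1,3}(?:\.\d{1,3}){3}"                                            # ~ %{IP}
TIME = r"(?:2[0-3]|[01]?[0-9]):[0-5][0-9]:(?:[0-5]?[0-9]|60)"               # ~ %{TIME}
DATE_EU = r"(?:0[1-9]|[12][0-9]|3[01]|[1-9])[./-](?:0?[1-9]|1[0-2])[./-](?:\d\d){1,2}"  # ~ %{DATE_EU}
DATESTAMP = DATE_EU + r"[- ]" + TIME                                      # ~ %{DATESTAMP}
ISO8601 = r"\d{4}-\d{2}-\d{2}[T ]" + TIME                                  # ~ %{TIMESTAMP_ISO8601}

COMMON = (r",type=(?P<type>.*?),sip=(?P<srcIP>" + IP + r"),dip=(?P<dstIP>" + IP + r"),"
          r"sport=(?P<srcPort>\d+),dport=(?P<dstPort>\d+),protocol=(?P<Protocol>\d+),"
          r"find_id=(?P<find_id>\w+),find_content=")

# As posted: "20" + DATESTAMP matches "2019-08-05 19:13:36" as day-month-year, so the
# captured datetime loses its century; WORD (\b\w+\b) stops at the first "." of the IP.
AS_POSTED = re.compile(r"datetime=20(?P<datetime>" + DATESTAMP + r")" + COMMON
                       + r"(?P<find_content>\b\w+\b)")
# Corrected: a full ISO timestamp and GREEDYDATA (.*) for the last, free-form value.
CORRECTED = re.compile(r"datetime=(?P<datetime>" + ISO8601 + r")" + COMMON
                       + r"(?P<find_content>.*)")


def has_syslog_pri(line):
    """True when the line starts with an RFC 3164 <PRI> header. Without one, Logstash's
    syslog input tags the event _grokparsefailure_sysloginput and leaves the raw line
    in "message", where the grok filter still sees it."""
    return re.match(r"<\d{1,3}>", line) is not None


def parse(line, pattern=CORRECTED):
    """Return the named fields as a dict, or None on no match (grok's _grokparsefailure).
    search() mirrors grok's unanchored matching, so a leading syslog header is tolerated."""
    m = pattern.search(line)
    return m.groupdict() if m else None


if __name__ == "__main__":
    print(parse(SAMPLE, AS_POSTED))
    print(parse(SAMPLE))
```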
0 replies