ELK version: 7.4
Switch log:
<189>Oct 24 2019 10:30:03 VR-CORE %CLI/5/CMDRECORD(s):CID=0x80ca2713;Recorded command information. (Task=VTY0, Ip=10.3.51.1, VpnName=_public_, User=admin1, AuthenticationMethod="Local-user", Command="display acl all".)
Logstash config:
input {
  udp {
    port => 5001
    tags => switch_syslog
  }
}
filter {
  if "switch_syslog" in [tags] {
    grok {
      match => { "message" => "<%{NUMBER:id}>%{GREEDYDATA:logTime} %{USER:edition} %{NOTSPACE:event}:CID=%{BASE16FLOAT:cid};%{GREEDYDATA:info} \(Task=%{USER:task}, Ip=%{IP:sourceIP}, VpnName=%{USER:vpnName}, User=%{USER:user}, AuthenticationMethod=\"%{USER:authenticationMethod}\", Command=\"%{GREEDYDATA:command}\".\)" }
    }
    date {
      match => [ "logTime" , "dd/MMM/yyyy:HH:mm:ss ZZZ" ]
      timezone => "Asia/Shanghai"
    }
  }
}
Problem:
The logTime field is not being formatted by the date plugin: the output is still Oct 24 2019 10:30:03, the timezone is still UTC with no +08:00, yet the timezone of the @timestamp field is correct. Please advise.
1 reply
yu89780012
date {
  timezone => "+00:00"
  match    => [ "create_time", "yyyy/MM/dd HH:mm:ss.SSSSSSSSS" ]
  target   => "create_time"
  locale   => "en"
}
Try handling it this way.
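A date filter that actually matches the switch log line in the question, added here as an example and not taken from the question or the reply: the Joda pattern mirrors the log's own "Oct 24 2019 10:30:03" layout, the locale is pinned to English so the month abbreviation parses on any host, and the parsed value is written back into logTime. Field and tag names come from the question's grok filter; nothing else is assumed.

```conf
filter {
  if "switch_syslog" in [tags] {
    # Parse the device timestamp and overwrite logTime with the result.
    date {
      # The log carries "Oct 24 2019 10:30:03"; the pattern must mirror that
      # layout exactly. The second pattern covers single-digit days.
      match    => [ "logTime", "MMM dd yyyy HH:mm:ss", "MMM d yyyy HH:mm:ss" ]
      # The switch stamps local time; this is the zone the input is read in.
      timezone => "Asia/Shanghai"
      # Month abbreviations are English regardless of the Logstash host locale.
      locale   => "en"
      # Default target is @timestamp; name logTime to overwrite that field.
      target   => "logTime"
      # Default value, kept explicit: events that still fail to parse are
      # tagged, so they can be searched for instead of silently keeping
      # ingest time.
      tag_on_failure => [ "_dateparsefailure" ]
    }
    # Second block so that @timestamp also carries the device time rather
    # than the moment Logstash received the packet.
    date {
      match    => [ "logTime", "MMM dd yyyy HH:mm:ss", "MMM d yyyy HH:mm:ss" ]
      timezone => "Asia/Shanghai"
      locale   => "en"
    }
  }
}
```

The timezone option tells the parser which zone the input is in; the result is stored as a Logstash Timestamp, which is always serialized in UTC (2019-10-24T02:30:03.000Z for this line), so a +08:00 offset never appears in the output. For command-audit records like CMDRECORD this is the desired outcome, since logTime and @timestamp then share one time base that can be correlated with other sources.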