1
我在S3存储桶上有AWS ElasticBeanstalk实例日志。如何从日志文件路径中提取变量,在Logstash中为模式测试日志文件名?
路径记录是:
resources/environments/logs/publish/e-3ykfgdfgmp8/i-cf216955/_var_log_nginx_rotated_access.log1417633261.gz
翻译为:
资源/环境/日志/发布/ E- [随机环境ID]/I-[随机实例id]/
该路径包含多个日志:
_var_log_eb-docker_containers_eb-current-app_rotated_application.log1417586461.gz
_var_log_eb-docker_containers_eb-current-app_rotated_application.log1417597261.gz
_var_log_rotated_docker1417579261.gz
_var_log_rotated_docker1417582862.gz
_var_log_rotated_docker-events.log1417579261.gz
_var_log_nginx_rotated_access.log1417633261.gz
请注意,有一些随机号码前加“广州”
问题在文件名由AWS插入(时间戳?)是,我需要设置根据日志文件名的变量。
这里是我的配置:
input {
s3 {
debug => "true"
bucket => "elasticbeanstalk-us-east-1-something"
region => "us-east-1"
region_endpoint => "us-east-1"
credentials => ["..."]
prefix => "resources/environments/logs/publish/"
sincedb_path => "/tmp/s3.sincedb"
backup_to_dir => "/tmp/logstashed/"
tags => ["s3","elastic_beanstalk"]
type => "elastic_beanstalk"
}
}
filter {
if [type] == "elastic_beanstalk" {
grok {
match => [ "@source_path", "resources/environments/logs/publish/%{environment}/%{instance}/%{file}<unnecessary_number>.gz" ]
}
}
}
在这种情况下,我想从路径中提取环境,实例和文件名。在文件名中,我需要忽略那个随机数。 我是否正确地做这件事?什么将是完整的,正确的解决方案呢?
另一个问题是我怎样才能从上面指定特定日志文件的自定义日志格式字段?
这可能是这样的:(元代码)
filter {
if [type] == "elastic_beanstalk" {
if [file_name] BEGINS WITH "application_custom_log" {
grok {
match => [ "message", "%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration}" ]
}
}
if [file_name] BEGINS WITH "some_other_custom_log" {
....
}
}
}
如何测试文件名模式?
你真的得到这个@source_path的工作吗?我得到了很多Grok解析错误,因为它看起来@source_path不存在。 – bvulaj 2015-05-21 19:58:21
不,我不能工作 – Roman 2015-05-21 21:03:31
想知道你是如何解决这个问题的? – Raoot 2016-03-03 04:18:18