Logstash多行与系统日志

Question

有Logstash和多一起工作

我使用的是Logspout容器，所有的标准输出日志条目转发的系统日志，以logstash一些困难。

这是logstash收到的最终内容。这里有多行代表两个事件。

<14>2015-02-09T14:25:01Z logspout dev_zservice_1[1]: 2015-02-10 11:55:38.496 INFO 1 --- [tp1302304527-19] c.z.service.DefaultInvoiceService  : Creating with DefaultInvoiceService started... 
<14>2015-02-09T14:25:01Z logspout dev_zservice_1[1]: 2015-02-10 11:55:48.596 WARN 1 --- [tp1302304527-19] o.eclipse.jetty.servlet.ServletHandler : 
<14>2015-02-09T14:25:01Z logspout dev_zservice_1[1]: 
<14>2015-02-09T14:25:01Z logspout dev_zservice_1[1]: org.springframework.web.util.NestedServletException: Request processing failed; nested exception is org.springframework.dao.DataAccessResourceFailureException: Timed out after 10000 ms while waiting for a server that matches AnyServerSelector{}. Client view of cluster state is {type=Unknown, servers=[{address=mongo:27017, type=Unknown, state=Connecting, exception={com.mongodb.MongoException$Network: Exception opening the socket}, caused by {java.net.UnknownHostException: mongo: unknown error}}]; nested exception is com.mongodb.MongoTimeoutException: Timed out after 10000 ms while waiting for a server that matches AnyServerSelector{}. Client view of cluster state is {type=Unknown, servers=[{address=mongo:27017, type=Unknown, state=Connecting, exception={com.mongodb.MongoException$Network: Exception opening the socket}, caused by {java.net.UnknownHostException: mongo: unknown error}}] 
<14>2015-02-09T14:25:01Z logspout dev_zservice_1[1]: at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:978) 
<14>2015-02-09T14:25:01Z logspout dev_zservice_1[1]: at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:868) 
<14>2015-02-09T14:25:01Z logspout dev_zservice_1[1]: at javax.servlet.http.HttpServlet.service(HttpServlet.java:707) 
<14>2015-02-09T14:25:01Z logspout dev_zservice_1[1]: at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:842) 

每条日志行都以syslog头开始。

根据上面的日志内容我创建了logstash配置文件。

input { 
    udp { 
    port => 5000 
    type => syslog 
    } 
} 

filter { 
    multiline { 
    pattern => "^<%{NUMBER}>%{TIMESTAMP_ISO8601} %{SYSLOGHOST:container_name} %{DATA}(?:\[%{POSINT}\])?:%{SPACE}%{TIMESTAMP_ISO8601}" 
    negate => true 
    what => "previous" 
    stream_identity => "%{container_name}" 
    } 

    grok { 
    match => [ "message", "(?m)^<%{NUMBER}>%{TIMESTAMP_ISO8601} %{SYSLOGHOST} %{DATA:container_name}(?:\[%{POSINT}\])?:%{SPACE}%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{LOGLEVEL:loglevel}%{SPACE}%{NUMBER}%{SPACE}---%{SPACE}(?:\[%{DATA:threadname}\])?%{SPACE}%{JAVACLASS:clas 
    } 

    date { 
    match => [ "timestamp", "yyyy-MM-dd HH:mm:ss.SSS" ] 
    remove_field => ["timestamp"] 
    } 
    if !("_grokparsefailure" in [tags]) { 
    mutate { 
     replace => [ "source_host", "%{container_name}" ] 
     replace => [ "raw_message", "%{message}" ] 
     replace => [ "message", "%{logmessage}" ] 
     remove_field => [ "logmessage", "host", "source_host" ] 
    } 
    } 
    mutate { 
    strip => [ "threadname" ] 
    } 
} 

output { 
    elasticsearch { } 
} 

现在，当上述事件到达的第一个事件是正确的分析和显示：

message = "Creating with DefaultInvoiceService started..." 

第二个事件包含此消息包含三个问题：

<14>2015-02-10T12:59:09Z logspout dev_zservice_1[1]: 

<14>2015-02-10T12:59:09Z logspout dev_zservice_1[1]: org.springframework.web.util.NestedServletException: Request processing failed; nested exception is org.springframework.dao.DataAccessResourceFailureException: Timed out after 10000 ms while waiting for a server that matches AnyServerSelector{}. Client view of cluster state is {type=Unknown, servers=[{address=mongo:27017, type=Unknown, state=Connecting, exception={com.mongodb.MongoException$Network: Exception opening the socket}, caused by {java.net.UnknownHostException: mongo: unknown error}}]; nested exception is com.mongodb.MongoTimeoutException: Timed out after 10000 ms while waiting for a server that matches AnyServerSelector{}. Client view of cluster state is {type=Unknown, servers=[{address=mongo:27017, type=Unknown, state=Connecting, exception={com.mongodb.MongoException$Network: Exception opening the socket}, caused by {java.net.UnknownHostException: mongo: unknown error}}] 

<14>2015-02-10T12:59:09Z logspout dev_zservice_1[1]: at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:978) 

<14>2015-02-10T12:59:09Z logspout dev_zservice_1[1]: at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:868) 

<14>2015-02-10T12:59:09Z logspout dev_zservice_1[1]: at javax.servlet.http.HttpServlet.service(HttpServlet.java:707) 

<14>2015-02-10T12:59:09Z logspout dev_zservice_1[1]: at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:842) 

<14>2015-02-10T12:59:09Z logspout dev_nginx_1[1]: 192.168.59.3 - - [10/Feb/2015:12:59:09 +0000] "POST /api/invoice/ HTTP/1.1" 500 1115 "http://192.168.59.103/"; "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.94 Safari/537.36" "-" 

1. 的消息文本中包含一行dev_nginx_1条目，它将n不属于这里。这应该被视为一个单独的事件。

2. 每行包含前缀。 <14>2015-02-10T12:59:09Z logspout dev_zservice_1[1]:

3. 每一行都有一个额外的新行

问题。 为什么dev_nginx_1条目本身不是一个事件。为什么它被认为属于前一个？ 如何摆脱消息每一行中的系统日志前缀。 如何摆脱额外的新行？

Answer 1

至于（1），您在多行中使用了container_name。这是时间戳之后的字段。在你的例子中，他们都是“logspout”。对我来说似乎是对的。

至于（2），每一行都带有前缀和时间戳，所以你会希望它们默认在那里。您正在执行mutate{}以用log_message替换message，但我没有看到您正在设置log_message。那么，您如何看待前缀和时间戳被删除？

Answer 2

对于（1），用%{SYSLOGHOST} %{DATA:container_name}（如您在grok中使用的）替换您的多线模式中的%{SYSLOGHOST:container_name} %{DATA}。

对于（2）和（3），你可以尝试这样的事：

mutate { 
    gsub => [ "message", "<\d+>.*?:\s", "", "message", "\n(\n)", "\1" ] 
} 

这里，gsub设置执行两个操作：

1. 检查领域的 “信息”，找到从“< 14>”的子字符串到一个冒号后跟一个空格，然后用空字符串替换那些子字符串。
2. 检查字段“消息”，找到由两个连续的换行符组成的子字符串，并用一个换行符替换它们。它使用\1对组(\n)执行替代，因为如果您尝试使用\n本身，则Logstash实际上会将其替换为\\n，这将不起作用。