logging - Logstash grok pattern not functioning as expected
I'm having an interesting problem.
After using http://grokdebug.herokuapp.com/ it works well. I'm finding that the following message, though it works on the above site and on seemingly identical messages, is not working as expected.
This is the pattern:
%{MONTHDAY}-%{MONTH}-%{YEAR} %{TIME} %{PROG:program}: %{LOGLEVEL:loglevel}: %{USER:from} %{IP:ip}\#%{INT:port} \(%{GREEDYDATA:request}\): %{WORD:stage}(\s|\s\s)%{GREEDYDATA:drop_reason} %{IPORHOST:to}/%{INT:subnet}
This is the output:
{
       "message" => "03-Feb-2014 21:33:51.867 queries: info: client 123.123.123.123#57710 (some.dns.server.1.1.1.1.in-addr.arpa): drop response 231.231.231.0/24",
      "@version" => "1",
    "@timestamp" => "2014-02-06T00:51:04.240Z",
          "type" => "ns_query",
          "host" => "ns2",
          "path" => "/tmp/named-query.log.29"
}
I have seen this function as expected; it's odd that these in particular are not working. If anyone has ideas about what I may be doing incorrectly, please let me know.
Below are the internals of the actual patterns file I am comparing against:
# parse time stamp with odd time stamp
dns_time_stamp %{MONTHDAY}-%{MONTH}-%{YEAR} %{TIME}

# create header, beginning of each line of log
dns_header %{dns_time_stamp:log_timestamp} %{PROG:program}: %{LOGLEVEL:loglevel}: %{USER:from} %{IP:ip}\#%{INT:port}

# different queries
dns_query_1 %{dns_header} \(%{IPORHOST:request}\): %{WORD:stage}: %{IPORHOST:request2} %{WORD:rq_where} %{WORD:r_type} %{DATA:flags} \(%{IPORHOST:serviced_by}\)
dns_query_2 %{dns_header} \(%{GREEDYDATA:request}\): %{WORD:stage}: %{GREEDYDATA:request2} %{WORD:rq_where} %{WORD:r_type} %{DATA:flags} \(%{GREEDYDATA}:serviced_by\)

# different drop/slip/etc
dns_drop_1 %{dns_header} \(%{IPORHOST:request}\): %{WORD:stage} %{GREEDYDATA:drop_reason} %{IPORHOST:to}/%{INT:subnet} %{IPORHOST:requester} %{GREEDYDATA:dr_type} \(%{BASE16NUM:request_id}\)
dns_drop_2 %{dns_header} \(%{IPORHOST:request}\): %{WORD:stage}(\s|\s\s)%{GREEDYDATA:drop_reason} %{IPORHOST:to}/%{INT:subnet} %{GREEDYDATA:dr_type} \(%{BASE16NUM:request_id}\)
dns_drop_3 %{dns_header} \(%{IPORHOST:request}\): %{WORD:stage}(\s|\s\s)%{GREEDYDATA:drop_reason} %{IPORHOST:to}/%{INT:subnet}
dns_drop_4 %{dns_header} \(%{GREEDYDATA:request}\): %{WORD:stage}(\s|\s\s)%{GREEDYDATA:drop_reason} %{IPORHOST:to}/%{INT:subnet}
dns_drop_5 %{dns_header} \(%{GREEDYDATA:request}\): %{WORD:stage}(\s|\s\s)%{GREEDYDATA:drop_reason} %{IPORHOST:to}/%{INT:subnet} %{GREEDYDATA:dr_type} \(%{BASE16NUM:request_id}\)

# bringing them together for ease of use in logstash
dns_query (%{dns_query_1}|%{dns_query_2})
dns_drop (%{dns_drop_1}|%{dns_drop_2}|%{dns_drop_3}|%{dns_drop_4}|%{dns_drop_5}|)

# pattern call in logstash config
dns (%{dns_query}|%{dns_drop})
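To reproduce the match outside the web debugger, here is an added Python example (not the asker's code and not Logstash's grok implementation) that expands the asker's dns_drop_3 pattern into a Python regular expression and runs it over the message from the output above. The standard grok definitions it embeds are a hand-copied, simplified subset, and because Python's re rejects duplicate group names it tests one alternative at a time rather than the combined dns_drop alternation.

```python
import re
# Added example (not the asker's code): a small grok-to-Python-re expander for testing
# patterns offline. BASE is a simplified subset of the stock grok definitions.
BASE = {
    "MONTHDAY": r"(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])",
    "MONTH": r"\b(?:Jan(?:uary)?|Feb(?:ruary)?|Mar(?:ch)?|Apr(?:il)?|May|Jun(?:e)?|Jul(?:y)?"
             r"|Aug(?:ust)?|Sep(?:tember)?|Oct(?:ober)?|Nov(?:ember)?|Dec(?:ember)?)\b",
    "YEAR": r"(?:\d\d){1,2}",  # stock grok uses an atomic group here; re lacks it
    "TIME": r"(?<![0-9])(?:2[0123]|[01]?[0-9]):(?:[0-5][0-9])(?::(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?))(?![0-9])",
    "PROG": r"(?:[\w._/%-]+)",
    "LOGLEVEL": r"(?:[Ii]nfo|INFO|[Ww]arn(?:ing)?|WARN(?:ING)?|[Ee]rr(?:or)?|ERR(?:OR)?|[Dd]ebug|DEBUG)",
    "USER": r"[a-zA-Z0-9._-]+",
    "IP": r"(?<![0-9])(?:(?:[01]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.]){3}(?:[01]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])(?![0-9])",
    "HOSTNAME": r"\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(?:\.?|\b)",
    "IPORHOST": r"(?:%{IP}|%{HOSTNAME})",
    "INT": r"(?:[+-]?(?:[0-9]+))",
    "WORD": r"\b\w+\b",
    "GREEDYDATA": r".*",
}
GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")

def expand(pattern, defs):
    """Rewrite %{NAME:field} to (?P<field>...) and %{NAME} to (?:...), recursively."""
    def sub(m):
        name, field = m.group(1), m.group(2)
        body = expand(defs[name], defs)  # KeyError on an unknown pattern name
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return GROK_REF.sub(sub, pattern)

def load_patterns(text, defs=BASE):
    """Parse a Logstash-style patterns file ('NAME definition' per line, '#' comments)."""
    defs = dict(defs)
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, body = line.partition(" ")
            defs[name] = body.strip()
    return defs

def grok_match(name, line, defs):
    """Unanchored search, like grok; returns the captured fields or None."""
    m = re.compile(expand("%{" + name + "}", defs)).search(line)
    return m.groupdict() if m else None

# The asker's patterns (standard names in canonical upper case) and the message from the post.
PATTERNS = r"""
dns_time_stamp %{MONTHDAY}-%{MONTH}-%{YEAR} %{TIME}
dns_header %{dns_time_stamp:log_timestamp} %{PROG:program}: %{LOGLEVEL:loglevel}: %{USER:from} %{IP:ip}\#%{INT:port}
dns_drop_3 %{dns_header} \(%{IPORHOST:request}\): %{WORD:stage}(\s|\s\s)%{GREEDYDATA:drop_reason} %{IPORHOST:to}/%{INT:subnet}
"""
SAMPLE = "03-Feb-2014 21:33:51.867 queries: info: client 123.123.123.123#57710 (some.dns.server.1.1.1.1.in-addr.arpa): drop response 231.231.231.0/24"

def parse_sample():
    return grok_match("dns_drop_3", SAMPLE, load_patterns(PATTERNS))
```

Running parse_sample() returns the captured fields for the sample line; a None result from grok_match is the offline equivalent of a _grokparsefailure tag.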