Logstash 多行日志文件 XML 解析过滤器

Question

我是 Logstash 的新手，我正在尝试解析我的多行日志，格式如下

<log level="INFO" time="Wed May 03 08:25:03 CEST 2017" timel="1493792703368" host="host"> <msg><![CDATA[Method=GET URL=http://localhost (Vers=[Version], Param1=[param1], Param2=[param1]) Result(Content-Length=[22222], Content-Type=[text/xml; charset=utf-8]) Status=200 Times=TISP:1098/CSI:-/Me:1/Total:1099]]> </msg> </log>

你知道如何在 logstash 配置中实现过滤器，以便能够索引 elasticsearch 中的以下字段

时间、主机、Vers、Param1、Param2、TISP

非常感谢

Answer 1

好的，我知道怎么做。这是我的 pipeline.conf 文件，它可以工作

input {
        beats {
                port => 5044
        }
}

filter {
        xml {
                store_xml => false
                source => "message"
                xpath => [
                 "/log/@level", "level",
                 "/log/@time", "time",
                 "/log/@timel", "unixtime",
                 "/log/@host", "host_org",
                 "/log/@msg", "msg",
                 "/log/msg/text()","msg_txt"
                ]
        }

        grok {
                break_on_match => false
                match => ["msg_txt", "Param1=\[(?<param1>-?\w+)\]"]
                match => ["msg_txt", "Param2=\[(?<param2>-?\w+)\]"]
                match => ["msg_txt", "Vers=\[(?<vers>-?\d+\.\d+)\]"]
                match => ["msg_txt", "TISP:(?<tisp>-?\d+)"]
                match => [unixtime, "(?<customTime>-?\d+)"]
        }
        if "_grokparsefailure" in [tags] {
                drop { }
        }

        mutate {
                convert => { "tisp" => "integer" }
        }

        date {
                match => [ "customTime", "UNIX_MS"]
                target => "@timestamp"
        }
        if "_dateparsefailure" in [tags] {
                drop { }
        }



}

output {
        elasticsearch {
                hosts => "elasticsearch:9200"
                user => user
                password => passwd
        }
}