【Question title】: Logstash Grok for Cisco Call Manager logs
【Posted】: 2020-03-05 21:10:20
【Question】:

I'm working on getting Call Manager logging into logstash and I need some help with the log parser. Can anyone help me come up with a grok pattern for the following log entry:

<190>136768: Dec 23 2019 10:48:59.476 UTC :  %UC_AUDITLOG-6-AdministrativeEvent: %[UserID=administrator][ClientAddress=192.168.1.5][Severity=6][EventType=UserAccess][ResourceAccessed=CUCMServiceability][EventStatus=Success][CompulsoryEvent=No][AuditCategory=AdministrativeEvent][ComponentID=Cisco CCM Servicability][CorrelationID=][AuditDetails=Attempt to access data was successful.User is authorized to access alarmconfig][AppID=Cisco Tomcat][ClusterID=][NodeID=cm01.home.local]: Audit Event is generated by this application 

I'm trying to use the Grok debugger, but I'm not getting very far: https://grokdebug.herokuapp.com/

So far I have this:

<%{NUMBER:message_type_id}>%{NUMBER:internal_id}:%{SPACE}%{CISCOTIMESTAMP:cisco_timestamp}%{SPACE}%{DATA:gmt}:%{SPACE}%{PROG}:

【Comments】:

    Tags: logstash logstash-grok cisco


    【Solution 1】:

    Try this:

    Input:

    <190>136768: Dec 23 2019 10:48:59.476 UTC :  %UC_AUDITLOG-6-AdministrativeEvent: %[UserID=administrator][ClientAddress=192.168.1.5][Severity=6][EventType=UserAccess][ResourceAccessed=CUCMServiceability][EventStatus=Success][CompulsoryEvent=No][AuditCategory=AdministrativeEvent][ComponentID=Cisco CCM Servicability][CorrelationID=][AuditDetails=Attempt to access data was successful.User is authorized to access alarmconfig][AppID=Cisco Tomcat][ClusterID=][NodeID=cm01.home.local]: Audit Event is generated by this application 
    

    GROK pattern:

    <%{NUMBER:message_type_id}>%{NUMBER:internal_id}:%{SPACE}%{CISCOTIMESTAMP:cisco_timestamp}%{SPACE}%{DATA:gmt}%{SPACE}:%{SPACE}%{PROG}:%{SPACE}\%\[UserID=%{GREEDYDATA:UserID}\]\[ClientAddress=%{IP:ClientAddress}\]\[Severity=%{NUMBER:Severity}\]\[EventType=%{GREEDYDATA:EventType}\]\[ResourceAccessed=%{GREEDYDATA:ResourceAccessed}\]\[EventStatus=%{GREEDYDATA:EventStatus}\]\[CompulsoryEvent=%{GREEDYDATA:CompulsoryEvent}\]\[AuditCategory=%{GREEDYDATA:AuditCategory}\]\[ComponentID=%{GREEDYDATA:ComponentID}\]\[CorrelationID=%{GREEDYDATA:CorrelationID}\]\[AuditDetails=%{GREEDYDATA:AuditDetails}\]\[AppID=%{GREEDYDATA:AppID}\]\[ClusterID=%{GREEDYDATA:ClusterID}\]\[NodeID=%{GREEDYDATA:NodeID}\]:%{SPACE}%{GREEDYDATA:description}
    

    Output:

    {
      "message_type_id": [
        [
          "190"
        ]
      ],
      "BASE10NUM": [
        [
          "190",
          "136768",
          "6"
        ]
      ],
      "internal_id": [
        [
          "136768"
        ]
      ],
      "SPACE": [
        [
          " ",
          " ",
          " ",
          "  ",
          " ",
          " "
        ]
      ],
      "cisco_timestamp": [
        [
          "Dec 23 2019 10:48:59.476"
        ]
      ],
      "MONTH": [
        [
          "Dec"
        ]
      ],
      "MONTHDAY": [
        [
          "23"
        ]
      ],
      "YEAR": [
        [
          "2019"
        ]
      ],
      "TIME": [
        [
          "10:48:59.476"
        ]
      ],
      "HOUR": [
        [
          "10"
        ]
      ],
      "MINUTE": [
        [
          "48"
        ]
      ],
      "SECOND": [
        [
          "59.476"
        ]
      ],
      "gmt": [
        [
          "UTC"
        ]
      ],
      "PROG": [
        [
          "%UC_AUDITLOG-6-AdministrativeEvent"
        ]
      ],
      "UserID": [
        [
          "administrator"
        ]
      ],
      "ClientAddress": [
        [
          "192.168.1.5"
        ]
      ],
      "IPV6": [
        [
          null
        ]
      ],
      "IPV4": [
        [
          "192.168.1.5"
        ]
      ],
      "Severity": [
        [
          "6"
        ]
      ],
      "EventType": [
        [
          "UserAccess"
        ]
      ],
      "ResourceAccessed": [
        [
          "CUCMServiceability"
        ]
      ],
      "EventStatus": [
        [
          "Success"
        ]
      ],
      "CompulsoryEvent": [
        [
          "No"
        ]
      ],
      "AuditCategory": [
        [
          "AdministrativeEvent"
        ]
      ],
      "ComponentID": [
        [
          "Cisco CCM Servicability"
        ]
      ],
      "CorrelationID": [
        [
          ""
        ]
      ],
      "AuditDetails": [
        [
          "Attempt to access data was successful.User is authorized to access alarmconfig"
        ]
      ],
      "AppID": [
        [
          "Cisco Tomcat"
        ]
      ],
      "ClusterID": [
        [
          ""
        ]
      ],
      "NodeID": [
        [
          "cm01.home.local"
        ]
      ],
      "description": [
        [
          "Audit Event is generated by this application "
        ]
      ]
    }
    

    【Discussion】:
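
As an added example (not code from the question or the answer above), here is a Python parser for the same CUCM audit line that reads every `[Key=Value]` pair generically instead of naming each field in the pattern, decodes the syslog `<PRI>`, and flags events whose EventStatus is not Success. The second sample line is constructed to give the filter something to flag, and the function names `parse_cucm_audit` and `failed_access` are mine.

```python
import re
from datetime import datetime, timezone

# Constructed samples: the line from the question, plus a made-up failed-login
# variant so the filter below has something to flag (not real log data).
SAMPLES = [
    "<190>136768: Dec 23 2019 10:48:59.476 UTC :  %UC_AUDITLOG-6-AdministrativeEvent: "
    "%[UserID=administrator][ClientAddress=192.168.1.5][Severity=6][EventType=UserAccess]"
    "[ResourceAccessed=CUCMServiceability][EventStatus=Success][CompulsoryEvent=No]"
    "[AuditCategory=AdministrativeEvent][ComponentID=Cisco CCM Servicability][CorrelationID=]"
    "[AuditDetails=Attempt to access data was successful.User is authorized to access alarmconfig]"
    "[AppID=Cisco Tomcat][ClusterID=][NodeID=cm01.home.local]: Audit Event is generated by this application ",
    "<190>136769: Dec 23 2019 10:49:03.001 UTC :  %UC_AUDITLOG-6-AdministrativeEvent: "
    "%[UserID=guest][ClientAddress=10.0.0.9][Severity=6][EventType=UserAccess][EventStatus=Failure]"
    "[AuditDetails=Login failed][AppID=Cisco Tomcat][NodeID=cm01.home.local]: Audit Event is generated",
]

# <PRI>, CUCM sequence, timestamp + zone (zone is followed by " :"), %FACILITY-SEV-MNEMONIC,
# the %[k=v][k=v]... block, then free text.
HEADER = re.compile(
    r"^<(?P<pri>\d+)>(?P<seq>\d+):\s+"
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}(?:\.\d+)?) (?P<tz>\S+)\s*:\s+"
    r"%(?P<facility>[A-Z_]+)-(?P<sev>\d)-(?P<mnemonic>\w+):\s+"
    r"%(?P<kv>(?:\[[^\]]*\])+):\s*(?P<description>.*)$"
)
KV = re.compile(r"\[([^=\]]+)=([^\]]*)\]")  # value may be empty, e.g. [ClusterID=]


def parse_cucm_audit(line: str) -> dict:
    """Parse one CUCM audit line; raise ValueError if the header does not match."""
    m = HEADER.match(line)
    if not m:
        raise ValueError("not a CUCM audit log line")
    pri = int(m["pri"])
    fmt = "%b %d %Y %H:%M:%S" + (".%f" if "." in m["ts"] else "")
    ts = datetime.strptime(m["ts"], fmt)
    if m["tz"] == "UTC":
        ts = ts.replace(tzinfo=timezone.utc)
    return {
        "syslog_facility": pri // 8,   # <190> -> 23 (local7)
        "syslog_severity": pri % 8,    # <190> -> 6 (informational)
        "sequence": int(m["seq"]),
        "timestamp": ts,
        "mnemonic": f"%{m['facility']}-{m['sev']}-{m['mnemonic']}",
        "description": m["description"].strip(),
        "fields": dict(KV.findall(m["kv"])),  # every [Key=Value], no per-key pattern
    }


def failed_access(lines):
    """(UserID, ClientAddress) for each event whose EventStatus is not Success."""
    events = (parse_cucm_audit(ln) for ln in lines)
    return [(e["fields"]["UserID"], e["fields"]["ClientAddress"])
            for e in events if e["fields"].get("EventStatus") != "Success"]
```

Because the bracketed block is parsed as a dictionary, a new key added by a later CUCM release appears as a field automatically, whereas the per-field grok pattern above would stop matching the whole line.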
