_grokparsefailure tag on every parsed log line when using multiple grok filters



I am trying to parse Minecraft logs with the Elastic Stack and I have run into a very strange problem (strange to me, at least!).

Every line of my log is parsed correctly, but every line also gets the _grokparsefailure tag.

My logstash pipeline config is this:

input {
  file {
    path => [ "/path/to/my/log" ]
    #start_position => "beginning"
    tags => ["minecraft"]
  }
}
filter {
  if "minecraft" in [tags] {
    #    mutate {
    #      gsub => [
    #        "message", "\n", ""
    #      ]
    #    }

    #############################
    #           Num 1           #
    #############################
    # Splits the line header; the literal brackets are escaped so grok does not
    # read them as character classes.
    grok {
      match => [ "message", "\[%{TIME:timestamp}\] \[(?<originator>[^/]+)?/%{LOGLEVEL:level}\]: %{GREEDYDATA:message}" ]
      overwrite => [ "message" ]
      break_on_match => false
    }

    #############################
    #           Num 2           #
    #############################
    grok {
      match => [ "message", "UUID of player %{USERNAME} is %{UUID}" ]
      add_tag => [ "player", "uuid" ]
      break_on_match => true
    }

    #############################
    #           Num 3           #
    #############################
    grok {
      match => [ "message",  "\A(?<player>[a-zA-Z0-9_]+)\[/%{IPV4:ip_address}:%{POSINT}\] logged in with entity id %{POSINT:entity_id} at \(\[(?<world>[a-zA-Z]+)\](?<pos>[^)]+)\)\Z" ]
      add_tag => [ "player", "join" ]
      break_on_match => true
    }
    #
    #    grok {
    #      match => [ "message",  "^(?<player>[a-zA-Z0-9_]+) has just earned the achievement \[(?<achievement>[^\[]+)\]$" ]
    #      add_tag => [ "player", "achievement" ]
    #    }
    #
    #    grok {
    #      match => [ "message", "^(?<player>[a-zA-Z0-9_]+) left the game$" ]
    #      add_tag => [ "player", "part" ]
    #    }
    #
    #    grok {
    #      match => [ "message", "^<(?<player>[a-zA-Z0-9_]+)> .*$" ]
    #      add_tag => [ "player", "chat" ]
    #    }
  }
}
output {
  elasticsearch {
    hosts => ["elasticsearch:xxxx"]
    user => "xxxx"
    password => "xxxxxx"
    index => "minecraft_s1v15_%{+YYYY.MM.dd}"
  }
}

A sample of my log is:

[11:21:46] [User Authenticator #7/INFO]: UUID of player MyAwsomeUsername is d800b63e-c2d2-3140-83a7-32315d09feca
[11:21:46] [Server thread/INFO]: MyAwsomeUsername joined the game
[11:21:46] [Server thread/INFO]: MyAwsomeUsername[/111.111.111.111:45140] logged in with entity id 6868 at ([world]61.45686149445207, 70.9375, -175.44700729217607)
[11:21:49] [Server thread/INFO]: MyAwsomeUsername issued server command: //efererg
[11:21:52] [Async Chat Thread - #1/INFO]: <MyAwsomeUsername> egerg
[11:21:54] [Async Chat Thread - #1/INFO]: <MyAwsomeUsername> ef
[12:00:19] [Server thread/INFO]: MyAwsomeUsername lost connection: Disconnected
[12:00:19] [Server thread/INFO]: MyAwsomeUsername left the game
[12:00:21] [User Authenticator #8/INFO]: UUID of player MyAwsomeUsername is d800b63e-c2d2-3140-83a7-32315d09feca
[12:00:21] [Server thread/INFO]: MyAwsomeUsername joined the game
[12:00:21] [Server thread/INFO]: MyAwsomeUsername[/111.111.111.111:45470] logged in with entity id 11767 at ([world]61.45686149445207, 70.9375, -175.44700729217607)
[12:00:27] [Server thread/INFO]: MyAwsomeUsername issued server command: /wgergerger
[12:00:29] [Async Chat Thread - #2/INFO]: <MyAwsomeUsername> gerg
[12:00:33] [Async Chat Thread - #2/INFO]: <MyAwsomeUsername> gerger
[12:00:35] [Async Chat Thread - #2/INFO]: <MyAwsomeUsername> rerg
[12:00:37] [Server thread/INFO]: MyAwsomeUsername lost connection: Disconnected
[12:00:37] [Server thread/INFO]: MyAwsomeUsername left the game
[12:00:38] [User Authenticator #8/INFO]: UUID of player MyAwsomeUsername is d800b63e-c2d2-3140-83a7-32315d09feca
[12:00:38] [Server thread/INFO]: MyAwsomeUsername joined the game
[12:00:38] [Server thread/INFO]: MyAwsomeUsername[/111.111.111.111:45476] logged in with entity id 11793 at ([world]62.97573252632079, 71.0, -179.01739415148737)
[12:00:40] [Server thread/INFO]: MyAwsomeUsername lost connection: Disconnected
[12:00:40] [Server thread/INFO]: MyAwsomeUsername left the game
[12:00:51] [User Authenticator #8/INFO]: UUID of player MyAwsomeUsername is d800b63e-c2d2-3140-83a7-32315d09feca
[12:00:51] [Server thread/INFO]: MyAwsomeUsername joined the game
[12:00:51] [Server thread/INFO]: MyAwsomeUsername[/111.111.111.111:45486] logged in with entity id 11805 at ([world]62.97573252632079, 71.0, -179.01739415148737)
[12:00:55] [Server thread/INFO]: MyAwsomeUsername lost connection: Disconnected
[12:00:55] [Server thread/INFO]: MyAwsomeUsername left the game

Explanation:

I commented out the other groks to explain the problem more simply (the problem is exactly the same when they are uncommented).

I tested 3 cases:

  1. Groks 2 and 3 (and the others) commented out, only 1 active. In this case every line of the log is parsed and none of the records gets _grokparsefailure.
  2. Only grok 3 (and the others) commented out, 1 and 2 active. In this case the log lines that match grok number 2 are parsed without _grokparsefailure, while the other lines get _grokparsefailure. This still makes sense.
  3. In the last case I uncommented all 3 groks (1, 2 and 3 active), and every line of the log is parsed BUT with _grokparsefailure! Even though break_on_match is true by default.

I read some other questions on stackoverflow similar to mine: similar question 1. I added the mutate block before the grok filters (in case every line of the log ends with \n), but nothing changed and the problem is still there!

Another thing I think I need to mention: I know that adding more groks next to grok 2 (3 and the others) will cause this tag, because some log lines do not match grok 2 at all and they have to be wrapped in conditionals. But for now, at least the log lines that match grok 2 should be fine (no _grokparsefailure), and they are not! (Read in the stackoverflow question: similar question 2)

Actually, this is the expected behavior; you are a bit confused about how logstash and grok work.

First, all filters are independent of each other. Using break_on_match in a grok only affects that grok; it has no effect on the other grok filters that come later in the pipeline. break_on_match also only makes sense when you have multiple patterns in the same grok, which is not your case.

Second, since Logstash is sequential and you are not using any conditionals, your grok filters are applied to every message in the pipeline regardless of whether it has already been parsed. This is what causes your lines to get _grokparsefailure.

To solve this you need to use conditionals.

You do not need a conditional on the first two grok filters: the first one just takes the different parts of the log line and overwrites the message field, and the second one will just be your first test. For every grok after the second one you need the following config.

if "_grokparsefailure" in [tags] {
  grok {
    match => "your pattern"
    add_tag => "your tags"
    remove_tag => ["_grokparsefailure"]
  }
}

This grok will only be applied when the message has _grokparsefailure in its tags field. If the message matches your pattern, the tag is removed; if it does not match, the tag stays and the message can be tested by the following steps.

In the end, your grok config should look like this.

grok {
  "your first grok"
}
grok {
  "your second grok, can be any of the others"
}
if "_grokparsefailure" in [tags] {
  grok {
    "your grok N"
    remove_tag => ["_grokparsefailure"]
  }
}

This is only needed because you are adding different tags for each message. If you move that logic into a mutate filter, for example, you could use only two grok filters, the second one being a multi-pattern grok with break_on_match set to true:

grok {
  match => {
    "message" => [
      "pattern from grok 2",
      "pattern from grok 3",
      "pattern from grok N"
    ]
  }
  break_on_match => true
}
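To make the answer's point concrete, here is an added Python model of the three filter layouts (the question's unconditional chain, the answer's conditional chain, and the single multi-pattern grok) run over five lines taken from the log sample above. It is example code written for this page, not Logstash's own code and not from the question or the answer. It assumes hand-simplified Python-regex equivalents of the question's grok patterns (%{TIME}, %{UUID}, %{IPV4} and the rest expanded by hand, Oniguruma's (?<name>...) written as (?P<name>...)) and a minimal model of grok's add_tag / remove_tag / tag_on_failure behaviour; only the tagging logic matters here, not the exact pattern library.

```python
import re

# Five lines copied from the question's log sample (IP and UUID as posted there).
SAMPLE_LOG = [
    "[11:21:46] [User Authenticator #7/INFO]: UUID of player MyAwsomeUsername is d800b63e-c2d2-3140-83a7-32315d09feca",
    "[11:21:46] [Server thread/INFO]: MyAwsomeUsername joined the game",
    "[11:21:46] [Server thread/INFO]: MyAwsomeUsername[/111.111.111.111:45140] logged in with entity id 6868 at ([world]61.45686149445207, 70.9375, -175.44700729217607)",
    "[11:21:52] [Async Chat Thread - #1/INFO]: <MyAwsomeUsername> egerg",
    "[12:00:19] [Server thread/INFO]: MyAwsomeUsername left the game",
]

# Hand-expanded Python equivalents of the question's three grok patterns (assumption:
# %{TIME}, %{LOGLEVEL}, %{USERNAME}, %{UUID}, %{IPV4} and %{POSINT} are simplified,
# and Oniguruma's (?<name>...) is written as Python's (?P<name>...)).
HEADER = re.compile(
    r"\[(?P<timestamp>\d{2}:\d{2}:\d{2})\] \[(?P<originator>[^/]+)?/(?P<level>[A-Z]+)\]: (?P<message>.*)"
)
UUID_LINE = re.compile(  # the question's grok 2; it names no fields, so names are added here
    r"UUID of player (?P<player>[a-zA-Z0-9._-]+) is "
    r"(?P<uuid>[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12})"
)
JOIN_LINE = re.compile(  # the question's grok 3
    r"\A(?P<player>[a-zA-Z0-9_]+)\[/(?P<ip_address>(?:\d{1,3}\.){3}\d{1,3}):\d+\] logged in with "
    r"entity id (?P<entity_id>\d+) at \(\[(?P<world>[a-zA-Z]+)\](?P<pos>[^)]+)\)\Z"
)

FAILURE_TAG = "_grokparsefailure"  # grok's default tag_on_failure


def grok(event, patterns, add_tag=(), remove_tag=(), overwrite=()):
    """Minimal model of one Logstash grok filter.

    Patterns are tried in order and the first hit wins (break_on_match => true);
    add_tag/remove_tag apply only on a hit, and a miss adds tag_on_failure.  As in
    Logstash, a captured field that already exists becomes an array unless it is
    listed in overwrite.
    """
    for pat in patterns:
        m = pat.search(event["message"])
        if not m:
            continue
        for name, value in m.groupdict().items():
            if value is None:
                continue
            if name in event and name not in overwrite:
                old = event[name]
                event[name] = (old if isinstance(old, list) else [old]) + [value]
            else:
                event[name] = value
        for t in add_tag:
            if t not in event["tags"]:
                event["tags"].append(t)
        for t in remove_tag:
            if t in event["tags"]:
                event["tags"].remove(t)
        return True
    if FAILURE_TAG not in event["tags"]:
        event["tags"].append(FAILURE_TAG)
    return False


def new_event(line):
    # The file input tags every event with "minecraft" before the filter block runs.
    return {"message": line, "tags": ["minecraft"]}


def pipeline_original(line):
    """The question's filter block: three independent groks, no conditionals."""
    ev = new_event(line)
    grok(ev, [HEADER], overwrite=("message",))
    grok(ev, [UUID_LINE], add_tag=("player", "uuid"))
    grok(ev, [JOIN_LINE], add_tag=("player", "join"))
    return ev


def pipeline_conditional(line):
    """The answer's fix: each grok after the second runs only while the event
    still carries _grokparsefailure, and clears it on a match."""
    ev = new_event(line)
    grok(ev, [HEADER], overwrite=("message",))
    grok(ev, [UUID_LINE], add_tag=("player", "uuid"))
    if FAILURE_TAG in ev["tags"]:
        grok(ev, [JOIN_LINE], add_tag=("player", "join"), remove_tag=(FAILURE_TAG,))
    return ev


def pipeline_multipattern(line):
    """The answer's alternative: one grok holding all message patterns, so only a
    message matching none of them is tagged (one shared add_tag for all)."""
    ev = new_event(line)
    grok(ev, [HEADER], overwrite=("message",))
    grok(ev, [UUID_LINE, JOIN_LINE], add_tag=("player",))
    return ev


def failure_lines(pipeline, lines=SAMPLE_LOG):
    """Indexes of the lines that leave the pipeline tagged _grokparsefailure."""
    return [i for i, line in enumerate(lines) if FAILURE_TAG in pipeline(line)["tags"]]


if __name__ == "__main__":
    for p in (pipeline_original, pipeline_conditional, pipeline_multipattern):
        print(f"{p.__name__:22s} failures on lines {failure_lines(p)}")
```

Run as a script, the original layout reports a failure on all five lines, because every line misses at least one of the two message groks; the conditional chain and the multi-pattern grok both report failures only on lines 1, 3 and 4, the "joined the game", chat and "left the game" lines that no message pattern covers. Those are exactly the lines that still need a pattern of their own (or a final conditional that drops the tag on purpose).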
