logstash - Logstash Grok for Cisco Call Manager logs
Question
I'm working on getting Call Manager logging into logstash and I need some help with the log parser. Can anyone help me come up with a grok pattern for the following log entry:
<190>136768: Dec 23 2019 10:48:59.476 UTC : %UC_AUDITLOG-6-AdministrativeEvent: %[UserID=administrator][ClientAddress=192.168.1.5][Severity=6][EventType=UserAccess][ResourceAccessed=CUCMServiceability][EventStatus=Success][CompulsoryEvent=No][AuditCategory=AdministrativeEvent][ComponentID=Cisco CCM Servicability][CorrelationID=][AuditDetails=Attempt to access data was successful.User is authorized to access alarmconfig][AppID=Cisco Tomcat][ClusterID=][NodeID=cm01.home.local]: Audit Event is generated by this application
I'm trying to use the Grok debugger but I'm not getting very far https://grokdebug.herokuapp.com/
So far I have this:
<%{NUMBER:message_type_id}>%{NUMBER:internal_id}:%{SPACE}%{CISCOTIMESTAMP:cisco_timestamp}%{SPACE}%{DATA:gmt}:%{SPACE}%{PROG}:
Answer
Try this:
Input:
<190>136768: Dec 23 2019 10:48:59.476 UTC : %UC_AUDITLOG-6-AdministrativeEvent: %[UserID=administrator][ClientAddress=192.168.1.5][Severity=6][EventType=UserAccess][ResourceAccessed=CUCMServiceability][EventStatus=Success][CompulsoryEvent=No][AuditCategory=AdministrativeEvent][ComponentID=Cisco CCM Servicability][CorrelationID=][AuditDetails=Attempt to access data was successful.User is authorized to access alarmconfig][AppID=Cisco Tomcat][ClusterID=][NodeID=cm01.home.local]: Audit Event is generated by this application
GROK pattern:
<%{NUMBER:message_type_id}>%{NUMBER:internal_id}:%{SPACE}%{CISCOTIMESTAMP:cisco_timestamp}%{SPACE}%{DATA:gmt}%{SPACE}:%{SPACE}%{PROG}:%{SPACE}\%\[UserID=%{GREEDYDATA:UserID}\]\[ClientAddress=%{IP:ClientAddress}\]\[Severity=%{NUMBER:Severity}\]\[EventType=%{GREEDYDATA:EventType}\]\[ResourceAccessed=%{GREEDYDATA:ResourceAccessed}\]\[EventStatus=%{GREEDYDATA:EventStatus}\]\[CompulsoryEvent=%{GREEDYDATA:CompulsoryEvent}\]\[AuditCategory=%{GREEDYDATA:AuditCategory}\]\[ComponentID=%{GREEDYDATA:ComponentID}\]\[CorrelationID=%{GREEDYDATA:CorrelationID}\]\[AuditDetails=%{GREEDYDATA:AuditDetails}\]\[AppID=%{GREEDYDATA:AppID}\]\[ClusterID=%{GREEDYDATA:ClusterID}\]\[NodeID=%{GREEDYDATA:NodeID}\]:%{SPACE}%{GREEDYDATA:description}
Output:
{
  "message_type_id": [["190"]],
  "BASE10NUM": [["190", "136768", "6"]],
  "internal_id": [["136768"]],
  "SPACE": [[" ", " ", " ", " ", " ", " "]],
  "cisco_timestamp": [["Dec 23 2019 10:48:59.476"]],
  "MONTH": [["Dec"]],
  "MONTHDAY": [["23"]],
  "YEAR": [["2019"]],
  "TIME": [["10:48:59.476"]],
  "HOUR": [["10"]],
  "MINUTE": [["48"]],
  "SECOND": [["59.476"]],
  "gmt": [["UTC"]],
  "PROG": [["%UC_AUDITLOG-6-AdministrativeEvent"]],
  "UserID": [["administrator"]],
  "ClientAddress": [["192.168.1.5"]],
  "IPV6": [[null]],
  "IPV4": [["192.168.1.5"]],
  "Severity": [["6"]],
  "EventType": [["UserAccess"]],
  "ResourceAccessed": [["CUCMServiceability"]],
  "EventStatus": [["Success"]],
  "CompulsoryEvent": [["No"]],
  "AuditCategory": [["AdministrativeEvent"]],
  "ComponentID": [["Cisco CCM Servicability"]],
  "CorrelationID": [[""]],
  "AuditDetails": [["Attempt to access data was successful.User is authorized to access alarmconfig"]],
  "AppID": [["Cisco Tomcat"]],
  "ClusterID": [[""]],
  "NodeID": [["cm01.home.local"]],
  "description": [["Audit Event is generated by this application "]]
}
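The following is an added example and is not part of the original question or answer: a stand-alone Python parser for the same CUCM UC_AUDITLOG line layout that the grok pattern above targets. It differs from the posted pattern in two deliberate ways. The `%[Key=Value][Key=Value]...` body is parsed generically, so audit lines carrying a different or reordered set of keys still yield their fields instead of failing the whole match. Each value is matched with `[^\]]*` rather than `GREEDYDATA`; with fourteen chained greedy captures the regex engine backtracks on every event, which is noticeably slow in Logstash at volume, and the bounded class also makes empty values such as `CorrelationID=` unambiguous. The syslog `<PRI>` is decoded as well (190 is facility 23, local7, severity 6, informational). The first sample line is the one from the question; the second is a constructed, hypothetical failed-access event whose field names are CUCM's but whose values are made up.

```python
"""Parser for Cisco Unified CM (CUCM) UC_AUDITLOG syslog lines.

Added example, not code from the original post. Field names follow the
question's sample line; the second sample line below is constructed.
"""
import re
from datetime import datetime, timezone

# Constructed sample input: line 1 is the question's line, line 2 is a
# hypothetical failed-access event in the same format (values made up).
SAMPLE_LINES = [
    "<190>136768: Dec 23 2019 10:48:59.476 UTC : %UC_AUDITLOG-6-AdministrativeEvent: "
    "%[UserID=administrator][ClientAddress=192.168.1.5][Severity=6][EventType=UserAccess]"
    "[ResourceAccessed=CUCMServiceability][EventStatus=Success][CompulsoryEvent=No]"
    "[AuditCategory=AdministrativeEvent][ComponentID=Cisco CCM Servicability][CorrelationID=]"
    "[AuditDetails=Attempt to access data was successful.User is authorized to access alarmconfig]"
    "[AppID=Cisco Tomcat][ClusterID=][NodeID=cm01.home.local]: Audit Event is generated by this application",
    "<190>136769: Dec 23 2019 10:49:12.001 UTC : %UC_AUDITLOG-6-AdministrativeEvent: "
    "%[UserID=administrator][ClientAddress=192.168.1.77][Severity=6][EventType=UserAccess]"
    "[ResourceAccessed=CUCMServiceability][EventStatus=Failure][CompulsoryEvent=No]"
    "[AuditCategory=AdministrativeEvent][ComponentID=Cisco CCM Servicability][CorrelationID=]"
    "[AuditDetails=Attempt to access data was unsuccessful.User is not authorized]"
    "[AppID=Cisco Tomcat][ClusterID=][NodeID=cm01.home.local]: Audit Event is generated by this application",
]

# Header layout: <PRI>seq: Mon DD YYYY HH:MM:SS.mmm TZ : %FAC-SEV-MNEMONIC: %[k=v]...: description
# The body is captured as one run of [..] groups; '[^\]]*' keeps every capture
# bounded so the engine never backtracks across field boundaries.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<seq>\d+):\s+"
    r"(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}(?:\.\d+)?)\s+(?P<tz>\S+)\s*:\s+"
    r"%(?P<prog>[A-Z0-9_]+-\d-[A-Za-z0-9_]+):\s+"
    r"%(?P<body>(?:\[[^\]]*\])+):\s*(?P<description>.*)$"
)
# One [Key=Value] pair; the value may be empty (e.g. CorrelationID=).
KV_RE = re.compile(r"\[(?P<key>[^=\]]+)=(?P<value>[^\]]*)\]")


def _parse_timestamp(ts, tz):
    """Turn 'Dec 23 2019 10:48:59.476' + 'UTC' into an aware datetime.
    Only UTC is mapped to a tzinfo; other zone strings are left naive."""
    fmt = "%b %d %Y %H:%M:%S.%f" if "." in ts else "%b %d %Y %H:%M:%S"
    dt = datetime.strptime(ts, fmt)
    return dt.replace(tzinfo=timezone.utc) if tz == "UTC" else dt


def parse_cucm_audit(line):
    """Parse one UC_AUDITLOG line into a dict, or return None if the header
    does not match (so a Logstash-style _grokparsefailure can be emitted)."""
    m = HEADER_RE.match(line)
    if m is None:
        return None
    pri = int(m.group("pri"))
    fields = {kv.group("key"): kv.group("value") for kv in KV_RE.finditer(m.group("body"))}
    return {
        "syslog_facility": pri >> 3,   # 190 >> 3 == 23 (local7)
        "syslog_severity": pri & 7,    # 190 & 7 == 6 (informational)
        "sequence": int(m.group("seq")),
        "timestamp": _parse_timestamp(m.group("ts"), m.group("tz")),
        "program": m.group("prog"),
        "fields": fields,
        "description": m.group("description").strip(),
    }


def failed_access(events):
    """Return (UserID, ClientAddress, ResourceAccessed) for every parsed event
    whose EventStatus is anything other than Success. Counting these per
    ClientAddress is the usual next step for an alert on CUCM admin abuse."""
    hits = []
    for ev in events:
        if ev is None:
            continue
        f = ev["fields"]
        if f.get("EventStatus") != "Success":
            hits.append((f.get("UserID"), f.get("ClientAddress"), f.get("ResourceAccessed")))
    return hits


if __name__ == "__main__":
    parsed = [parse_cucm_audit(line) for line in SAMPLE_LINES]
    for ev in parsed:
        print(ev["sequence"], ev["timestamp"].isoformat(), ev["fields"]["UserID"],
              ev["fields"]["ClientAddress"], ev["fields"]["EventStatus"])
    print("non-success events:", failed_access(parsed))
```

If you want to stay with the posted grok in Logstash, the same bounding can be applied there: grok accepts inline Oniguruma named captures, so each `%{GREEDYDATA:X}` inside the brackets can be replaced by `(?<X>[^\]]*)`, which removes the backtracking without changing the extracted fields.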