问题
I am not able to get specific lines from logs file /var/log/messages. I am using logstash-forwarder in client-server and logstash, elasticsearch and kibana in log-server. I tried to install grep filter but it gives me some error so I try to implement below with grok. My original post is here . I found this but m quite unsatisfied.
Following is the configuration for logstash-forwarder file-name: logstash-forwarder in client-server
{
"network": {
"servers": [ "logstashserver-ip:5000" ],
"timeout": 15,
"ssl ca": "xxx.crt"
},
"files": [
{
"paths": [
"/var/log/messages"
],
"fields": { "type": "syslog" }
}
]
}
and following is the logstash configuration in logstashserver
file-name:input.conf
input {
lumberjack {
port => 5000
type => "logs"
ssl_certificate => "xxx.crt"
ssl_key => "xxx.key"
}
}
file-name:filter.conf
filter {
grok {
match => ["message", "\[%{WORD:messagetype}\]: %{GREEDYDATA}"]
}
}
file-name:output.conf
output {
elasticsearch { host => "logstashserver-ip" }
if [messagetype] == "ERROR" {
stdout {
codec => "rubydebug"
}
}
}
Is there anything wrong?
回答1:
Not sure if you're still having this problem, but I'd look at dropping the messages you don't want. On my server, I get syslog severity levels which include syslog_severity_code as defined at http://en.wikipedia.org/wiki/Syslog#Severity_levels.
If you're getting them in your indices, try something like
filter {
if [type] == 'syslog' and [syslog_severity_code] > 5 {
drop { }
}
}
来源:https://stackoverflow.com/questions/25058191/filtering-specific-lines-from-log-file-in-logstash