我从 eset 获取 syslog,在消息字段中所有需要解析并创建单独字段的信息,我编写了在 kibana 的 grokdebuger 中工作的 grok:请告诉我哪里出错了。
消息字段中的信息示例
<13>1 2019-11-22T10:20:31.316Z Server-ESET ERAServer 10160 - - Threat type: trojan Threat name: HTML/ScrInject.B Computer name: XX.YY.ZZ Logged user: ZZ\aa.bb Time of occurrence: 11/22/19, 1:18:56 PM UTC+4 Scanner: HTTP filter Action performed: connection terminated
这是我写的grok:
%{TIMESTAMP_ISO8601:timestamp} %{HOSTNAME:RequestedHost} %{WORD:environment} %{NOTSPACE:ID:string}\s*-\s*-\s*%{WORD} %{WORD}:\s*%{WORD:Tread_Type}\s*%{WORD}\s*%{WORD}:%{GREEDYDATA:Thread_name}Computer%{SPACE}name: %{HOSTNAME:Host} %{WORD} %{WORD}:%{GREEDYDATA:USER}Time%{SPACE}of%{SPACE}occurrence:%{SPACE}%{MONTHNUM}[//]%{MONTHDAY}[//]%{YEAR},%{GREEDYDATA:Time}
配置:
filter
{
if[type] == "syslog" {
if[host] == "xxx.yyy.zzz.ccc" {
grok {
match => {"message" => ["%{TIMESTAMP_ISO8601:timestamp} %{HOSTNAME:RequestedHost} %{WORD:environment} %{NOTSPACE:ID:string}\s*-\s*-\s*%{WORD} %{WORD}:\s*%{WORD:Tread_Type}\s*%{WORD}\s*%{WORD}:%{GREEDYDATA:Thread_name}Computer%{SPACE}name: %{HOSTNAME:Host} %{WORD} %{WORD}:%{GREEDYDATA:USER}Time%{SPACE}of%{SPACE}occurrence:%{SPACE}%{MONTHNUM}[//]%{MONTHDAY}[//]%{YEAR},%{GREEDYDATA:Time}"]}
}
}
}
}
问题出在 Eset 日志中,有一个符号应该跳过了工作 grok
%{TIMESTAMP_ISO8601:timestamp} %{HOSTNAME:RequestedHost} %{WORD:environment} %{NOTSPACE:ID:string}\s*-\s*-\s*\S+ 威胁\s类型:\s %{WORD: Tread_Type}\s威胁\s名称:%{GREEDYDATA:Thread_name}计算机%{SPACE}名称:%{HOSTNAME:Host} %{WORD} %{WORD}:%{GREEDYDATA:USER}时间%{SPACE} of% {SPACE}出现次数:%{SPACE}%{MONTHNUM}[//]%{MONTHDAY}[//]%{YEAR},%{GREEDYDATA:Time}