1. Tools used in this document:
Visualization: kibana_6.7.1
Data storage: elasticsearch-6.7.1
Log collection: filebeat-6.7.1
The tool used below to simulate log data ingestion is:
Kibana >> Dev Tools >> Console
2. Two sample data records
Sample 1 is the abnormal data format (it does not match the pipeline's grok pattern):
2022-02-16 18:15:11 10.10.11.2 os[7028]: 2022 RAC:root login from 172.17.199.200
Sample 2 is the normal, required data format:
2022-02-19 10:56:37 10.10.80.18 Severity: Informational, Category: Storage, MessageID: CTL37, Message: A Patrol Read operation started for RAID Controller in Slot 7
3. Initial pipeline rule definition
PUT /_ingest/pipeline/idrac-pipeline_v2?pretty
{
  "description" : "Pipeline for parsing idrac logs.",
  "processors" : [
    {
      "grok" : {
        "field" : "_source.message",
        "patterns" : [
          "%{MY_DATETIME:time} %{IPORHOST:server_ip} Severity: %{DATA:Severity}, Category: %{DATA:Category}, MessageID: %{DATA:MessageID}, Message: %{GREEDYDATA:Message}"
        ],
        "pattern_definitions" : {
          "MY_DATE" : "%{YEAR}[/-]%{MONTHNUM}[/-]%{MONTHDAY}",
          "MY_TIME" : "[0-9][0-9]:[0-9][0-9]:[0-9][0-9]",
          "MY_DATETIME" : "%{MY_DATE} %{MY_TIME}"
        }
      }
    },
    {
      "date" : {
        "field" : "time",
        "target_field" : "@timestamp",
        "formats" : [
          "yyyy-MM-dd HH:mm:ss||yyyy-MM-dd||yyyy/MM/dd||yyy
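To see what the grok and date processors above do to the two sample lines without an Elasticsearch cluster, here is an added Python example (not code from the page or from Elastic). It expands the pipeline's grok pattern and its pattern_definitions into a Python regex and then applies the visible date formats. The built-in grok patterns (YEAR, MONTHNUM, MONTHDAY, IPORHOST, DATA, GREEDYDATA) are simplified approximations written for this example, not the exact definitions shipped with Elasticsearch, and only the date formats that are visible on the page are used. Sample 1 yields no match, which in the real pipeline makes the grok processor fail the document unless ignore_failure or on_failure is configured; that matters because sample 1 is a root login event, exactly the kind of line a defender does not want silently dropped.

```python
import re
from datetime import datetime

# Simplified stand-ins for the standard grok library patterns. These are
# approximations written for this example, not the exact definitions that
# ship with Elasticsearch (assumption).
BASE_PATTERNS = {
    "YEAR": r"(?:\d\d){1,2}",
    "MONTHNUM": r"(?:0?[1-9]|1[0-2])",
    "MONTHDAY": r"(?:0[1-9]|[12][0-9]|3[01]|[1-9])",
    "IPV4": r"(?:\d{1,3}\.){3}\d{1,3}",
    "HOSTNAME": r"[0-9A-Za-z][0-9A-Za-z-]{0,62}(?:\.[0-9A-Za-z][0-9A-Za-z-]{0,62})*",
    "DATA": r".*?",
    "GREEDYDATA": r".*",
}
BASE_PATTERNS["IPORHOST"] = "(?:%s|%s)" % (BASE_PATTERNS["IPV4"], BASE_PATTERNS["HOSTNAME"])

# The custom definitions from the pipeline's pattern_definitions, verbatim.
CUSTOM_PATTERNS = {
    "MY_DATE": "%{YEAR}[/-]%{MONTHNUM}[/-]%{MONTHDAY}",
    "MY_TIME": "[0-9][0-9]:[0-9][0-9]:[0-9][0-9]",
    "MY_DATETIME": "%{MY_DATE} %{MY_TIME}",
}

# The grok pattern from the pipeline, verbatim.
GROK_PATTERN = ("%{MY_DATETIME:time} %{IPORHOST:server_ip} Severity: %{DATA:Severity}, "
                "Category: %{DATA:Category}, MessageID: %{DATA:MessageID}, Message: %{GREEDYDATA:Message}")

_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(pattern, definitions):
    """Recursively expand %{NAME} and %{NAME:field} references into a Python regex.
    %{NAME:field} becomes a named capture group so the matched text lands in `field`."""
    def repl(m):
        name, field = m.group(1), m.group(2)
        body = grok_to_regex(definitions[name], definitions)
        return "(?P<%s>%s)" % (field, body) if field else "(?:%s)" % body
    return _REF.sub(repl, pattern)


ALL_PATTERNS = {**BASE_PATTERNS, **CUSTOM_PATTERNS}
IDRAC_REGEX = re.compile(grok_to_regex(GROK_PATTERN, ALL_PATTERNS))

# Only the Java date formats visible on the page, mapped to strptime equivalents.
DATE_FORMATS = ["%Y-%m-%d %H:%M:%S", "%Y-%m-%d", "%Y/%m/%d"]


def run_pipeline(message):
    """Mimic the two processors: grok extracts the fields, date fills @timestamp.
    Returns None when grok does not match (the real grok processor raises an
    error for that document unless ignore_failure or on_failure is set).
    Raises ValueError when grok matched but no date format fits, as the
    date processor would."""
    m = IDRAC_REGEX.search(message)
    if m is None:
        return None
    doc = {"message": message, **m.groupdict()}
    for fmt in DATE_FORMATS:
        try:
            doc["@timestamp"] = datetime.strptime(doc["time"], fmt).isoformat()
            break
        except ValueError:
            continue
    else:
        raise ValueError("date processor: no format matched %r" % doc["time"])
    return doc


# Constructed copies of the two sample lines from the page.
SAMPLE_ABNORMAL = "2022-02-16 18:15:11 10.10.11.2 os[7028]: 2022 RAC:root login from 172.17.199.200"
SAMPLE_NORMAL = ("2022-02-19 10:56:37 10.10.80.18 Severity: Informational, Category: Storage, "
                 "MessageID: CTL37, Message: A Patrol Read operation started for RAID Controller in Slot 7")

if __name__ == "__main__":
    print(run_pipeline(SAMPLE_ABNORMAL))  # None: grok has no match for this line
    print(run_pipeline(SAMPLE_NORMAL))
```

Note that MY_DATE accepts both "-" and "/" as separators, while the visible date formats only pair a time-of-day with the dash form; a line whose timestamp is "2022/02/19 10:56:37" therefore passes grok but fails the date processor under these formats, which is a useful check to run before the pipeline goes into production.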