日志格式化-logstash grok for openstack T版

ceph日志

ceph.conf

样例数据：

2022-10-20 10:19:15.137851 mon.10.50.50.1 (mon.2) 1794601 : audit [DBG] from='mgr.32944897 10.50.50.1:0/92638' entity='mgr.con01' cmd=[{"prefix": "config-key get", "key": "mgr/dashboard/crt"}]: dispatch

grok :

^%{TIMESTAMP_ISO8601:timestamp} %{NOTSPACE:logsource} (%{NOTSPACE:client}) %{NOTSPACE:number} : %{NOTSPACE:cluster} \[%{NOTSPACE:log_level}\] %{GREEDYDATA:log_message}

格式化输出：

{"number": "1794601","cluster": "audit","log_level": "DBG","client": "mon.2","log_message": "from='mgr.32944897 10.50.50.1:0/92638' entity='mgr.con01' cmd=[{"prefix": "config-key get", "key": "mgr/dashboard/crt"}]: dispatch","logsource": "mon.10.50.50.1","timestamp": "2022-10-20 10:19:15.137851"}

ceph-mds.*.log

ceph-osd.*.log

ceph-mon.*.log

ceph-mgr.*.log

样例数据：

2022-10-20 11:33:18.651 7f89f322f700 0 log_channel(audit) log [DBG] : from='mgr.34246129 10.50.50.2:0/27781' entity='mgr.con02' cmd=[{"prefix": "config-key get", "key": "mgr/dashboard/crt"}]: dispatch

grok：

^%{TIMESTAMP_ISO8601:timestamp} %{NOTSPACE}%{SPACE}+%{GREEDYDATA:log_message}

格式化输出：

{"log_message": "0 log_channel(audit) log [DBG] : from='mgr.34246129 10.50.50.2:0/27781' entity='mgr.con02' cmd=[{"prefix": "config-key get", "key": "mgr/dashboard/crt"}]: dispatch","timestamp": "2022-10-20 11:33:18.651"}

nova

nova-api

样例数据：

2022-10-20 13:44:43.892 38 INFO nova.metadata.wsgi.server [-] 10.50.1.1,10.50.1.3 "GET / HTTP/1.1" status: 200 len: 215 time: 0.0004249

grok:

^%{TIMESTAMP_ISO8601:timestamp} %{NUMBER:pid} (?<log_level>AUDIT|CRITICAL|DEBUG|INFO|TRACE|WARNING|ERROR) %{NOTSPACE:program} \[-\] %{NOTSPACE:client_ip} "%{WORD:verb} %{NOTSPACE:request} HTTP/%{NOTSPACE:httpversion}" status: %{NUMBER:response} len: %{NUMBER:bytes} time: %{GREEDYDATA:time}

格式化输出：

样例数据：

2022-10-20 13:44:43.437 34 INFO nova.osapi_compute.wsgi.server [req-d8c697a4-e347-4a94-8c7c-3eea76d0895b 3bb358a361e745fb85f6d3fd743b7fd0 a906e997a53d4721b7f46db6eba20c20 - default default] [None] 10.50.1.1,10.50.1.3 "GET /v2.1/servers/detail?all_tenants=True&limit=100&marker=827167c7-dc70-4dc9-a7b2-94faddaa8a9e HTTP/1.1" status: 200 len: 371715 time: 1.4381750

grok：

^%{TIMESTAMP_ISO8601:timestamp} %{NUMBER:pid} (?<log_level>AUDIT|CRITICAL|DEBUG|INFO|TRACE|WARNING|ERROR) %{NOTSPACE:program} \[req-%{NOTSPACE:request_id} %{NOTSPACE:user_id} %{NOTSPACE:project_id} - %{NOTSPACE:user_domain} %{NOTSPACE:project_domain}\] \[None\] %{NOTSNPACE:client_ip} \"%{WORD:verb} %{NOTSPACE:request} HTTP\/%{NOTSPACE:httpversion}\" status: %{NUMBER:response} len: %{NUMBER:bytes} time: %{GREEDYDATA:time}

格式化输出：​​​​​​​

{"request": "/v2.1/servers/detail?all_tenants=True&limit=100&marker=827167c7-dc70-4dc9-a7b2-94faddaa8a9e","log_level": "INFO","verb": "GET","pid": "34","program": "nova.osapi_compute.wsgi.server","user_id": "3bb358a361e745fb85f6d3fd743b7fd0","project_id": "a906e997a53d4721b7f46db6eba20c20","user_domain": "default","response": "200","bytes": "371715","client_ip": "10.50.1.1,10.50.1.3","httpversion": "1.1","time": "1.4381750","project_domain": "default","request_id": "d8c697a4-e347-4a94-8c7c-3eea76d0895b","timestamp": "2022-10-20 13:44:43.437"}

样例数据：

2022-10-16 03:30:10.407 34 INFO nova.api.openstack.wsgi [req-29ae1023-fe48-4852-ba6e-701f7ab6f158 3a7b7e7887f14b8e80df8af8a75bed63 9cd1bb672bee48fb870809a1383c392f - default default] [None] HTTP exception thrown: Instance b679b8ba-0baf-472c-92fe-b02b915e304f could not be found.

grok:

^%{TIMESTAMP_ISO8601:timestamp} %{NUMBER:pid} (?<log_level>AUDIT|CRITICAL|DEBUG|INFO|TRACE|WARNING|ERROR) %{NOTSPACE:program} \[req-%{NOTSPACE:request_id} %{NOTSPACE:user_id} %{NOTSPACE:project_id} - %{NOTSPACE:user_domain} %{NOTSPACE:project_domain}\] \[None\] %{GREEDYDATA:log_message}

格式化输出：

{"log_level": "INFO","pid": "34","program": "nova.api.openstack.wsgi","user_id": "3a7b7e7887f14b8e80df8af8a75bed63","project_id": "9cd1bb672bee48fb870809a1383c392f","user_domain": "default","log_message": "[None] HTTP exception thrown: Instance b679b8ba-0baf-472c-92fe-b02b915e304f could not be found.","project_domain": "default","request_id": "29ae1023-fe48-4852-ba6e-701f7ab6f158","timestamp": "2022-10-16 03:30:10.407"}

nova-conductor

nova-scheduler

nova-manage

nova-novncproxy

nova-serialproxy

样例数据：

2022-10-20 09:08:34.477 28 ERROR nova.servicegroup.drivers.db File "/var/lib/kolla/venv/lib64/python2.7/site-packages/sqlalchemy/engine/base.py", line 1755, in _do_commit

grok：

^%{TIMESTAMP_ISO8601:timestamp} %{NUMBER:pid} (?<log_level>AUDIT|CRITICAL|DEBUG|INFO|TRACE|WARNING|ERROR) %{NOTSPACE:program} %{GREEDYDATA:log_message}

格式化输出:​​​​​​​

{"log_level": "ERROR","pid": "28","log_message": " File "/var/lib/kolla/venv/lib64/python2.7/site-packages/sqlalchemy/engine/base.py", line 1755, in _do_commit","program": "nova.servicegroup.drivers.db","timestamp": "2022-10-20 09:08:34.477"}

nova-compute

样例数据：

2022-07-19 04:00:00.370 7 WARNING nova.compute.resource_tracker [req-11063cba-02c2-46ff-8007-7b55caabb757 - - - - -] [None] Instance 4595032d-8b24-4b7c-ab50-e72e53f83a96 has been moved to another host con03.vim1.local(con03.vim1.local). There are allocations remaining against the source host that might need to be removed: {u'resources': {u'VCPU': 2, u'MEMORY_MB': 4096}}.

grok：

^%{TIMESTAMP_ISO8601:timestamp} %{NUMBER:pid} (?<log_level>AUDIT|CRITICAL|DEBUG|INFO|TRACE|WARNING|ERROR) %{NOTSPACE:program} \[req-%{NOTSPACE:request_id} .*\] %{GREEDYDATA:log_message}

格式化输出：​​​​​​​

{"log_level": "WARNING","pid": "7","log_message": "Instance 4595032d-8b24-4b7c-ab50-e72e53f83a96 has been moved to another host con03.vim1.local(con03.vim1.local). There are allocations remaining against the source host that might need to be removed: {u'resources': {u'VCPU': 2, u'MEMORY_MB': 4096}}.","program": "nova.compute.resource_tracker","request_id": "11063cba-02c2-46ff-8007-7b55caabb757","timestamp": "2022-07-19 04:00:00.370"}

neutron

neutron-dhcp-agent

neutron-l3-agent

neutron-openvswitch-agent

neutron-metadata-agent

neutron-server

样例数据：

2022-10-15 01:14:26.224 114454 INFO neutron.agent.dhcp.agent [req-27f694d1-eab9-4052-8219-d7a6bec17c48 - - - - -] [None] Agent has just been revived. Scheduling full sync

grok：

^%{TIMESTAMP_ISO8601:timestamp} %{NUMBER:pid} (?<log_level>AUDIT|CRITICAL|DEBUG|INFO|TRACE|WARNING|ERROR) %{NOTSPACE:program} \[req-%{NOTSPACE:request_id} %{NOTSPACE:user_id} %{NOTSPACE:project_id} - %{NOTSPACE:user_domain} %{NOTSPACE:project_domain}\] %{GREEDYDATA:log_message}

格式化输出：​​​​​​​

{"log_level": "INFO","pid": "114454","program": "neutron.agent.dhcp.agent","user_id": "-","project_id": "-","user_domain": "-","log_message": "[None] Agent has just been revived. Scheduling full sync","project_domain": "-","request_id": "27f694d1-eab9-4052-8219-d7a6bec17c48","timestamp": "2022-10-15 01:14:26.224"}

样例数据：

2022-10-20 03:07:32.453 42041 INFO eventlet.wsgi.server [-] <local> "GET / HTTP/1.1" status: 200 len: 115 time: 0.0005751

grok：

^%{TIMESTAMP_ISO8601:timestamp} %{NUMBER:pid} (?<log_level>AUDIT|CRITICAL|DEBUG|INFO|TRACE|WARNING|ERROR) %{NOTSPACE:program} \[-\] %{NOTSPACE:client_ip} "%{WORD:verb} %{NOTSPACE:request} HTTP/%{NOTSPACE:httpversion}" status: %{NUMBER:response} len: %{NUMBER:bytes} time: %{GREEDYDATA:time}

#neutron状态码和len之间的2个空格

结构化输出​​​​​​​

{"request": "/","log_level": "INFO","verb": "GET","pid": "42041","program": "eventlet.wsgi.server","response": "200","bytes": "115","client_ip": "<local>","httpversion": "1.1","time": "0.0005751","timestamp": "2022-10-20 03:07:32.453"}

样例数据：

2022-10-15 01:13:46.509 114454 INFO neutron.agent.dhcp.agent [-] Finished network 74482ee4-bf3b-4690-bdc2-dbeb187a2fd4 dhcp configuratio

grok：

^%{TIMESTAMP_ISO8601:timestamp} %{NUMBER:pid} (?<log_level>AUDIT|CRITICAL|DEBUG|INFO|TRACE|WARNING|ERROR) %{NOTSPACE:program} %{GREEDYDATA:log_message}

格式化输出:​​​​​​​

{"log_level": "INFO","pid": "114454","log_message": "[-] Finished network 74482ee4-bf3b-4690-bdc2-dbeb187a2fd4 dhcp configuratio","program": "neutron.agent.dhcp.agent","timestamp": "2022-10-15 01:13:46.509"}

ndsmsq:

样例数据：

Oct 16 19:15:06 dnsmasq[66547]: using nameserver 1.1.1.1#53

grok：

^%{SYSLOGTIMESTAMP:timestamp} %{NOTSPACE:msqpid} %{GREEDYDATA:log_message}

格式化输出:​​​​​​​

{"msqpid": "dnsmasq[66547]:","log_message": "using nameserver 1.1.1.1#53","timestamp": "Oct 16 19:15:06"}

cinder

cinder-scheduler

cinder-manage

样例数据:

2022-09-21 20:19:02.396 7 INFO cinde:r.service [-] Starting cinder-scheduler node (version 15.1.1)

Grok:

^%{TIMESTAMP_ISO8601:timestamp} %{NUMBER:pid} (?<log_level>AUDIT|CRITICAL|DEBUG|INFO|TRACE|WARNING|ERROR) %{NOTSPACE:program} \[-\] %{GREEDYDATA:log_message}

格式化输出:​​​​​​​

{"log_level": "INFO","pid": "7","log_message": "Starting cinder-scheduler node (version 15.1.1)","program": "cinder.service","timestamp": "2022-09-21 20:19:02.396"}

样例数据:

2022-09-21 20:19:02.359 7 INFO cinder.rpc [req-b924f3b0-404b-456b-88db-34fa071f2092 - - - - -] [None] Automatically selected cinder-scheduler RPC version 3.11 as minimum service version.

Grok:

^%{TIMESTAMP_ISO8601:timestamp} %{NUMBER:pid} (?<log_level>AUDIT|CRITICAL|DEBUG|INFO|TRACE|WARNING|ERROR) %{NOTSPACE:program} \[req-%{NOTSPACE:request_id} .*\] %{GREEDYDATA:log_message}

格式化输出:​​​​​​​

{"log_level": "INFO","pid": "7","log_message": "Automatically selected cinder-scheduler RPC version 3.11 as minimum service version.","program": "cinder.rpc","request_id": "b924f3b0-404b-456b-88db-34fa071f2092","timestamp": "2022-09-21 20:19:02.359"}

样例数据:

2022-09-21 20:42:06.822 7 ERROR oslo_db.sqlalchemy.engines File "/var/lib/kolla/venv/lib/python2.7/site-packages/oslo_db/sqlalchemy/engines.py", line 73, in _connect_ping_listener

Grok:

^%{TIMESTAMP_ISO8601:timestamp} %{NUMBER:pid} (?<log_level>AUDIT|CRITICAL|DEBUG|INFO|TRACE|WARNING|ERROR) %{GREEDYDATA:log_message}

格式化输出:​​​​​​​

{"log_level": "ERROR","pid": "7","log_message": "oslo_db.sqlalchemy.engines File "/var/lib/kolla/venv/lib/python2.7/site-packages/oslo_db/sqlalchemy/engines.py", line 73, in _connect_ping_listener","timestamp": "2022-09-21 20:42:06.822"}

cinder-api

样例数据:

2022-01-21 13:50:23.280633 /var/lib/kolla/venv/lib/python2.7/site-packages/webob/acceptparse.py:1051: DeprecationWarning: The behavior of AcceptValidHeader.best_match is currently being maintained for backward compatibility, but it will be deprecated in the future, as it does not conform to the RFC.

Grok:

^%{TIMESTAMP_ISO8601:timestamp} %{GREEDYDATA:log_message}

格式化输出:{

"log_message": "/var/lib/kolla/venv/lib/python2.7/site-packages/webob/acceptparse.py:1051: DeprecationWarning: The behavior of AcceptValidHeader.best_match is currently being maintained for backward compatibility, but it will be deprecated in the future, as it does not conform to the RFC.","timestamp": "2022-01-21 13:50:23.280633"}

样例数据:

10.250.4.11 - - [13/Oct/2022:19:33:53 +0800] "GET /v3/af0bdc5dcede42d58b2e87dbacf399e0/volumes/detail?all_tenants=1&limit=100&marker=c98d42d6-d2df-4b11-8c90-7aef68375517 HTTP/1.1" 200 15 133098 "-" "python-cinderclient"

Grok:

%{IPORHOST:clientip} %{HTTPDUSER:ident} %{HTTPDUSER:auth} [%{HTTPDATE:timestamp}] "(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})" (?:-|%{NUMBER:response}) (?:-|%{NUMBER:bytes}) (?:-|%{NUMBER:asd}) %{GREEDYDATA:access_client}

格式化输出:

{"request": "/v3/af0bdc5dcede42d58b2e87dbacf399e0/volumes/detail?all_tenants=1&limit=100&marker=c98d42d6-d2df-4b11-8c90-7aef68375517","auth": "-","ident": "-","verb": "GET","access_client": ""-" "python-cinderclient"","asd": "133098","response": "200","bytes": "15","clientip": "10.250.4.11","httpversion": "1.1","timestamp": "13/Oct/2022:19:33:53 +0800"}

glance

Glance-api

样例数据:

2022-10-28 03:22:58.692 29 INFO eventlet.wsgi.server [req-f87ef007-f2ab-4092-9a07-795982707712 8eb6aaab763944be857581ecda3e4c71 ebe54ee9ceff4f3eb23b02c84da81596 - default default] [None] 10.50.111.200,10.50.111.1 - - [28/Oct/2022 03:22:58] "GET /v2/images?limit=20 HTTP/1.1" 200 26558 0.066983

Grok:

^%{TIMESTAMP_ISO8601:timestamp} %{NUMBER:pid} (?<log_level>AUDIT|CRITICAL|DEBUG|INFO|TRACE|WARNING|ERROR) %{NOTSPACE:program} \[req-%{NOTSPACE:request_id} %{NOTSPACE:user_id} %{NOTSPACE:project_id} - %{NOTSPACE:user_domain} %{NOTSPACE:project_domain}\] \[None\] %{NOTSPACE:client_ip} - - \[(?<request_time>.*)\] "%{WORD:verb} %{NOTSPACE:request} HTTP/%{NOTSPACE:httpversion}" %{NUMBER:response} %{NUMBER:bytes} %{GREEDYDATA:time}

格式化输出:​​​​​​​

{"request": "/v2/images?limit=20","log_level": "INFO","verb": "GET","pid": "29","program": "eventlet.wsgi.server","request_time": "28/Oct/2022 03:22:58","user_id": "8eb6aaab763944be857581ecda3e4c71","project_id": "ebe54ee9ceff4f3eb23b02c84da81596","user_domain": "default","response": "200","bytes": "26558","client_ip": "10.50.111.200,10.50.111.1","httpversion": "1.1","time": "0.066983","project_domain": "default","request_id": "f87ef007-f2ab-4092-9a07-795982707712","timestamp": "2022-10-28 03:22:58.692"}

样例数据:

2022-11-22 13:48:58.705 32 INFO eventlet.wsgi.server [req-aaad7498-de01-42db-bf13-80cc122622c4 8eb6aaab763944be857581ecda3e4c71 ebe54ee9ceff4f3eb23b02c84da81596 - default default] [req-aaad7498-de01-42db-bf13-80cc122622c4] 10.50.111.200,10.50.111.1 - - [22/Nov/2022 13:48:58] "GET /v2/images?marker=4b000b71-51b2-40ae-83e3-7bc192b6ee99&limit=20 HTTP/1.1" 200 4524 0.036881

Grok:

^%{TIMESTAMP_ISO8601:timestamp} %{NUMBER:pid} (?<log_level>AUDIT|CRITICAL|DEBUG|INFO|TRACE|WARNING|ERROR) %{NOTSPACE:program} [req-%{NOTSPACE:request_id} %{NOTSPACE:user_id} %{NOTSPACE:project_id} - %{NOTSPACE:user_domain} %{NOTSPACE:project_domain}] [req-%{NOTSPACE:request_id}] %{NOTSPACE:client_ip} - - [(?<request_time>.*)] "%{WORD:verb} %{NOTSPACE:request} HTTP/%{NOTSPACE:httpversion}" %{NUMBER:response} %{NUMBER:bytes}%{GREEDYDATA:time}

格式化输出:

{"request": "/v2/images?marker=4b000b71-51b2-40ae-83e3-7bc192b6ee99&limit=20","log_level": "INFO","verb": "GET","pid": "32","program": "eventlet.wsgi.server","request_time": "22/Nov/2022 13:48:58","user_id": "8eb6aaab763944be857581ecda3e4c71","project_id": "ebe54ee9ceff4f3eb23b02c84da81596","user_domain": "default","response": "200","bytes": "4524","client_ip": "10.50.111.200,10.50.111.1","httpversion": "1.1","time": "0.036881","project_domain": "default","request_id": "aaad7498-de01-42db-bf13-80cc122622c4","timestamp": "2022-11-22 13:48:58.705"}

rabbitmq

rabbitmq

样例数据：

2022-04-25 04:46:34.396 [info] <0.15181.85> closing AMQP connection <0.15181.85> (10.50.1.31:60512 -> 10.50.1.1:5672 - nova-compute:7:7ef6eed1-cf7d-4ee3-b64b-1ec513bd167c, vhost: '/', user: 'openstack')

grok：

^%{TIMESTAMP_ISO8601:timestamp} \[(?<log_level>audit|critical|debug|info|trace|waring|error)\] %{GREEDYDATA:log_message}

格式化输出:{

"log_level": "info","log_message": "<0.15181.85> closing AMQP connection <0.15181.85> (10.50.1.31:60512 -> 10.50.1.1:5672 - nova-compute:7:7ef6eed1-cf7d-4ee3-b64b-1ec513bd167c, vhost: '/', user: 'openstack')","timestamp": "2022-04-25 04:46:34.396"}

mariadb

样例数据：

2022-09-28 17:46:34 1063 [Warning] Aborted connection 1063 to db: 'nova_api' user: 'nova_api' host: 'overcloud.vim1.local' (Got an error reading communication packets)

grok:

^%{TIMESTAMP_ISO8601:timestamp} %{NUMBER:pid} [(?<log_level>Note|CRITICAL|DEBUG|INFO|TRACE|Warning|ERROR)] %{GREEDYDATA:log_message}

格式化输出：​​​​​​​

{"msg": "Aborted connection 1063 to db: 'nova_api' user: 'nova_api' host: 'overcloud.vim1.local' (Got an error reading communication packets)","log_level": "Warning","pid": "1063","timestamp": "2022-09-28 17:46:34"}

libvirt

样例数据:

2021-09-27 14:09:01.591+0000: 102218: error : qemuDomainAgentAvailable:9185 : argument unsupported: QEMU guest agent is not configured

Grok:

^%{TIMESTAMP_ISO8601:timestamp}: %{NUMBER:pid}: (?<log_level>audit|critical|debug|info|trace|warning|error) : %{NOTSPACE:mod} : %{GREEDYDATA:msg}

格式化输出：

{"msg": "argument unsupported: QEMU guest agent is not configured","mod": "qemuDomainAgentAvailable:9185","log_level": "error","pid": "102218","timestamp": "2021-09-27 14:09:01.591+0000"}