We all know that a normal syslog line looks like this:
"Jul 31 11:37:27 node1 sshd[4540]: Disconnected from user root 192.168.6.113 port 45884",
"Jul 31 12:50:00 node1 sshd[19962]: Accepted keyboard-interactive/pam for root from 192.168.3.123 port 48604 ssh2",
"Jul 31 13:06:47 node1 sshd[22786]: Accepted password for root from 192.168.11.39 port 50890 ssh2",
"Aug 1 11:07:38 node1 kernel: Initializing cgroup subsys cpuset",
"Aug 1 11:07:38 node1 kernel: Initializing cgroup subsys cpu",
"Aug 1 11:07:38 node1 kernel: Linux version 2.6.32-573.el6.x86_64 (mockbuild@c6b9.bsys.dev.centos.org) (gcc version 4.4.7 20120313 (Red Hat 4.4.7-16) (GCC) ) #1 SMP Thu Jul 23 15:44:03 UTC 2015",
"Aug 1 11:07:38 node1 kernel: Command line: ro root=/dev/mapper/vg_node1-lv_root rd_NO_LUKS LANG=en_US.UTF-8 rd_LVM_LV=vg_node1/lv_swap rd_NO_MD SYSFONT=latarcyrheb-sun16 crashkernel=128M rd_LVM_LV=vg_node1/lv_root KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM rhgb quiet",
"Aug 1 11:07:38 node1 kernel: KERNEL supported cpus:",
So how do we pull the tid (the `sshd[4540]` process field) and the other fields out of a syslog line?
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

String str = "Jul 31 11:14:18 node1 sshd[4540]: Accepted publickey for root from 192.168.6.113 port 45884 ssh2: RSA SHA256:gbM+sCkvbt/BWa1umukzWksrL070HXHapr0z+7ROcg0";
// Named groups: date, dst (the host name), pid (program name plus "[pid]"), content (the message body)
String regex = "(?<date>\\w{3}\\s+\\d{1,2}\\s\\d\\d:\\d\\d:\\d\\d)\\s+(?<dst>\\w+)\\s+(?<pid>\\w+\\[\\d+\\]):\\s+(?<content>.*)";
Map<String, String> map = new HashMap<>();
Matcher m = Pattern.compile(regex).matcher(str);
if (m.find()) {
    map.put("date", m.group("date"));
    map.put("host", m.group("dst"));
    map.put("tid", m.group("pid"));
    map.put("sysaction", m.group("content"));
}
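Note that the regex above requires a `[pid]` after the program name, so the `kernel:` lines quoted earlier will not match it at all. The following is an added example, not code from the original post: it carries the same field layout into Python (with `(?P<name>)` group syntax), makes the pid optional so kernel lines still parse, and then runs a small detection over the sample lines, counting successful sshd logins per user, source IP and method. The `prog`/`pid` split and the `SSH_ACCEPT_RE` pattern are my additions.

```python
import re
from collections import Counter

# Same fields as the Java regex above; the "[pid]" part is optional here so that
# lines such as "kernel: ..." (which carry no pid) are parsed instead of dropped.
SYSLOG_RE = re.compile(
    r"(?P<date>\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+"
    r"(?P<host>\w+)\s+"
    r"(?P<prog>\w+)(?:\[(?P<pid>\d+)\])?:\s+"
    r"(?P<content>.*)"
)

# Matches the sshd success messages in the sample:
# "Accepted <method> for <user> from <ip> port <port>"
SSH_ACCEPT_RE = re.compile(
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>[\d.]+) port (?P<port>\d+)"
)


def parse_line(line):
    """Return a dict of fields, or None if the line is not syslog-shaped."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    return m.groupdict()  # "pid" is None for lines without "[pid]"


def accepted_logins(lines):
    """Count successful sshd logins per (user, source ip, auth method)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["prog"] != "sshd":
            continue
        a = SSH_ACCEPT_RE.search(rec["content"])
        if a:
            counts[(a.group("user"), a.group("ip"), a.group("method"))] += 1
    return counts


# Constructed sample, taken from the lines quoted at the top of the post
SAMPLE = [
    "Jul 31 11:37:27 node1 sshd[4540]: Disconnected from user root 192.168.6.113 port 45884",
    "Jul 31 12:50:00 node1 sshd[19962]: Accepted keyboard-interactive/pam for root from 192.168.3.123 port 48604 ssh2",
    "Jul 31 13:06:47 node1 sshd[22786]: Accepted password for root from 192.168.11.39 port 50890 ssh2",
    "Aug 1 11:07:38 node1 kernel: Initializing cgroup subsys cpuset",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(parse_line(line))
    print(accepted_logins(SAMPLE))
```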