Using grok syntax to parse CentOS 7 ssh login logs
The log lines (sshd writes them to /var/log/secure on CentOS 7) look like this:
Apr 19 16:09:30 92-com sshd[2749]: Did not receive identification string from 101.200.56.162 port 53456
Apr 19 16:10:26 92-com sshd[2756]: Bad protocol version identification 'GET /console/login/LoginForm.jsp HTTP/1.1' from 101.200.56.162 port 42608
Apr 19 17:07:05 92-com sshd[2852]: Accepted password for tt from 211.137.70.64 port 7182 ssh2
Filter pattern (the field names are pinyin: yuefen = month, riqi = day, shijian = time, zhoujiming = hostname; the two `.*` wildcards swallow the process name and the free-text message):
%{MONTH:yuefen} %{MONTHDAY:riqi} %{TIME:shijian} %{HOSTNAME:zhoujiming} .* %{IPV4:remoteip} .*
Output after filtering. Note that this output was captured from a different line of the same log than the three shown above (time 08:41:40, client port 12925) and with a port capture added to the pattern; HOUR, MINUTE and SECOND are the sub-captures that the grok debugger reports for %{TIME}:
{
"yuefen": [
[
"Apr"
]
],
"riqi": [
[
"19"
]
],
"shijian": [
[
"08:41:40"
]
],
"HOUR": [
[
"08"
]
],
"MINUTE": [
[
"41"
]
],
"SECOND": [
[
"40"
]
],
"zhoujiming": [
[
"92-com"
]
],
"remoteip": [
[
"211.137.70.64"
]
],
"port": [
[
"12925"
]
]
}
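The page's pattern pulls out only the timestamp, hostname and client address; the `.*` wildcards hide whether the line is a successful login, a failed one or a client that never spoke SSH at all (the first two sample lines, one of which is a web exploit probe aimed at port 22). The following Python script is an added example, not code from the original page: it re-implements grok's `%{NAME:field}` expansion on top of the standard `re` module (so it runs without Logstash), applies the page's own pattern, and then extends it with `sshd\[%{POSINT:pid}\]:`, a non-greedy `%{DATA:message}` and `port %{POSINT:port}` so that pid, client port, user, auth method and event type are captured as well. The regex bodies for MONTH, TIME, IPV4 and friends follow the definitions in logstash-patterns-core, trimmed to what these lines need; the fourth sample line ("Failed password for invalid user admin ...") is constructed for the example and is not from the page.

```python
"""Grok-style parsing of CentOS 7 sshd lines from /var/log/secure.

Added example (not code from the original page): re-implements grok's
%{NAME:field} expansion on top of Python's re module, runs the page's own
pattern, then extends it to capture pid, client port and event type.
"""
import re
from collections import Counter, defaultdict
from typing import Optional

# Regex bodies for the grok names used here, after logstash-patterns-core
# (grok-patterns), trimmed to what these lines need.
_OCTET = r"(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
GROK_PATTERNS = {
    "MONTH": r"\b(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)[a-z]*\b",
    "MONTHDAY": r"(?:0[1-9]|[12][0-9]|3[01]|[1-9])",
    "HOUR": r"(?:2[0-3]|[01]?[0-9])",
    "MINUTE": r"(?:[0-5][0-9])",
    "SECOND": r"(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)",
    "TIME": r"(?<![0-9])%{HOUR}:%{MINUTE}:%{SECOND}(?![0-9])",
    "HOSTNAME": r"\b[0-9A-Za-z][0-9A-Za-z-]{0,62}(?:\.[0-9A-Za-z][0-9A-Za-z-]{0,62})*\b",
    "IPV4": r"(?<![0-9])" + _OCTET + r"(?:\." + _OCTET + r"){3}(?![0-9])",
    "POSINT": r"\b[1-9][0-9]*\b",
    "DATA": r".*?",
}
_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def compile_grok(pattern: str) -> "re.Pattern":
    """Expand %{NAME} / %{NAME:field} into a compiled Python regex.

    A named reference becomes a named group (grok's captured field); an
    unnamed one is inlined as a non-capturing group. Expansion is recursive,
    so TIME is built from HOUR/MINUTE/SECOND as grok does.
    """
    def expand(m: "re.Match") -> str:
        name, field = m.group(1), m.group(2)
        body = _REF.sub(expand, GROK_PATTERNS[name])
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return re.compile(_REF.sub(expand, pattern))


# The page's pattern (with its stray trailing "}" removed).
PAGE_PATTERN = compile_grok(
    "%{MONTH:yuefen} %{MONTHDAY:riqi} %{TIME:shijian} %{HOSTNAME:zhoujiming} "
    ".* %{IPV4:remoteip} .*"
)
# Extended pattern: pin the "sshd[pid]:" prefix, keep the free text in a
# non-greedy DATA field and capture the client port after the address.
SSHD_PATTERN = compile_grok(
    "%{MONTH:month} %{MONTHDAY:day} %{TIME:time} %{HOSTNAME:host} "
    r"sshd\[%{POSINT:pid}\]: %{DATA:message} from %{IPV4:remoteip} port %{POSINT:port}"
)
_ACCEPTED = re.compile(r"^Accepted (?P<method>[\w-]+) for (?P<user>\S+)$")
_FAILED = re.compile(r"^Failed (?P<method>[\w-]+) for (?:invalid user )?(?P<user>\S+)$")


def grok_page_fields(line: str) -> Optional[dict]:
    """Apply the page's own pattern; returns its five named fields or None."""
    m = PAGE_PATTERN.search(line)
    return m.groupdict() if m else None


def parse_sshd_line(line: str) -> Optional[dict]:
    """Structured record for one sshd line, or None if it does not match."""
    m = SSHD_PATTERN.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    rec["port"] = int(rec["port"])
    msg = rec.pop("message")
    acc, fail = _ACCEPTED.match(msg), _FAILED.match(msg)
    if acc:
        rec.update(event="accepted", method=acc["method"], user=acc["user"])
    elif fail:
        rec.update(event="failed", method=fail["method"], user=fail["user"])
    else:
        # "Did not receive identification string" / "Bad protocol version
        # identification ...": the client never spoke SSH, i.e. a scanner or,
        # as in the page's second line, an HTTP exploit probe hitting port 22.
        rec.update(event="probe", detail=msg)
    return rec


def events_by_ip(lines) -> dict:
    """Count parsed events per client address, e.g. {'1.2.3.4': {'probe': 2}}."""
    counts = defaultdict(Counter)
    for line in lines:
        rec = parse_sshd_line(line)
        if rec:
            counts[rec["remoteip"]][rec["event"]] += 1
    return {ip: dict(c) for ip, c in counts.items()}


# The three lines from the page plus one constructed "Failed password" line
# (not from the page) to exercise the failed-login branch.
SAMPLE_LINES = [
    "Apr 19 16:09:30 92-com sshd[2749]: Did not receive identification string from 101.200.56.162 port 53456",
    "Apr 19 16:10:26 92-com sshd[2756]: Bad protocol version identification 'GET /console/login/LoginForm.jsp HTTP/1.1' from 101.200.56.162 port 42608",
    "Apr 19 17:07:05 92-com sshd[2852]: Accepted password for tt from 211.137.70.64 port 7182 ssh2",
    "Apr 19 17:09:41 92-com sshd[2860]: Failed password for invalid user admin from 101.200.56.162 port 44120 ssh2",  # constructed
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_sshd_line(line))
    print(events_by_ip(SAMPLE_LINES))
```

In Logstash the extended pattern string goes straight into `grok { match => { "message" => "..." } }`; the only difference from this script is that the grok debugger also reports the HOUR/MINUTE/SECOND sub-captures of %{TIME}, which the `compile_grok` above inlines as non-capturing groups. Anchoring on `sshd\[%{POSINT:pid}\]:` instead of `.*` is what makes the result useful for detection: with the event type separated out, "accepted" + "password" from an address that has only ever produced probes or failures is the line worth alerting on.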