我有以下类型的系统日志消息。我想捕获系统日志消息字段中包含“错误”的所有此类消息。
<30>Apr 9 04:27:13 ip-172-31-26-235 POSTMETHOD_fx-control-plane.1.k61c5pc0vd89zlrr3uwt7cj82/c720d84be94a[24233]: 2019-04-09 04:27:13.276 WARN 6 --- [ container-2] ingErrorHandler$DefaultExceptionStrategy : Fatal message conversion error; message rejected; it will be dropped or routed to a dead letter exchange, if so configured: (Body:'[B@2ce66e13(byte[3009])' MessageProperties [headers={}, contentType=application/x-java-serialized-object, contentLength=0, receivedDeliveryMode=PERSISTENT, priority=0, redelivered=false, receivedExchange=fx-exchange, receivedRoutingKey=fx-default-response-queue, deliveryTag=87, consumerTag=amq.ctag-wDCsD1_770goBmFKBAOhug, consumerQueue=fx-default-response
为了实现此结果,我使用 elastalert 黑名单规则并采用以下配置
es_host: elasticsearch
es_port: 9200
es_username: elastic
es_password: changeme
name: Slack blacklist rule
type: blacklist
index: logstash*
compare_key: message
blacklist:
- "error"
realert:
hours: 1
filter:
- query:
query_string:
query: "error"
alert:
- slack
slack_webhook_url: "https://hooks.slack.com/services/******/*****/*******"
slack_username_override: "ElastAlert"
我无法弄清楚配置出了什么问题,从而无法实现我想要的结果,即捕获包含错误的消息字段的所有系统日志消息。
答案1
我的想法是捕获 syslog 消息字段中包含错误的所有消息。我使用了任何类型的 elastalert 规则来获取它。这是我的配置
es_host: elasticsearch
es_port: 9200
es_username: elastic
es_password: changeme
name: Slack error rule
type: any
index: logstash*
timeframe:
hours: 4
filter:
- match:
message: "error"
alert:
- slack
slack_webhook_url: "https://hooks.slack.com/services/*******/*****/*****"
slack_username_override: "ElastAlert"