Handling multi-line log entries (log parsing)

Suppose you have a log that looks like this:

Thu 2014-10-09 23:55:12: 01: Session 525229; child 0101
Thu 2014-10-09 23:55:12: 05: Accepting IMAP connection from [172.1.2.3:52337] to [1.2.3.4:143]
Thu 2014-10-09 23:55:12: 03: --> * OK bla.com IMAP4rev1 Mailserver 14.0.3 ready
Thu 2014-10-09 23:55:12: 02: <-- 1 capability
Thu 2014-10-09 23:55:12: 03: --> * CAPABILITY IMAP4rev1 NAMESPACE AUTH=LOGIN AUTH=PLAIN IDLE COMPRESS=DEFLATE ACL UNSELECT UIDPLUS QUOTA BINARY XLIST
Thu 2014-10-09 23:55:12: 03: --> 1 OK CAPABILITY completed
Thu 2014-10-09 23:55:12: 02: <-- 2 authenticate plain
Thu 2014-10-09 23:55:12: 03: --> +
Thu 2014-10-09 23:55:12: 02: <-- ******
Thu 2014-10-09 23:55:12: 01: Authenticated as [email protected]

I want to do some user accounting.

Right now the information (session number, IP address, user name, etc.) is spread over several lines, as shown above.

How can I "convert" data like this into a list of IP/user pairs?

You could do something like grep -e ": Session" -e ": Accepting" -e ": Authenticated" logfile

which would give you

Thu 2014-10-09 23:55:12: 01: Session 525229; child 0101
Thu 2014-10-09 23:55:12: 05: Accepting IMAP connection from [172.1.2.3:52337] to [1.2.3.4:143]
Thu 2014-10-09 23:55:12: 01: Authenticated as [email protected]
Thu 2014-10-09 23:55:13: 01: Session 525230; child 0101
Thu 2014-10-09 23:55:13: 05: Accepting IMAP connection from [172.1.2.4:52537] to [1.2.3.4:143]
Thu 2014-10-09 23:55:13: 01: Authenticated as [email protected]
...

How would you separate these entries from one another?

All of this feels very unnatural.
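One way to do the folding the question asks for, as an added example that is not from the original post or the answer below: a small Python script that attaches each Accepting and Authenticated line to the most recent Session line, skips wrapped continuation lines such as "RY XLIST", and keeps sessions that never authenticated visible instead of silently dropping them. The sample log is constructed in the question's format with made-up addresses and user names.

```python
import re

# Constructed sample in the question's format: 525229 mirrors the page's transcript
# (placeholder user), 525230 never authenticates, 525231 is a second child process.
SAMPLE_LOG = """\
Thu 2014-10-09 23:55:12: 01: Session 525229; child 0101
Thu 2014-10-09 23:55:12: 05: Accepting IMAP connection from [172.1.2.3:52337] to [1.2.3.4:143]
Thu 2014-10-09 23:55:12: 03: --> * OK bla.com IMAP4rev1 Mailserver 14.0.3 ready
Thu 2014-10-09 23:55:12: 03: --> * CAPABILITY IMAP4rev1 NAMESPACE AUTH=LOGIN AUTH=PLAIN IDLE COMPRESS=DEFLATE ACL UNSELECT UIDPLUS QUOTA BINA
RY XLIST
Thu 2014-10-09 23:55:12: 02: <-- 2 authenticate plain
Thu 2014-10-09 23:55:12: 01: Authenticated as alice@example.com
Thu 2014-10-09 23:55:13: 01: Session 525230; child 0101
Thu 2014-10-09 23:55:13: 05: Accepting IMAP connection from [172.1.2.4:52537] to [1.2.3.4:143]
Thu 2014-10-09 23:55:14: 01: Session 525231; child 0102
Thu 2014-10-09 23:55:14: 05: Accepting IMAP connection from [10.0.0.9:40001] to [1.2.3.4:143]
Thu 2014-10-09 23:55:14: 01: Authenticated as bob@example.com
"""

# Real lines start "<Day> <date> <time>: <code>: "; anything else is a continuation
# of a line the logger or terminal wrapped (e.g. "RY XLIST").
LINE_RE = re.compile(r"^\w{3} \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}: (\d{2}): (.*)$")
SESSION_RE = re.compile(r"^Session (\d+); child (\d+)$")
ACCEPT_RE = re.compile(r"^Accepting IMAP connection from \[([\d.]+):\d+\]")
AUTH_RE = re.compile(r"^Authenticated as (.+)$")


def fold_sessions(log_text):
    """Fold the transcript into one record per 'Session' line.
    Correlation is positional: Accepting/Authenticated attach to the latest Session.
    Only the Session line carries the child id, so concurrently logging children
    can interleave and be misattributed; compare timestamps or use a per-line id."""
    records, current = [], None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # wrapped continuation line, not a new event
        msg = m.group(2)
        if s := SESSION_RE.match(msg):
            current = {"session": s.group(1), "child": s.group(2), "ip": None, "user": None}
            records.append(current)
        elif current is None:
            continue  # event before any Session line (file starts mid-transcript)
        elif a := ACCEPT_RE.match(msg):
            current["ip"] = a.group(1)
        elif u := AUTH_RE.match(msg):
            current["user"] = u.group(1)
    return records


def ip_user_pairs(log_text):
    """(ip, user) for sessions that completed authentication; the rest stay in fold_sessions()."""
    return [(r["ip"], r["user"]) for r in fold_sessions(log_text) if r["user"]]
```

Sessions with an IP but no user (like 525230 above) are the ones worth counting separately when auditing for failed or abandoned logins.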

Answer 1

Use LogStash, which natively supports multi-line entries.